Edit tour

Windows Analysis Report
171121_PDF.exe

Overview

General Information

Sample Name:	171121_PDF.exe
Analysis ID:	558240
MD5:	60d8b8589ba8045361ae148ee76c7582
SHA1:	328a778d026ad6611bb295bf3a799b6499fc7c7c
SHA256:	8f34d0008f07a4460c9ebc5a8d8a558a85979bd0112962eddf9506dc5b627989
Infos:

Detection

GuLoader Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Remcos RAT

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Yara detected GuLoader

Hides threads from debuggers

Installs a global keyboard hook

Initial sample is a PE file and has a suspicious name

Writes to foreign memory regions

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Uses dynamic DNS services

Uses 32bit PE files

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Sleep loop found (likely to delay execution)

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to call native functions

Contains functionality for execution timing, often used to detect debuggers

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Checks if the current process is being debugged

PE / OLE file has an invalid certificate

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64native

171121_PDF.exe (PID: 4656 cmdline: "C:\Users\user\Desktop\171121_PDF.exe" MD5: 60D8B8589BA8045361AE148EE76C7582)

ieinstal.exe (PID: 6972 cmdline: "C:\Users\user\Desktop\171121_PDF.exe" MD5: 7871873BABCEA94FBA13900B561C7C55)

ieinstal.exe (PID: 7000 cmdline: "C:\Users\user\Desktop\171121_PDF.exe" MD5: 7871873BABCEA94FBA13900B561C7C55)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://onedrive.live.com/downloa"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000005.00000000.95166069748.0000000003000000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000005.00000002.100061830714.0000000003487000.00000004.00000020.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: ieinstal.exe PID: 7000	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000005.00000000.95166069748.0000000003000000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://onedrive.live.com/downloa"}

Multi AV Scanner detection for submitted file

Source: 171121_PDF.exe	Virustotal: Detection: 60%	Perma Link
Source: 171121_PDF.exe	Metadefender: Detection: 17%	Perma Link
Source: 171121_PDF.exe	ReversingLabs: Detection: 67%

Yara detected Remcos RAT

Source: Yara match	File source: 00000005.00000002.100061830714.0000000003487000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ieinstal.exe PID: 7000, type: MEMORYSTR

Antivirus / Scanner detection for submitted sample

Source: 171121_PDF.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\CUSCONINE\vagabo.exe

Avira: detection malicious, Label: TR/AD.Nekark.jinay

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\CUSCONINE\vagabo.exe	Virustotal: Detection: 60%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\CUSCONINE\vagabo.exe	Metadefender: Detection: 17%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\CUSCONINE\vagabo.exe	ReversingLabs: Detection: 67%

Machine Learning detection for sample

Source: 171121_PDF.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\CUSCONINE\vagabo.exe

Joe Sandbox ML: detected

Source: 2.0.171121_PDF.exe.400000.0.unpack

Avira: Label: TR/AD.Nekark.jinay

Source: 171121_PDF.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://onedrive.live.com/downloa

Uses dynamic DNS services

Source: unknown

DNS query: name: olufem.ddns.net

Source: Joe Sandbox View

ASN Name: M247GB M247GB

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: ieinstal.exe, 00000005.00000002.100061830714.0000000003487000.00000004.00000020.sdmp, ieinstal.exe, 00000005.00000003.95357909682.0000000003487000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: ieinstal.exe, 00000005.00000002.100061830714.0000000003487000.00000004.00000020.sdmp, ieinstal.exe, 00000005.00000003.95357909682.0000000003487000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: ieinstal.exe, 00000005.00000003.95357909682.0000000003487000.00000004.00000001.sdmp	String found in binary or memory: https://d34m1w.bn.files.1drv.com/
Source: ieinstal.exe, 00000005.00000002.100061830714.0000000003487000.00000004.00000020.sdmp	String found in binary or memory: https://d34m1w.bn.files.1drv.com/#
Source: ieinstal.exe, 00000005.00000003.95357909682.0000000003487000.00000004.00000001.sdmp	String found in binary or memory: https://d34m1w.bn.files.1drv.com/K
Source: ieinstal.exe, 00000005.00000003.95357909682.0000000003487000.00000004.00000001.sdmp	String found in binary or memory: https://d34m1w.bn.files.1drv.com/e
Source: ieinstal.exe, 00000005.00000002.100061830714.0000000003487000.00000004.00000020.sdmp	String found in binary or memory: https://d34m1w.bn.files.1drv.com/rer
Source: ieinstal.exe, 00000005.00000003.95357909682.0000000003487000.00000004.00000001.sdmp	String found in binary or memory: https://d34m1w.bn.files.1drv.com/y#
Source: ieinstal.exe, 00000005.00000002.100061830714.0000000003487000.00000004.00000020.sdmp, ieinstal.exe, 00000005.00000002.100061742275.0000000003475000.00000004.00000020.sdmp	String found in binary or memory: https://d34m1w.bn.files.1drv.com/y4m7fxSf_SYygxFCqOTyBtDpLqPOYB60ldIfMGh_-vtFefb5neuOGhwPPxWnqgy8Dxz
Source: ieinstal.exe, 00000005.00000003.95357909682.0000000003487000.00000004.00000001.sdmp	String found in binary or memory: https://d34m1w.bn.files.1drv.com/y4mlvrZnpVzkFAu500fuzSWuME5RflAMbugHHfl4crVqcejz3wapD4Rm6d4a3n06QKS
Source: ieinstal.exe, 00000005.00000002.100061248342.0000000003407000.00000004.00000020.sdmp	String found in binary or memory: https://onedrive.live.com/
Source: ieinstal.exe, 00000005.00000002.100061248342.0000000003407000.00000004.00000020.sdmp	String found in binary or memory: https://onedrive.live.com/c
Source: ieinstal.exe, 00000005.00000002.100061542449.000000000344D000.00000004.00000020.sdmp	String found in binary or memory: https://onedrive.live.com/download?cid=176929A81F7E1249&resid=176929A81F7E1249%211217&authkey=ABMgMS

Source: unknown

DNS traffic detected: queries for: onedrive.live.com

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Windows user hook set: 0 keyboard low level C:\Program Files (x86)\internet explorer\ieinstal.exe

Jump to behavior

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 00000005.00000002.100061830714.0000000003487000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ieinstal.exe PID: 7000, type: MEMORYSTR

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: 171121_PDF.exe

Source: 171121_PDF.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_00405A7F	2_2_00405A7F
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_0040721E	2_2_0040721E
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_00406A36	2_2_00406A36
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_00405395	2_2_00405395
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_023684F7	2_2_023684F7
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_02361A5F	2_2_02361A5F
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_0236FB8E	2_2_0236FB8E
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_0236CFC2	2_2_0236CFC2
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_0236330D	2_2_0236330D
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_0236702D	2_2_0236702D
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_02367005	2_2_02367005
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_0236E629	2_2_0236E629
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_0236E665	2_2_0236E665
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_0236D66F	2_2_0236D66F
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_0236D698	2_2_0236D698
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_0236E6F9	2_2_0236E6F9
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_0236E6CD	2_2_0236E6CD
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_0236E734	2_2_0236E734
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_0236272C	2_2_0236272C
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_0236D71E	2_2_0236D71E
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_0236E76E	2_2_0236E76E
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_0236D758	2_2_0236D758
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_02369784	2_2_02369784
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_023647F1	2_2_023647F1
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_02367463	2_2_02367463
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_0236E59E	2_2_0236E59E
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_0236E5EC	2_2_0236E5EC
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_0236DA30	2_2_0236DA30
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_02360A5C	2_2_02360A5C
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_02364A41	2_2_02364A41
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_02364A81	2_2_02364A81
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_02364AE4	2_2_02364AE4
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_02364B2E	2_2_02364B2E
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_02364BB4	2_2_02364BB4
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_0236DBC5	2_2_0236DBC5
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_02364819	2_2_02364819
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_0236E819	2_2_0236E819
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_0236D855	2_2_0236D855
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_0236E844	2_2_0236E844
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_0236D89D	2_2_0236D89D
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_023648DD	2_2_023648DD
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_0236D989	2_2_0236D989
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_0236D9D1	2_2_0236D9D1
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_0236CFED	2_2_0236CFED
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_02366FD9	2_2_02366FD9
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_02364C32	2_2_02364C32
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_02361DBE	2_2_02361DBE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 5_2_030103D9	5_2_030103D9

Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_0236F695 NtProtectVirtualMemory,	2_2_0236F695
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_0236CFC2 NtAllocateVirtualMemory,	2_2_0236CFC2
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_0236D210 NtAllocateVirtualMemory,	2_2_0236D210
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_0236D295 NtAllocateVirtualMemory,	2_2_0236D295
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_0236D2E0 NtAllocateVirtualMemory,	2_2_0236D2E0
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_0236D311 NtAllocateVirtualMemory,	2_2_0236D311
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_0236D046 NtAllocateVirtualMemory,	2_2_0236D046
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_0236D0E6 NtAllocateVirtualMemory,	2_2_0236D0E6
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_0236D0D1 NtAllocateVirtualMemory,	2_2_0236D0D1
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_0236D13C NtAllocateVirtualMemory,	2_2_0236D13C
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_02368A05 NtWriteVirtualMemory,	2_2_02368A05
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_0236CFED NtAllocateVirtualMemory,	2_2_0236CFED
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 5_2_03010951 Sleep,NtProtectVirtualMemory,	5_2_03010951
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 5_2_03010A64 NtProtectVirtualMemory,	5_2_03010A64
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 5_2_03010A5D NtProtectVirtualMemory,	5_2_03010A5D

Source: 171121_PDF.exe, 00000002.00000000.95004111933.0000000000419000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameBrugstyveriscortic.exe vs 171121_PDF.exe
Source: 171121_PDF.exe	Binary or memory string: OriginalFilenameBrugstyveriscortic.exe vs 171121_PDF.exe

Source: C:\Users\user\Desktop\171121_PDF.exe	Section loaded: edgegdi.dll			Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Section loaded: edgegdi.dll			Jump to behavior

Source: 171121_PDF.exe

Static PE information: invalid certificate

Source: 171121_PDF.exe	Virustotal: Detection: 60%
Source: 171121_PDF.exe	Metadefender: Detection: 17%
Source: 171121_PDF.exe	ReversingLabs: Detection: 67%

Source: 171121_PDF.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\171121_PDF.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\171121_PDF.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\171121_PDF.exe "C:\Users\user\Desktop\171121_PDF.exe"
Source: C:\Users\user\Desktop\171121_PDF.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Users\user\Desktop\171121_PDF.exe"
Source: C:\Users\user\Desktop\171121_PDF.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Users\user\Desktop\171121_PDF.exe"
Source: C:\Users\user\Desktop\171121_PDF.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Users\user\Desktop\171121_PDF.exe"	Jump to behavior
Source: C:\Users\user\Desktop\171121_PDF.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Users\user\Desktop\171121_PDF.exe"	Jump to behavior

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

File created: C:\Users\user\AppData\Roaming\wifitskl

Jump to behavior

Source: C:\Users\user\Desktop\171121_PDF.exe

File created: C:\Users\user\AppData\Local\Temp\~DFFFD65EAE6BEE96C9.TMP

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@5/3@10/1

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Mutant created: \Sessions\1\BaseNamedObjects\audiotsk-RA5QGA

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000005.00000000.95166069748.0000000003000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_00405241 pushfd ; retf	2_2_00405242
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_00405A57 push 0000004Bh; retf	2_2_00405A7B
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_00408858 push 00000018h; ret	2_2_0040885A
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_0040A864 push esi; iretd	2_2_0040A865
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_00405A7F push ebx; ret	2_2_00405B0D
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_00406A27 push es; iretd	2_2_00406A35
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_00405AD4 push ebx; ret	2_2_00405B0D
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_00405CFE push 18FEA023h; retf	2_2_00405D16
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_004086A1 push edx; iretd	2_2_004086AE
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_0236816B push ss; iretd	2_2_023681C4
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_023681D4 push ss; iretd	2_2_023681C4
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_0236564B push ebp; iretd	2_2_0236564C
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_0236A7C6 push ecx; ret	2_2_0236A7DA
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_02361834 push es; retf	2_2_0236183A
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_02362EF5 push ebp; iretd	2_2_02362F47
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_02360F16 push edx; ret	2_2_02360F31
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_02362F48 pushad ; iretd	2_2_02362F57

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

File created: C:\Users\user\AppData\Local\Temp\CUSCONINE\vagabo.exe

Jump to dropped file

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Skuffejernenesco2			Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Skuffejernenesco2			Jump to behavior

Source: C:\Users\user\Desktop\171121_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect Any.run

Source: C:\Users\user\Desktop\171121_PDF.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\171121_PDF.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 171121_PDF.exe, 00000002.00000002.95423993948.00000000039B0000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEUSER32PSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WIN64; X64) APPLEWEBKIT/537.36 (KHTML, LIKE GECKO) CHROME/91.0.4472.124 SAFARI/537.36SHELL32ADVAPI32TEMP=PROGRAMFILES=\INTERNET EXPLORER\IEINSTAL.EXEWINDIR=\SYSWOW64\MSVBVM60.DLLPROGRAMFILES=\INTERNET EXPLORER\IEINSTAL.EXEWINDIR=\SYSWOW64\MSVBVM60.DLL
Source: 171121_PDF.exe, 00000002.00000002.95421592094.00000000005B4000.00000004.00000020.sdmp, 171121_PDF.exe, 00000002.00000002.95423993948.00000000039B0000.00000004.00000001.sdmp, ieinstal.exe, 00000005.00000002.100061142965.0000000003360000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: 171121_PDF.exe, 00000002.00000002.95421500993.000000000059D000.00000004.00000020.sdmp	Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: ieinstal.exe, 00000005.00000002.100061142965.0000000003360000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEUSER32PSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WIN64; X64) APPLEWEBKIT/537.36 (KHTML, LIKE GECKO) CHROME/91.0.4472.124 SAFARI/537.36SHELL32ADVAPI32TEMP=\VAGABO.EXE\CUSCONINESOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSKUFFEJERNENESCO2HTTPS://ONEDRIVE.LIVE.COM/DOWNLOAD?CID=176929A81F7E1249&RESID=176929A81F7E1249%211217&AUTHKEY=ABMGMSTXNC_3PVK

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 996	Thread sleep count: 9108 > 30			Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 996	Thread sleep time: -45540s >= -30000s			Jump to behavior

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Thread sleep count: Count: 9108 delay: -5

Jump to behavior

Source: C:\Users\user\Desktop\171121_PDF.exe

Code function: 2_2_023640AA rdtsc

2_2_023640AA

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Window / User API: threadDelayed 9108			Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Window / User API: foregroundWindowGot 673			Jump to behavior

Source: C:\Users\user\Desktop\171121_PDF.exe

System information queried: ModuleInformation

Jump to behavior

Source: 171121_PDF.exe, 00000002.00000002.95424075371.0000000003A79000.00000004.00000001.sdmp, ieinstal.exe, 00000005.00000002.100063059781.0000000004E69000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: 171121_PDF.exe, 00000002.00000002.95424075371.0000000003A79000.00000004.00000001.sdmp, ieinstal.exe, 00000005.00000002.100063059781.0000000004E69000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: ieinstal.exe, 00000005.00000002.100063059781.0000000004E69000.00000004.00000001.sdmp	Binary or memory string: vmicshutdown
Source: 171121_PDF.exe, 00000002.00000002.95424075371.0000000003A79000.00000004.00000001.sdmp, ieinstal.exe, 00000005.00000002.100063059781.0000000004E69000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: ieinstal.exe, 00000005.00000002.100061142965.0000000003360000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeuser32psapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36shell32advapi32TEMP=\vagabo.exe\CUSCONINESoftware\Microsoft\Windows\CurrentVersion\RunSkuffejernenesco2https://onedrive.live.com/download?cid=176929A81F7E1249&resid=176929A81F7E1249%211217&authkey=ABMgMSTxNC_3pVk
Source: 171121_PDF.exe, 00000002.00000002.95424075371.0000000003A79000.00000004.00000001.sdmp, ieinstal.exe, 00000005.00000002.100063059781.0000000004E69000.00000004.00000001.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: 171121_PDF.exe, 00000002.00000002.95424075371.0000000003A79000.00000004.00000001.sdmp, ieinstal.exe, 00000005.00000002.100063059781.0000000004E69000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: ieinstal.exe, 00000005.00000002.100063059781.0000000004E69000.00000004.00000001.sdmp	Binary or memory string: vmicvss
Source: ieinstal.exe, 00000005.00000002.100061775312.000000000347A000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: ieinstal.exe, 00000005.00000002.100061248342.0000000003407000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW(
Source: 171121_PDF.exe, 00000002.00000002.95421592094.00000000005B4000.00000004.00000020.sdmp, 171121_PDF.exe, 00000002.00000002.95423993948.00000000039B0000.00000004.00000001.sdmp, ieinstal.exe, 00000005.00000002.100061142965.0000000003360000.00000004.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: 171121_PDF.exe, 00000002.00000002.95424075371.0000000003A79000.00000004.00000001.sdmp, ieinstal.exe, 00000005.00000002.100063059781.0000000004E69000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: 171121_PDF.exe, 00000002.00000002.95424075371.0000000003A79000.00000004.00000001.sdmp, ieinstal.exe, 00000005.00000002.100063059781.0000000004E69000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: 171121_PDF.exe, 00000002.00000002.95421500993.000000000059D000.00000004.00000020.sdmp	Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe
Source: 171121_PDF.exe, 00000002.00000002.95424075371.0000000003A79000.00000004.00000001.sdmp, ieinstal.exe, 00000005.00000002.100063059781.0000000004E69000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: 171121_PDF.exe, 00000002.00000002.95423993948.00000000039B0000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeuser32psapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36shell32advapi32TEMP=ProgramFiles=\internet explorer\ieinstal.exewindir=\syswow64\msvbvm60.dllProgramFiles=\internet explorer\ieinstal.exewindir=\syswow64\msvbvm60.dll
Source: ieinstal.exe, 00000005.00000002.100063059781.0000000004E69000.00000004.00000001.sdmp	Binary or memory string: vmicheartbeat

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\171121_PDF.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Thread information set: HideFromDebugger			Jump to behavior

Source: C:\Users\user\Desktop\171121_PDF.exe

Code function: 2_2_023640AA rdtsc

2_2_023640AA

Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_023696BF mov eax, dword ptr fs:[00000030h]	2_2_023696BF
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_0236E59E mov eax, dword ptr fs:[00000030h]	2_2_0236E59E
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_0236C982 mov eax, dword ptr fs:[00000030h]	2_2_0236C982
Source: C:\Users\user\Desktop\171121_PDF.exe	Code function: 2_2_0236BEA2 mov eax, dword ptr fs:[00000030h]	2_2_0236BEA2

Source: C:\Users\user\Desktop\171121_PDF.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\171121_PDF.exe

Code function: 2_2_0236AB06 LdrInitializeThunk,

2_2_0236AB06

Source: C:\Users\user\Desktop\171121_PDF.exe

Code function: 2_2_0236FB8E RtlAddVectoredExceptionHandler,

2_2_0236FB8E

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Users\user\Desktop\171121_PDF.exe

Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 3000000

Jump to behavior

Source: C:\Users\user\Desktop\171121_PDF.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Users\user\Desktop\171121_PDF.exe"			Jump to behavior
Source: C:\Users\user\Desktop\171121_PDF.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Users\user\Desktop\171121_PDF.exe"			Jump to behavior

Source: ieinstal.exe, 00000005.00000002.100061641127.0000000003461000.00000004.00000020.sdmp	Binary or memory string: Program Managers.net:6110
Source: ieinstal.exe, 00000005.00000002.100062544413.0000000003A11000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: ieinstal.exe, 00000005.00000002.100062544413.0000000003A11000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: ieinstal.exe, 00000005.00000002.100061641127.0000000003461000.00000004.00000020.sdmp	Binary or memory string: Program Manager:\Users
Source: ieinstal.exe, 00000005.00000002.100062544413.0000000003A11000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: ieinstal.exe, 00000005.00000002.100061641127.0000000003461000.00000004.00000020.sdmp	Binary or memory string: Program ManagerEM
Source: ieinstal.exe, 00000005.00000002.100061830714.0000000003487000.00000004.00000020.sdmp, ieinstal.exe, 00000005.00000002.100061248342.0000000003407000.00000004.00000020.sdmp, logs.dat.5.dr	Binary or memory string: [ Program Manager ]
Source: ieinstal.exe, 00000005.00000002.100061641127.0000000003461000.00000004.00000020.sdmp	Binary or memory string: Program Managers.net:
Source: ieinstal.exe, 00000005.00000002.100061641127.0000000003461000.00000004.00000020.sdmp	Binary or memory string: Program Managers.net:6110?
Source: ieinstal.exe, 00000005.00000002.100061641127.0000000003461000.00000004.00000020.sdmp	Binary or memory string: Program ManagerEM d
Source: ieinstal.exe, 00000005.00000002.100061641127.0000000003461000.00000004.00000020.sdmp	Binary or memory string: Program ManagerEM D

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 00000005.00000002.100061830714.0000000003487000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ieinstal.exe PID: 7000, type: MEMORYSTR

Remote Access Functionality

Yara detected Remcos RAT

Source: Yara match	File source: 00000005.00000002.100061830714.0000000003487000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ieinstal.exe PID: 7000, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	112 Process Injection	1 Masquerading	11 Input Capture	421 Security Software Discovery	Remote Services	11 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	23 Virtualization/Sandbox Evasion	LSASS Memory	23 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	1 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	1 DLL Side-Loading	112 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	21 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Obfuscated Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	2 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 DLL Side-Loading	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
171121_PDF.exe	60%	Virustotal		Browse
171121_PDF.exe	17%	Metadefender		Browse
171121_PDF.exe	68%	ReversingLabs	Win32.Trojan.Shelsy
171121_PDF.exe	100%	Avira	TR/AD.Nekark.jinay
171121_PDF.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\CUSCONINE\vagabo.exe	100%	Avira	TR/AD.Nekark.jinay
C:\Users\user\AppData\Local\Temp\CUSCONINE\vagabo.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\CUSCONINE\vagabo.exe	60%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\CUSCONINE\vagabo.exe	17%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\CUSCONINE\vagabo.exe	68%	ReversingLabs	Win32.Trojan.Shelsy

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
2.2.171121_PDF.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1107800		Download File
2.0.171121_PDF.exe.400000.0.unpack	100%	Avira	TR/AD.Nekark.jinay		Download File

Domains

Source	Detection	Scanner	Label	Link
olufem.ddns.net	3%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
olufem.ddns.net	172.111.251.34	true	true	3%, Virustotal, Browse	unknown
onedrive.live.com	unknown	unknown	false		high
d34m1w.bn.files.1drv.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://onedrive.live.com/downloa	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://d34m1w.bn.files.1drv.com/K	ieinstal.exe, 00000005.00000003.95357909682.0000000003487000.00000004.00000001.sdmp	false	high
https://onedrive.live.com/c	ieinstal.exe, 00000005.00000002.100061248342.0000000003407000.00000004.00000020.sdmp	false	high
https://d34m1w.bn.files.1drv.com/y#	ieinstal.exe, 00000005.00000003.95357909682.0000000003487000.00000004.00000001.sdmp	false	high
https://d34m1w.bn.files.1drv.com/y4m7fxSf_SYygxFCqOTyBtDpLqPOYB60ldIfMGh_-vtFefb5neuOGhwPPxWnqgy8Dxz	ieinstal.exe, 00000005.00000002.100061830714.0000000003487000.00000004.00000020.sdmp, ieinstal.exe, 00000005.00000002.100061742275.0000000003475000.00000004.00000020.sdmp	false	high
https://d34m1w.bn.files.1drv.com/e	ieinstal.exe, 00000005.00000003.95357909682.0000000003487000.00000004.00000001.sdmp	false	high
https://onedrive.live.com/download?cid=176929A81F7E1249&resid=176929A81F7E1249%211217&authkey=ABMgMS	ieinstal.exe, 00000005.00000002.100061542449.000000000344D000.00000004.00000020.sdmp	false	high
https://d34m1w.bn.files.1drv.com/#	ieinstal.exe, 00000005.00000002.100061830714.0000000003487000.00000004.00000020.sdmp	false	high
https://d34m1w.bn.files.1drv.com/y4mlvrZnpVzkFAu500fuzSWuME5RflAMbugHHfl4crVqcejz3wapD4Rm6d4a3n06QKS	ieinstal.exe, 00000005.00000003.95357909682.0000000003487000.00000004.00000001.sdmp	false	high
https://d34m1w.bn.files.1drv.com/rer	ieinstal.exe, 00000005.00000002.100061830714.0000000003487000.00000004.00000020.sdmp	false	high
https://onedrive.live.com/	ieinstal.exe, 00000005.00000002.100061248342.0000000003407000.00000004.00000020.sdmp	false	high
https://d34m1w.bn.files.1drv.com/	ieinstal.exe, 00000005.00000003.95357909682.0000000003487000.00000004.00000001.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.111.251.34	olufem.ddns.net	United States		9009	M247GB	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	558240
Start date:	23.01.2022
Start time:	06:48:48
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	171121_PDF.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected Instruction Hammering
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@5/3@10/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 74% Number of executed functions: 53 Number of non-executed functions: 44
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe
Excluded IPs from analysis (whitelisted): 20.82.19.171, 20.54.122.82, 13.107.42.13, 13.107.42.12
Excluded domains from analysis (whitelisted): odc-web-brs.onedrive.akadns.net, client.wns.windows.com, bn-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net, odc-web-geo.onedrive.akadns.net, odc-bn-files-brs.onedrive.akadns.net, ctldl.windowsupdate.com, wdcp.microsoft.com, arc.msn.com, wd-prod-cp.trafficmanager.net, odc-bn-files-geo.onedrive.akadns.net, ris.api.iris.microsoft.com, wd-prod-cp-eu-north-1-fe.northeurope.cloudapp.azure.com, l-0004.l-msedge.net, wdcpalt.microsoft.com, odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net, l-0003.l-msedge.net, wd-prod-cp-eu-west-2-fe.westeurope.cloudapp.azure.com, img-prod-cms-rt-microsoft-com.akamaized.net
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:51:16	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Skuffejernenesco2 C:\Users\user\AppData\Local\Temp\CUSCONINE\vagabo.exe
06:51:24	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Skuffejernenesco2 C:\Users\user\AppData\Local\Temp\CUSCONINE\vagabo.exe

Created / dropped Files

C:\Users\user\AppData\Local\Temp\CUSCONINE\vagabo.exe

Download File

Process:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	112464
Entropy (8bit):	6.100488610521297
Encrypted:	false
SSDEEP:	1536:OPtG0c3vhsblLAvTIpS1HP9CGZG48TdiwOeQqn4kFgGYglLg:X1JsblLAvI+FW48QwOen4Hi8
MD5:	60D8B8589BA8045361AE148EE76C7582
SHA1:	328A778D026AD6611BB295BF3A799B6499FC7C7C
SHA-256:	8F34D0008F07A4460C9EBC5A8D8A558A85979BD0112962EDDF9506DC5B627989
SHA-512:	6D7AB39A3367D72D70E0CF8AF182FDF7B20100BE1159465CEBF5603C06BD485FFD0B5ACEE687AD029C1205C1CDADFBFE10002451B484CDE1746ED2C8814F58E7
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 60%, Browse Antivirus: Metadefender, Detection: 17%, Browse Antivirus: ReversingLabs, Detection: 68%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................._.................Rich...........................PE..L....~.N.................`...P...............p....@..........................................................................m..(........+..............P...................................................8... ....................................text...._.......`.................. ..`.data........p.......p..............@....rsrc....+.......0..................@..@..^............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFFFD65EAE6BEE96C9.TMP

Download File

Process:	C:\Users\user\Desktop\171121_PDF.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.623084520004525
Encrypted:	false
SSDEEP:	12:rl3lKFQCb776fGZHbYS6TS63TXlYdl7HtllGXPuK9iUmTc:rbQylDVYdtNllG/uw7
MD5:	23BC92D1C5A3C3698C8524B7CEB3F5D9
SHA1:	199D2660FEA3F7310397A37A8C7C600E7A26D461
SHA-256:	5A6730EB0987730B214A46DC814FE2071576A338B2210DECE2780AC6E3B45DD7
SHA-512:	6FA7CAB689912B93C312D35E0E0F218E6138A3BCB8BC1B31CF0F80E4795C079F8589B879CCAC55C14262C710D4772A4067CCA4ED7890AED678EC988D113227DD
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\wifitskl\logs.dat

Download File

Process:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
File Type:	data
Category:	dropped
Size (bytes):	228
Entropy (8bit):	3.324676875990576
Encrypted:	false
SSDEEP:	3:rnls2PltX6cl5JWRal2Jl+7R0DAlBG4LNQblovDl9iGLilXIkl+Rf3zNQblovDlw:aiUU5YcIeeDAlybW/Ne5IRfebW/G
MD5:	4E974FEC547CB42D02EBEF1C4F168E6E
SHA1:	26C86768D963521FBB151F247A117B9C0EB1EBEA
SHA-256:	8A7CCD77EF7FE3C4C467A8A7F0BF4153058E5A60E4F9B54A5C4E52BCBAD5B155
SHA-512:	32CDE6BB8AA11BDA151BE95FA4B15CB618461CB9ECB3AB36DB5D7574BA8DCCA1C7BFCCA8705C7E0E58847DD88F4D2A9405A692782FB344E896B6EB05495801EB
Malicious:	false
Reputation:	low
Preview:	....[.2.0.2.2./.0.1./.2.3. .0.6.:.5.1.:.2.1. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[. .P.r.o.g.r.a.m. .M.a.n.a.g.e.r. .].....[.W.i.n.].r.....[. .R.u.n. .].........[. .P.r.o.g.r.a.m. .M.a.n.a.g.e.r. .].....

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, _adj_fdiv_m64, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, _adj_fdiv_m16i, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, _adj_fdiv_m32i, _adj_fdivr_m32i, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarSetVar, __vbaLateMemCallLd, _CIatan, __vbaR8IntI4, _allmul, _CItan, _CIexp, __vbaFreeObj

Version Infos

Description	Data
Translation	0x0409 0x04b0
LegalCopyright	ART
InternalName	Brugstyveriscortic
FileVersion	1.00
CompanyName	ART
LegalTrademarks	ART
Comments	ART
ProductName	ART
ProductVersion	1.00
FileDescription	Classic ART
OriginalFilename	Brugstyveriscortic.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
01/23/22-06:51:20.532714	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	55429	1.1.1.1	192.168.11.20
01/23/22-06:52:21.635352	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	53233	1.1.1.1	192.168.11.20
01/23/22-06:53:22.622846	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	49426	1.1.1.1	192.168.11.20
01/23/22-06:54:24.546109	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	53111	1.1.1.1	192.168.11.20
01/23/22-06:55:27.156616	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	58328	1.1.1.1	192.168.11.20
01/23/22-06:56:29.782953	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	49551	1.1.1.1	192.168.11.20
01/23/22-06:57:30.160630	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	56088	1.1.1.1	192.168.11.20
01/23/22-06:58:37.645977	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	49208	1.1.1.1	192.168.11.20

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 23, 2022 06:51:20.533876896 CET	49801	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:51:20.703293085 CET	6110	49801	172.111.251.34	192.168.11.20
Jan 23, 2022 06:51:21.213707924 CET	49801	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:51:21.383318901 CET	6110	49801	172.111.251.34	192.168.11.20
Jan 23, 2022 06:51:21.885405064 CET	49801	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:51:22.051764965 CET	6110	49801	172.111.251.34	192.168.11.20
Jan 23, 2022 06:51:22.557038069 CET	49801	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:51:22.731542110 CET	6110	49801	172.111.251.34	192.168.11.20
Jan 23, 2022 06:51:23.244467974 CET	49801	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:51:23.417984962 CET	6110	49801	172.111.251.34	192.168.11.20
Jan 23, 2022 06:51:24.441565990 CET	49802	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:51:24.608980894 CET	6110	49802	172.111.251.34	192.168.11.20
Jan 23, 2022 06:51:25.119052887 CET	49802	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:51:25.303689957 CET	6110	49802	172.111.251.34	192.168.11.20
Jan 23, 2022 06:51:25.806296110 CET	49802	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:51:26.020940065 CET	6110	49802	172.111.251.34	192.168.11.20
Jan 23, 2022 06:51:26.524879932 CET	49802	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:51:26.728079081 CET	6110	49802	172.111.251.34	192.168.11.20
Jan 23, 2022 06:51:27.243567944 CET	49802	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:51:27.408804893 CET	6110	49802	172.111.251.34	192.168.11.20
Jan 23, 2022 06:51:28.418706894 CET	49805	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:51:28.582556009 CET	6110	49805	172.111.251.34	192.168.11.20
Jan 23, 2022 06:51:29.086854935 CET	49805	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:51:29.250814915 CET	6110	49805	172.111.251.34	192.168.11.20
Jan 23, 2022 06:51:29.758615971 CET	49805	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:51:29.926840067 CET	6110	49805	172.111.251.34	192.168.11.20
Jan 23, 2022 06:51:30.430270910 CET	49805	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:51:30.594449997 CET	6110	49805	172.111.251.34	192.168.11.20
Jan 23, 2022 06:51:31.102112055 CET	49805	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:51:31.266598940 CET	6110	49805	172.111.251.34	192.168.11.20
Jan 23, 2022 06:51:32.277121067 CET	49807	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:51:32.444715023 CET	6110	49807	172.111.251.34	192.168.11.20
Jan 23, 2022 06:51:32.945451021 CET	49807	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:51:34.009474993 CET	6110	49807	172.111.251.34	192.168.11.20
Jan 23, 2022 06:51:34.523053885 CET	49807	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:51:34.693078995 CET	6110	49807	172.111.251.34	192.168.11.20
Jan 23, 2022 06:51:35.195008993 CET	49807	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:51:35.362740040 CET	6110	49807	172.111.251.34	192.168.11.20
Jan 23, 2022 06:51:35.866545916 CET	49807	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:51:36.035017014 CET	6110	49807	172.111.251.34	192.168.11.20
Jan 23, 2022 06:51:37.041501045 CET	49809	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:51:37.218277931 CET	6110	49809	172.111.251.34	192.168.11.20
Jan 23, 2022 06:51:37.725533009 CET	49809	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:51:37.902740002 CET	6110	49809	172.111.251.34	192.168.11.20
Jan 23, 2022 06:51:38.413064957 CET	49809	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:51:38.606342077 CET	6110	49809	172.111.251.34	192.168.11.20
Jan 23, 2022 06:51:39.115875006 CET	49809	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:51:39.294013023 CET	6110	49809	172.111.251.34	192.168.11.20
Jan 23, 2022 06:51:39.803375006 CET	49809	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:51:40.790137053 CET	6110	49809	172.111.251.34	192.168.11.20
Jan 23, 2022 06:51:41.813607931 CET	49816	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:51:41.976222992 CET	6110	49816	172.111.251.34	192.168.11.20
Jan 23, 2022 06:51:42.490164995 CET	49816	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:51:42.656023026 CET	6110	49816	172.111.251.34	192.168.11.20
Jan 23, 2022 06:51:43.161834002 CET	49816	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:51:43.330912113 CET	6110	49816	172.111.251.34	192.168.11.20
Jan 23, 2022 06:51:43.833558083 CET	49816	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:51:44.019136906 CET	6110	49816	172.111.251.34	192.168.11.20
Jan 23, 2022 06:51:44.520960093 CET	49816	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:51:44.687252998 CET	6110	49816	172.111.251.34	192.168.11.20
Jan 23, 2022 06:51:45.695609093 CET	49817	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:51:46.133512020 CET	6110	49817	172.111.251.34	192.168.11.20
Jan 23, 2022 06:51:46.645481110 CET	49817	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:51:46.821264029 CET	6110	49817	172.111.251.34	192.168.11.20
Jan 23, 2022 06:51:47.332819939 CET	49817	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:51:47.505533934 CET	6110	49817	172.111.251.34	192.168.11.20
Jan 23, 2022 06:51:48.020308018 CET	49817	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:51:48.193583012 CET	6110	49817	172.111.251.34	192.168.11.20
Jan 23, 2022 06:51:48.707468987 CET	49817	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:51:48.885680914 CET	6110	49817	172.111.251.34	192.168.11.20
Jan 23, 2022 06:51:49.897425890 CET	49819	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:51:50.072941065 CET	6110	49819	172.111.251.34	192.168.11.20
Jan 23, 2022 06:51:50.582212925 CET	49819	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:51:50.824712992 CET	6110	49819	172.111.251.34	192.168.11.20
Jan 23, 2022 06:51:51.332093000 CET	49819	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:51:51.508572102 CET	6110	49819	172.111.251.34	192.168.11.20
Jan 23, 2022 06:51:52.019186974 CET	49819	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:51:52.200375080 CET	6110	49819	172.111.251.34	192.168.11.20
Jan 23, 2022 06:51:52.706732988 CET	49819	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:51:52.884602070 CET	6110	49819	172.111.251.34	192.168.11.20
Jan 23, 2022 06:51:53.896095991 CET	49820	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:51:54.061736107 CET	6110	49820	172.111.251.34	192.168.11.20
Jan 23, 2022 06:51:54.565732002 CET	49820	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:51:54.733727932 CET	6110	49820	172.111.251.34	192.168.11.20
Jan 23, 2022 06:51:55.237365961 CET	49820	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:51:55.405459881 CET	6110	49820	172.111.251.34	192.168.11.20
Jan 23, 2022 06:51:55.909164906 CET	49820	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:51:56.077308893 CET	6110	49820	172.111.251.34	192.168.11.20
Jan 23, 2022 06:51:56.580893040 CET	49820	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:51:56.749423027 CET	6110	49820	172.111.251.34	192.168.11.20
Jan 23, 2022 06:51:57.754939079 CET	49821	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:51:57.921236992 CET	6110	49821	172.111.251.34	192.168.11.20
Jan 23, 2022 06:51:58.424160004 CET	49821	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:51:59.050299883 CET	6110	49821	172.111.251.34	192.168.11.20
Jan 23, 2022 06:51:59.564516068 CET	49821	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:51:59.733380079 CET	6110	49821	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:00.236265898 CET	49821	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:00.405827999 CET	6110	49821	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:00.907862902 CET	49821	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:01.073436022 CET	6110	49821	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:02.080876112 CET	49822	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:02.255270958 CET	6110	49822	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:02.767038107 CET	49822	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:02.939196110 CET	6110	49822	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:03.454380035 CET	49822	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:03.630862951 CET	6110	49822	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:04.141537905 CET	49822	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:04.322937012 CET	6110	49822	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:04.828948021 CET	49822	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:05.018976927 CET	6110	49822	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:06.033442020 CET	49823	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:06.198220015 CET	6110	49823	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:06.703550100 CET	49823	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:06.865828991 CET	6110	49823	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:07.375406027 CET	49823	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:07.538144112 CET	6110	49823	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:08.047070026 CET	49823	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:08.218194008 CET	6110	49823	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:08.718806982 CET	49823	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:08.890011072 CET	6110	49823	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:09.907242060 CET	49825	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:10.078202009 CET	6110	49825	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:10.577866077 CET	49825	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:10.762115955 CET	6110	49825	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:11.265022039 CET	49825	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:11.434305906 CET	6110	49825	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:11.936857939 CET	49825	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:12.102085114 CET	6110	49825	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:12.608500004 CET	49825	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:12.774204969 CET	6110	49825	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:13.781565905 CET	49826	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:13.950345039 CET	6110	49826	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:14.451910019 CET	49826	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:14.619543076 CET	6110	49826	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:15.123553991 CET	49826	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:15.298969030 CET	6110	49826	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:15.810882092 CET	49826	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:15.977668047 CET	6110	49826	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:16.482779980 CET	49826	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:16.653629065 CET	6110	49826	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:17.671555996 CET	49827	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:17.853178978 CET	6110	49827	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:18.357161999 CET	49827	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:18.541395903 CET	6110	49827	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:19.044637918 CET	49827	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:19.233788013 CET	6110	49827	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:19.747606993 CET	49827	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:19.931286097 CET	6110	49827	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:20.434947968 CET	49827	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:20.619327068 CET	6110	49827	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:21.636152983 CET	49828	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:21.804104090 CET	6110	49828	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:22.309600115 CET	49828	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:22.487633944 CET	6110	49828	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:22.996814966 CET	49828	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:23.164179087 CET	6110	49828	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:23.668536901 CET	49828	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:23.835673094 CET	6110	49828	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:24.340295076 CET	49828	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:24.512168884 CET	6110	49828	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:25.528856993 CET	49829	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:25.703850985 CET	6110	49829	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:26.214780092 CET	49829	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:26.389885902 CET	6110	49829	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:26.902179003 CET	49829	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:27.388817072 CET	6110	49829	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:27.902054071 CET	49829	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:28.076713085 CET	6110	49829	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:28.589508057 CET	49829	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:28.768785000 CET	6110	49829	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:29.777782917 CET	49830	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:29.942840099 CET	6110	49830	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:30.448210955 CET	49830	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:30.627479076 CET	6110	49830	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:31.135576010 CET	49830	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:31.302898884 CET	6110	49830	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:31.807324886 CET	49830	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:31.970854044 CET	6110	49830	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:32.479170084 CET	49830	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:32.656891108 CET	6110	49830	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:33.668127060 CET	49831	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:33.835191965 CET	6110	49831	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:34.338124037 CET	49831	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:34.502459049 CET	6110	49831	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:35.009840965 CET	49831	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:35.178560019 CET	6110	49831	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:35.681468964 CET	49831	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:35.848517895 CET	6110	49831	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:36.353344917 CET	49831	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:36.520379066 CET	6110	49831	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:37.526228905 CET	49832	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:37.692684889 CET	6110	49832	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:38.196655035 CET	49832	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:38.368731022 CET	6110	49832	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:38.883857012 CET	49832	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:39.060817957 CET	6110	49832	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:39.571311951 CET	49832	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:39.740403891 CET	6110	49832	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:40.243108034 CET	49832	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:40.410862923 CET	6110	49832	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:41.415956020 CET	49849	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:41.589917898 CET	6110	49849	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:42.102097034 CET	49849	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:42.278139114 CET	6110	49849	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:42.789438963 CET	49849	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:42.966172934 CET	6110	49849	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:43.476778030 CET	49849	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:43.650158882 CET	6110	49849	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:44.164115906 CET	49849	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:44.345837116 CET	6110	49849	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:45.366197109 CET	49850	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:45.532949924 CET	6110	49850	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:46.038701057 CET	49850	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:46.208503962 CET	6110	49850	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:46.710411072 CET	49850	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:46.876389027 CET	6110	49850	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:47.382045031 CET	49850	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:47.548413038 CET	6110	49850	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:48.051737070 CET	49850	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:48.216334105 CET	6110	49850	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:49.226847887 CET	49851	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:49.403194904 CET	6110	49851	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:49.912781954 CET	49851	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:50.102287054 CET	6110	49851	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:50.615823984 CET	49851	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:50.786716938 CET	6110	49851	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:51.287520885 CET	49851	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:51.463311911 CET	6110	49851	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:51.974853992 CET	49851	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:52.150620937 CET	6110	49851	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:53.163219929 CET	49852	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:53.506558895 CET	6110	49852	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:54.021250010 CET	49852	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:54.201942921 CET	6110	49852	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:54.708640099 CET	49852	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:54.890132904 CET	6110	49852	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:55.395978928 CET	49852	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:55.610790014 CET	6110	49852	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:56.114588976 CET	49852	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:56.324081898 CET	6110	49852	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:57.334465981 CET	49853	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:57.518738031 CET	6110	49853	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:58.020350933 CET	49853	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:58.206604004 CET	6110	49853	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:58.707704067 CET	49853	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:58.882534981 CET	6110	49853	172.111.251.34	192.168.11.20
Jan 23, 2022 06:52:59.395001888 CET	49853	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:52:59.595107079 CET	6110	49853	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:00.098047018 CET	49853	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:00.286470890 CET	6110	49853	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:01.302206039 CET	49854	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:01.522459030 CET	6110	49854	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:02.035090923 CET	49854	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:02.267528057 CET	6110	49854	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:02.769300938 CET	49854	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:03.014758110 CET	6110	49854	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:03.519323111 CET	49854	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:03.698765039 CET	6110	49854	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:04.206562996 CET	49854	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:04.462542057 CET	6110	49854	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:05.473218918 CET	49855	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:05.672204971 CET	6110	49855	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:06.174896002 CET	49855	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:06.428555012 CET	6110	49855	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:06.940380096 CET	49855	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:07.124391079 CET	6110	49855	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:07.627527952 CET	49855	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:07.840137005 CET	6110	49855	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:08.346270084 CET	49855	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:09.640491009 CET	6110	49855	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:10.643742085 CET	49856	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:10.900445938 CET	6110	49856	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:11.408102036 CET	49856	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:11.748461008 CET	6110	49856	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:12.251646042 CET	49856	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:12.452446938 CET	6110	49856	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:12.954643965 CET	49856	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:13.156764030 CET	6110	49856	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:13.657525063 CET	49856	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:13.860718966 CET	6110	49856	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:14.877480984 CET	49857	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:15.042573929 CET	6110	49857	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:15.547802925 CET	49857	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:15.718682051 CET	6110	49857	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:16.219455004 CET	49857	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:16.382543087 CET	6110	49857	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:16.891124010 CET	49857	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:17.054694891 CET	6110	49857	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:17.562844038 CET	49857	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:17.730721951 CET	6110	49857	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:18.735790968 CET	49859	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:18.908258915 CET	6110	49859	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:19.421809912 CET	49859	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:19.584130049 CET	6110	49859	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:20.093719959 CET	49859	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:20.260454893 CET	6110	49859	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:20.765479088 CET	49859	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:20.936814070 CET	6110	49859	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:21.437127113 CET	49859	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:21.600521088 CET	6110	49859	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:22.623589039 CET	49860	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:22.794497013 CET	6110	49860	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:23.295952082 CET	49860	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:23.462636948 CET	6110	49860	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:23.967796087 CET	49860	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:24.135397911 CET	6110	49860	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:24.639584064 CET	49860	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:24.806490898 CET	6110	49860	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:25.311151981 CET	49860	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:25.627222061 CET	6110	49860	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:26.640367031 CET	49861	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:26.825378895 CET	6110	49861	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:27.326452017 CET	49861	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:27.517607927 CET	6110	49861	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:28.029270887 CET	49861	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:28.216737986 CET	6110	49861	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:28.732418060 CET	49861	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:28.917094946 CET	6110	49861	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:29.419773102 CET	49861	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:30.387166023 CET	6110	49861	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:31.405508995 CET	49862	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:31.575289011 CET	6110	49862	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:32.075256109 CET	49862	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:32.243710041 CET	6110	49862	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:32.747241020 CET	49862	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:32.911483049 CET	6110	49862	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:33.418756008 CET	49862	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:33.583234072 CET	6110	49862	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:34.090503931 CET	49862	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:34.257970095 CET	6110	49862	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:35.263902903 CET	49863	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:35.437625885 CET	6110	49863	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:35.949573994 CET	49863	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:36.149235964 CET	6110	49863	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:36.652468920 CET	49863	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:36.825467110 CET	6110	49863	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:37.339855909 CET	49863	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:37.517504930 CET	6110	49863	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:38.027257919 CET	49863	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:38.202611923 CET	6110	49863	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:39.215800047 CET	49864	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:39.386418104 CET	6110	49864	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:39.886092901 CET	49864	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:40.055824995 CET	6110	49864	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:40.557810068 CET	49864	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:40.722560883 CET	6110	49864	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:41.229612112 CET	49864	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:41.394395113 CET	6110	49864	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:41.901243925 CET	49864	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:42.074708939 CET	6110	49864	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:43.089746952 CET	49865	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:43.274113894 CET	6110	49865	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:43.785263062 CET	49865	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:43.970140934 CET	6110	49865	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:44.478832960 CET	49865	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:44.661989927 CET	6110	49865	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:45.166162014 CET	49865	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:45.350049019 CET	6110	49865	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:45.853461981 CET	49865	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:46.046139002 CET	6110	49865	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:47.057889938 CET	49866	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:47.232230902 CET	6110	49866	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:47.743634939 CET	49866	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:47.916395903 CET	6110	49866	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:48.431010008 CET	49866	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:48.616259098 CET	6110	49866	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:49.118544102 CET	49866	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:49.288407087 CET	6110	49866	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:49.790251017 CET	49866	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:49.964368105 CET	6110	49866	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:50.979638100 CET	49867	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:51.146748066 CET	6110	49867	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:51.649075985 CET	49867	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:51.822463036 CET	6110	49867	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:52.336488962 CET	49867	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:52.509673119 CET	6110	49867	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:53.023909092 CET	49867	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:53.214478016 CET	6110	49867	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:53.726912975 CET	49867	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:53.901693106 CET	6110	49867	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:54.915292025 CET	49868	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:55.097348928 CET	6110	49868	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:55.601428032 CET	49868	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:55.793025017 CET	6110	49868	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:56.304372072 CET	49868	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:56.624943018 CET	6110	49868	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:57.132230043 CET	49868	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:57.312915087 CET	6110	49868	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:57.819766045 CET	49868	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:58.002476931 CET	6110	49868	172.111.251.34	192.168.11.20
Jan 23, 2022 06:53:59.008474112 CET	49869	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:53:59.532902002 CET	6110	49869	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:00.037930012 CET	49869	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:02.037552118 CET	49869	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:02.208403111 CET	6110	49869	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:02.709161043 CET	49869	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:02.884305000 CET	6110	49869	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:03.396482944 CET	49869	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:03.568563938 CET	6110	49869	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:04.591150045 CET	49870	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:04.893162012 CET	6110	49870	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:05.396107912 CET	49870	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:05.564786911 CET	6110	49870	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:06.067845106 CET	49870	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:06.232573986 CET	6110	49870	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:06.739728928 CET	49870	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:07.261619091 CET	6110	49870	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:07.770622015 CET	49870	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:07.940243006 CET	6110	49870	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:08.943363905 CET	49871	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:09.114350080 CET	6110	49871	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:09.629574060 CET	49871	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:09.801836967 CET	6110	49871	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:10.316838026 CET	49871	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:10.489933968 CET	6110	49871	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:11.004328966 CET	49871	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:11.178023100 CET	6110	49871	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:11.691684008 CET	49871	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:11.873948097 CET	6110	49871	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:12.880393982 CET	49872	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:13.050158978 CET	6110	49872	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:13.550678968 CET	49872	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:13.714304924 CET	6110	49872	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:14.222213984 CET	49872	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:14.389708996 CET	6110	49872	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:14.894000053 CET	49872	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:15.065773010 CET	6110	49872	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:15.565635920 CET	49872	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:15.731317997 CET	6110	49872	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:16.739094973 CET	49873	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:16.904139042 CET	6110	49873	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:17.409019947 CET	49873	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:17.580044985 CET	6110	49873	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:18.080754995 CET	49873	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:18.248158932 CET	6110	49873	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:18.752614021 CET	49873	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:18.916330099 CET	6110	49873	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:19.424237013 CET	49873	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:19.592223883 CET	6110	49873	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:20.597076893 CET	49874	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:20.772665977 CET	6110	49874	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:21.283154011 CET	49874	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:21.464207888 CET	6110	49874	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:21.970489979 CET	49874	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:22.144375086 CET	6110	49874	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:22.657923937 CET	49874	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:22.832175970 CET	6110	49874	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:23.345376015 CET	49874	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:23.520044088 CET	6110	49874	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:24.546886921 CET	49875	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:24.709899902 CET	6110	49875	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:25.219902039 CET	49875	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:25.385767937 CET	6110	49875	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:25.891554117 CET	49875	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:26.053838015 CET	6110	49875	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:26.563361883 CET	49875	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:26.725812912 CET	6110	49875	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:27.234966993 CET	49875	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:27.398176908 CET	6110	49875	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:28.408214092 CET	49876	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:28.572283030 CET	6110	49876	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:29.078259945 CET	49876	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:29.247867107 CET	6110	49876	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:29.750124931 CET	49876	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:29.915844917 CET	6110	49876	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:30.421894073 CET	49876	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:30.588259935 CET	6110	49876	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:31.093652964 CET	49876	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:31.264208078 CET	6110	49876	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:32.266364098 CET	49877	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:32.443706989 CET	6110	49877	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:32.952577114 CET	49877	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:33.127456903 CET	6110	49877	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:33.639852047 CET	49877	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:33.815727949 CET	6110	49877	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:34.327281952 CET	49877	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:34.503520966 CET	6110	49877	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:35.014528036 CET	49877	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:35.239500999 CET	6110	49877	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:36.249895096 CET	49878	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:36.421915054 CET	6110	49878	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:36.936391115 CET	49878	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:37.102118015 CET	6110	49878	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:37.607687950 CET	49878	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:37.769642115 CET	6110	49878	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:38.279495955 CET	49878	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:38.441507101 CET	6110	49878	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:38.951134920 CET	49878	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:39.117172003 CET	6110	49878	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:40.124170065 CET	49879	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:40.299396992 CET	6110	49879	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:40.810455084 CET	49879	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:40.991496086 CET	6110	49879	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:41.497558117 CET	49879	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:41.667643070 CET	6110	49879	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:42.169301987 CET	49879	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:42.343602896 CET	6110	49879	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:42.856600046 CET	49879	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:43.031682014 CET	6110	49879	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:44.045063972 CET	49880	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:44.214709997 CET	6110	49880	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:44.715447903 CET	49880	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:44.882122040 CET	6110	49880	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:45.387479067 CET	49880	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:45.610518932 CET	6110	49880	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:46.121408939 CET	49880	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:46.289506912 CET	6110	49880	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:46.793396950 CET	49880	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:46.957446098 CET	6110	49880	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:47.966670990 CET	49881	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:48.140908957 CET	6110	49881	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:48.652211905 CET	49881	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:48.833909035 CET	6110	49881	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:49.339469910 CET	49881	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:49.513801098 CET	6110	49881	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:50.026865959 CET	49881	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:50.199673891 CET	6110	49881	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:50.714210987 CET	49881	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:50.896286964 CET	6110	49881	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:51.902647018 CET	49882	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:52.083220959 CET	6110	49882	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:52.588924885 CET	49882	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:52.764889002 CET	6110	49882	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:53.276257992 CET	49882	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:53.460402012 CET	6110	49882	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:53.963471889 CET	49882	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:54.138715029 CET	6110	49882	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:54.650804996 CET	49882	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:54.822659016 CET	6110	49882	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:55.839627981 CET	49884	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:56.010588884 CET	6110	49884	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:56.525554895 CET	49884	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:56.699084997 CET	6110	49884	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:57.212821960 CET	49884	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:57.386699915 CET	6110	49884	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:57.900068998 CET	49884	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:58.070257902 CET	6110	49884	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:58.571952105 CET	49884	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:58.745269060 CET	6110	49884	172.111.251.34	192.168.11.20
Jan 23, 2022 06:54:59.761228085 CET	49885	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:54:59.945732117 CET	6110	49885	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:00.446314096 CET	49885	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:00.617788076 CET	6110	49885	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:01.133716106 CET	49885	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:01.309674025 CET	6110	49885	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:01.821171045 CET	49885	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:01.990907907 CET	6110	49885	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:02.492826939 CET	49885	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:02.668288946 CET	6110	49885	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:03.681320906 CET	49886	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:03.855000973 CET	6110	49886	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:04.367562056 CET	49886	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:04.540033102 CET	6110	49886	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:05.054709911 CET	49886	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:05.230986118 CET	6110	49886	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:05.742086887 CET	49886	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:05.916486025 CET	6110	49886	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:06.429379940 CET	49886	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:06.639319897 CET	6110	49886	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:07.649398088 CET	49887	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:07.819678068 CET	6110	49887	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:08.319741964 CET	49887	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:08.485980034 CET	6110	49887	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:08.991580009 CET	49887	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:09.157738924 CET	6110	49887	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:09.663163900 CET	49887	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:09.827450037 CET	6110	49887	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:10.335001945 CET	49887	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:10.499525070 CET	6110	49887	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:11.508241892 CET	49888	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:11.674967051 CET	6110	49888	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:12.178201914 CET	49888	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:12.349881887 CET	6110	49888	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:12.865617990 CET	49888	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:13.029942036 CET	6110	49888	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:13.537411928 CET	49888	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:13.702260971 CET	6110	49888	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:14.209074020 CET	49888	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:14.374169111 CET	6110	49888	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:15.381953001 CET	49889	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:15.557360888 CET	6110	49889	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:16.068070889 CET	49889	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:16.245331049 CET	6110	49889	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:16.755248070 CET	49889	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:16.929559946 CET	6110	49889	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:17.442791939 CET	49889	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:17.617546082 CET	6110	49889	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:18.130033016 CET	49889	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:18.305048943 CET	6110	49889	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:19.318697929 CET	49890	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:19.493596077 CET	6110	49890	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:20.004662991 CET	49890	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:20.177355051 CET	6110	49890	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:20.691889048 CET	49890	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:20.865062952 CET	6110	49890	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:21.379262924 CET	49890	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:21.557173014 CET	6110	49890	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:22.066715002 CET	49890	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:22.253515005 CET	6110	49890	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:23.270845890 CET	49891	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:23.438666105 CET	6110	49891	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:23.941235065 CET	49891	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:24.105784893 CET	6110	49891	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:24.613046885 CET	49891	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:24.778352022 CET	6110	49891	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:25.284657955 CET	49891	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:25.462172031 CET	6110	49891	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:25.972126961 CET	49891	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:26.138037920 CET	6110	49891	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:27.157322884 CET	49892	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:27.327989101 CET	6110	49892	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:27.831033945 CET	49892	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:28.004038095 CET	6110	49892	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:28.518330097 CET	49892	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:28.687871933 CET	6110	49892	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:29.190174103 CET	49892	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:29.363759041 CET	6110	49892	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:29.877415895 CET	49892	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:30.051393986 CET	6110	49892	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:31.066195965 CET	49893	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:31.234325886 CET	6110	49893	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:31.736565113 CET	49893	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:31.906044006 CET	6110	49893	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:32.408138990 CET	49893	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:32.577754974 CET	6110	49893	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:33.080003977 CET	49893	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:33.254436970 CET	6110	49893	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:33.767282009 CET	49893	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:33.934158087 CET	6110	49893	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:34.940263987 CET	49894	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:35.105911016 CET	6110	49894	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:35.610517979 CET	49894	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:35.773613930 CET	6110	49894	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:36.282320976 CET	49894	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:36.454037905 CET	6110	49894	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:36.954010963 CET	49894	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:37.117980003 CET	6110	49894	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:37.625734091 CET	49894	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:37.793992996 CET	6110	49894	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:38.798535109 CET	49895	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:38.981550932 CET	6110	49895	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:39.484723091 CET	49895	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:39.665328979 CET	6110	49895	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:40.172137976 CET	49895	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:40.353688002 CET	6110	49895	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:40.859496117 CET	49895	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:41.045418978 CET	6110	49895	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:41.546767950 CET	49895	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:41.733201981 CET	6110	49895	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:42.750878096 CET	49896	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:42.923762083 CET	6110	49896	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:43.437011003 CET	49896	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:43.599905014 CET	6110	49896	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:44.108597994 CET	49896	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:44.271531105 CET	6110	49896	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:44.780437946 CET	49896	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:44.943617105 CET	6110	49896	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:45.452219009 CET	49896	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:45.615806103 CET	6110	49896	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:46.625072956 CET	49897	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:46.789700985 CET	6110	49897	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:47.295527935 CET	49897	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:47.469739914 CET	6110	49897	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:47.982780933 CET	49897	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:48.149758101 CET	6110	49897	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:48.654664993 CET	49897	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:48.821962118 CET	6110	49897	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:49.326409101 CET	49897	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:49.493913889 CET	6110	49897	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:50.499471903 CET	49898	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:50.673836946 CET	6110	49898	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:51.185224056 CET	49898	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:51.365816116 CET	6110	49898	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:51.872612953 CET	49898	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:52.046082020 CET	6110	49898	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:52.559931040 CET	49898	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:52.733536959 CET	6110	49898	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:53.247267008 CET	49898	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:53.437980890 CET	6110	49898	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:54.451384068 CET	49899	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:54.625251055 CET	6110	49899	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:55.137526035 CET	49899	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:55.477916002 CET	6110	49899	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:55.981008053 CET	49899	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:56.157623053 CET	6110	49899	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:56.668550014 CET	49899	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:56.841519117 CET	6110	49899	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:57.355777979 CET	49899	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:57.533587933 CET	6110	49899	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:58.544109106 CET	49900	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:58.714224100 CET	6110	49900	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:59.214709044 CET	49900	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:55:59.405878067 CET	6110	49900	172.111.251.34	192.168.11.20
Jan 23, 2022 06:55:59.917732000 CET	49900	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:00.105874062 CET	6110	49900	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:00.620717049 CET	49900	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:00.786037922 CET	6110	49900	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:01.292311907 CET	49900	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:01.457746983 CET	6110	49900	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:02.465284109 CET	49901	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:02.632468939 CET	6110	49901	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:03.135807037 CET	49901	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:03.300287962 CET	6110	49901	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:03.807507038 CET	49901	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:03.971813917 CET	6110	49901	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:04.479123116 CET	49901	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:04.643660069 CET	6110	49901	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:05.150851011 CET	49901	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:05.315895081 CET	6110	49901	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:06.324142933 CET	49902	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:06.505316973 CET	6110	49902	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:07.009859085 CET	49902	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:07.193413019 CET	6110	49902	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:07.697138071 CET	49902	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:07.877384901 CET	6110	49902	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:08.384613037 CET	49902	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:08.565432072 CET	6110	49902	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:09.071842909 CET	49902	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:09.253114939 CET	6110	49902	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:10.260301113 CET	49903	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:10.425883055 CET	6110	49903	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:10.930967093 CET	49903	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:11.098110914 CET	6110	49903	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:11.602695942 CET	49903	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:11.771140099 CET	6110	49903	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:12.274317026 CET	49903	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:12.442054033 CET	6110	49903	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:12.945986986 CET	49903	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:13.113660097 CET	6110	49903	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:14.118801117 CET	49904	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:14.290035009 CET	6110	49904	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:14.805047989 CET	49904	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:14.974158049 CET	6110	49904	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:15.476942062 CET	49904	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:15.650243044 CET	6110	49904	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:16.163995981 CET	49904	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:16.329747915 CET	6110	49904	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:16.835982084 CET	49904	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:17.002311945 CET	6110	49904	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:18.009402037 CET	49905	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:18.193406105 CET	6110	49905	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:18.694664001 CET	49905	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:18.873348951 CET	6110	49905	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:19.382237911 CET	49905	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:19.573411942 CET	6110	49905	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:20.085213900 CET	49905	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:20.265938044 CET	6110	49905	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:20.772500992 CET	49905	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:20.957518101 CET	6110	49905	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:21.960885048 CET	49906	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:22.141489983 CET	6110	49906	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:22.647054911 CET	49906	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:22.829195023 CET	6110	49906	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:23.334340096 CET	49906	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:23.513561964 CET	6110	49906	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:24.021845102 CET	49906	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:24.205456972 CET	6110	49906	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:24.709002018 CET	49906	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:24.889344931 CET	6110	49906	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:25.897710085 CET	49907	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:26.066102982 CET	6110	49907	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:26.568141937 CET	49907	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:26.733897924 CET	6110	49907	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:27.239875078 CET	49907	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:27.409738064 CET	6110	49907	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:27.911488056 CET	49907	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:28.077860117 CET	6110	49907	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:28.583220005 CET	49907	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:28.754173994 CET	6110	49907	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:29.783843994 CET	49908	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:29.947901011 CET	6110	49908	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:30.457792044 CET	49908	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:30.623558998 CET	6110	49908	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:31.129565001 CET	49908	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:31.295783043 CET	6110	49908	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:31.801346064 CET	49908	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:31.964004993 CET	6110	49908	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:32.473164082 CET	49908	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:32.639791012 CET	6110	49908	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:33.645930052 CET	49909	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:33.809726954 CET	6110	49909	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:34.316407919 CET	49909	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:34.481841087 CET	6110	49909	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:34.988203049 CET	49909	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:35.154095888 CET	6110	49909	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:35.659883022 CET	49909	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:35.830096960 CET	6110	49909	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:36.331476927 CET	49909	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:36.497581005 CET	6110	49909	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:37.504296064 CET	49910	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:37.673959017 CET	6110	49910	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:38.174906015 CET	49910	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:38.341979980 CET	6110	49910	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:38.846637964 CET	49910	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:39.017966032 CET	6110	49910	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:39.518299103 CET	49910	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:39.686336994 CET	6110	49910	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:40.190077066 CET	49910	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:40.358136892 CET	6110	49910	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:41.362925053 CET	49911	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:41.537466049 CET	6110	49911	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:42.048926115 CET	49911	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:42.234858036 CET	6110	49911	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:42.736373901 CET	49911	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:42.909514904 CET	6110	49911	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:43.423737049 CET	49911	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:43.601346016 CET	6110	49911	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:44.111067057 CET	49911	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:44.285267115 CET	6110	49911	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:45.299823999 CET	49912	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:45.463833094 CET	6110	49912	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:45.970026970 CET	49912	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:46.135584116 CET	6110	49912	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:46.641755104 CET	49912	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:46.807817936 CET	6110	49912	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:47.313424110 CET	49912	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:47.476005077 CET	6110	49912	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:47.985089064 CET	49912	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:48.147464991 CET	6110	49912	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:49.157953978 CET	49913	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:49.329958916 CET	6110	49913	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:49.844048977 CET	49913	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:50.021981955 CET	6110	49913	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:50.531438112 CET	49913	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:50.705722094 CET	6110	49913	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:51.218900919 CET	49913	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:51.398281097 CET	6110	49913	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:51.906070948 CET	49913	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:52.081991911 CET	6110	49913	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:53.094604969 CET	49914	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:53.261605024 CET	6110	49914	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:53.765124083 CET	49914	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:53.930025101 CET	6110	49914	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:54.436963081 CET	49914	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:54.601856947 CET	6110	49914	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:55.108658075 CET	49914	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:55.279489994 CET	6110	49914	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:55.780368090 CET	49914	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:55.945839882 CET	6110	49914	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:56.953222990 CET	49915	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:57.137353897 CET	6110	49915	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:57.639235973 CET	49915	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:57.821120977 CET	6110	49915	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:58.326668978 CET	49915	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:58.505415916 CET	6110	49915	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:59.014034986 CET	49915	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:59.197272062 CET	6110	49915	172.111.251.34	192.168.11.20
Jan 23, 2022 06:56:59.701387882 CET	49915	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:56:59.885111094 CET	6110	49915	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:00.889842033 CET	49916	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:01.070579052 CET	6110	49916	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:01.576028109 CET	49916	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:01.742636919 CET	6110	49916	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:02.247584105 CET	49916	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:02.417736053 CET	6110	49916	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:02.919399977 CET	49916	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:03.085788965 CET	6110	49916	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:03.591177940 CET	49916	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:03.757942915 CET	6110	49916	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:04.763904095 CET	49918	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:04.937340021 CET	6110	49918	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:05.450011015 CET	49918	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:05.629547119 CET	6110	49918	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:06.137440920 CET	49918	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:06.309747934 CET	6110	49918	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:06.824707031 CET	49918	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:06.997889042 CET	6110	49918	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:07.512057066 CET	49918	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:07.685513973 CET	6110	49918	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:08.700710058 CET	49919	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:08.865812063 CET	6110	49919	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:09.371198893 CET	49919	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:09.537699938 CET	6110	49919	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:10.042764902 CET	49919	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:10.210149050 CET	6110	49919	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:10.714543104 CET	49919	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:10.886291981 CET	6110	49919	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:11.386320114 CET	49919	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:18.417426109 CET	49920	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:18.598134041 CET	6110	49920	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:19.103245974 CET	49920	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:19.277793884 CET	6110	49920	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:19.790635109 CET	49920	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:19.966340065 CET	6110	49920	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:20.477932930 CET	49920	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:20.654666901 CET	6110	49920	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:21.165358067 CET	49920	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:21.338515997 CET	6110	49920	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:22.353929996 CET	49921	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:22.529383898 CET	6110	49921	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:23.039957047 CET	49921	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:23.217880011 CET	6110	49921	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:23.727406979 CET	49921	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:23.901583910 CET	6110	49921	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:24.414742947 CET	49921	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:24.589329004 CET	6110	49921	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:25.101932049 CET	49921	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:25.273519039 CET	6110	49921	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:26.290667057 CET	49922	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:26.451858044 CET	6110	49922	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:26.960913897 CET	49922	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:27.128009081 CET	6110	49922	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:27.632767916 CET	49922	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:27.795717001 CET	6110	49922	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:28.304348946 CET	49922	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:28.467736006 CET	6110	49922	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:28.976202011 CET	49922	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:29.144251108 CET	6110	49922	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:30.161432981 CET	49923	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:30.334105968 CET	6110	49923	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:30.835030079 CET	49923	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:31.009656906 CET	6110	49923	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:31.522382975 CET	49923	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:31.693950891 CET	6110	49923	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:32.194192886 CET	49923	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:32.369913101 CET	6110	49923	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:32.881642103 CET	49923	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:33.054318905 CET	6110	49923	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:34.069953918 CET	49924	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:34.232108116 CET	6110	49924	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:34.740514040 CET	49924	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:34.907860041 CET	6110	49924	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:35.412379980 CET	49924	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:35.579662085 CET	6110	49924	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:36.084043026 CET	49924	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:36.247833014 CET	6110	49924	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:36.755691051 CET	49924	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:36.923494101 CET	6110	49924	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:37.928670883 CET	49925	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:38.094109058 CET	6110	49925	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:38.598928928 CET	49925	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:38.765574932 CET	6110	49925	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:39.270705938 CET	49925	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:39.437783957 CET	6110	49925	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:39.942361116 CET	49925	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:40.110163927 CET	6110	49925	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:40.614259005 CET	49925	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:40.782192945 CET	6110	49925	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:41.793108940 CET	49929	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:41.962004900 CET	6110	49929	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:42.473076105 CET	49929	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:42.641940117 CET	6110	49929	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:43.144773960 CET	49929	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:43.310209036 CET	6110	49929	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:43.816740990 CET	49929	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:43.982198954 CET	6110	49929	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:44.488248110 CET	49929	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:44.653830051 CET	6110	49929	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:45.661246061 CET	49930	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:45.825733900 CET	6110	49930	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:46.331752062 CET	49930	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:46.497886896 CET	6110	49930	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:47.003453016 CET	49930	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:47.174029112 CET	6110	49930	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:47.675137997 CET	49930	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:47.841655016 CET	6110	49930	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:48.346719027 CET	49930	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:48.514055014 CET	6110	49930	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:49.519659042 CET	49931	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:49.783845901 CET	6110	49931	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:50.284121037 CET	49931	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:50.455833912 CET	6110	49931	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:50.955701113 CET	49931	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:51.123553991 CET	6110	49931	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:51.627456903 CET	49931	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:51.796808004 CET	6110	49931	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:52.299279928 CET	49931	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:52.463548899 CET	6110	49931	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:53.472090960 CET	49932	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:53.637933969 CET	6110	49932	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:54.142381907 CET	49932	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:54.306045055 CET	6110	49932	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:54.814040899 CET	49932	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:54.977947950 CET	6110	49932	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:55.486020088 CET	49932	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:55.721992970 CET	6110	49932	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:56.235666037 CET	49932	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:56.405803919 CET	6110	49932	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:57.408843040 CET	49933	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:57.589205027 CET	6110	49933	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:58.094763041 CET	49933	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:58.277338982 CET	6110	49933	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:58.782100916 CET	49933	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:58.965358973 CET	6110	49933	172.111.251.34	192.168.11.20
Jan 23, 2022 06:57:59.469398022 CET	49933	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:57:59.653217077 CET	6110	49933	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:00.156801939 CET	49933	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:00.337465048 CET	6110	49933	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:01.345375061 CET	49934	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:01.517401934 CET	6110	49934	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:02.031399012 CET	49934	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:02.191781044 CET	6110	49934	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:02.702991962 CET	49934	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:02.867639065 CET	6110	49934	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:03.374819040 CET	49934	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:03.768162966 CET	6110	49934	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:04.280872107 CET	49934	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:04.456033945 CET	6110	49934	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:05.469436884 CET	49935	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:05.638386965 CET	6110	49935	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:06.139843941 CET	49935	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:06.306035995 CET	6110	49935	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:06.811566114 CET	49935	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:06.977781057 CET	6110	49935	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:07.483242035 CET	49935	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:07.645807028 CET	6110	49935	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:08.154937983 CET	49935	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:08.321841002 CET	6110	49935	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:09.327908039 CET	49936	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:09.493566990 CET	6110	49936	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:09.998414040 CET	49936	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:10.165651083 CET	6110	49936	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:10.670180082 CET	49936	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:10.833956957 CET	6110	49936	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:11.341718912 CET	49936	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:11.505974054 CET	6110	49936	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:12.013566017 CET	49936	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:12.181905031 CET	6110	49936	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:13.186973095 CET	49937	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:13.365377903 CET	6110	49937	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:13.872435093 CET	49937	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:14.053230047 CET	6110	49937	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:14.559734106 CET	49937	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:14.741317034 CET	6110	49937	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:15.247209072 CET	49937	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:15.429589033 CET	6110	49937	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:15.934545994 CET	49937	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:16.117489100 CET	6110	49937	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:17.122905016 CET	49938	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:17.287583113 CET	6110	49938	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:17.793565989 CET	49938	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:17.955806971 CET	6110	49938	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:18.465198994 CET	49938	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:18.631598949 CET	6110	49938	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:19.136908054 CET	49938	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:19.300108910 CET	6110	49938	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:19.808646917 CET	49938	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:19.971709967 CET	6110	49938	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:20.981476068 CET	49939	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:21.154225111 CET	6110	49939	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:21.667746067 CET	49939	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:21.842201948 CET	6110	49939	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:22.355004072 CET	49939	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:22.525866985 CET	6110	49939	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:23.026639938 CET	49939	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:23.198067904 CET	6110	49939	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:23.698512077 CET	49939	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:23.881963015 CET	6110	49939	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:24.887320042 CET	49940	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:25.055636883 CET	6110	49940	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:25.557302952 CET	49940	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:25.723773956 CET	6110	49940	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:26.229121923 CET	49940	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:26.391818047 CET	6110	49940	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:26.900805950 CET	49940	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:27.063747883 CET	6110	49940	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:27.572478056 CET	49940	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:27.735909939 CET	6110	49940	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:28.745419025 CET	49941	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:29.759485006 CET	49941	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:31.774725914 CET	49941	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:35.789578915 CET	49941	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:35.954256058 CET	6110	49941	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:36.461313963 CET	49941	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:36.626136065 CET	6110	49941	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:37.646770954 CET	49942	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:37.813958883 CET	6110	49942	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:38.320190907 CET	49942	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:38.486145020 CET	6110	49942	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:38.992080927 CET	49942	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:39.626622915 CET	6110	49942	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:40.132157087 CET	49942	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:40.303108931 CET	6110	49942	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:40.804157972 CET	49942	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:40.969788074 CET	6110	49942	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:41.976882935 CET	49943	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:42.140139103 CET	6110	49943	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:42.647286892 CET	49943	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:42.812074900 CET	6110	49943	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:43.319001913 CET	49943	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:43.484118938 CET	6110	49943	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:43.990864038 CET	49943	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:44.155834913 CET	6110	49943	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:44.662576914 CET	49943	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:44.883750916 CET	6110	49943	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:45.897789955 CET	49944	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:46.081603050 CET	6110	49944	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:46.584088087 CET	49944	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:46.765322924 CET	6110	49944	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:47.271401882 CET	49944	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:47.453268051 CET	6110	49944	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:47.958765030 CET	49944	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:48.137327909 CET	6110	49944	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:48.645971060 CET	49944	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:48.833631992 CET	6110	49944	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:49.850214958 CET	49945	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:50.013856888 CET	6110	49945	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:50.520677090 CET	49945	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:50.685946941 CET	6110	49945	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:51.192275047 CET	49945	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:51.357795000 CET	6110	49945	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:51.864108086 CET	49945	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:52.029761076 CET	6110	49945	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:52.535847902 CET	49945	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:52.701550007 CET	6110	49945	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:53.709018946 CET	49946	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:53.878022909 CET	6110	49946	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:54.379174948 CET	49946	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:54.545826912 CET	6110	49946	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:55.050987005 CET	49946	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:55.226135015 CET	6110	49946	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:55.738261938 CET	49946	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:55.906207085 CET	6110	49946	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:56.410074949 CET	49946	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:56.578196049 CET	6110	49946	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:57.582868099 CET	49947	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:57.747993946 CET	6110	49947	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:58.253360033 CET	49947	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:58.424165964 CET	6110	49947	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:58.925015926 CET	49947	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:59.087759972 CET	6110	49947	172.111.251.34	192.168.11.20
Jan 23, 2022 06:58:59.596640110 CET	49947	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:58:59.763672113 CET	6110	49947	172.111.251.34	192.168.11.20
Jan 23, 2022 06:59:00.268397093 CET	49947	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:59:00.431880951 CET	6110	49947	172.111.251.34	192.168.11.20
Jan 23, 2022 06:59:01.441540003 CET	49948	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:59:01.614073992 CET	6110	49948	172.111.251.34	192.168.11.20
Jan 23, 2022 06:59:02.127496004 CET	49948	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:59:02.302129984 CET	6110	49948	172.111.251.34	192.168.11.20
Jan 23, 2022 06:59:02.814749002 CET	49948	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:59:02.986036062 CET	6110	49948	172.111.251.34	192.168.11.20
Jan 23, 2022 06:59:03.486591101 CET	49948	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:59:03.657862902 CET	6110	49948	172.111.251.34	192.168.11.20
Jan 23, 2022 06:59:04.158159018 CET	49948	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:59:04.330049038 CET	6110	49948	172.111.251.34	192.168.11.20
Jan 23, 2022 06:59:05.346993923 CET	49949	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:59:05.517333984 CET	6110	49949	172.111.251.34	192.168.11.20
Jan 23, 2022 06:59:06.032753944 CET	49949	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:59:06.205394983 CET	6110	49949	172.111.251.34	192.168.11.20
Jan 23, 2022 06:59:06.720035076 CET	49949	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:59:06.889100075 CET	6110	49949	172.111.251.34	192.168.11.20
Jan 23, 2022 06:59:07.391953945 CET	49949	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:59:07.565577030 CET	6110	49949	172.111.251.34	192.168.11.20
Jan 23, 2022 06:59:08.079618931 CET	49949	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:59:08.249409914 CET	6110	49949	172.111.251.34	192.168.11.20
Jan 23, 2022 06:59:09.251730919 CET	49950	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:59:09.435621023 CET	6110	49950	172.111.251.34	192.168.11.20
Jan 23, 2022 06:59:09.938103914 CET	49950	6110	192.168.11.20	172.111.251.34
Jan 23, 2022 06:59:10.111505985 CET	6110	49950	172.111.251.34	192.168.11.20

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 23, 2022 06:51:15.569247007 CET	60139	53	192.168.11.20	1.1.1.1
Jan 23, 2022 06:51:16.426620960 CET	58460	53	192.168.11.20	1.1.1.1
Jan 23, 2022 06:51:20.520481110 CET	55429	53	192.168.11.20	1.1.1.1
Jan 23, 2022 06:51:20.532713890 CET	53	55429	1.1.1.1	192.168.11.20
Jan 23, 2022 06:52:21.624361992 CET	53233	53	192.168.11.20	1.1.1.1
Jan 23, 2022 06:52:21.635351896 CET	53	53233	1.1.1.1	192.168.11.20
Jan 23, 2022 06:53:22.609636068 CET	49426	53	192.168.11.20	1.1.1.1
Jan 23, 2022 06:53:22.622845888 CET	53	49426	1.1.1.1	192.168.11.20
Jan 23, 2022 06:54:24.533535004 CET	53111	53	192.168.11.20	1.1.1.1
Jan 23, 2022 06:54:24.546108961 CET	53	53111	1.1.1.1	192.168.11.20
Jan 23, 2022 06:55:27.144592047 CET	58328	53	192.168.11.20	1.1.1.1
Jan 23, 2022 06:55:27.156615973 CET	53	58328	1.1.1.1	192.168.11.20
Jan 23, 2022 06:56:29.771713018 CET	49551	53	192.168.11.20	1.1.1.1
Jan 23, 2022 06:56:29.782953024 CET	53	49551	1.1.1.1	192.168.11.20
Jan 23, 2022 06:57:30.148957014 CET	56088	53	192.168.11.20	1.1.1.1
Jan 23, 2022 06:57:30.160629988 CET	53	56088	1.1.1.1	192.168.11.20
Jan 23, 2022 06:58:37.633886099 CET	49208	53	192.168.11.20	1.1.1.1
Jan 23, 2022 06:58:37.645977020 CET	53	49208	1.1.1.1	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 23, 2022 06:51:15.569247007 CET	192.168.11.20	1.1.1.1	0xfa92	Standard query (0)	onedrive.live.com	A (IP address)	IN (0x0001)
Jan 23, 2022 06:51:16.426620960 CET	192.168.11.20	1.1.1.1	0x6ad4	Standard query (0)	d34m1w.bn.files.1drv.com	A (IP address)	IN (0x0001)
Jan 23, 2022 06:51:20.520481110 CET	192.168.11.20	1.1.1.1	0xe900	Standard query (0)	olufem.ddns.net	A (IP address)	IN (0x0001)
Jan 23, 2022 06:52:21.624361992 CET	192.168.11.20	1.1.1.1	0x2bb2	Standard query (0)	olufem.ddns.net	A (IP address)	IN (0x0001)
Jan 23, 2022 06:53:22.609636068 CET	192.168.11.20	1.1.1.1	0xf638	Standard query (0)	olufem.ddns.net	A (IP address)	IN (0x0001)
Jan 23, 2022 06:54:24.533535004 CET	192.168.11.20	1.1.1.1	0xf4b6	Standard query (0)	olufem.ddns.net	A (IP address)	IN (0x0001)
Jan 23, 2022 06:55:27.144592047 CET	192.168.11.20	1.1.1.1	0xaa66	Standard query (0)	olufem.ddns.net	A (IP address)	IN (0x0001)
Jan 23, 2022 06:56:29.771713018 CET	192.168.11.20	1.1.1.1	0x29fe	Standard query (0)	olufem.ddns.net	A (IP address)	IN (0x0001)
Jan 23, 2022 06:57:30.148957014 CET	192.168.11.20	1.1.1.1	0x2c5e	Standard query (0)	olufem.ddns.net	A (IP address)	IN (0x0001)
Jan 23, 2022 06:58:37.633886099 CET	192.168.11.20	1.1.1.1	0x9807	Standard query (0)	olufem.ddns.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 23, 2022 06:51:15.579026937 CET	1.1.1.1	192.168.11.20	0xfa92	No error (0)	onedrive.live.com	odc-web-geo.onedrive.akadns.net		CNAME (Canonical name)	IN (0x0001)
Jan 23, 2022 06:51:16.639554024 CET	1.1.1.1	192.168.11.20	0x6ad4	No error (0)	d34m1w.bn.files.1drv.com	bn-files.fe.1drv.com		CNAME (Canonical name)	IN (0x0001)
Jan 23, 2022 06:51:16.639554024 CET	1.1.1.1	192.168.11.20	0x6ad4	No error (0)	bn-files.fe.1drv.com	odc-bn-files-geo.onedrive.akadns.net		CNAME (Canonical name)	IN (0x0001)
Jan 23, 2022 06:51:20.532713890 CET	1.1.1.1	192.168.11.20	0xe900	No error (0)	olufem.ddns.net		172.111.251.34	A (IP address)	IN (0x0001)
Jan 23, 2022 06:52:21.635351896 CET	1.1.1.1	192.168.11.20	0x2bb2	No error (0)	olufem.ddns.net		172.111.251.34	A (IP address)	IN (0x0001)
Jan 23, 2022 06:53:22.622845888 CET	1.1.1.1	192.168.11.20	0xf638	No error (0)	olufem.ddns.net		172.111.251.34	A (IP address)	IN (0x0001)
Jan 23, 2022 06:54:24.546108961 CET	1.1.1.1	192.168.11.20	0xf4b6	No error (0)	olufem.ddns.net		172.111.251.34	A (IP address)	IN (0x0001)
Jan 23, 2022 06:55:27.156615973 CET	1.1.1.1	192.168.11.20	0xaa66	No error (0)	olufem.ddns.net		172.111.251.34	A (IP address)	IN (0x0001)
Jan 23, 2022 06:56:29.782953024 CET	1.1.1.1	192.168.11.20	0x29fe	No error (0)	olufem.ddns.net		172.111.251.34	A (IP address)	IN (0x0001)
Jan 23, 2022 06:57:30.160629988 CET	1.1.1.1	192.168.11.20	0x2c5e	No error (0)	olufem.ddns.net		172.111.251.34	A (IP address)	IN (0x0001)
Jan 23, 2022 06:58:37.645977020 CET	1.1.1.1	192.168.11.20	0x9807	No error (0)	olufem.ddns.net		172.111.251.34	A (IP address)	IN (0x0001)

Start time:	06:50:41
Start date:	23/01/2022
Path:	C:\Users\user\Desktop\171121_PDF.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\171121_PDF.exe"
Imagebase:	0x400000
File size:	112464 bytes
MD5 hash:	60D8B8589BA8045361AE148EE76C7582
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Start time:	06:50:56
Start date:	23/01/2022
Path:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\171121_PDF.exe"
Imagebase:	0xaa0000
File size:	480256 bytes
MD5 hash:	7871873BABCEA94FBA13900B561C7C55
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Start time:	06:50:57
Start date:	23/01/2022
Path:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\171121_PDF.exe"
Imagebase:	0xaa0000
File size:	480256 bytes
MD5 hash:	7871873BABCEA94FBA13900B561C7C55
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000005.00000000.95166069748.0000000003000000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.100061830714.0000000003487000.00000004.00000020.sdmp, Author: Joe Security
Reputation:	moderate

Show Windows behavior

Execution Graph

Execution Coverage:	1.2%
Dynamic/Decrypted Code Coverage:	93.5%
Signature Coverage:	46.8%
Total number of Nodes:	124
Total number of Limit Nodes:	6

Executed Functions

Function 023647F1 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 231
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(1AE1C299), ref: 0236BFE4

Strings

~iD, xrefs: 0236BFC5

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: ~iD
API String ID: 1029625771-1955462559
Opcode ID: d03e2929a55809ffc75b54e53ba69d622c1a22addc169433234063c90710a046
Instruction ID: 49734424e1e8e97c4a4c7bf64bec68757e3bc2d19346fde78667903851d86b2a
Opcode Fuzzy Hash: d03e2929a55809ffc75b54e53ba69d622c1a22addc169433234063c90710a046
Instruction Fuzzy Hash: 31A1DE315083899FCB749E24C8887FEBBEAFF54354F01881EDD8A9B615C7308A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0236FB8E Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAddVectoredExceptionHandler.NTDLL ref: 02370110

Strings

eKU$, xrefs: 0236FF26

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID: ExceptionHandlerVectored
String ID: eKU$
API String ID: 3310709589-2864510924
Opcode ID: 5a888558f530ea920920d540d0bbc9b17a70b8a607c4af46095f8a0e8cebe8bd
Instruction ID: d13b6cfa55610a1b2e0ccdf87a708d10ea4c4ef4cf913be76155f95c67e2bcd2
Opcode Fuzzy Hash: 5a888558f530ea920920d540d0bbc9b17a70b8a607c4af46095f8a0e8cebe8bd
Instruction Fuzzy Hash: 3071D370509249CFDB3DDE28D9A8BFA77A6AF85310F10812ACC4B8BA96C7349641CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0236CFC2 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 153
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0236BEFB: LoadLibraryA.KERNELBASE(1AE1C299), ref: 0236BFE4

NtAllocateVirtualMemory.NTDLL(-8270BE20), ref: 0236D344

Strings

W&R_, xrefs: 0236D139

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID: W&R_
API String ID: 2616484454-940024294
Opcode ID: fd72866d491360dbc49b3b2a6e7cb8fcdc270621c7c3a384141e676c2bda7b9a
Instruction ID: 963b37040cea38eb58ae5a49da364444d576d5fc0516b147e50c2bd20cdc6dac
Opcode Fuzzy Hash: fd72866d491360dbc49b3b2a6e7cb8fcdc270621c7c3a384141e676c2bda7b9a
Instruction Fuzzy Hash: 40516C7160938CCFDB709F20CC097FA7BB9AF49350F158419CC8A9BA5AD7708946CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0236CFED Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 137
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0236BEFB: LoadLibraryA.KERNELBASE(1AE1C299), ref: 0236BFE4

NtAllocateVirtualMemory.NTDLL(-8270BE20), ref: 0236D344

Strings

W&R_, xrefs: 0236D139

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID: W&R_
API String ID: 2616484454-940024294
Opcode ID: 1d7feb93c1e0cce13a763aa75c650759768cb17940812feec9c66e92c3145dc0
Instruction ID: 2424f36aff2eafe70406481dfab2b3c7141e3dfd71fd4817868445a7d48f39af
Opcode Fuzzy Hash: 1d7feb93c1e0cce13a763aa75c650759768cb17940812feec9c66e92c3145dc0
Instruction Fuzzy Hash: D9512971609388CBDB709F20CC097FABBBDAF55354F158019CC8A9BA1AD7708A46CB56

Uniqueness

Uniqueness Score: -1.00%

Function 0236D046 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 126
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0236BEFB: LoadLibraryA.KERNELBASE(1AE1C299), ref: 0236BFE4

NtAllocateVirtualMemory.NTDLL(-8270BE20), ref: 0236D344

Strings

W&R_, xrefs: 0236D139

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID: W&R_
API String ID: 2616484454-940024294
Opcode ID: 6d3ec819fca886c26ff7a179f79721739e75eccedb5a213723b6c300aa9ce506
Instruction ID: d87c172d8f627e7432ba8cae50efebf1f76234e0928f6e9654ebdfe45e75e53e
Opcode Fuzzy Hash: 6d3ec819fca886c26ff7a179f79721739e75eccedb5a213723b6c300aa9ce506
Instruction Fuzzy Hash: E4512471209388CFDB709F60CC09BFABBB9AF55350F15841AC8CA4BA5AD7708586CB56

Uniqueness

Uniqueness Score: -1.00%

Function 0236D0D1 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0236BEFB: LoadLibraryA.KERNELBASE(1AE1C299), ref: 0236BFE4

NtAllocateVirtualMemory.NTDLL(-8270BE20), ref: 0236D344

Strings

W&R_, xrefs: 0236D139

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID: W&R_
API String ID: 2616484454-940024294
Opcode ID: 44088a8b423f241dde5861bdd25c8833e8c219ac7ece6668bd2f616940731547
Instruction ID: ad5d0f3c453376ad7669ddf288cf6254e6919f63adcfaafe1666fa50ee94268c
Opcode Fuzzy Hash: 44088a8b423f241dde5861bdd25c8833e8c219ac7ece6668bd2f616940731547
Instruction Fuzzy Hash: EA412871209388CFDB709F20CC097FABBF9AF85340F148019D88E8BA5AD7308942CB56

Uniqueness

Uniqueness Score: -1.00%

Function 0236D0E6 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 113
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(-8270BE20), ref: 0236D344

Strings

W&R_, xrefs: 0236D139

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: W&R_
API String ID: 2167126740-940024294
Opcode ID: 9816b7768e3a806f5268fa1b33f22c823fffe13cf82ef30dfe4e9a093f944bcf
Instruction ID: 914978ac71ad230e22a81834e820b768df237c1989145beacc320b9ad1401746
Opcode Fuzzy Hash: 9816b7768e3a806f5268fa1b33f22c823fffe13cf82ef30dfe4e9a093f944bcf
Instruction Fuzzy Hash: B4411371209388CFDB70DF60CC09BFABBB9AF55350F148419C8CA4BA5AC3708946CB56

Uniqueness

Uniqueness Score: -1.00%

Function 023684F7 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 144
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE ref: 02368D72

Strings

vk2#, xrefs: 02368704

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: vk2#
API String ID: 3472027048-1686446494
Opcode ID: a24a85b7e2fe9af2471a09c835a92835126ee5096237c5642aa9958a30c384d3
Instruction ID: 20ea88ba7fed3f5116821cc63944ccbb1611403f2f61003a7fff66e9ad63589c
Opcode Fuzzy Hash: a24a85b7e2fe9af2471a09c835a92835126ee5096237c5642aa9958a30c384d3
Instruction Fuzzy Hash: 8F51F13141C2C9CFCB369F348C096E9BF79AF1A304F14899AC9859B8A7C3304649CB56

Uniqueness

Uniqueness Score: -1.00%

Function 0236D13C Relevance: 1.6, APIs: 1, Instructions: 104
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(-8270BE20), ref: 0236D344

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 31c114de92f744edb83625db5b48e2a7e83e0d90de3b3f5ca56bfabb0c68a7a7
Instruction ID: 079ab60db2754fd77eb880c880476d5836f9391123690d09f990c2ec615aae94
Opcode Fuzzy Hash: 31c114de92f744edb83625db5b48e2a7e83e0d90de3b3f5ca56bfabb0c68a7a7
Instruction Fuzzy Hash: D0410771209788CFDB709F20CC09BFABBB9AF85354F158019DC8E4BA6AD3308946CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0236D210 Relevance: 1.6, APIs: 1, Instructions: 97memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(-8270BE20), ref: 0236D344

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 13e0267752e4356819f03f81f0c4b7b49f7e91d615854204c28a7e2e460fb956
Instruction ID: de23321a31912dc262306f465630394912bce9a80333000af8d2c34a40336199
Opcode Fuzzy Hash: 13e0267752e4356819f03f81f0c4b7b49f7e91d615854204c28a7e2e460fb956
Instruction Fuzzy Hash: 97310971249688CFDB309F10CC45BFABBBAAF59354F158019C88E4FA6AC3708A46CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0236D295 Relevance: 1.6, APIs: 1, Instructions: 68memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(-8270BE20), ref: 0236D344

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 35f17c6955378cdd63720aa2360d474b865b2c11fc31b1f8ed2b5c2810160e82
Instruction ID: 789aae865c7b891c5269bcbc2a7c1c4c8a2ee6f8bfb954b76ff292dda35e7eca
Opcode Fuzzy Hash: 35f17c6955378cdd63720aa2360d474b865b2c11fc31b1f8ed2b5c2810160e82
Instruction Fuzzy Hash: CB210631249288CFD7319F10CC15BFABF7AAF49394F148505D88A5B95BC3308A46CB15

Uniqueness

Uniqueness Score: -1.00%

Function 0236D2E0 Relevance: 1.6, APIs: 1, Instructions: 61memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(-8270BE20), ref: 0236D344

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 833df68078b0f54b4324a03178602dd50c05a2423dda8891bf3383eb7303c877
Instruction ID: 4838278698e7afbb2818b246031de030383043ba4fb710434cbdffe614f3ae17
Opcode Fuzzy Hash: 833df68078b0f54b4324a03178602dd50c05a2423dda8891bf3383eb7303c877
Instruction Fuzzy Hash: E62126312092C8CFC7319F10C914BFABF79AF49394F188105D88A0FA5BC3309A46CB11

Uniqueness

Uniqueness Score: -1.00%

Function 0236D311 Relevance: 1.6, APIs: 1, Instructions: 57memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(-8270BE20), ref: 0236D344

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 1ed1646b72c225e054776e6b9c80ad645b0125cb99d5103ec849b391657de2b4
Instruction ID: c069443b0da735698a10d64be30b4d36e5937758803a6f356c41a7392862b7de
Opcode Fuzzy Hash: 1ed1646b72c225e054776e6b9c80ad645b0125cb99d5103ec849b391657de2b4
Instruction Fuzzy Hash: 612102312092C8CFDB319F50C815BEABF79AF49394F148505D88E5FA5BC3309A45CB11

Uniqueness

Uniqueness Score: -1.00%

Function 0236F695 Relevance: 1.5, APIs: 1, Instructions: 35nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL ref: 0236F776

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: d9d5fe42c558867c47ff0812a8cb6df3d09a26546aeda0ca16a2ba3de1ef4832
Instruction ID: 77ae01bdde577acc6422c91855e0ca506adf4c7323296115b5ae423b92402c64
Opcode Fuzzy Hash: d9d5fe42c558867c47ff0812a8cb6df3d09a26546aeda0ca16a2ba3de1ef4832
Instruction Fuzzy Hash: 5D013CB16086858FD721DE58CD58AFAB7EABFD8344F14C12DDD8A8B609D7309A01CB15

Uniqueness

Uniqueness Score: -1.00%

Function 02368A05 Relevance: 1.5, APIs: 1, Instructions: 26nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,?), ref: 02368A17

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 56e16f54b69c42899c2ae2f523c582f4a80e6a8ab5c6b80d9a3094d2db55f621
Instruction ID: 4116331f52b5038fc8486ec17b82e5d2949406e238f7aadfc8e6ac2e2924ca19
Opcode Fuzzy Hash: 56e16f54b69c42899c2ae2f523c582f4a80e6a8ab5c6b80d9a3094d2db55f621
Instruction Fuzzy Hash: F3E0D83D1251CA6B8744CF21948C6AFBEFDAF5B1217514476B511EE909DA358184C316

Uniqueness

Uniqueness Score: -1.00%

Function 0236AB06 Relevance: 1.5, APIs: 1, Instructions: 12libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0236AB37

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0057671d6353e1d0ec41c7d87df063793f6ef573fe760fcfe31f83a1f728b025
Instruction ID: a803f94b5b4bd58c22709ed8bed149765c256c9004aac10f792156b270fd616f
Opcode Fuzzy Hash: 0057671d6353e1d0ec41c7d87df063793f6ef573fe760fcfe31f83a1f728b025
Instruction Fuzzy Hash: 8BD017B24493C0CFD371EFE84404A4B7E31AB32310794985EE0821FA87D770028AEB36

Uniqueness

Uniqueness Score: -1.00%

Function 02361A5F Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deaf34fbfc0284bc89a9a34986d1a08ec29e8e0fc51b643f153a9479dc3d2115
Instruction ID: 7746598e7ab1379efaaad207ec0e65b62fda9a5b070345de79f41e43aeb0ce15
Opcode Fuzzy Hash: deaf34fbfc0284bc89a9a34986d1a08ec29e8e0fc51b643f153a9479dc3d2115
Instruction Fuzzy Hash: A2817A728083C58FC7229F7888982F97FB8EF12210F14899DC0D89B667D7614547CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02361DBE Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24b4c77ad923b09a42d0c728debfd8632988641a9cdda6cbd685c1ce6ebdd6d3
Instruction ID: f6c3707ed015ad329dd25dfcf4996ef8638cc11e0119eaee177330d349cd1568
Opcode Fuzzy Hash: 24b4c77ad923b09a42d0c728debfd8632988641a9cdda6cbd685c1ce6ebdd6d3
Instruction Fuzzy Hash: 335124B18083C58FC7269F7488592FA7FB8EF16300F14899EC4C88B666E7714546DB56

Uniqueness

Uniqueness Score: -1.00%

Function 00416BA0 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 104
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaHresultCheckObj.MSVBVM60(00000000,004010A8,004024D0,00000218), ref: 00416C1C
__vbaLateMemCallLd.MSVBVM60(?,?,Add,00000002), ref: 00416C6A
__vbaVarSetVar.MSVBVM60(?,00000000), ref: 00416C78
__vbaFreeObj.MSVBVM60 ref: 00416C81
__vbaHresultCheckObj.MSVBVM60(00000000,004010A8,004024D0,000002B4), ref: 00416CA2
__vbaR8IntI4.MSVBVM60 ref: 00416CAE
__vbaFreeVar.MSVBVM60(00416CF0), ref: 00416CE9

Strings

vb.commandbutton, xrefs: 00416BF8
Add, xrefs: 00416C5D
Cmd1, xrefs: 00416C50

Memory Dump Source

Source File: 00000002.00000002.95420674121.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.95420644610.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000002.00000002.95420830163.0000000000417000.00000004.00020000.sdmpDownload File
Associated: 00000002.00000002.95420868524.0000000000419000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_171121_PDF.jbxd

Similarity

API ID: __vba$CheckFreeHresult$CallLate
String ID: Add$Cmd1$vb.commandbutton
API String ID: 305031756-2351469399
Opcode ID: 86c8c4e18875b1e6af665bd720da9b2a10bcf72e5815a6f596bb8fa22780111d
Instruction ID: f88ade7cd543f66a4aac683785c3c4feef702e574f8b5d3de027c4b2330f6eea
Opcode Fuzzy Hash: 86c8c4e18875b1e6af665bd720da9b2a10bcf72e5815a6f596bb8fa22780111d
Instruction Fuzzy Hash: 48415F71901208AFCB00DF98C948ADDBFF8FF48714F24856AE845B72A1D7759985CF94

Uniqueness

Uniqueness Score: -1.00%

Function 004011BB Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 156
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#100.MSVBVM60(VB5!6&*), ref: 00401199

Strings

VB5!6&*, xrefs: 00401194

Memory Dump Source

Source File: 00000002.00000002.95420674121.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.95420644610.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000002.00000002.95420830163.0000000000417000.00000004.00020000.sdmpDownload File
Associated: 00000002.00000002.95420868524.0000000000419000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_171121_PDF.jbxd

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 60fa8c3065fe033f1738318b9b090bc371a0b23f51cd03b96e801335617b5e4d
Instruction ID: af42044adc57a1f6c059b7c30ee1fd78fb8e6d1c82520dc48754f4d6afad53bd
Opcode Fuzzy Hash: 60fa8c3065fe033f1738318b9b090bc371a0b23f51cd03b96e801335617b5e4d
Instruction Fuzzy Hash: C641EAA248E7C05FD30387B08C656917FB4AE53228B0A86EBC4C1CF4F3D25D190ADB66

Uniqueness

Uniqueness Score: -1.00%

Function 0236D5C7 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(1AE1C299), ref: 0236BFE4

Strings

~iD, xrefs: 0236BFC5

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: ~iD
API String ID: 1029625771-1955462559
Opcode ID: 57d693f531353628a3b477cbe76b9b5da69eef17910e5efe44229ee05fd73a19
Instruction ID: 21dec3ad9c7a3004a77f102e2bfda9a6c6e846d842a2a73d83ca625eec24e6e8
Opcode Fuzzy Hash: 57d693f531353628a3b477cbe76b9b5da69eef17910e5efe44229ee05fd73a19
Instruction Fuzzy Hash: 56219F70148784DBCB31DF608848AFEBBAAAF55358F148409D889AE91AC3304A45CF25

Uniqueness

Uniqueness Score: -1.00%

Function 0236BEF6 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(1AE1C299), ref: 0236BFE4

Strings

~iD, xrefs: 0236BFC5

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: ~iD
API String ID: 1029625771-1955462559
Opcode ID: f22d72dfbe8584e41e1283b85695698eb0de99e2651c130974e8c406437ab02a
Instruction ID: 421f6105bb022120755f3195266f20e624648e62d28dd45569935bb8ec069dbc
Opcode Fuzzy Hash: f22d72dfbe8584e41e1283b85695698eb0de99e2651c130974e8c406437ab02a
Instruction Fuzzy Hash: DF017C7000E7D4AFD722DBB0981C7EEBFAA9F12358F14955A9C46AE55AC3764A01CF02

Uniqueness

Uniqueness Score: -1.00%

Function 0236BEFB Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(1AE1C299), ref: 0236BFE4

Strings

~iD, xrefs: 0236BFC5

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: ~iD
API String ID: 1029625771-1955462559
Opcode ID: 0b1f4ef82597150acb0c0035b749fdd4253229fdc8b8995d10706d9417939067
Instruction ID: ef571bde76b2d9c222f0fea9c0f546296c42b83652bf3f9b0a01038052befd64
Opcode Fuzzy Hash: 0b1f4ef82597150acb0c0035b749fdd4253229fdc8b8995d10706d9417939067
Instruction Fuzzy Hash: A8012870208698AFCB70DE64C88CBFEBAAAAF45358F009416EC49AA619C3704B01DF11

Uniqueness

Uniqueness Score: -1.00%

Function 00401194 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#100.MSVBVM60(VB5!6&*), ref: 00401199

Strings

VB5!6&*, xrefs: 00401194

Memory Dump Source

Source File: 00000002.00000002.95420674121.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.95420644610.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000002.00000002.95420830163.0000000000417000.00000004.00020000.sdmpDownload File
Associated: 00000002.00000002.95420868524.0000000000419000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_171121_PDF.jbxd

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 4e8cd71f24929f04a384fa40ee1b9263bc0f44107e98a8a096ba516acf44c8ce
Instruction ID: 7c201c1c41bf3efc9138c70f9f249352741062b138810f808ceab0e8fdd70dce
Opcode Fuzzy Hash: 4e8cd71f24929f04a384fa40ee1b9263bc0f44107e98a8a096ba516acf44c8ce
Instruction Fuzzy Hash: 00E0245194F3C01EC30712B54C211856FB08D6722532A42EB91D0DE4F7D05D4C4EC777

Uniqueness

Uniqueness Score: -1.00%

Function 0236B33D Relevance: 1.6, APIs: 1, Instructions: 72fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE ref: 0236B67C

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: f4e2f788b8c0b89ff964337a9ff2733ea7af6b8a92d9c1f22bc67d389b543f5b
Instruction ID: 612ca7143b99ee3fc91d01bb8117a6ab083d7bda49b8cb7de50dc22264852849
Opcode Fuzzy Hash: f4e2f788b8c0b89ff964337a9ff2733ea7af6b8a92d9c1f22bc67d389b543f5b
Instruction Fuzzy Hash: 9121F971608304DBD7355E348988AFDB7AEEF60309F05852E9986F7E0AE3708A41CF16

Uniqueness

Uniqueness Score: -1.00%

Function 0236B340 Relevance: 1.6, APIs: 1, Instructions: 71fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE ref: 0236B67C

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 191f3c4898debd0053b1a881641acf634ec38ccce335fb726118714705d289df
Instruction ID: 904b90ebf1e1671cdbbe935230fbed1c6501132d88f43b1e2e0e85982c03ad07
Opcode Fuzzy Hash: 191f3c4898debd0053b1a881641acf634ec38ccce335fb726118714705d289df
Instruction Fuzzy Hash: BC21E771608304DBD7355E348888AFDB7AEEF50308F05851E998AF7E0AD3704A41CF16

Uniqueness

Uniqueness Score: -1.00%

Function 0236B39C Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE ref: 0236B67C

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 119bd0f5df08b913e7755431f7bc020f5ffb80dbb7fc4b2314ecfb469711253e
Instruction ID: bda4a830d9f7d0225a14541f1c8f136d605cdfafe62aaa5879039539f004cc2c
Opcode Fuzzy Hash: 119bd0f5df08b913e7755431f7bc020f5ffb80dbb7fc4b2314ecfb469711253e
Instruction Fuzzy Hash: 4A21D371609204DBD7356E348848AFEB6AEEF10308F05851E998AF6E0AD3744A81CF23

Uniqueness

Uniqueness Score: -1.00%

Function 0236B3BA Relevance: 1.6, APIs: 1, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE ref: 0236B67C

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: e3b6cdef90bb82cff36af5f4f8512e975fefbdb7d2b57415ba763839f191e667
Instruction ID: 31c90e2d2317547d5796fb5a20e5d5fc33fcf59d3a5f72ee0377d3a5f798d5b2
Opcode Fuzzy Hash: e3b6cdef90bb82cff36af5f4f8512e975fefbdb7d2b57415ba763839f191e667
Instruction Fuzzy Hash: 4721E571548344DBD7319F6488486FEBBBAEF10314F05891E84C6BBE4AD3704981CF22

Uniqueness

Uniqueness Score: -1.00%

Function 0236B3FD Relevance: 1.6, APIs: 1, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE ref: 0236B67C

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: eb3b53fb6f6f647481d877d5f13a70bcecab48a7ac7ffc882a0eff20f206e7a1
Instruction ID: 85d11ef06cad1d24fe558943eb78017caca6ff8048ab45a84d9ae177b8bf2c0b
Opcode Fuzzy Hash: eb3b53fb6f6f647481d877d5f13a70bcecab48a7ac7ffc882a0eff20f206e7a1
Instruction Fuzzy Hash: 8711A571549304DBD7216E2489886FDB7ADDF10204F45892E998AFBA0AD3744A81CF63

Uniqueness

Uniqueness Score: -1.00%

Function 0236B50D Relevance: 1.5, APIs: 1, Instructions: 36fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE ref: 0236B67C

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 92adf7d8b0cf98552cb709ca7e6e0ddbd010713ed85e3940d9d3d956d05032d0
Instruction ID: ef801e551fa7093dcecafc43037d687ee6bd2b0d209a602ec613df34177fc98f
Opcode Fuzzy Hash: 92adf7d8b0cf98552cb709ca7e6e0ddbd010713ed85e3940d9d3d956d05032d0
Instruction Fuzzy Hash: 23F0F971845244DBD7309E38C988AFE76EEEF04305F05851B9989FB70DD2708641CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0236B541 Relevance: 1.5, APIs: 1, Instructions: 34fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE ref: 0236B67C

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: af5a0ec251ba285eb4c2f5fcc5f7d4c3128bef85e62d7c4a24cd94df22664a2b
Instruction ID: 379749a122b72a10e259456c0b3ba3945b5f44e3bd2c9f6cf6a1a4ce514ff890
Opcode Fuzzy Hash: af5a0ec251ba285eb4c2f5fcc5f7d4c3128bef85e62d7c4a24cd94df22664a2b
Instruction Fuzzy Hash: F3F0C871445158DBD7309E38C948AFE77EEAF04305F05852B9989FB709D7708641CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0236B5AD Relevance: 1.5, APIs: 1, Instructions: 23fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE ref: 0236B67C

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 0f7061ce7ec2c9980a7ce6070be0d3ec452d6640e8782201e0de56ecb6d1eaf6
Instruction ID: dc5382a4158a573dfdd978b4499ad0d89c71b0ffb8ae02b20dba9235daf36a3c
Opcode Fuzzy Hash: 0f7061ce7ec2c9980a7ce6070be0d3ec452d6640e8782201e0de56ecb6d1eaf6
Instruction Fuzzy Hash: 4DF0A031898158DBD7205E748508AEEBBA8FF14201F0A481A8CC9FB609D7B0C980CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0236B5E8 Relevance: 1.5, APIs: 1, Instructions: 20fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE ref: 0236B67C

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 4cd2aec42154dc64c7b6aff9b7e2f1b8649bef3c3d873b5db2a081e53b403b04
Instruction ID: da3c7352f7e06dd645003579c0be1527b5415f63f87d5fd3165af9b620e31157
Opcode Fuzzy Hash: 4cd2aec42154dc64c7b6aff9b7e2f1b8649bef3c3d873b5db2a081e53b403b04
Instruction Fuzzy Hash: 1CE04F31899154EFDB309E74C948AFE76A8FF10201F4A45299CC5FB295C7B089818FA5

Uniqueness

Uniqueness Score: -1.00%

Function 0236A1FA Relevance: 1.5, APIs: 1, Instructions: 19libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0236AB37

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 624066f5884a5a8763813083cf81a7c2e165c8680da2509c735e8c2b82d79627
Instruction ID: b2b22dbbf346fa1ec5aada1938e72ff4a1ddf63f3ca67304390697af9b8c73e8
Opcode Fuzzy Hash: 624066f5884a5a8763813083cf81a7c2e165c8680da2509c735e8c2b82d79627
Instruction Fuzzy Hash: F3E07DB240C2C45ED3115B6C88442EE3F18A753B107A5C24DC0925B5CFC6210202F7F2

Uniqueness

Uniqueness Score: -1.00%

Function 0236B619 Relevance: 1.5, APIs: 1, Instructions: 17fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE ref: 0236B67C

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d07a0f0660d20d61ea79881b08ce5f2b72ee7d8dc448ce8e19c11b54a837dc13
Instruction ID: a711155d887d17d1bcd4205563d6303c5aefca275e026e4284162495ad121a0f
Opcode Fuzzy Hash: d07a0f0660d20d61ea79881b08ce5f2b72ee7d8dc448ce8e19c11b54a837dc13
Instruction Fuzzy Hash: E2E08C31829258DBDB30AE20CC48AED73A8FF10301F05042A9888AB250CBB099418FA5

Uniqueness

Uniqueness Score: -1.00%

Function 0236B66D Relevance: 1.5, APIs: 1, Instructions: 7fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE ref: 0236B67C

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: f72a1cc11805a60fd870e32b0ad0d62b864aa7e363c3df7fb791dfcdffa0d56f
Instruction ID: 697cdcaeb78753e3388d6a2b5f42ec4d6a25c9fa1d501708c7e3d8a3206a3565
Opcode Fuzzy Hash: f72a1cc11805a60fd870e32b0ad0d62b864aa7e363c3df7fb791dfcdffa0d56f
Instruction Fuzzy Hash: 68B092319A626ACEFB309E689C44BDA36589F21300F0240315C08EB141CAB19D418AA0

Uniqueness

Uniqueness Score: -1.00%

Function 023696B7 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE ref: 023696B7

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: c0afe43128711c10c1f3279f9138c5eb041f0334a379efdb483d156338410906
Instruction ID: aac19403dbea7a5cd6293e8fc350dc81ea41ad7e5d5d68f215ab341cd10a786c
Opcode Fuzzy Hash: c0afe43128711c10c1f3279f9138c5eb041f0334a379efdb483d156338410906
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 02367F16 Relevance: 1.4, APIs: 1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6701051800404775ebc5985b7fd4b3ea37ba8433769fc91943c8f6c5a051e480
Instruction ID: b0884cc78ee65ec6ee1c670c1ebb549136b52b57cc4cc96f26edf6d3b910a9bf
Opcode Fuzzy Hash: 6701051800404775ebc5985b7fd4b3ea37ba8433769fc91943c8f6c5a051e480
Instruction Fuzzy Hash: BF41443201C3469FCB668F30CC4AAB8FBB9FF16714F188A5DD8954B997D3216056CB86

Uniqueness

Uniqueness Score: -1.00%

Function 02368AEC Relevance: 1.4, APIs: 1, Instructions: 112sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE ref: 02368D72

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 0a6802aca7557838e0ed1390658d0733b80a36c18f6f99765d3e946c0e89bd04
Instruction ID: b6a674d5b65b209f8c4697c533151413a5ba225b66c9e3be26caa42f3c1fc985
Opcode Fuzzy Hash: 0a6802aca7557838e0ed1390658d0733b80a36c18f6f99765d3e946c0e89bd04
Instruction Fuzzy Hash: 3A410175009289DFCF7A6F34DC58AECBBB6FF18314F058519D9998B51AC3320699CB42

Uniqueness

Uniqueness Score: -1.00%

Function 023681D4 Relevance: 1.3, APIs: 1, Instructions: 77sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE ref: 02368D72

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 57afa0a398aa11df66fa3bc981b21b7e99f5b9fc50bf280cc59a90cba119a774
Instruction ID: d032243d3e0e3fc52321585e397cb24a4c847a93fedee48995f06464ae510396
Opcode Fuzzy Hash: 57afa0a398aa11df66fa3bc981b21b7e99f5b9fc50bf280cc59a90cba119a774
Instruction Fuzzy Hash: 5A216835018388DBCF266F60AC885FCBFB9FF1D310F154419E9850A80BC3324599CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02368A77 Relevance: 1.3, APIs: 1, Instructions: 68sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE ref: 02368D72

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: fef98fbfdc8ac9e5c6d7e60ec6bbeabb1e8f011517b71136ce83d31bf8c29886
Instruction ID: a5f0e0828a380bac93ae54736e4119640b31839c1bc787d9777221cc687d8ed3
Opcode Fuzzy Hash: fef98fbfdc8ac9e5c6d7e60ec6bbeabb1e8f011517b71136ce83d31bf8c29886
Instruction Fuzzy Hash: EE21063100828ACFCB665F38CC097ECBBB5BF05714F148669D9949A456C33245A9CF42

Uniqueness

Uniqueness Score: -1.00%

Function 02367A72 Relevance: 1.3, APIs: 1, Instructions: 62sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE ref: 02368D72

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: a8074036657c86605386923733c272db6dd469ce90789a7a6e80d746f4985718
Instruction ID: e387c8dbc8e6b23e7aa8935fb7cdc452df2db60aa376eba6ee7dea7b718a03fc
Opcode Fuzzy Hash: a8074036657c86605386923733c272db6dd469ce90789a7a6e80d746f4985718
Instruction Fuzzy Hash: AD21DE320092888BCB262F34CC08AFCBBA5FF16310F198659D9914A0A6C7328599DB86

Uniqueness

Uniqueness Score: -1.00%

Function 02368D1D Relevance: 1.3, APIs: 1, Instructions: 26sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE ref: 02368D72

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 925591e5255f357b731162b300754998fea45dba551c36effb1a3da38608406f
Instruction ID: 306efc7a33301fc37609b62e7ae08e3f11428ce79db8cd38172d6bba6170635e
Opcode Fuzzy Hash: 925591e5255f357b731162b300754998fea45dba551c36effb1a3da38608406f
Instruction Fuzzy Hash: E4F08C3109C249CBCB6A3F3488096FCFBB5FF11700F25882CD9C596816C73246898F86

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0236E59E Relevance: 4.4, Strings: 3, Instructions: 679COMMON

Download Yara Rule

Strings

xs T, xrefs: 0236E7E4
oja:, xrefs: 0236F381
TG-F, xrefs: 0236ED5A

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID: TG-F$oja:$xs T
API String ID: 3389902171-2920937423
Opcode ID: 9e54541e5fce6fcdeb2816a74887ac58870364969fef084744e6eecb4ccffc82
Instruction ID: edd709a64a0cd5a776dbedfd05fc7362c50d0c25d90d5abc4d294ef293d909bc
Opcode Fuzzy Hash: 9e54541e5fce6fcdeb2816a74887ac58870364969fef084744e6eecb4ccffc82
Instruction Fuzzy Hash: 3742E4755083858FCB35CF38C89C7FA7BA9AF52314F55C19AC89A8FA9AD3308506C712

Uniqueness

Uniqueness Score: -1.00%

Function 0236E5EC Relevance: 2.8, Strings: 2, Instructions: 317COMMON

Download Yara Rule

Strings

xs T, xrefs: 0236E7E4
TG-F, xrefs: 0236ED5A

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID: TG-F$xs T
API String ID: 2706961497-2826639612
Opcode ID: f331a96151e7f3e5db4fbe2402f59eaccb52cf8b4402ebfceaa9bd57c2afeb94
Instruction ID: a3de87199b37a2acc0cd255a1a5cf3e8f0eaf36dbb073527ccda1d4b617a0808
Opcode Fuzzy Hash: f331a96151e7f3e5db4fbe2402f59eaccb52cf8b4402ebfceaa9bd57c2afeb94
Instruction Fuzzy Hash: E7D1B3655083C58FCB35CF38C89CBA67BD96F52220F19C29AC89A8F5ABD374454AC713

Uniqueness

Uniqueness Score: -1.00%

Function 0236E629 Relevance: 2.8, Strings: 2, Instructions: 310COMMON

Download Yara Rule

Strings

xs T, xrefs: 0236E7E4
TG-F, xrefs: 0236ED5A

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID: TG-F$xs T
API String ID: 2706961497-2826639612
Opcode ID: ff141ac1576d6412a07127cfc266af0f001cfbe9e8270e323faf97388b79cb3b
Instruction ID: d1c0641322ebda5f5c137cbba91b4b12fde876806e27c939929a7c053fcc7998
Opcode Fuzzy Hash: ff141ac1576d6412a07127cfc266af0f001cfbe9e8270e323faf97388b79cb3b
Instruction Fuzzy Hash: 80D1C4655083C58FCB35CF38C89CBA67BD9AF52220F19C29AC89A4F5ABD374454AC713

Uniqueness

Uniqueness Score: -1.00%

Function 0236E665 Relevance: 2.8, Strings: 2, Instructions: 308COMMON

Download Yara Rule

Strings

xs T, xrefs: 0236E7E4
TG-F, xrefs: 0236ED5A

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID: TG-F$xs T
API String ID: 2706961497-2826639612
Opcode ID: ed5a1dd5ac680cf5cbba7a48185afb6f279e4e1c915d245b037461df1137c04f
Instruction ID: c4f9e872fae4374ba43859e50d479c8b9e4a152931772c02d54eaa11aba548ec
Opcode Fuzzy Hash: ed5a1dd5ac680cf5cbba7a48185afb6f279e4e1c915d245b037461df1137c04f
Instruction Fuzzy Hash: CBD1C32540C3C58ECB36CF38889DBA67FDA6F52220F59C29AC89A4F59BD374414AC717

Uniqueness

Uniqueness Score: -1.00%

Function 0236E6CD Relevance: 2.8, Strings: 2, Instructions: 292COMMON

Download Yara Rule

Strings

xs T, xrefs: 0236E7E4
TG-F, xrefs: 0236ED5A

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID: TG-F$xs T
API String ID: 2706961497-2826639612
Opcode ID: 8454e73eb01a0cee21c77c09f66041c3b28802374ab27b78d0368915ad1203a5
Instruction ID: a507745648048acf7011a85f398eedc93cc79b86305a5e5bac23877429a50fc8
Opcode Fuzzy Hash: 8454e73eb01a0cee21c77c09f66041c3b28802374ab27b78d0368915ad1203a5
Instruction Fuzzy Hash: 65C1C3255083C58ECB35CF38C89CBA67FDA6F52220F59C29AC89A4F5ABD374414AC717

Uniqueness

Uniqueness Score: -1.00%

Function 0236E6F9 Relevance: 2.8, Strings: 2, Instructions: 289COMMON

Download Yara Rule

Strings

xs T, xrefs: 0236E7E4
TG-F, xrefs: 0236ED5A

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID: TG-F$xs T
API String ID: 2706961497-2826639612
Opcode ID: ae471aaba8c3bdb66088603f9ad9dc32901db74fec8c900afbc207a33172220d
Instruction ID: c88f44d5e651a5285f0fa7e338a5425f50754bd917298f067eee30671b03fd64
Opcode Fuzzy Hash: ae471aaba8c3bdb66088603f9ad9dc32901db74fec8c900afbc207a33172220d
Instruction Fuzzy Hash: 02C1B3255083C58ECB36CF38C89CBA67FD96F52220F59C29AC89A4F5ABD374414AC717

Uniqueness

Uniqueness Score: -1.00%

Function 0236E734 Relevance: 2.8, Strings: 2, Instructions: 283COMMON

Download Yara Rule

Strings

xs T, xrefs: 0236E7E4
TG-F, xrefs: 0236ED5A

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID: TG-F$xs T
API String ID: 2706961497-2826639612
Opcode ID: 18a5481a87d4143e8c30b5e9b52d69514ef89c2073f565378767924e90ce1919
Instruction ID: 1ab6b358113df995e72126555dd52c4c321d29b520bc061ef2a63e109a7a61b4
Opcode Fuzzy Hash: 18a5481a87d4143e8c30b5e9b52d69514ef89c2073f565378767924e90ce1919
Instruction Fuzzy Hash: E1C1B3255083C58ECB35CF38C89CBA67FDA6F52220F59C29AC89A4F5ABD374414AC717

Uniqueness

Uniqueness Score: -1.00%

Function 0236E76E Relevance: 2.8, Strings: 2, Instructions: 283COMMON

Download Yara Rule

Strings

xs T, xrefs: 0236E7E4
TG-F, xrefs: 0236ED5A

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID:
String ID: TG-F$xs T
API String ID: 0-2826639612
Opcode ID: 533014a9c16c18a50f172478e61148e3d5d74b82139ad0eb0d9bf995b73b4ac7
Instruction ID: afaa3a8e60bd71afe2fe2de40233e5513de125d748b5679abec9bebf901c17f4
Opcode Fuzzy Hash: 533014a9c16c18a50f172478e61148e3d5d74b82139ad0eb0d9bf995b73b4ac7
Instruction Fuzzy Hash: 6DC1B22550C3C18EDB32CF38889CBA67FD66F52220F49C29AC89A4F5ABD374414AC717

Uniqueness

Uniqueness Score: -1.00%

Function 0236E819 Relevance: 1.5, Strings: 1, Instructions: 261COMMON

Download Yara Rule

Strings

TG-F, xrefs: 0236ED5A

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID:
String ID: TG-F
API String ID: 0-2943050470
Opcode ID: f7e8a0c6bee2915afe6aabd9d69ab1411135d86f209b06907a63be872e94cefa
Instruction ID: 5c84f5d24ec982757e13146f126625de4ece30a72ffa3941995f0498fda1dfe8
Opcode Fuzzy Hash: f7e8a0c6bee2915afe6aabd9d69ab1411135d86f209b06907a63be872e94cefa
Instruction Fuzzy Hash: 4FB1A22550C3C58ECB35CF38889CBA67FDA6B52220F59C29AC89A4F5ABD374414AC717

Uniqueness

Uniqueness Score: -1.00%

Function 0236E844 Relevance: 1.5, Strings: 1, Instructions: 259COMMON

Download Yara Rule

Strings

TG-F, xrefs: 0236ED5A

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID:
String ID: TG-F
API String ID: 0-2943050470
Opcode ID: f2e225a5557ec388d035185e65395ae1d2c47942b08b487237cb84eafb7d3224
Instruction ID: 294bc2d6791e6a969fb2766299afc4bc9fe3c088ffcff469cc79225792af2a97
Opcode Fuzzy Hash: f2e225a5557ec388d035185e65395ae1d2c47942b08b487237cb84eafb7d3224
Instruction Fuzzy Hash: 0BB1B22550C3C58ECB35CF38889CBA67FDA6F52220F59C29AC89A4F5ABD374414AC717

Uniqueness

Uniqueness Score: -1.00%

Function 02360A5C Relevance: 1.5, Strings: 1, Instructions: 221COMMON

Download Yara Rule

Strings

,qp$, xrefs: 02360CC5

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: ,qp$
API String ID: 1029625771-2377076954
Opcode ID: 3a6ea12f1679e3a79602be95117d920597d8ad43a665947770670afd515bbca4
Instruction ID: 119afc0902855f6f7b72363bdb9ad86a9d2d4db63eaf6c287cba7819e7399302
Opcode Fuzzy Hash: 3a6ea12f1679e3a79602be95117d920597d8ad43a665947770670afd515bbca4
Instruction Fuzzy Hash: F871EE7281C3858FC3198F74889E1B9BBA9BB12314F54C99EC9C18FA4BD761844BCB52

Uniqueness

Uniqueness Score: -1.00%

Function 0236330D Relevance: 1.4, Strings: 1, Instructions: 165COMMON

Download Yara Rule

Strings

:B?&, xrefs: 02363477

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID:
String ID: :B?&
API String ID: 0-1193226678
Opcode ID: e4ab62abb44269dd9d870e56d1e6217136b3d75f1e00fdea6f6687777aa0fda8
Instruction ID: c8bc0cb6cd8e93b808c59fa72bebdf170ce007a7127fa06e9945b385ba256aaa
Opcode Fuzzy Hash: e4ab62abb44269dd9d870e56d1e6217136b3d75f1e00fdea6f6687777aa0fda8
Instruction Fuzzy Hash: 3B513672A08288CFDB318E25CC8C7FAB7EAEF98750F55805DDC4D9761AD7714A41CA41

Uniqueness

Uniqueness Score: -1.00%

Function 0236272C Relevance: .5, Instructions: 463COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6690f50c9312fba0250a7336f078444cdbb16ada7789d82bfb055eae2a554299
Instruction ID: 1b145b783ebfedf721b8d33865640370a354c158ce53672266e3f909e1731f00
Opcode Fuzzy Hash: 6690f50c9312fba0250a7336f078444cdbb16ada7789d82bfb055eae2a554299
Instruction Fuzzy Hash: 99F1B8729082858FD7268F34884D6FA7BBDEF02310F218AAED9908F597D7308546CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0236D698 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: afebeab93fac1bdd5688cf52e1255c9d753ea20a36ac4581508fc95405916abd
Instruction ID: a9673c7906e225823715551a94238b190dfed29d32b0bc5eecf3ff315701824d
Opcode Fuzzy Hash: afebeab93fac1bdd5688cf52e1255c9d753ea20a36ac4581508fc95405916abd
Instruction Fuzzy Hash: 32A1D071608249DFDB349E25C98D7FA77BEAF95340F15C02ACC4A8BA19D7305A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02367463 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1cc9359e3ee92ab53e1f4fe62f0acfc878525d83089c8000f0be342e46f6f41
Instruction ID: 02ea7d5243a4aaabe9e6fb6376e1c169e21865faa5f45512e9326e91f68c8b4e
Opcode Fuzzy Hash: c1cc9359e3ee92ab53e1f4fe62f0acfc878525d83089c8000f0be342e46f6f41
Instruction Fuzzy Hash: BE619B7250C2828FD3228F38880D3F5FFA9FB5121CFA58A99C5A19B597D730844BCB95

Uniqueness

Uniqueness Score: -1.00%

Function 02364819 Relevance: .2, Instructions: 189libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(1AE1C299), ref: 0236BFE4

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b49a8a561d453542ecced20594aec47b85a42442f0d68dbb115246ff38d9aff5
Instruction ID: 7a2f7bdd2de749fe471326a93a298596e5e0e7b2d5dec68de257371ca34117a2
Opcode Fuzzy Hash: b49a8a561d453542ecced20594aec47b85a42442f0d68dbb115246ff38d9aff5
Instruction Fuzzy Hash: AC81EE359083499FCB349E25C9897FEB7EAEF94300F41881EDD8A87656C7308A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0236D66F Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f240d23d4925602c8667ba8727a06c5dcab915b48267a4ecf351759f53c0b464
Instruction ID: 7e371dbe7fbaef8d6858bb5737ce7cda6c00fbafbb44b796d10a71574b3cac0d
Opcode Fuzzy Hash: f240d23d4925602c8667ba8727a06c5dcab915b48267a4ecf351759f53c0b464
Instruction Fuzzy Hash: 65613271608249CFDB34CE25C94D7FAB7BEAF55340F10C11ACC8A8BA5AD3305A81CB82

Uniqueness

Uniqueness Score: -1.00%

Function 02369784 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 5c25d0b3ffb5a6aea68954858b93c9f8588a544eaf0abaa2fe1493046ceadc74
Instruction ID: 723a5e3f8d42f36fdd24b3b6ba436f61587424fd2369d242ebcb8729d645a9d3
Opcode Fuzzy Hash: 5c25d0b3ffb5a6aea68954858b93c9f8588a544eaf0abaa2fe1493046ceadc74
Instruction Fuzzy Hash: 105156764083888FC7758F74C8993EABBB9FF16320F244A5AC9A5DAA97D3344446CB11

Uniqueness

Uniqueness Score: -1.00%

Function 023648DD Relevance: .2, Instructions: 163libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(1AE1C299), ref: 0236BFE4

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4e20730c14b86e5a5bed2215f6137a2eee15eb07a4fceac1d0bc43a990196613
Instruction ID: 1b19f6f89f02589bc0caa3a16b56e92c65bbc791d36df1c370b051cba09834f3
Opcode Fuzzy Hash: 4e20730c14b86e5a5bed2215f6137a2eee15eb07a4fceac1d0bc43a990196613
Instruction Fuzzy Hash: 2261D031908348EFDB349E25C9897FFB7BAAF94340F41841EDD8A87616C7309A81CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0236DA30 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78818622be4586ef25332df433d6954aa3c813f88a288513509018d83b88fbe6
Instruction ID: ac739684965f189fb1f7af2f9049108f63fa89c080702ba44377ccb889ce5773
Opcode Fuzzy Hash: 78818622be4586ef25332df433d6954aa3c813f88a288513509018d83b88fbe6
Instruction Fuzzy Hash: 12510471648289CBDB34CE24C94C7FA7BBAEF55340F10C11ADC8A8BA5DC3309681CB56

Uniqueness

Uniqueness Score: -1.00%

Function 0236D71E Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 305447bcee7da2e52235cd681ebbf663f6f532c7d9fafecbbae7e35b03401258
Instruction ID: a3d4516898157e62d28c2b416d95aa997c0b3a0591c5279f4a9b65df5b51db79
Opcode Fuzzy Hash: 305447bcee7da2e52235cd681ebbf663f6f532c7d9fafecbbae7e35b03401258
Instruction Fuzzy Hash: 0B51C17260824DDBDB34DE25C98D7FA77BEAF58340F15C11ACC4A8BA19D3305A85CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0236DBC5 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22eac137611daf6930f21d32f2df13c95d8e7e54db472528bc9f2d27f19fb9af
Instruction ID: 2ce53b4e46bcdd619fa6a78236e4421f67c466a973b3c108cffbdfae293087e8
Opcode Fuzzy Hash: 22eac137611daf6930f21d32f2df13c95d8e7e54db472528bc9f2d27f19fb9af
Instruction Fuzzy Hash: A451F271648289CFDB34CF24C88D7FA7BBAAF55340F15C11AC88A8BA19D3305681CB56

Uniqueness

Uniqueness Score: -1.00%

Function 0236D758 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4ceba02aea663d3b0d4c3c637d657eaa76ec5652c4217849ced9eebdc67cc51d
Instruction ID: 0b489f3d215d20b2335da7cace87d1543d22762e5cd9a10228122f4687989a7a
Opcode Fuzzy Hash: 4ceba02aea663d3b0d4c3c637d657eaa76ec5652c4217849ced9eebdc67cc51d
Instruction Fuzzy Hash: 8351B17264824DDBDB34DE25C98D7FA77BEAF58340F15C11ACC4A8BA19D3305A85CB82

Uniqueness

Uniqueness Score: -1.00%

Function 02367005 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dc53da47d7a08c9219707005f94e5080251094a24f02c1cc1eb344e836888eb
Instruction ID: 9c46a981283c321eb452d2652536b655d2ed9843fc2eab493851414bb987f23d
Opcode Fuzzy Hash: 3dc53da47d7a08c9219707005f94e5080251094a24f02c1cc1eb344e836888eb
Instruction Fuzzy Hash: D951F2312453499FDB34CE1589AC7FAB6BAEF59708FD8811A8D4A4B609C330A640CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00405395 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.95420674121.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.95420644610.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000002.00000002.95420830163.0000000000417000.00000004.00020000.sdmpDownload File
Associated: 00000002.00000002.95420868524.0000000000419000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_171121_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddfa1e2126db24b7a54a272fe4ce32455352fcfc5afebec1f3adba33ceec1b84
Instruction ID: a6ea1aa60396d634613261b6997d55d7790720d0167aca9184c63197e1827c53
Opcode Fuzzy Hash: ddfa1e2126db24b7a54a272fe4ce32455352fcfc5afebec1f3adba33ceec1b84
Instruction Fuzzy Hash: D74146311CEAD195C722DB78A6E46D3FFB0ED0621833D5ADEC0D15AA43D220E14ACF91

Uniqueness

Uniqueness Score: -1.00%

Function 02366FD9 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10a32cb04a8d3e3afe0e60e6ad01a018951e61b603c95d619379f1d1366b1c86
Instruction ID: 860baeb81d0b65f3ae637f746f3fd92e7f1d12f973f29fccb0ff29dd4c4d712d
Opcode Fuzzy Hash: 10a32cb04a8d3e3afe0e60e6ad01a018951e61b603c95d619379f1d1366b1c86
Instruction Fuzzy Hash: 5251E171644384CFDB34CE25C9986FAB7F6EF58708FD8851EC94A4B609C730A640CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0236D855 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61a6f72e0ba72bc432f3238a3256fa6993081265a11d5c91502341aa1897aa52
Instruction ID: 3909a40c9fdf933a10d47d0c6b6fb265370b16098b090858c0a43d863b7810fe
Opcode Fuzzy Hash: 61a6f72e0ba72bc432f3238a3256fa6993081265a11d5c91502341aa1897aa52
Instruction Fuzzy Hash: 8451D07164828DDBDB34CE25C98D7FA77BAAF58340F15C11ACC8A8BA19C3306681CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0236D89D Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c16778567d2b2c3b305e164b99efe8135f354af021a89474ffb673d931403087
Instruction ID: bcd4f744ae0fbcb8196ead6603e162e07c9f2cf577be771d911efc407498250f
Opcode Fuzzy Hash: c16778567d2b2c3b305e164b99efe8135f354af021a89474ffb673d931403087
Instruction Fuzzy Hash: C951CE7164828DDBDB34DE25C98D7FA77BEAF54340F15C11ACC8A8BA19C3306A81CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0236D989 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 698b6dfe4a3aad258947946d7ead03f9653c011f906f9837f128bd32ce873031
Instruction ID: df39a9203e90e515799f85505a59b7b1cd5a8696877e17e23a977e9d8500bb05
Opcode Fuzzy Hash: 698b6dfe4a3aad258947946d7ead03f9653c011f906f9837f128bd32ce873031
Instruction Fuzzy Hash: 2D51BE7164828DDBDB34DE25C98D7FA77BEAF54340F15C11ACC8A8BA19C3306681CB46

Uniqueness

Uniqueness Score: -1.00%

Function 0236D9D1 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fe5b635362ca2dae788e59d39370c3735985e4be5ad958376af25b7dfff2e18
Instruction ID: 4d5ce7c47d5ffdb85bc33bea491c4a13e263b600c937734d15152bf643bcc694
Opcode Fuzzy Hash: 2fe5b635362ca2dae788e59d39370c3735985e4be5ad958376af25b7dfff2e18
Instruction Fuzzy Hash: FE51CE7164828DDBDB34DE25C98D7FA77BEAF54340F15C11ACC8A8BA19C3306A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02364A41 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 736329a274195ce185861daaeefb96a5b44308733e1e9fb39fc625224ddc77da
Instruction ID: f80b193eee4fea9c70745e58769e7354295b59b61717e943fd8d1b31008f2bc7
Opcode Fuzzy Hash: 736329a274195ce185861daaeefb96a5b44308733e1e9fb39fc625224ddc77da
Instruction Fuzzy Hash: E741C135908388DFDB309F25C9897EBB7BAEF91340F55C51E8D8987226C7349981CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0236702D Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86211384a82839369e5ede4fe902d7796e954b5b99675d3ba7a5420e0b4fd398
Instruction ID: 1aa1cf4d66180f469e3eabc84827128722f69c86a5b51719ea11c91a105c6c9e
Opcode Fuzzy Hash: 86211384a82839369e5ede4fe902d7796e954b5b99675d3ba7a5420e0b4fd398
Instruction Fuzzy Hash: D441C2312443459FDB34CE15C9A86FAB7F6EF59708FE8811EC94E5B649C330A640CB96

Uniqueness

Uniqueness Score: -1.00%

Function 02364A81 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72c316ce28be51e235c4b8899aea3cb24570f3793c90a2966c8184f3f5131e19
Instruction ID: a8e4df98e4451399d07d8379932c8599ec6a088da55e605f27010d00ed475e6e
Opcode Fuzzy Hash: 72c316ce28be51e235c4b8899aea3cb24570f3793c90a2966c8184f3f5131e19
Instruction Fuzzy Hash: B941C035908388DFDB349F25C9897EFB7BAAF95340F11C52E9D8987226C7349981CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00405A7F Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.95420674121.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.95420644610.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000002.00000002.95420830163.0000000000417000.00000004.00020000.sdmpDownload File
Associated: 00000002.00000002.95420868524.0000000000419000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_171121_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e34436cc67429fb65084dd4df6dbd5c38cfcd05c41577f2c8a05c996be513182
Instruction ID: df235acb1f07602ac1940a3628c275a89387a192458c2b18f1c45a0e22d9b8bc
Opcode Fuzzy Hash: e34436cc67429fb65084dd4df6dbd5c38cfcd05c41577f2c8a05c996be513182
Instruction Fuzzy Hash: 9431F7321DD99055C631DA7C9AA46E3FBB0DC0A12437E89DBC0D1A9747D150F146CD90

Uniqueness

Uniqueness Score: -1.00%

Function 00406A36 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.95420674121.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.95420644610.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000002.00000002.95420830163.0000000000417000.00000004.00020000.sdmpDownload File
Associated: 00000002.00000002.95420868524.0000000000419000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_171121_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbb61b717a4a871aaf52add14cf808cd21c27587c5183f7a8ff5fa115d16b8a6
Instruction ID: 6d6d9c208e3e8842e418d43e7cc4a5c8ab895ec131689eb0fcf70fc51be859e2
Opcode Fuzzy Hash: fbb61b717a4a871aaf52add14cf808cd21c27587c5183f7a8ff5fa115d16b8a6
Instruction Fuzzy Hash: D331C1326CA69056CB21DB7996A56D3FFF1DD0611837E989BC0D29A707D210F50ACF81

Uniqueness

Uniqueness Score: -1.00%

Function 02364AE4 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a51230c8191efc611dc907eb77165e4f4582038edf028bffc777d903f97dab1
Instruction ID: 806545c526d57145fe556e3ca4251f8221739c5f107c1c886e54b2016006208b
Opcode Fuzzy Hash: 2a51230c8191efc611dc907eb77165e4f4582038edf028bffc777d903f97dab1
Instruction Fuzzy Hash: F541DF369083889FDB309F35C9897EBB7BAAF90300F11C91E8DD987226D7349581CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02364B2E Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4d9f3bf9bbedc28e89d58109357f05ffc8ac6777fb3452a5b0ca55548f565fa
Instruction ID: 8314dbffb6a39a04ac7d3c5159ca063ca684bface2e6fec7c7fc63ab2796f07b
Opcode Fuzzy Hash: b4d9f3bf9bbedc28e89d58109357f05ffc8ac6777fb3452a5b0ca55548f565fa
Instruction Fuzzy Hash: 2631E032908384DFD7309F7589497EBBBBAAF61340F15891EDDC997616C3309486CB12

Uniqueness

Uniqueness Score: -1.00%

Function 02364C32 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdf40409105280c446f57738a16c8acd2b60af73f5953a8d4f29cbaaf0f477f1
Instruction ID: ac84aa03db8d323068b6a9dd2c63bf1cbda585bf1f3df0662a5b1dde26bfe4c6
Opcode Fuzzy Hash: cdf40409105280c446f57738a16c8acd2b60af73f5953a8d4f29cbaaf0f477f1
Instruction Fuzzy Hash: 6431F132908384DFD7309F7488097ABBBBAAF91350F06891ED9D6676A6C3704086CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02364BB4 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfbf909ba3063c2247537e466d3eb1560fe567a0b09991017b07f02ca78ef5f7
Instruction ID: dd86d24084ef7d651d92b9337156a038d91ba1dff0124bb34a7d539c56aae41f
Opcode Fuzzy Hash: dfbf909ba3063c2247537e466d3eb1560fe567a0b09991017b07f02ca78ef5f7
Instruction Fuzzy Hash: 1F21E236908348DFDB34AF3589097ABB7EAAF90340F16C91E9DC993666D3349481CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0040721E Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.95420674121.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.95420644610.0000000000400000.00000002.00020000.sdmpDownload File
Associated: 00000002.00000002.95420830163.0000000000417000.00000004.00020000.sdmpDownload File
Associated: 00000002.00000002.95420868524.0000000000419000.00000002.00020000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_171121_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15834e53a2a19bcf1de4f409aff727f0c196484e4bbf55940e25dc89a41e66c2
Instruction ID: a483147d1e2fa76e5cde8dc1b193befe57f493faf733702a5982777ecfb72492
Opcode Fuzzy Hash: 15834e53a2a19bcf1de4f409aff727f0c196484e4bbf55940e25dc89a41e66c2
Instruction Fuzzy Hash: 8F0112221CD6A111CA61EA78D7A4AD7FBF08D0A01477EA9DBC0D1A5B07D101F54ACD91

Uniqueness

Uniqueness Score: -1.00%

Function 0236C982 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975061465194cda268d7fcf1ad8779e68bf434ac311aa3d4c0419eda6ab156c9
Instruction ID: 1d49864a77024c7733887f3db183ba84ff8f296c99ffa12190a9f7d6de559b22
Opcode Fuzzy Hash: 975061465194cda268d7fcf1ad8779e68bf434ac311aa3d4c0419eda6ab156c9
Instruction Fuzzy Hash: DF115B71650745CFC720CF19C9DCFEAB3A9BB58340F01996BC99A8B71AD331EA40CA21

Uniqueness

Uniqueness Score: -1.00%

Function 023640AA Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0245025f8a0f38c0cd6f96d0222ce9d429d7178478981045d68e2f97f64c6993
Instruction ID: 47c1484aef735aafc596885f238c3f28625c94ad1c856f603d8cd8c2be695e8f
Opcode Fuzzy Hash: 0245025f8a0f38c0cd6f96d0222ce9d429d7178478981045d68e2f97f64c6993
Instruction Fuzzy Hash: 52C012C2D5C12869697226B8561D2A8681D4AA6660B00C2502D05AAE0DE4928D874598

Uniqueness

Uniqueness Score: -1.00%

Function 023696BF Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07b1805490ec913ada3960bb4895aecee439d7037e57c98862b62a2d76bfb909
Instruction ID: faf5c84bfd82d314ed9d2de2451c6eec3daf283e97258214da88fc7e5edfd3fe
Opcode Fuzzy Hash: 07b1805490ec913ada3960bb4895aecee439d7037e57c98862b62a2d76bfb909
Instruction Fuzzy Hash: 09D012722615C4CFEF15DB18C8917A073A8F753B15F1C19D4D1428F649C95CA801CA00

Uniqueness

Uniqueness Score: -1.00%

Function 0236BEA2 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2360000_171121_PDF.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a785c2a620c5eda7a528560d83b6cb4ef67904fdd379f4fe76bec28096aec66
Instruction ID: 7b592b6eece59378a5c697f7e34b0985d2936be1bca5d19eb79ac1589d362ef8
Opcode Fuzzy Hash: 3a785c2a620c5eda7a528560d83b6cb4ef67904fdd379f4fe76bec28096aec66
Instruction Fuzzy Hash: DFB092362516408FCE81CA08C390EA0B3A8BB05A44F414480E85197B12C324E800C940

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ieinstal.exePID: 7000, Parent PID: 4656COMMON

Execution Graph

Execution Coverage:	8.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	33
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 03010951 Relevance: 3.0, APIs: 2, Instructions: 38
sleepnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000005), ref: 030109BA
NtProtectVirtualMemory.NTDLL(000000FF,-0000001C,-00000018), ref: 03010A1B

Memory Dump Source

Source File: 00000005.00000002.100060846948.0000000003010000.00000040.00000001.sdmp, Offset: 03010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3010000_ieinstal.jbxd

Similarity

API ID: MemoryProtectSleepVirtual
String ID:
API String ID: 3235210055-0
Opcode ID: aea5ae5cffa184ed5320bb05cee1fd1553872febbe1df755439489c3a7edf0ad
Instruction ID: 16c299e3532227cf1f1998b977e67592b31a7efbf58da97386816bd10fa8405d
Opcode Fuzzy Hash: aea5ae5cffa184ed5320bb05cee1fd1553872febbe1df755439489c3a7edf0ad
Instruction Fuzzy Hash: D60116B995A300DFF344DF25C85CB6EB7A4AF10321F568589E9955E0A2C3B898D08F62

Uniqueness

Uniqueness Score: -1.00%

Function 030103D9 Relevance: 1.6, APIs: 1, Instructions: 124
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TerminateThread.KERNEL32(53F4BA63,-B100C1FB), ref: 03010607

Memory Dump Source

Source File: 00000005.00000002.100060846948.0000000003010000.00000040.00000001.sdmp, Offset: 03010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3010000_ieinstal.jbxd

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 12a915a1c255f7baea0b6ed0ea89a390d1e3c39e3e268040b4f761b9a9695434
Instruction ID: f95efa7281c19e73edc2da0e3d7f8eb6494785aa44e723c5d614a19fc2e76f3e
Opcode Fuzzy Hash: 12a915a1c255f7baea0b6ed0ea89a390d1e3c39e3e268040b4f761b9a9695434
Instruction Fuzzy Hash: 2541667181A355CFDB70CF64C484BEB77A2AF11350F0988A6D8C55F6A6C37089E2CB92

Uniqueness

Uniqueness Score: -1.00%

Function 03010A64 Relevance: 1.6, APIs: 1, Instructions: 64
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,00000040,00000000,?), ref: 03010B84

Memory Dump Source

Source File: 00000005.00000002.100060846948.0000000003010000.00000040.00000001.sdmp, Offset: 03010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3010000_ieinstal.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: dfe5491774e129632c9c5380598219ec1ca87663e7974d995c5ed1f78f874684
Instruction ID: 01f9e7b0d55c82861ae5b9f4b468b478ec1f6c8ee2d7b7c4c4256feaf49425d6
Opcode Fuzzy Hash: dfe5491774e129632c9c5380598219ec1ca87663e7974d995c5ed1f78f874684
Instruction Fuzzy Hash: 571104B6402301DFE704CE68CAC6B9A36A4AF2636CB550396D9C29B1E1E374C8D1CA55

Uniqueness

Uniqueness Score: -1.00%

Function 03010A5D Relevance: 1.6, APIs: 1, Instructions: 56
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,00000040,00000000,?), ref: 03010B84

Memory Dump Source

Source File: 00000005.00000002.100060846948.0000000003010000.00000040.00000001.sdmp, Offset: 03010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3010000_ieinstal.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 9ead596dd0e32c98b3cf1206b9b72cd2cb0600e5838dac0c64b48fa6db1eefa8
Instruction ID: 54374b05a93f4b1ff6a2924023ad52febc6e70a9d43faea1d4954c5a20fc12bc
Opcode Fuzzy Hash: 9ead596dd0e32c98b3cf1206b9b72cd2cb0600e5838dac0c64b48fa6db1eefa8
Instruction Fuzzy Hash: 5B11CEB1402301EFE704DF64CAC5F9A3664AF2632CB150396D9C69B1A1D770D8D18A55

Uniqueness

Uniqueness Score: -1.00%

Function 03010471 Relevance: 1.6, APIs: 1, Instructions: 87
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TerminateThread.KERNEL32(53F4BA63,-B100C1FB), ref: 03010607

Memory Dump Source

Source File: 00000005.00000002.100060846948.0000000003010000.00000040.00000001.sdmp, Offset: 03010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3010000_ieinstal.jbxd

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: d0273375df8fa2e1dbeb2c0c53ed65a7eeb517e5bc4d544ea02c1235704e9b20
Instruction ID: fe234687aecfa9d94bbce5939808884499f73dc77e1d58db47528d9e5d95e024
Opcode Fuzzy Hash: d0273375df8fa2e1dbeb2c0c53ed65a7eeb517e5bc4d544ea02c1235704e9b20
Instruction Fuzzy Hash: AD31277591B355CFDB70CF54C484BEA73A5AF40350F0985A6D8C52B1A1C3749AE2CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 030104F9 Relevance: 1.6, APIs: 1, Instructions: 74
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TerminateThread.KERNEL32(53F4BA63,-B100C1FB), ref: 03010607

Memory Dump Source

Source File: 00000005.00000002.100060846948.0000000003010000.00000040.00000001.sdmp, Offset: 03010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3010000_ieinstal.jbxd

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 2edd50acdd38f7f6a7497457179114617b642ee84af8f0350dc455c6c1d34f38
Instruction ID: d67c4482e82ade54b5ac42ac4a84875cc33d3d19f5f6cd6914fe0657bd330b7c
Opcode Fuzzy Hash: 2edd50acdd38f7f6a7497457179114617b642ee84af8f0350dc455c6c1d34f38
Instruction Fuzzy Hash: 1D21063490B345CFDB70CB548494BAA77E56F41314F0D88E6D4C51B0B2C3759AE2CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0301056A Relevance: 1.6, APIs: 1, Instructions: 64
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TerminateThread.KERNEL32(53F4BA63,-B100C1FB), ref: 03010607

Memory Dump Source

Source File: 00000005.00000002.100060846948.0000000003010000.00000040.00000001.sdmp, Offset: 03010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3010000_ieinstal.jbxd

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 40ae0880ad4e0f42b26bc80f558c7009f509becb192f1b9215a4515a00083571
Instruction ID: 675ae62e0c095c3b718e2be3e551986e318851f28b62ba5bcb4627f8b20f2084
Opcode Fuzzy Hash: 40ae0880ad4e0f42b26bc80f558c7009f509becb192f1b9215a4515a00083571
Instruction Fuzzy Hash: BF21DF3490B205CFEB70CB14C488BAA73E5AF40324F1989E6D0C50B1B6C3B499E2CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0301094C Relevance: 1.3, APIs: 1, Instructions: 17
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000005), ref: 030109BA

Memory Dump Source

Source File: 00000005.00000002.100060846948.0000000003010000.00000040.00000001.sdmp, Offset: 03010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3010000_ieinstal.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: adaaf01e77f4b00efc295d959163e3e7e2d2bf2231ef39df1fbcaacbb0783e5a
Instruction ID: cffdd40b5cf56af0be830b172bd56e6fb8e5cce2df8fde9a4cf9d04d7f55c9ba
Opcode Fuzzy Hash: adaaf01e77f4b00efc295d959163e3e7e2d2bf2231ef39df1fbcaacbb0783e5a
Instruction Fuzzy Hash: 98E0127420A340DFF345DF60C4ACF5876A1AF48311F4A85C5D9C90F0A7C761C8E0CA21

Uniqueness

Uniqueness Score: -1.00%

Function 03010979 Relevance: 1.3, APIs: 1, Instructions: 14
sleepnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000005), ref: 030109BA
NtProtectVirtualMemory.NTDLL(000000FF,-0000001C,-00000018), ref: 03010A1B

Memory Dump Source

Source File: 00000005.00000002.100060846948.0000000003010000.00000040.00000001.sdmp, Offset: 03010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3010000_ieinstal.jbxd

Similarity

API ID: MemoryProtectSleepVirtual
String ID:
API String ID: 3235210055-0
Opcode ID: c82ec7da101fca2f653d90e3fd8c7e70840e6cfe92f345ba4a8a4315c0fd82e0
Instruction ID: 62ab6e6f4b38a8be4394d141708f8ace4ca01a9827da770a2d5c088b5b2e25d6
Opcode Fuzzy Hash: c82ec7da101fca2f653d90e3fd8c7e70840e6cfe92f345ba4a8a4315c0fd82e0
Instruction Fuzzy Hash: 0BD017B0249350DFE345CF50949CF147660AF04321F4A84C5E6890F0A6C360C8D0CA11

Uniqueness

Uniqueness Score: -1.00%

Function 030109A9 Relevance: 1.3, APIs: 1, Instructions: 8
sleepnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000005), ref: 030109BA
NtProtectVirtualMemory.NTDLL(000000FF,-0000001C,-00000018), ref: 03010A1B

Memory Dump Source

Source File: 00000005.00000002.100060846948.0000000003010000.00000040.00000001.sdmp, Offset: 03010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3010000_ieinstal.jbxd

Similarity

API ID: MemoryProtectSleepVirtual
String ID:
API String ID: 3235210055-0
Opcode ID: 2c1198beb465e2317190844a4692b2826d20829c6b614156ad9c9b84275f91ac
Instruction ID: 1704150054680a25a0458fffeaa6bf3da479c1d30eb36501e8355ec357674827
Opcode Fuzzy Hash: 2c1198beb465e2317190844a4692b2826d20829c6b614156ad9c9b84275f91ac
Instruction Fuzzy Hash: 2DC02B30102300CFD300DF00C8ECF007360AB00311B4688EAD6441F062C330C8C2CE00

Uniqueness

Uniqueness Score: -1.00%

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
olufem.ddns.net	Hong Tak Engineering SB Payment Receipt 241121_PDF.exe	Get hash	malicious	Browse	124.82.81.98
olufem.ddns.net	EASTWAY COMNAGA SB PAYMENT BANK IN SLIP 250521_PDF.exe	Get hash	malicious	Browse	192.253.242.6

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
M247GB	1367630_9.xlsm	Get hash	malicious	Browse	45.138.98.34
	RSec.arm	Get hash	malicious	Browse	38.203.128.125
	C7dKkydVsM.exe	Get hash	malicious	Browse	185.216.34.82
	pop.arm7	Get hash	malicious	Browse	196.16.120.143
	4OLERjZGzs	Get hash	malicious	Browse	38.204.70.37
	7eu06uws3p.dll	Get hash	malicious	Browse	45.138.98.34
	74654_0572.xlsm	Get hash	malicious	Browse	45.138.98.34
	CshcvHW436.dll	Get hash	malicious	Browse	45.138.98.34
	WWAaHV4zF5.dll	Get hash	malicious	Browse	45.138.98.34
	5F4cRaOS5o.dll	Get hash	malicious	Browse	45.138.98.34
	a3p0uD3moG.dll	Get hash	malicious	Browse	45.138.98.34
	stbuiv_9200401.xlsm	Get hash	malicious	Browse	45.138.98.34
	lppseqc_368423.xlsm	Get hash	malicious	Browse	45.138.98.34
	3569_71040251.xlsm	Get hash	malicious	Browse	45.138.98.34
	2k7GDMVeXP.dll	Get hash	malicious	Browse	45.138.98.34
	EhOpfHFsNa.dll	Get hash	malicious	Browse	45.138.98.34
	rnHNA7QWKe.dll	Get hash	malicious	Browse	45.138.98.34
	KEuNDK6tEw.dll	Get hash	malicious	Browse	45.138.98.34
	fcZINN0PI1.dll	Get hash	malicious	Browse	45.138.98.34
	B0OiokCj3u.dll	Get hash	malicious	Browse	45.138.98.34

Entrypoint:	0x401194
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x4ED97EE6 [Sat Dec 3 01:44:06 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	fca27436e553ec62bb2d0905390fd4e6

Signature Valid:	false
Signature Issuer:	E=Bibaciousnessmnten3@Pinjerforhaa.Non, CN=Vrdiheftesgalets, OU=Formationsskridt, O=ptychoptery, L=Retrickedtrbesk, S=Linoxininvectivel5, C=LV
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	17/11/2021 03:35:05 17/11/2022 03:35:05
Subject Chain	E=Bibaciousnessmnten3@Pinjerforhaa.Non, CN=Vrdiheftesgalets, OU=Formationsskridt, O=ptychoptery, L=Retrickedtrbesk, S=Linoxininvectivel5, C=LV
Version:	3
Thumbprint MD5:	81C291A64F4EEAD3EB815B820975A11F
Thumbprint SHA-1:	3B9FB2B3310D80BB215D1F0A8A1B4C5CE397126F
Thumbprint SHA-256:	6E26EF48D70BCD9763606EA3E88539664649D7701B6F561892E318BB4DB04839
Serial:	00

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x16d14	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x19000	0x2bca	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x1b000	0x750	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x238	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x90	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x15ffc	0x16000	False	0.495827414773	data	6.39269902756	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x17000	0x17f8	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x19000	0x2bca	0x3000	False	0.236735026042	data	3.87641922123	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country
SET	0x19724	0x24a6	MS Windows icon resource - 3 icons, 24x24, 16 colors, 4 bits/pixel, 24x24, 8 bits/pixel	English	United States
RT_ICON	0x1943c	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 4152326007, next used block 7370615
RT_GROUP_ICON	0x19428	0x14	data
RT_VERSION	0x19140	0x2e8	data	English	United States

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 171121_PDF.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\CUSCONINE\vagabo.exe

C:\Users\user\AppData\Local\Temp\~DFFFD65EAE6BEE96C9.TMP

C:\Users\user\AppData\Roaming\wifitskl\logs.dat

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Windows Analysis Report
171121_PDF.exe

Function 023647F1 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 231
libraryCOMMON

Function 0236FB8E Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 198
COMMON

Function 0236CFC2 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 153
memorynativeCOMMON

Function 0236CFED Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 137
memorynativeCOMMON

Function 0236D046 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 126
memorynativeCOMMON

Function 0236D0D1 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114
memorynativeCOMMON

Function 0236D0E6 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 113
memorynativeCOMMON

Function 023684F7 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 144
sleepCOMMON

Function 0236D13C Relevance: 1.6, APIs: 1, Instructions: 104
memorynativeCOMMON

Function 00416BA0 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 104
COMMON

Function 004011BB Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 156
COMMON

Function 0236D5C7 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66
libraryCOMMON

Function 0236BEF6 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37
libraryCOMMON

Function 0236BEFB Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36
libraryCOMMON

Function 00401194 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20
COMMON