Play interactive tour

Edit tour

Analysis Report #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.bat

Overview

General Information

Sample Name:	#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.bat (renamed file extension from bat to exe)
Analysis ID:	343504
MD5:	6665909a2652c5860fd874cb15c3991c
SHA1:	84a5a2e920e8165634e510766eaa51662401a227
SHA256:	1ef7ae3509e71c3cd0904a7396831e6bd2c021f14dc5d4b2485a38ebefc3dd3d
Most interesting Screenshot:

Detection

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)

Multi AV Scanner detection for submitted file

Connects to many ports of the same IP (likely port scanning)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses known network protocols on non-standard ports

Abnormal high CPU Usage

Checks for available system drives (often done to infect USB drives)

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query locales information (e.g. system language)

Contains functionality to retrieve information about pressed keystrokes

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

Enables security privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains sections with non-standard names

PE file contains strange resources

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Tries to load missing DLLs

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe (PID: 4164 cmdline: 'C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe' MD5: 6665909A2652C5860FD874CB15C3991C)

zr.exe (PID: 6340 cmdline: 'C:\Users\user\zT6Nm@i4\zr.exe' a 'C:\Users\user\zT6Nm@i4\111.7z' 'C:\Users\user\zT6Nm@i4\TXP\*' MD5: 045FCBE6C174AFA9A6A998BDD6F9FAD7)

conhost.exe (PID: 6356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 6648 cmdline: 'C:\Windows\System32\cmd.exe' /C 'C:\Users\user\zT6Nm@i4\copy.bat' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 6700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

PMRunner64.exe (PID: 7120 cmdline: 'C:\Users\user\zT6Nm@i4\PMRunner64.exe' MD5: 65DBB57517611D9DE8CE522022DCD727)

zr.exe (PID: 6800 cmdline: 'C:\ProgramData\Microsoft\zr.exe' x C:\ProgramData\Microsoft\111.7z -y MD5: 045FCBE6C174AFA9A6A998BDD6F9FAD7)

conhost.exe (PID: 6656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

PMRunner64.exe (PID: 6492 cmdline: 'C:\Users\user\zT6Nm@i4\PMRunner64.exe' MD5: 65DBB57517611D9DE8CE522022DCD727)

PMRunner64.exe (PID: 6972 cmdline: 'C:\Users\user\zT6Nm@i4\PMRunner64.exe' MD5: 65DBB57517611D9DE8CE522022DCD727)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\zT6Nm@i4\ru2.url	Methodology_Suspicious_Shortcut_Local_URL	Detects local script usage for .URL persistence	@itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson)	0x13:$file: URL=file:/// 0x0:$url_explicit: [InternetShortcut]

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Virustotal: Detection: 15%			Perma Link
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	ReversingLabs: Detection: 22%

Privilege Escalation:

Contains functionality to bypass UAC (CMSTPLUA)

Show sources

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

Code function: 0_2_0000000180002D40 CoGetObject,CoGetObject,Sleep,SleepEx,

0_2_0000000180002D40

Compliance:

Binary contains paths to debug symbols

Show sources

Source:

Binary string: C:\sourcetree\CortexCommon\Razer.ProcessManager\PMManager\x64\Release\PMRunner.pdb source: PMRunner64.exe, 0000000C.00000000.685253001.00007FF7A5177000.00000002.00020000.sdmp, PMRunner64.exe, 0000000E.00000000.707315840.00007FF7A5177000.00000002.00020000.sdmp, PMRunner64.exe, 0000000F.00000000.724614077.00007FF7A5177000.00000002.00020000.sdmp, PMRunner64.exe.0.dr

Spreading:

Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	File opened: z:	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	File opened: x:	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	File opened: v:	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	File opened: t:	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	File opened: r:	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	File opened: p:	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	File opened: n:	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	File opened: l:	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	File opened: j:	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	File opened: h:	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	File opened: f:	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	File opened: b:	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	File opened: y:	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	File opened: w:	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	File opened: u:	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	File opened: s:	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	File opened: q:	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	File opened: o:	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	File opened: m:	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	File opened: k:	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	File opened: i:	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	File opened: g:	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\conhost.exe	File opened: c:	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	File opened: [:	Jump to behavior

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001400223C0 GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	0_2_00000001400223C0
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_00405BD6 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,	1_2_00405BD6
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_0040755D FindFirstFileW,	1_2_0040755D

Source: C:\Users\user\zT6Nm@i4\zr.exe

Code function: 1_2_00406532 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,

1_2_00406532

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	File opened: C:\Users\user\zT6Nm@i4\	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	File opened: C:\Users\user\zT6Nm@i4\TXP\	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	File opened: C:\Users\user\zT6Nm@i4\TXP\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	File opened: C:\Users\user\zT6Nm@i4\TXP\Windows\Start Menu\Programs\Startup\Realtek???????? .lnk	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	File opened: C:\Users\user\zT6Nm@i4\TXP\Windows\Start Menu\	Jump to behavior

Networking:

Connects to many ports of the same IP (likely port scanning)

Show sources

Source: global traffic

TCP traffic: 110.92.66.246 ports 1,2,13527,3,5,7

Uses known network protocols on non-standard ports

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 13527
Source: unknown	Network traffic detected: HTTP traffic on port 13527 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 13527
Source: unknown	Network traffic detected: HTTP traffic on port 13527 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 13527
Source: unknown	Network traffic detected: HTTP traffic on port 13527 -> 49746

Source: global traffic

TCP traffic: 192.168.2.4:49744 -> 110.92.66.246:13527

Source: global traffic	HTTP traffic detected: GET /\ HTTP/1.1Connection: UpgradeSec-WebSocket-Key: FCzEFfJJGECxZCsRaGKFlJqHWSec-WebSocket-Version: 13Upgrade: websocketSec-WebSocket-Extensions: permessage-deflate; client_max_window_bitsHost: 110.92.66.246:13527
Source: global traffic	HTTP traffic detected: GET /\ HTTP/1.1Connection: UpgradeSec-WebSocket-Key: hVvGEJDDITDIJDJeQLtIKCsnCSec-WebSocket-Version: 13Upgrade: websocketSec-WebSocket-Extensions: permessage-deflate; client_max_window_bitsHost: 110.92.66.246:13527
Source: global traffic	HTTP traffic detected: GET /\ HTTP/1.1Connection: UpgradeSec-WebSocket-Key: IKBXBepAaaBfkIYjnCKuMRKkFSec-WebSocket-Version: 13Upgrade: websocketSec-WebSocket-Extensions: permessage-deflate; client_max_window_bitsHost: 110.92.66.246:13527

Source: Joe Sandbox View

IP Address: 204.79.197.200 204.79.197.200

Source: Joe Sandbox View

ASN Name: HKKFGL-AS-APHKKwaifongGroupLimitedHK HKKFGL-AS-APHKKwaifongGroupLimitedHK

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.135
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.135
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.135
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.135
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.135
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.135
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.135
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.135
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.135
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.135
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.135
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.135
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.135
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.135
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 104.79.89.181
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.135
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

Code function: 0_2_0000000140002220 recv,SendMessageW,_cwprintf_s_l,inet_ntoa,_cwprintf_s_l,inet_ntoa,_cwprintf_s_l,_cwprintf_s_l,_cwprintf_s_l,htons,_cwprintf_s_l,

0_2_0000000140002220

Source: global traffic	HTTP traffic detected: GET /\ HTTP/1.1Connection: UpgradeSec-WebSocket-Key: FCzEFfJJGECxZCsRaGKFlJqHWSec-WebSocket-Version: 13Upgrade: websocketSec-WebSocket-Extensions: permessage-deflate; client_max_window_bitsHost: 110.92.66.246:13527
Source: global traffic	HTTP traffic detected: GET /\ HTTP/1.1Connection: UpgradeSec-WebSocket-Key: hVvGEJDDITDIJDJeQLtIKCsnCSec-WebSocket-Version: 13Upgrade: websocketSec-WebSocket-Extensions: permessage-deflate; client_max_window_bitsHost: 110.92.66.246:13527
Source: global traffic	HTTP traffic detected: GET /\ HTTP/1.1Connection: UpgradeSec-WebSocket-Key: IKBXBepAaaBfkIYjnCKuMRKkFSec-WebSocket-Version: 13Upgrade: websocketSec-WebSocket-Extensions: permessage-deflate; client_max_window_bitsHost: 110.92.66.246:13527

Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr	String found in binary or memory: http://crl.thawte.com/ThawtePCA.crl0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr	String found in binary or memory: http://crl.thawte.com/ThawtePremiumServerCA.crl0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr	String found in binary or memory: http://s2.symcb.com0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr	String found in binary or memory: http://sv.symcd.com0&
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr	String found in binary or memory: http://th.symcb.com/th.crl0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr	String found in binary or memory: http://th.symcb.com/th.crt0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr	String found in binary or memory: http://th.symcd.com0&
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr	String found in binary or memory: http://www.nsecsoft.com
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr	String found in binary or memory: https://www.thawte.com/cps0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr	String found in binary or memory: https://www.thawte.com/cps0/
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr	String found in binary or memory: https://www.thawte.com/repository0W

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown	Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49682
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49681
Source: unknown	Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 49682 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49681 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

Code function: 0_2_00000001400DC700 CreateCompatibleDC,CreateCompatibleBitmap,FillRect,OpenClipboard,EmptyClipboard,CloseClipboard,SetClipboardData,CloseClipboard,

0_2_00000001400DC700

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

Code function: 0_2_00000001400900A0 IsWindow,GetFocus,IsChild,SendMessageW,IsChild,SendMessageW,GetFocus,IsIconic,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,IsWindowVisible,

0_2_00000001400900A0

Source: zr.exe, 00000001.00000002.653437096.0000000000708000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_000000014007AAC4 MessageBeep,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,	0_2_000000014007AAC4
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140085328 GetParent,ScreenToClient,free,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,	0_2_0000000140085328
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_000000014000F35C GetKeyState,GetKeyState,GetKeyState,SendMessageW,	0_2_000000014000F35C
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_000000014008F93C GetKeyState,GetKeyState,GetKeyState,	0_2_000000014008F93C

System Summary:

Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\zT6Nm@i4\zr.exe

Code function: 1_2_00406D20: __EH_prolog,GetFileInformationByHandle,DeviceIoControl,memcpy,

1_2_00406D20

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_000000014002007C	0_2_000000014002007C
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140011818	0_2_0000000140011818
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140076074	0_2_0000000140076074
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_000000014010E08C	0_2_000000014010E08C
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001400BE1D0	0_2_00000001400BE1D0
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_000000014005A1C4	0_2_000000014005A1C4
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140162354	0_2_0000000140162354
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_000000014005C3D4	0_2_000000014005C3D4
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_000000014007A4D8	0_2_000000014007A4D8
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001400365D8	0_2_00000001400365D8
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140046614	0_2_0000000140046614
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_000000014003C644	0_2_000000014003C644
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_000000014005A694	0_2_000000014005A694
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001400DE6A4	0_2_00000001400DE6A4
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_000000014004472C	0_2_000000014004472C
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_000000014000A760	0_2_000000014000A760
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001400BE798	0_2_00000001400BE798
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_000000014006C8BC	0_2_000000014006C8BC
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001400768F8	0_2_00000001400768F8
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140074934	0_2_0000000140074934
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_000000014002C960	0_2_000000014002C960
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140018AB8	0_2_0000000140018AB8
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140014AD0	0_2_0000000140014AD0
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_000000014005EAE4	0_2_000000014005EAE4
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140040B54	0_2_0000000140040B54
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140092B98	0_2_0000000140092B98
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140024BFC	0_2_0000000140024BFC
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140084BF4	0_2_0000000140084BF4
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140090C1C	0_2_0000000140090C1C
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_000000014005AD18	0_2_000000014005AD18
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140078D58	0_2_0000000140078D58
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140042E18	0_2_0000000140042E18
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140018EA0	0_2_0000000140018EA0
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001400F0FA4	0_2_00000001400F0FA4
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140021100	0_2_0000000140021100
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_000000014003910C	0_2_000000014003910C
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140029308	0_2_0000000140029308
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_000000014005F304	0_2_000000014005F304
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001400BF304	0_2_00000001400BF304
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140097328	0_2_0000000140097328
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001400DF350	0_2_00000001400DF350
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_000000014009140C	0_2_000000014009140C
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001400CB4B4	0_2_00000001400CB4B4
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_000000014003754C	0_2_000000014003754C
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_000000014007564C	0_2_000000014007564C
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140081668	0_2_0000000140081668
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_000000014001D68C	0_2_000000014001D68C
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001401636B0	0_2_00000001401636B0
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001400476E4	0_2_00000001400476E4
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_000000014002377C	0_2_000000014002377C
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001400577E8	0_2_00000001400577E8
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001400F1800	0_2_00000001400F1800
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140051880	0_2_0000000140051880
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001400798A4	0_2_00000001400798A4
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001400638BC	0_2_00000001400638BC
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001401578AC	0_2_00000001401578AC
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001400A38D0	0_2_00000001400A38D0
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001400918D4	0_2_00000001400918D4
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_000000014007DA44	0_2_000000014007DA44
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140161B54	0_2_0000000140161B54
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140087CCC	0_2_0000000140087CCC
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140067CE4	0_2_0000000140067CE4
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140159CFC	0_2_0000000140159CFC
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001400BBD90	0_2_00000001400BBD90
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001400DFD94	0_2_00000001400DFD94
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140041DE4	0_2_0000000140041DE4
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001400A1E3C	0_2_00000001400A1E3C
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140043E5C	0_2_0000000140043E5C
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_000000014005BE90	0_2_000000014005BE90
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140079EC0	0_2_0000000140079EC0
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140161ED4	0_2_0000000140161ED4
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001400B9ED4	0_2_00000001400B9ED4
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001400BDED8	0_2_00000001400BDED8
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_000000014006FF0C	0_2_000000014006FF0C
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140047F40	0_2_0000000140047F40
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_000000014000DF9C	0_2_000000014000DF9C
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_000000014006BFC4	0_2_000000014006BFC4
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_000000018000C380	0_2_000000018000C380
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001800088E0	0_2_00000001800088E0
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001800090C0	0_2_00000001800090C0
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_000000018000E274	0_2_000000018000E274
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001800104F0	0_2_00000001800104F0
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000180016900	0_2_0000000180016900
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000180006AE0	0_2_0000000180006AE0
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_004292EC	1_2_004292EC
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_004419AF	1_2_004419AF
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_0044C0C8	1_2_0044C0C8
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_0044C0A0	1_2_0044C0A0
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_0044017B	1_2_0044017B
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_0045A190	1_2_0045A190
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_0041C3CB	1_2_0041C3CB
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_0041A459	1_2_0041A459
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_00456650	1_2_00456650
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_0043674E	1_2_0043674E
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_0044C8A0	1_2_0044C8A0
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_004509E8	1_2_004509E8
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_0044C9B0	1_2_0044C9B0
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_0044AC50	1_2_0044AC50
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_00454F00	1_2_00454F00
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_00452FB0	1_2_00452FB0
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_00451150	1_2_00451150
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_0045B423	1_2_0045B423
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_004575D0	1_2_004575D0
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_0045B5B1	1_2_0045B5B1
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_004015BE	1_2_004015BE
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_0045B68B	1_2_0045B68B
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_0045B771	1_2_0045B771
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_004159D7	1_2_004159D7
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_00401999	1_2_00401999
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_00459AE0	1_2_00459AE0
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_00451B10	1_2_00451B10
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_00459CA0	1_2_00459CA0
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_0040DDF1	1_2_0040DDF1
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_0044BF30	1_2_0044BF30

Source: C:\Users\user\zT6Nm@i4\zr.exe

Process token adjusted: Security

Jump to behavior

Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: String function: 00401CC2 appears 153 times
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: String function: 0045AD30 appears 480 times

Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: K_FPS64.dll.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: K_FPS64.dll.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: K_FPS64.dll.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PMRunner64.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename7zr.exe, vs #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000002.686343189.0000000002530000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000002.686343189.0000000002530000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000002.686174201.0000000002430000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000002.686004489.00000000020D0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000002.686469830.00000000026C0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameWindows.Storage.dll.MUIj% vs #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000002.686358301.0000000002550000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameSHELL32.DLL.MUIj% vs #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	Section loaded: dhcpcsvc.dll	Jump to behavior

Source: C:\Users\user\zT6Nm@i4\ru2.url, type: DROPPED

Matched rule: Methodology_Suspicious_Shortcut_Local_URL author = @itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson), description = Detects local script usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019

Source: classification engine

Classification label: mal72.troj.expl.evad.winEXE@13/17@0/5

Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_00414942 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		1_2_00414942
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_00407CF5 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,		1_2_00407CF5

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

Code function: 0_2_000000014001E7FC CoInitialize,CoCreateInstance,

0_2_000000014001E7FC

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

Code function: 0_2_00000001400081A8 FindResourceW,LoadResource,LockResource,FreeResource,

0_2_00000001400081A8

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

File created: C:\Users\user\zT6Nm@i4

Jump to behavior

Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	Mutant created: \Sessions\1\BaseNamedObjects\V 5i
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	Mutant created: \Sessions\1\BaseNamedObjects\Random name
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6700:120:WilError_01

Source: unknown

Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'C:\Users\user\zT6Nm@i4\copy.bat'

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Virustotal: Detection: 15%
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	ReversingLabs: Detection: 22%

Source: unknown	Process created: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe 'C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe'
Source: unknown	Process created: C:\Users\user\zT6Nm@i4\zr.exe 'C:\Users\user\zT6Nm@i4\zr.exe' a 'C:\Users\user\zT6Nm@i4\111.7z' 'C:\Users\user\zT6Nm@i4\TXP\*'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'C:\Users\user\zT6Nm@i4\copy.bat'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\ProgramData\Microsoft\zr.exe 'C:\ProgramData\Microsoft\zr.exe' x C:\ProgramData\Microsoft\111.7z -y
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\zT6Nm@i4\PMRunner64.exe 'C:\Users\user\zT6Nm@i4\PMRunner64.exe'
Source: unknown	Process created: C:\Users\user\zT6Nm@i4\PMRunner64.exe 'C:\Users\user\zT6Nm@i4\PMRunner64.exe'
Source: unknown	Process created: C:\Users\user\zT6Nm@i4\PMRunner64.exe 'C:\Users\user\zT6Nm@i4\PMRunner64.exe'
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process created: C:\Users\user\zT6Nm@i4\zr.exe 'C:\Users\user\zT6Nm@i4\zr.exe' a 'C:\Users\user\zT6Nm@i4\111.7z' 'C:\Users\user\zT6Nm@i4\TXP\*'	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'C:\Users\user\zT6Nm@i4\copy.bat'	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process created: C:\Users\user\zT6Nm@i4\PMRunner64.exe 'C:\Users\user\zT6Nm@i4\PMRunner64.exe'	Jump to behavior

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

Static file information: File size 3150336 > 1048576

Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x179c00

Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

Static PE information: More than 200 imports for USER32.dll

Source:

Data Obfuscation:

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

Code function: 0_2_0000000140032378 GetModuleHandleW,LoadLibraryW,GetProcAddress,

0_2_0000000140032378

Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Static PE information: section name: text
Source: zr.exe.0.dr	Static PE information: section name: .sxdata
Source: zr.exe.3.dr	Static PE information: section name: .sxdata

Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_0044C2D0 push ecx; mov dword ptr [esp], ecx	1_2_0044C2D1
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_0045AD30 push eax; ret	1_2_0045AD4E
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_0045B0E0 push eax; ret	1_2_0045B10E

Persistence and Installation Behavior:

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	File created: C:\Users\user\zT6Nm@i4\PMRunner64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	File created: C:\Users\user\zT6Nm@i4\zr.exe	Jump to dropped file
Source: C:\Windows\System32\cmd.exe	File created: C:\ProgramData\Microsoft\zr.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	File created: C:\Users\user\zT6Nm@i4\K_FPS64.dll	Jump to dropped file

Source: C:\Windows\System32\cmd.exe

File created: C:\ProgramData\Microsoft\zr.exe

Jump to dropped file

Boot Survival:

Source: C:\ProgramData\Microsoft\zr.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Realtek???????? .lnk

Jump to behavior

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	File created: C:\Users\user\zT6Nm@i4\TXP\Windows\Start Menu	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	File created: C:\Users\user\zT6Nm@i4\TXP\Windows\Start Menu\Programs	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	File created: C:\Users\user\zT6Nm@i4\TXP\Windows\Start Menu\Programs\Startup	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	File created: C:\Users\user\zT6Nm@i4\TXP\Windows\Start Menu\Programs\Startup\Realtek???????? .lnk	Jump to behavior
Source: C:\ProgramData\Microsoft\zr.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Realtek???????? .lnk	Jump to behavior

Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run NULL			Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run NULL			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Uses known network protocols on non-standard ports

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 13527
Source: unknown	Network traffic detected: HTTP traffic on port 13527 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 13527
Source: unknown	Network traffic detected: HTTP traffic on port 13527 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 13527
Source: unknown	Network traffic detected: HTTP traffic on port 13527 -> 49746

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001400025A0 IsIconic,SendMessageW,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,	0_2_00000001400025A0
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140038030 IsIconic,	0_2_0000000140038030
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001400900A0 IsWindow,GetFocus,IsChild,SendMessageW,IsChild,SendMessageW,GetFocus,IsIconic,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,IsWindowVisible,	0_2_00000001400900A0
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001400926C4 IsIconic,PostMessageW,	0_2_00000001400926C4
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001400668D4 IsWindowVisible,IsIconic,	0_2_00000001400668D4
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140090DC0 GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,	0_2_0000000140090DC0
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140090DC0 GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,	0_2_0000000140090DC0
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140090DC0 GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,	0_2_0000000140090DC0
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140091184 IsWindowVisible,ScreenToClient,GetSystemMetrics,GetSystemMetrics,IsIconic,GetSystemMetrics,PtInRect,PtInRect,GetSystemMetrics,PtInRect,	0_2_0000000140091184
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140045388 SetRectEmpty,RedrawWindow,ReleaseCapture,SetCapture,ReleaseCapture,SetCapture,GetParent,SendMessageW,UpdateWindow,GetParent,SendMessageW,IsWindow,IsIconic,IsZoomed,IsWindow,UpdateWindow,	0_2_0000000140045388
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001400918D4 IsWindowVisible,GetWindowRect,PtInRect,GetAsyncKeyState,ScreenToClient,PtInRect,SendMessageW,IsWindow,IsWindow,GetWindowRect,PtInRect,SendMessageW,ScreenToClient,PtInRect,GetParent,SendMessageW,SendMessageW,GetFocus,WindowFromPoint,GetSystemMenu,IsMenu,EnableMenuItem,EnableMenuItem,IsZoomed,IsIconic,EnableMenuItem,TrackPopupMenu,SendMessageW,	0_2_00000001400918D4
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140037F50 SetForegroundWindow,IsIconic,	0_2_0000000140037F50

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

Code function: 0_2_000000018000C380 RtlEncodePointer,_initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_000000018000C380

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Show sources

Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: K_FPS64.dll.0.dr

Binary or memory string: OLLYDBG.EXEPROCESSHACKER.EXETCPVIEW.EXEAUTORUNS.EXEAUTORUNSC.EXEFILEMON.EXEPROCMON.EXEREGMON.EXEPROCEXP.EXEIDAQ.EXEIDAQ64.EXEIMMUNITYDEBUGGER.EXEWIRESHARK.EXEDUMPCAP.EXEHOOKEXPLORER.EXEIMPORTREC.EXEPETOOLS.EXELORDPE.EXESYSINSPECTOR.EXEPROC_ANALYZER.EXESYSANALYZER.EXESNIFF_HIT.EXEWINDBG.EXEJOEBOXCONTROL.EXEJOEBOXSERVER.EXERESOURCEHACKER.EXEX32DBG.EXEX64DBG.EXEFIDDLER.EXEHTTPDEBUGGER.EXERANDOM NAMEI AM CRITICAL FUNCTION, YOU SHOULD PROTECT AGAINST INT3 BPS %DPRL_CC.EXEPRL_TOOLS.EXECHECKING PARALLELS PROCESSES: %SHARDWARE\DEVICEMAP\SCSI\SCSI PORT 0\SCSI BUS 0\TARGET ID 0\LOGICAL UNIT ID 0IDENTIFIERQEMUCHECKING REG KEY %S QEMU-GA.EXECHECKING QEMU PROCESSES %S VBOXHARDWARE\DESCRIPTION\SYSTEMSYSTEMBIOSDATE06/23/99HARDWARE\ACPI\DSDT\VBOX__HARDWARE\ACPI\FADT\VBOX__HARDWARE\ACPI\RSDT\VBOX__SYSTEM\CONTROLSET001\SERVICES\VBOXGUESTSYSTEM\CONTROLSET001\SERVICES\VBOXMOUSESYSTEM\CONTROLSET001\SERVICES\VBOXSERVICESYSTEM\CONTROLSET001\SERVICES\VBOXSFSYSTEM\CONTROLSET001\SERVICES\VBOXVIDEOVBOXSERVICE.EXEVBOXTRAY.EXEVMSRVC.EXEVMUSRVC.EXECHECKING VIRTUAL PC PROCESSES %S SOFTWARE\MICROSOFT\VIRTUAL MACHINE\GUEST\PARAMETERSVMWAREHARDWARE\DEVICEMAP\SCSI\SCSI PORT 1\SCSI BUS 0\TARGET ID 0\LOGICAL UNIT ID 0HARDWARE\DEVICEMAP\SCSI\SCSI PORT 2\SCSI BUS 0\TARGET ID 0\LOGICAL UNIT ID 0SYSTEM\CONTROLSET001\CONTROL\SYSTEMINFORMATIONSYSTEMMANUFACTURERSYSTEMPRODUCTNAMECHECKING REG KEY %S

Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosDate	Jump to behavior
Source: C:\Windows\System32\conhost.exe	File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}	Jump to behavior

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_0-68413

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	API coverage: 4.5 %
Source: C:\Users\user\zT6Nm@i4\zr.exe	API coverage: 7.3 %

Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe TID: 6568	Thread sleep count: 342 > 30	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe TID: 6876	Thread sleep count: 60 > 30	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe TID: 6884	Thread sleep count: 45 > 30	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001400223C0 GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	0_2_00000001400223C0
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_00405BD6 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,	1_2_00405BD6
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_0040755D FindFirstFileW,	1_2_0040755D

Source: C:\Users\user\zT6Nm@i4\zr.exe

Code function: 1_2_00406532 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,

1_2_00406532

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

Code function: 0_2_000000014015892C VirtualQuery,GetSystemInfo,SetThreadStackGuarantee,VirtualAlloc,VirtualProtect,

0_2_000000014015892C

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	File opened: C:\Users\user\zT6Nm@i4\	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	File opened: C:\Users\user\zT6Nm@i4\TXP\	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	File opened: C:\Users\user\zT6Nm@i4\TXP\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	File opened: C:\Users\user\zT6Nm@i4\TXP\Windows\Start Menu\Programs\Startup\Realtek???????? .lnk	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	File opened: C:\Users\user\zT6Nm@i4\TXP\Windows\Start Menu\	Jump to behavior

Source: K_FPS64.dll.0.dr	Binary or memory string: ollydbg.exeProcessHacker.exetcpview.exeautoruns.exeautorunsc.exefilemon.exeprocmon.exeregmon.exeprocexp.exeidaq.exeidaq64.exeImmunityDebugger.exeWireshark.exedumpcap.exeHookExplorer.exeImportREC.exePETools.exeLordPE.exeSysInspector.exeproc_analyzer.exesysAnalyzer.exesniff_hit.exewindbg.exejoeboxcontrol.exejoeboxserver.exeResourceHacker.exex32dbg.exex64dbg.exeFiddler.exehttpdebugger.exeRandom nameI am critical function, you should protect against int3 bps %dprl_cc.exeprl_tools.exeChecking Parallels processes: %sHARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierQEMUChecking reg key %s qemu-ga.exeChecking qemu processes %s VBOXHARDWARE\Description\SystemSystemBiosDate06/23/99HARDWARE\ACPI\DSDT\VBOX__HARDWARE\ACPI\FADT\VBOX__HARDWARE\ACPI\RSDT\VBOX__SYSTEM\ControlSet001\Services\VBoxGuestSYSTEM\ControlSet001\Services\VBoxMouseSYSTEM\ControlSet001\Services\VBoxServiceSYSTEM\ControlSet001\Services\VBoxSFSYSTEM\ControlSet001\Services\VBoxVideovboxservice.exevboxtray.exeVMSrvc.exeVMUSrvc.exeChecking Virtual PC processes %s SOFTWARE\Microsoft\Virtual Machine\Guest\ParametersVMWAREHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0SYSTEM\ControlSet001\Control\SystemInformationSystemManufacturerSystemProductNameChecking reg key %s
Source: K_FPS64.dll.0.dr	Binary or memory string: 00:1C:14PV00:50:56Checking MAC starting with %svmtoolsd.exevmwaretray.exevmwareuser.exeVGAuthService.exevmacthlp.exeChecking VWware process %s kernel32.dllntdll.dllRtlGetVersionRtlAddFunctionTablentdll
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000002.685826678.0000000000641000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	API call chain: ExitProcess graph end node			graph_0-68580
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	API call chain: ExitProcess graph end node			graph_0-67129

Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

Code function: 0_2_000000014015C7A0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_000000014015C7A0

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

Code function: 0_2_0000000180014870 RtlEncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,

0_2_0000000180014870

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

Code function: 0_2_0000000140032378 GetModuleHandleW,LoadLibraryW,GetProcAddress,

0_2_0000000140032378

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

Code function: 0_2_0000000140002BFC VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualAlloc,

0_2_0000000140002BFC

Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_000000014015C7A0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_000000014015C7A0
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140154B40 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_0000000140154B40

HIPS / PFW / Operating System Protection Evasion:

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

Code function: 0_2_00000001800090C0 SetFileAttributesW,Sleep,SleepEx,ShellExecuteExW,Sleep,SleepEx,DeleteFileW,ShellExecuteW,Sleep,SleepEx,DeleteFileW,DeleteFileW,DeleteFileW,Sleep,SleepEx,DeleteFileW,DeleteFileW,DeleteFileW,Sleep,SleepEx,ShellExecuteExW,DeleteFileW,DeleteFileW,DeleteFileW,

0_2_00000001800090C0

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process created: C:\Users\user\zT6Nm@i4\zr.exe 'C:\Users\user\zT6Nm@i4\zr.exe' a 'C:\Users\user\zT6Nm@i4\111.7z' 'C:\Users\user\zT6Nm@i4\TXP\*'	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'C:\Users\user\zT6Nm@i4\copy.bat'	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process created: C:\Users\user\zT6Nm@i4\PMRunner64.exe 'C:\Users\user\zT6Nm@i4\PMRunner64.exe'	Jump to behavior

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: _cwprintf_s_l,GetNumberFormatW,GetLocaleInfoW,lstrlenW,		0_2_000000014006CC48
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: GetProcAddress,_errno,GetUserDefaultUILanguage,ConvertDefaultLocale,ConvertDefaultLocale,GetSystemDefaultUILanguage,ConvertDefaultLocale,ConvertDefaultLocale,GetModuleFileNameW,GetLocaleInfoW,_errno,_errno,_snwprintf_s,_errno,_errno,_errno,LoadLibraryW,		0_2_0000000140003520

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

Code function: 0_2_0000000140154D44 GetSystemTimeAsFileTime,

0_2_0000000140154D44

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

Code function: 0_2_0000000140161ED4 _lock,_get_daylight,_get_daylight,_get_daylight,___lc_codepage_func,free,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_0000000140161ED4

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

Code function: 0_2_00000001400206A8 GetVersionExW,GetSystemMetrics,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00000001400206A8

Remote Access Functionality:

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

Code function: 0_2_0000000140001D04 WSAStartup,WSASocketW,gethostname,gethostbyname,inet_ntoa,htons,bind,WSAIoctl,

0_2_0000000140001D04

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Replication Through Removable Media1	Scripting1	Startup Items1	Startup Items1	Deobfuscate/Decode Files or Information1	Input Capture31	System Time Discovery2	Replication Through Removable Media1	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API2	DLL Side-Loading1	Exploitation for Privilege Escalation1	Scripting1	LSASS Memory	Peripheral Device Discovery11	Remote Desktop Protocol	Input Capture31	Exfiltration Over Bluetooth	Encrypted Channel12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Application Shimming1	DLL Side-Loading1	Obfuscated Files or Information2	Security Account Manager	File and Directory Discovery4	SMB/Windows Admin Shares	Clipboard Data1	Automated Exfiltration	Non-Standard Port11	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Registry Run Keys / Startup Folder21	Application Shimming1	DLL Side-Loading1	NTDS	System Information Discovery25	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Bypass User Access Control1	Bypass User Access Control1	LSA Secrets	Query Registry1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol2	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Access Token Manipulation1	Masquerading1	Cached Domain Credentials	Security Software Discovery241	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Process Injection11	Virtualization/Sandbox Evasion2	DCSync	Virtualization/Sandbox Evasion2	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Registry Run Keys / Startup Folder21	Access Token Manipulation1	Proc Filesystem	Process Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Process Injection11	/etc/passwd and /etc/shadow	Application Window Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	15%	Virustotal		Browse
#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	22%	ReversingLabs	Win64.Trojan.CrypterX

Dropped Files

Source	Detection	Scanner	Label	Link
C:\ProgramData\Microsoft\zr.exe	0%	Virustotal		Browse
C:\ProgramData\Microsoft\zr.exe	0%	Metadefender		Browse
C:\ProgramData\Microsoft\zr.exe	0%	ReversingLabs
C:\Users\user\zT6Nm@i4\K_FPS64.dll	6%	Virustotal		Browse
C:\Users\user\zT6Nm@i4\K_FPS64.dll	10%	ReversingLabs	Win64.Trojan.Wacatac
C:\Users\user\zT6Nm@i4\PMRunner64.exe	0%	Virustotal		Browse
C:\Users\user\zT6Nm@i4\PMRunner64.exe	0%	Metadefender		Browse
C:\Users\user\zT6Nm@i4\PMRunner64.exe	0%	ReversingLabs
C:\Users\user\zT6Nm@i4\zr.exe	0%	Virustotal		Browse
C:\Users\user\zT6Nm@i4\zr.exe	0%	Metadefender		Browse
C:\Users\user\zT6Nm@i4\zr.exe	0%	ReversingLabs

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.nsecsoft.com	0%	Virustotal		Browse
http://www.nsecsoft.com	0%	Avira URL Cloud	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://110.92.66.246:13527/\	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.thawte.com/ThawtePremiumServerCA.crl0	#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr	false		high
https://www.thawte.com/cps0/	#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr	false		high
http://crl.thawte.com/ThawtePCA.crl0	#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr	false		high
http://www.symauth.com/cps0(	#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr	false		high
http://www.symauth.com/rpa00	#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr	false		high
https://www.thawte.com/cps0	#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr	false		high
http://www.nsecsoft.com	#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.thawte.com/repository0W	#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr	false		high
http://ocsp.thawte.com0	#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
40.126.31.135	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
204.79.197.200	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
110.92.66.246	unknown	Hong Kong	133115	HKKFGL-AS-APHKKwaifongGroupLimitedHK	true

Private

IP
192.168.2.1
192.168.2.4

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	343504
Start date:	24.01.2021
Start time:	10:22:33
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.bat (renamed file extension from bat to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal72.troj.expl.evad.winEXE@13/17@0/5
EGA Information:	Successful, ratio: 66.7%
HDC Information:	Successful, ratio: 12.2% (good quality ratio 9.2%) Quality average: 39.6% Quality standard deviation: 29.1%
HCA Information:	Successful, ratio: 59% Number of executed functions: 58 Number of non-executed functions: 310
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 40.88.32.150, 104.43.139.144, 51.104.139.180, 92.122.213.194, 92.122.213.247, 8.248.141.254, 8.253.204.249, 8.241.121.126, 67.27.157.254, 8.248.113.254 Excluded domains from analysis (whitelisted): skypedataprdcoleus15.cloudapp.net, arc.msn.com.nsatc.net, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, auto.au.download.windowsupdate.com.c.footprint.net, a1449.dscg2.akamai.net, arc.msn.com, au-bg-shim.trafficmanager.net Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:23:40	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\user\zT6Nm@i4\PMRunner64.exe
10:23:48	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\user\zT6Nm@i4\PMRunner64.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
204.79.197.200	6.html	Get hash	malicious	Browse	www.bing.com/favicon.ico
204.79.197.200	6.html	Get hash	malicious	Browse	www.bing.com/favicon.ico

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
HKKFGL-AS-APHKKwaifongGroupLimitedHK	insz.exe	Get hash	malicious	Browse	88.218.145.49
	DOCUMENTO_MEDICO.doc	Get hash	malicious	Browse	154.221.28.167
	NI3651011817UL.doc	Get hash	malicious	Browse	103.210.237.241
	BAL_46979369.doc	Get hash	malicious	Browse	103.210.237.241
	427424855528075826480424.doc	Get hash	malicious	Browse	103.210.237.241
	FILE_81380052.doc	Get hash	malicious	Browse	103.210.237.241
	FILE_PO_09152020EX.doc	Get hash	malicious	Browse	103.210.237.241
	DOC_PO_09152020EX.doc	Get hash	malicious	Browse	103.210.237.241
	KH3117818420XX.doc	Get hash	malicious	Browse	103.210.237.241
	XCP_87353228.doc	Get hash	malicious	Browse	103.210.237.241
	BAL_PO_09152020EX.doc	Get hash	malicious	Browse	103.210.237.241
	IO3812758081JW.doc	Get hash	malicious	Browse	103.210.237.241
	BAL_53345761.doc	Get hash	malicious	Browse	103.210.237.241
	FILE_PO_09152020EX.doc	Get hash	malicious	Browse	103.210.237.241
	FILE_YZGLOSASM.doc	Get hash	malicious	Browse	103.210.237.241
	BAL_3105782760272.doc	Get hash	malicious	Browse	103.210.237.241
	VCG4PMFIB0AR.doc	Get hash	malicious	Browse	103.210.237.241
	4502009880852.doc	Get hash	malicious	Browse	103.210.237.241
	INV_PO_09152020EX.doc	Get hash	malicious	Browse	103.210.237.241
	W_RS5947693334AJ.doc	Get hash	malicious	Browse	103.210.237.241
MICROSOFT-CORP-MSN-AS-BLOCKUS	Shipping Document PL&BL Draft.exe	Get hash	malicious	Browse	52.165.230.236
	397282_BHJ.LNK	Get hash	malicious	Browse	157.55.165.21
	075782_NGD.LNK	Get hash	malicious	Browse	157.55.165.21
	118.apk	Get hash	malicious	Browse	52.177.138.113
	oHqMFmPndx.exe	Get hash	malicious	Browse	52.110.67.58
	ID652411022142.vbs	Get hash	malicious	Browse	104.41.44.79
	FileZilla_3.52.2_win64_sponsored-setup.exe	Get hash	malicious	Browse	104.208.16.0
	mfpVTSmyz-Fichero.msi	Get hash	malicious	Browse	40.112.173.153
	Proforma Invoice.exe	Get hash	malicious	Browse	52.97.170.34
	ID196619484.vbs	Get hash	malicious	Browse	104.41.44.79
	#Ud83d#Udcde stephane.viard@colt.net @ 1200 PM 1200 PM.pff.HTM	Get hash	malicious	Browse	104.41.163.16
	57229937-122020-4-7676523.doc	Get hash	malicious	Browse	52.165.155.237
	20202237F.html	Get hash	malicious	Browse	52.239.172.132
	demo.js	Get hash	malicious	Browse	191.233.233.157
	demo.js	Get hash	malicious	Browse	191.233.233.157
	E-DEKONT.exe	Get hash	malicious	Browse	52.97.144.178
	PO-RY 001-21 Accuri.jar	Get hash	malicious	Browse	23.98.35.163
	ID32256523109.vbs	Get hash	malicious	Browse	104.41.44.79
	SHIPPING DOCUMENTS.exe	Get hash	malicious	Browse	20.190.63.69
	DHL Notification -AWB DHL-2021011293002.exe	Get hash	malicious	Browse	52.97.201.82
MICROSOFT-CORP-MSN-AS-BLOCKUS	Shipping Document PL&BL Draft.exe	Get hash	malicious	Browse	52.165.230.236
	397282_BHJ.LNK	Get hash	malicious	Browse	157.55.165.21
	075782_NGD.LNK	Get hash	malicious	Browse	157.55.165.21
	118.apk	Get hash	malicious	Browse	52.177.138.113
	oHqMFmPndx.exe	Get hash	malicious	Browse	52.110.67.58
	ID652411022142.vbs	Get hash	malicious	Browse	104.41.44.79
	FileZilla_3.52.2_win64_sponsored-setup.exe	Get hash	malicious	Browse	104.208.16.0
	mfpVTSmyz-Fichero.msi	Get hash	malicious	Browse	40.112.173.153
	Proforma Invoice.exe	Get hash	malicious	Browse	52.97.170.34
	ID196619484.vbs	Get hash	malicious	Browse	104.41.44.79
	#Ud83d#Udcde stephane.viard@colt.net @ 1200 PM 1200 PM.pff.HTM	Get hash	malicious	Browse	104.41.163.16
	57229937-122020-4-7676523.doc	Get hash	malicious	Browse	52.165.155.237
	20202237F.html	Get hash	malicious	Browse	52.239.172.132
	demo.js	Get hash	malicious	Browse	191.233.233.157
	demo.js	Get hash	malicious	Browse	191.233.233.157
	E-DEKONT.exe	Get hash	malicious	Browse	52.97.144.178
	PO-RY 001-21 Accuri.jar	Get hash	malicious	Browse	23.98.35.163
	ID32256523109.vbs	Get hash	malicious	Browse	104.41.44.79
	SHIPPING DOCUMENTS.exe	Get hash	malicious	Browse	20.190.63.69
	DHL Notification -AWB DHL-2021011293002.exe	Get hash	malicious	Browse	52.97.201.82

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\111.7z Download File
Process:	C:\Windows\System32\cmd.exe
File Type:	7-zip archive data, version 0.4
Category:	dropped
Size (bytes):	871
Entropy (8bit):	7.6751333998200835
Encrypted:	false
SSDEEP:	24:CIOegEZhc5iZzVT78nOwNDSxEqrohfoi4:CLegEZnf8nhmtURoT
MD5:	23AEFC140636655BE400C41403524704
SHA1:	BD581B29370FD93ABF63BD2C02998A0EF2DFD2A4
SHA-256:	D37575E0B66A925ACB5432CC7B706DA8985635B80B3D60C6C90F748D1F743505
SHA-512:	2517137ABEE797FCA5E597A3826B7C02B1CB1EC045DAE4C1B493C8EE2070D6473DA9E7C584F8302D598DF11C687EE11BF2DDE9E33616243C6F94986CBD0A7AA0
Malicious:	false
Reputation:	low
Preview:	7z..'....A`.$.......#.........8.....l].&.0.!?...o..1b..V..pS.G.U.>............Gg..1>....;....>\|.P..D.H.ta......0ur4..F6..f.d.2..Vzr.....#.%..a...?.6.j8KM..$...Uh..{.{._.21.!....ui8..Y..M...K.L+.6zE0.....S=..c......4.H...E}..z. D......k...P:3...c9.......7."....V........>..l......R.a.i.Pk.....?.2.c...,.L.. .VC...ui...y^..[.$..%.ea........B...l-.....w.Ao.0.`.....Z>.......,\>.x...l..d......B.v.#P....a.8V.9`lw.f..J"r.._."9j...r".C.......?.L@..=.....9%...-..4...".[.....I...-...').(Dj.....`0L.Jq.;yZ.!w.i./..\2.e.....iCg...P....xr..9^........"..Q...V.V......... 0..M...q.).?uB...H.D..{Q.......[.4C..5....(:.{!\.u}5......{..'-..X=T.....3....Ed^.$...p..@.p.u/..........#.,..o.(iAk.HY-.}1./vF...].%...W.z@.@l.......gS........{....E.i.n..q.]Y....H.=<.R.[..V%.!K-}.....v...y.M&..^....T..@....s...AZP.....t..........#....]......r......

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Realtek???????? .lnk Download File
Process:	C:\ProgramData\Microsoft\zr.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Thu Jan 14 15:39:10 2021, mtime=Thu Jan 14 15:39:10 2021, atime=Thu Jan 14 15:39:10 2021, length=271704, window=hide
Category:	dropped
Size (bytes):	1791
Entropy (8bit):	3.466273590595946
Encrypted:	false
SSDEEP:	24:8Z3AX3ighdUAfmqpdoe7KODlWJdo7aB6m:8Z3AnisOqjl2k0B6
MD5:	5FF572CBE6B366349A9D3389D4A60CAC
SHA1:	497C442D14F4A09D00C3294784ECA1DC43A6F4A2
SHA-256:	16731A0D7B072BE60F580E93797D2E91F2DE970CF45C31EE7B9BAE52D4824B6E
SHA-512:	6DF6B097BFF0B76EC465A886ABE72EBC7DB3C850E4FA7D8CE1D60A36F57E04E3063507D3F23F059AA7024E7E7162F8F298610AA1702E16217730B1EF79D176B8
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ....K......K......K.....X%......................,.:..DG..Yr?.D..U..k0.&...&...........-....k.2...X,~.2.......t...CFSF..1.....8R.J7.zT6Nm@i4....t.Y^...H.g.3..(.....gVA.G..k...B......8R.J8R.J....3X.......................z.T.6.N.m.@.i.4...D.j.2.X%...R. .PMRUNN~1.EXE..N.......R..R......W........................P.M.R.u.n.n.e.r.6.4...e.x.e.......U...............-.......T..............w.....C:\Users\user\zT6Nm@i4\PMRunner64.exe........\.....\.....\.....\.....\.P.M.R.u.n.n.e.r.6.4...e.x.e...C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.z.T.6.N.m.@.i.4.&.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.z.T.6.N.m.@.i.4.\.P.M.R.u.n.n.e.r.6.4...e.x.e.........%USERPROFILE%\zT6Nm@i4\PMRunner64.exe...............................................................................................................................................................................................................................%.U.S.E.R.P.R.O.F.I.L.E.%.\.z.T.6.N.m.@.i.4.\.P.M.R.u.n.n.e.r.6.4...e.x.e..........

C:\ProgramData\Microsoft\zr.exe Download File
Process:	C:\Windows\System32\cmd.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	461088
Entropy (8bit):	6.581027593342649
Encrypted:	false
SSDEEP:	12288:tUBwDn0mdLrMkNpj6hTEXRrn9VsArg1xi:tUu7t3GTEhrn9VsA+i
MD5:	045FCBE6C174AFA9A6A998BDD6F9FAD7
SHA1:	9F477006DC176608E953EF44902FCE17DDF8FCA3
SHA-256:	08E510EF41795B4192650452D8E5482DBF71CEFAF9D67CFE02F60253D6023F96
SHA-512:	59CE53DDA80567A3B3E19FA2FBE404B655CB4203170B1295B1E6C33B9EBD0B6D2526FB568255610E64FA5C29A6F5C464766CDD746E207FFD2D48DA36811D717B
Malicious:	false
Antivirus:	Antivirus: Virustotal, Detection: 0%, Browse Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........................G..............J.......L..G............\|.....H........Rich..........................PE..L......W........../..........X....................@..................................W..........................................x.......(............... ............................................................................................text...u........................... ..`.rdata..............................@..@.data...\k..........................@....sxdata......p......................@....rsrc...(...........................@..@........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Plugin32.dll Download File
Process:	C:\Users\user\zT6Nm@i4\PMRunner64.exe
File Type:	data
Category:	dropped
Size (bytes):	191488
Entropy (8bit):	7.99619087524627
Encrypted:	true
SSDEEP:	3072:SGtyjkUNHHoDhFMFI0rciHPgZwkndg0WU15pI9SmDCPAuE1L3kaF/F1Dmq:S0yjkKHHAh9t4EbHI9SmDiAQWd1Dmq
MD5:	F6773A1C5D1566F4BEBDBF81BDDDC57D
SHA1:	38CC9D3391DE6AE3773076E23B528F9534E40471
SHA-256:	5B672EE64618CCCBC94011E1BA713E5B6EFA574A8CCA18CC3653C499B2AF2202
SHA-512:	63E4BE550A66783ADFA6D064BA4912A6440986D3AF396F608F3C7B0B9F830DB8BB718216824689E1CA23D636AE67838ADB49DC0DA3263C9D64D823FB15CC964C
Malicious:	false
Reputation:	low
Preview:	U...u].Z....u.....D<(.8x.S....L..N...+^...^.r.!.........!.\|u.N).Fa...L.;..{b..F.t.<.#.2=.}.r\|.!l....KnR.F..4{Ih..5..\......L...Fm...4F)J..%(q..<...zE8..8...A..#.b...&...\..Y.+^.,.......0..oi..`.g.kD.48.G....L.QNor..+2.&"..r.!.Q...".V....l7.@.)8!..h.C8.....:&=.@.1.I..~....bg.r..Z....vK..h.D\8..8....sBM..^..5+^...~.r.!...u... .\|.\|..@V)8.%..+.8......-..B{1.)..j..=.B..._.Z.....v...(.D.(.p8......L@.N/..+^.....rN!............\|..@.)8.%.(+.8.t..s:&}.@.1....>....b%.r..Z.U<`.v.....D.8..8.g..7.L..N...+^r...rNv&)9.5..}..<..Q.@.+8A).+d8.....:&.B@;....L.....r..r..Z....^i....D\|(.08...4.....N..U+^....r.!............\|..@v)8.%..+.8.4..3:&=.@.1.......].b..r..Z.....v...H.D.(..8.'....L`.NO..+^2....rn!.1.....=....\|..@.)8.%.H+$8.....:&..@.1.9..^....bE.r..Zs..p.v+....D<(..8....S.L..N...+^...^.r.!...U.....\.\|u.@6)8a%.+.8.....:&..@[1.......b..rN.Z.....v.....D.(.P8......L .N..u+^....r.!............\|..@.)8.%..+.8.T..S:&].@.1.......}.b..r..Z3..0.v...h.D.(..8.GN"*8L.\.N.N.3

C:\Users\user\zT6Nm@i4\111.7z Download File
Process:	C:\Users\user\zT6Nm@i4\zr.exe
File Type:	7-zip archive data, version 0.4
Category:	dropped
Size (bytes):	895
Entropy (8bit):	7.58674925006426
Encrypted:	false
SSDEEP:	24:7OegEZhc5iZzVT78nOwNDSxEqrohfoiQ3T:KegEZnf8nhmtURo/3T
MD5:	8B8E701F0984126214856AEA7B49A3E1
SHA1:	BC4995ABD24C3451D3AF427F7CE03FA484055157
SHA-256:	D4714CBC4612E14FA5D62B26274411A435396094EFECAAC6D82325FA2400FD04
SHA-512:	7049B6C1ED94B5F10138C3971598A7C98D2E25F340A3C914F4E0D27074AF70A51FF53A7652CE4373140054B0E16A484D1083483CFEB105F6DF5D313C3FAF35E5
Malicious:	false
Reputation:	low
Preview:	7z..'...............................l].&.0.!?...o..1b..V..pS.G.U.>............Gg..1>....;....>\|.P..D.H.ta......0ur4..F6..f.d.2..Vzr.....#.%..a...?.6.j8KM..$...Uh..{.{._.21.!....ui8..Y..M...K.L+.6zE0.....S=..c......4.H...E}..z. D......k...P:3...c9.......7."....V........>..l......R.a.i.Pk.....?.2.c...,.L.. .VC...ui...y^..[.$..%.ea........B...l-.....w.Ao.0.`.....Z>.......,\>.x...l..d......B.v.#P....a.8V.9`lw.f..J"r.._."9j...r".C.......?.L@..=.....9%...-..4...".[.....I...-...').(Dj.....`0L.Jq.;yZ.!w.i./..\2.e.....iCg...P....xr..9^........"..Q...V.V......... 0..M...q.).?uB...H.D..{Q.......[.4C..5....(:.{!\.u}5......{..'-..X=T.....3....Ed^.$...p..@.p.u/..........#.,..o.(iAk.HY-.}1./vF...].%...W.z@.@l.......gS........{....E.i.n..q.]Y....H.=<.R.[..V%.!K-}.....v...y.M&..^....T..@....s...AZP.....t..........#....]......r.......A`.$.......#.........8.

C:\Users\user\zT6Nm@i4\KK.txt Download File
Process:	C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
File Type:	data
Category:	dropped
Size (bytes):	224323
Entropy (8bit):	7.996498851977439
Encrypted:	true
SSDEEP:	6144:5SDdKtn3KwKa9xg8LIzF9yWeSBvd+tResBuYU:4Dde3xKhOIzOGBF
MD5:	7B30F5D321E85813F5E5835F92FFA0FC
SHA1:	369474EA5BFFA01DAC8C663EDE08D7D0D8967054
SHA-256:	445E5B49DA01A0D99AFD84EF3D9C5238E02D5E4FBC546D43C619005A622C9917
SHA-512:	8797E96456F2C822DA7B79486784BA49ED7A4CC85FF74F76D097339EA8C2FDC945E1EB51BEF28F7E1358EA38BD6BBB8D1C35D63A54F5000A1D75C5E90DDAB0FD
Malicious:	false
Reputation:	low
Preview:	rc(.%c.Q.q....<cfW.&.-...SP#....\|O.%'q5.XrVN\....@J..)F.YZ.....%...,...y.s.x.....C...L.y.'....V.Ck....I.4'L.b....e'.Q..QS...w.xgF...L.Q......../.....'v6=.yj..t.h.n.i.a%g..:#.\.Q.lN...r.ht....y..I..k.ATu/.._..j._B...?%....-..N\|.G....\|1.V..&..^..8.L..E.y.PQ.....j\|fhfm 2....e..k..\. ...Q.......'}u....<.AW".I.a6..Dv.....G.j#..f...^..6.)...ky..yI.X..vv.....v..........$..4...I..........S..Zoz..n).....%....\...TFg...`~.@V.....E.Q....L.._.PnR4OI...^ .Av.y.d.....2.t2...-.D....Y.2.T!.Pl6...@;...[..q.o..'./.3..[k.E :....i.+%....c.@.o......eL....1.cig....?rP.O.C'....Ak...7..R....EG......Q.ey.._.k.r./..TOCe.y......q..<.I:9#+5...^..&.A..........U`v.w..t...A7m.Jg..m..".mz.......#....gW.^...q.z..HbX.......2..iH.!...#H.9..>W....S..&e..k..h<2..c.........b._..0.D1.Bno.q.$bP....o8[.Lq.bCG.E3g.W2.^.{.."n.........N4..(.....=E..R..O....\|......._L...IX.._.%.....x...`;...]Nm...Q.s7..i..QW.B...h.u.3.~..).#."&..(X.....l0.............X......z...b'..34.

C:\Users\user\zT6Nm@i4\K_FPS64.dll Download File
Process:	C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	302592
Entropy (8bit):	5.94262128533878
Encrypted:	false
SSDEEP:	6144:YDVMbwz0W4gWqPcjwhum9o34Ec2x1tRuf+X4zNEP:YDGO0WTWq4wYb34Ec2vupEP
MD5:	B8477E4DF0F24A96BBAFD2F13C31A4A2
SHA1:	E4548C10552B1906BBE4A7EED90E97D24C958CF5
SHA-256:	5EFD269CA1CD474F68ECE50E6AC3F88F1831ACA273DE9789C17DD8A46AEA8D71
SHA-512:	6FE6FF9E3BD95CE0583AA2BBB06B8AB123363D94AFEEAB3CCE377B1FB5EABB0BA58F1107E822C39FF2D186E788783262EFFAB8270519A2A118C055013BEEC6B3
Malicious:	true
Antivirus:	Antivirus: Virustotal, Detection: 6%, Browse Antivirus: ReversingLabs, Detection: 10%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......sl..7.@.7.@.7.@.B..6.@...-.0.@...;.,.@.7.A...@.>u...@.>u..=.@.>u..H.@.>u..+.@.>u..6.@.)_..6.@.>u..6.@.Rich7.@.................PE..d......`.........." ................4........................................@......=.....@.........................................@...................x....@..............................................h$..(....................................................text...h........................... ..`.rdata..G...........................@..@.data..............................@....pdata.......@...0..................@..@.tls.........p......................@....rsrc...x...........................@..@.reloc...(.......*...t..............@..B........................................................................................................................................................................................................

C:\Users\user\zT6Nm@i4\PMRunner64.exe Download File
Process:	C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	271704
Entropy (8bit):	5.761811520401724
Encrypted:	false
SSDEEP:	3072:wWHyRIh1NDBeEOqDhPbsuB35WlP+7l1MYMb3URvwgwWwBHNFs:nrrNDBeJwhbh3mU9wgw
MD5:	65DBB57517611D9DE8CE522022DCD727
SHA1:	B33E6DB5C460E5E38DD636C4D48E9D4523E2838F
SHA-256:	0525B815E61D3CD83FD4C87032DE7C1DCBA5E8D2619539F925E43624EB6E1D77
SHA-512:	D8D34BC3642255DFF395CB47A0EA58CC07D911B3535A0A6D972CC4E501F6CCAB200A7D636FCDEE77DC6E7AD6B735918BCDF48EA6F0EA0E26804C31F2D175490D
Malicious:	true
Antivirus:	Antivirus: Virustotal, Detection: 0%, Browse Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........$..eJ.eJ.eJ.....eJ.....+eJ.....eJ.;I.eJ.;O.eJ.;N.eJ.d...eJ.eK.>eJ..;C.eJ..;J.eJ.+;..eJ.e..eJ..;H.eJ.Rich.eJ.........................PE..d....S.^.........."......`..........l0.........@.............................`............`................................................. ...P....... ....`..........X#...P.. ...`...p............................................p..x............................text....^.......`.................. ..`.rdata.......p.......d..............@..@.data....*...0......................@....pdata.......`.......&..............@..@.gfids...............<..............@..@.rsrc... ............>..............@..@.reloc.. ....P......................@..B................................................................................................................................................................................

C:\Users\user\zT6Nm@i4\TXP\Windows\Start Menu\Programs\Startup\Realtek???????? .lnk Download File
Process:	C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Thu Jan 14 15:39:10 2021, mtime=Thu Jan 14 15:39:10 2021, atime=Thu Jan 14 15:39:10 2021, length=271704, window=hide
Category:	dropped
Size (bytes):	1791
Entropy (8bit):	3.466273590595946
Encrypted:	false
SSDEEP:	24:8Z3AX3ighdUAfmqpdoe7KODlWJdo7aB6m:8Z3AnisOqjl2k0B6
MD5:	5FF572CBE6B366349A9D3389D4A60CAC
SHA1:	497C442D14F4A09D00C3294784ECA1DC43A6F4A2
SHA-256:	16731A0D7B072BE60F580E93797D2E91F2DE970CF45C31EE7B9BAE52D4824B6E
SHA-512:	6DF6B097BFF0B76EC465A886ABE72EBC7DB3C850E4FA7D8CE1D60A36F57E04E3063507D3F23F059AA7024E7E7162F8F298610AA1702E16217730B1EF79D176B8
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ....K......K......K.....X%......................,.:..DG..Yr?.D..U..k0.&...&...........-....k.2...X,~.2.......t...CFSF..1.....8R.J7.zT6Nm@i4....t.Y^...H.g.3..(.....gVA.G..k...B......8R.J8R.J....3X.......................z.T.6.N.m.@.i.4...D.j.2.X%...R. .PMRUNN~1.EXE..N.......R..R......W........................P.M.R.u.n.n.e.r.6.4...e.x.e.......U...............-.......T..............w.....C:\Users\user\zT6Nm@i4\PMRunner64.exe........\.....\.....\.....\.....\.P.M.R.u.n.n.e.r.6.4...e.x.e...C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.z.T.6.N.m.@.i.4.&.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.z.T.6.N.m.@.i.4.\.P.M.R.u.n.n.e.r.6.4...e.x.e.........%USERPROFILE%\zT6Nm@i4\PMRunner64.exe...............................................................................................................................................................................................................................%.U.S.E.R.P.R.O.F.I.L.E.%.\.z.T.6.N.m.@.i.4.\.P.M.R.u.n.n.e.r.6.4...e.x.e..........

C:\Users\user\zT6Nm@i4\copy.bat Download File
Process:	C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
File Type:	ASCII text, with CR, LF line terminators
Category:	dropped
Size (bytes):	148
Entropy (8bit):	4.859584238440697
Encrypted:	false
SSDEEP:	3:55Pt+ZIgUAdkdZkRErG+ffbNQdi25Pt+ZIrUhFmRdZkRErG+fUNhn:PwZIPAra3ZQdi2wZIroakn
MD5:	7EE919ABFE2EBEFCDD420D0E0784F1C9
SHA1:	760A5A935E7453C7C3D0CFE786975F97931382BB
SHA-256:	21C285FD608237D8B329AD8266FDCC0E9C671BAEB956E9544CAEC712944EF8A9
SHA-512:	0327C9A5500BEF65DFF1501553F0471B7CF2584CAA56CBF15673AC4AF10E748C08E15C5878F0C792907F2F777C6393925A22AB36BDBB70C29963FEC9A07AFFF5
Malicious:	false
Reputation:	low
Preview:	copy "C:\Users\user\zT6Nm@i4\zr.exe" "C:\ProgramData\Microsoft\zr.exe"..copy "C:\Users\user\zT6Nm@i4\111.7z" "C:\ProgramData\Microsoft\111.7z"..

C:\Users\user\zT6Nm@i4\ru2.url Download File
Process:	C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<file:///C:\Users\user\zT6Nm@i4\run001.lnk>), ASCII text, with CR line terminators
Category:	dropped
Size (bytes):	65
Entropy (8bit):	4.934228490671524
Encrypted:	false
SSDEEP:	3:HRAbABGQVuOt+ZIo7g:HRYF5OwZIig
MD5:	004A6C48B0C8EE5A854123B30016589A
SHA1:	E491D660E83A6DC76EDFB00A8750B98E6F66C665
SHA-256:	2CF3CC8BCD1655AE232418CCFEBBF8D0AA5EFB062F95DF320C27B5C3A69E9A7C
SHA-512:	02CD3B044426D6CE89CECBFD16D294882AF867C33F53E6AE71104A4D4E2D57C9A551E659616B7D331CD8714E55DED39538796AD4A1F076483E619CF49E864E7E
Malicious:	false
Yara Hits:	Rule: Methodology_Suspicious_Shortcut_Local_URL, Description: Detects local script usage for .URL persistence, Source: C:\Users\user\zT6Nm@i4\ru2.url, Author: @itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson)
Reputation:	low
Preview:	[InternetShortcut].URL=file:///C:\Users\user\zT6Nm@i4\run001.lnk

C:\Users\user\zT6Nm@i4\run.lnk Download File
Process:	C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Wed Apr 11 22:34:14 2018, mtime=Wed Sep 30 06:35:53 2020, atime=Wed Apr 11 22:34:14 2018, length=273920, window=hide
Category:	dropped
Size (bytes):	1845
Entropy (8bit):	3.204025472281673
Encrypted:	false
SSDEEP:	24:8PHjJW6PV7Mmc7S6MAdx+/5+fUt+/g4I0Z57aB6m:8PMYdCXLiu8sIrB6
MD5:	BE3AF8B163611E11E35121A9C0DE546F
SHA1:	DFEEE23EAE5794D9C6D7B54A00CB0E42800AFAA3
SHA-256:	271541E40261A329ED49F004A2ABAAA533009C1E94B9F7CA3CED62756E59912B
SHA-512:	495C1D2427C943DFBC3739CFC3E104934449E629B39FEF81074F21151345DBA06A96DFE766B03F8CF74CDE5EB8D52CB8F00FA969186E8CECDFCF3B37346739EF
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...].......J..S....]...............................5....P.O. .:i.....+00.../C:\...................V.1.....>Qz<..Windows.@......L..8R.J..............................W.i.n.d.o.w.s.....Z.1.....8R.J..System32..B......L..8R.J..........................e...S.y.s.t.e.m.3.2.....V.2......LH. .cmd.exe.@......LH.>Qx<...............t...........&.c.m.d...e.x.e.......J...............-.......I..............w.....C:\Windows\System32\cmd.exe..!.....\.....\.....\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.c.m.d...e.x.e...C.:.\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.&. ./.c. .C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.z.T.6.N.m.@.i.4.\.r.u.n.0.0.1...l.n.k...C.:.\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.c.m.d...e.x.e.........%SystemRoot%\System32\cmd.exe.......................................................................................................................................................................................................................................%.S.y.s.t.e.m.R.o.o.t.%.\.S.y

C:\Users\user\zT6Nm@i4\run001.lnk Download File
Process:	C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
Category:	dropped
Size (bytes):	1457
Entropy (8bit):	1.9452446037061828
Encrypted:	false
SSDEEP:	12:8zM0i/kdvrHjHbQbfnbB5baP0yZ3ZrwPH:8AIzD7kzzk0yZ3Zk
MD5:	95A5332A3DE1AE6E16F7E139EE968E9B
SHA1:	9E7DD05E15FCAC8C1B8E91978B7EFEB923CD6A88
SHA-256:	5D0904F70763CA9D1118EFD2171BA4A0CF0D7C10B8D121836F95CE16A3E03C5A
SHA-512:	53A9CA5C5754D742BD568953B8B4A5AB58BDEA9C9CFC7E49C921484883BCF93CA9E5B6758FDFF72FF98BD0C5D1B70B97B264C89912880A7BB179CE26E8A768B0
Malicious:	false
Reputation:	low
Preview:	L..................F.@......................................................A....P.O. .:i.....+00.../C:\...................b.1...........ProgramData.H............................................P.r.o.g.r.a.m.D.a.t.a.....\.1...........Microsoft.D............................................M.i.c.r.o.s.o.f.t.....T.2...........zr.exe..>............................................z.r...e.x.e.......%.....\.....\.....\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.z.r...e.x.e...C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.%. .x. .C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.1.1.1...7.z. .-.y...C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.z.r...e.x.e.........%ALLUSERSPROFILE%\Microsoft\zr.exe..................................................................................................................................................................................................................................%.A.L.L.U.S.E.R.S.P.R.O.F.I.L.E.%.\.M.i.c.r.o.s.o.f.t.\.z.r...e.x.e

C:\Users\user\zT6Nm@i4\run003.lnk Download File
Process:	C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Sun Apr 30 07:53:46 2017, mtime=Sun Apr 30 07:53:46 2017, atime=Sun Apr 30 07:53:46 2017, length=461088, window=hide
Category:	dropped
Size (bytes):	1837
Entropy (8bit):	3.401424786774406
Encrypted:	false
SSDEEP:	24:8hJ3AX3igX1AnxQfouopHO8jAIM7aB6m:8/3AniRyfouopHdB6
MD5:	4AC952055902E20C748E96234BF2F56C
SHA1:	9B0BADF7DE8286543D6D5C45CD19E834E76E671F
SHA-256:	0D7B6A444BFA014BEE1DC4769FB66663BB1F0FC0B3327EC41AB9F5342BF571EF
SHA-512:	80639E1E8B2C4DD3BEC66CBEF87B7E1293D9CCE7E8B34C71B9011400E536CBA39801155CAC3C691B096F2B2B55254CF53FB402B7D843E429196C8B5484DD83DA
Malicious:	false
Preview:	L..................F.@.. ......i.......i.......i.... .........................:..DG..Yr?.D..U..k0.&...&...........-....k.2...X,~.2.......t...CFSF..1.....8R.J7.zT6Nm@i4....t.Y^...H.g.3..(.....gVA.G..k...B......8R.J8R.J....3X........................z.T.6.N.m.@.i.4...D.T.2. ....J.F .zr.exe..>......J.F.J.F....:X........................z.r...e.x.e.......M...............-.......L..............w.....C:\Users\user\zT6Nm@i4\zr.exe......\.z.r...e.x.e...C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.z.T.6.N.m.@.i.4.B.a. .".C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.z.T.6.N.m.@.i.4.\.1.1.1...7.z.". .".C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.z.T.6.N.m.@.i.4.\.T.X.P.\.*."...C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.z.T.6.N.m.@.i.4.\.z.r...e.x.e.........%USERPROFILE%\zT6Nm@i4\zr.exe.......................................................................................................................................................................................................................................%.U.S.E.R.P.R.O.F.I.L.E.%.\.z.T.6.N.m

C:\Users\user\zT6Nm@i4\zr.exe Download File
Process:	C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	461088
Entropy (8bit):	6.581027593342649
Encrypted:	false
SSDEEP:	12288:tUBwDn0mdLrMkNpj6hTEXRrn9VsArg1xi:tUu7t3GTEhrn9VsA+i
MD5:	045FCBE6C174AFA9A6A998BDD6F9FAD7
SHA1:	9F477006DC176608E953EF44902FCE17DDF8FCA3
SHA-256:	08E510EF41795B4192650452D8E5482DBF71CEFAF9D67CFE02F60253D6023F96
SHA-512:	59CE53DDA80567A3B3E19FA2FBE404B655CB4203170B1295B1E6C33B9EBD0B6D2526FB568255610E64FA5C29A6F5C464766CDD746E207FFD2D48DA36811D717B
Malicious:	false
Antivirus:	Antivirus: Virustotal, Detection: 0%, Browse Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........................G..............J.......L..G............\|.....H........Rich..........................PE..L......W........../..........X....................@..................................W..........................................x.......(............... ............................................................................................text...u........................... ..`.rdata..............................@..@.data...\k..........................@....sxdata......p......................@....rsrc...(...........................@..@........................................................................................................................................................................................................................................................................................

\Device\ConDrv Download File
Process:	C:\ProgramData\Microsoft\zr.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	484
Entropy (8bit):	4.98831110003937
Encrypted:	false
SSDEEP:	12:pltQzsBRwgaQH7pyTkaHo8ajFsQcE5+svhJAISLGN2Gy:pYzsDwXQboTjUZH+svhJAI9wv
MD5:	70C66FCD7F376B7EC9AD79053CA63030
SHA1:	E3AE64762463879E0B8C91713A291B540131E423
SHA-256:	3FD565B1794F89DB8FFA179D9EBF283A0AC7B37BD9E8AD8DE94BB1443B0416BA
SHA-512:	0B07E9206A5B8D60D93AE7AE826605FFBC2DE13B072DB3EEF2A74E0E05485B8ADDA1E5D6231CC9965FD34093739603566841098631FBD89B8F7CC8889A2FBDA0
Malicious:	false
Preview:	..7-Zip (r) [32] 16.04 : Igor Pavlov : Public domain : 2016-10-04....Scanning the drive for archives:.. 0M Scan C:\ProgramData\Microsoft\. .1 file, 871 bytes (1 KiB)....Extracting archive: C:\ProgramData\Microsoft\111.7z..--..Path = C:\ProgramData\Microsoft\111.7z..Type = 7z..Physical Size = 871..Headers Size = 243..Method = LZMA2:12..Solid = -..Blocks = 1.... 0%. .Everything is Ok....Folders: 4..Files: 1..Size: 1791..Compressed: 871..

Static File Info

General
File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.805779435598225
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
File size:	3150336
MD5:	6665909a2652c5860fd874cb15c3991c
SHA1:	84a5a2e920e8165634e510766eaa51662401a227
SHA256:	1ef7ae3509e71c3cd0904a7396831e6bd2c021f14dc5d4b2485a38ebefc3dd3d
SHA512:	c7ca90037a3e67b443fe6b8f8a8df510eb2794d53a80a416b7234de123703cf5b590f3314f1e0acf749156ce40cc176182d521679c83afceb18b60d39e07c6a5
SSDEEP:	49152:jwBFRHHY3rC5IgDAI9q8xCFEXlZ40nqSvLcUhGcwKEAX/ivWPlGbjtGysnISnvpZ:jwlHYm5IML9hGvTWlGnUysnISnBdu2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........c`7...d...d...dFL.d...d.z.d...d.z.d...d.z.d...d...d...d.t.dd..d.t.d...d.t.d...d.t.d...d.t.d...dRich...d................PE..d..

File Icon


Icon Hash:	74cac4d4d4d0c4d4

Static PE Info

General
Entrypoint:	0x1401543b0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, RELOCS_STRIPPED
DLL Characteristics:	TERMINAL_SERVER_AWARE, NX_COMPAT
Time Stamp:	0x600BDCC7 [Sat Jan 23 08:22:31 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	5894f7ecf05bebd0f6f297d29b91f916

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F7DAC8515DCh
dec eax
add esp, 28h
jmp 00007F7DAC84AA97h
int3
int3
dec eax
mov dword ptr [esp+08h], ebx
push edi
dec eax
sub esp, 20h
dec eax
lea eax, dword ptr [00076193h]
mov ebx, edx
dec eax
mov edi, ecx
dec eax
mov dword ptr [ecx], eax
call 00007F7DAC851667h
test bl, 00000001h
je 00007F7DAC84AC4Ah
dec eax
mov ecx, edi
call 00007F7DAC6F960Eh
dec eax
mov eax, edi
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
add esp, 20h
pop edi
ret
int3
int3
int3
dec eax
sub esp, 28h
dec eax
mov eax, edx
dec eax
lea edx, dword ptr [ecx+11h]
dec eax
lea ecx, dword ptr [eax+11h]
call 00007F7DAC8516B1h
test eax, eax
sete al
dec eax
add esp, 28h
ret
int3
int3
dec eax
mov dword ptr [esp+10h], ebx
dec eax
mov dword ptr [esp+18h], ebp
dec eax
mov dword ptr [esp+20h], esi
push edi
inc ecx
push esp
inc ecx
push ebp
inc ecx
push esi
inc ecx
push edi
dec eax
sub esp, 20h
dec ecx
arpl word ptr [eax+0Ch], di
dec esp
mov edi, ecx
dec ecx
mov ecx, eax
dec ecx
mov ebp, ecx
dec ebp
mov ebp, eax
dec esp
mov esi, edx
call 00007F7DAC8517ADh
dec ebp
mov edx, dword ptr [edi]
dec esp
mov dword ptr [ebp+00h], edx
inc esp
mov esp, eax
test edi, edi
je 00007F7DAC84ACCAh
dec eax
lea ecx, dword ptr [edi+edi*4]
dec eax
lea esi, dword ptr [FFFFFFECh+ecx*4]
dec ecx
arpl word ptr [ebp+10h], bx
dec ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[ASM] VS2010 build 30319
[ C ] VS2010 build 30319
[C++] VS2010 build 30319
[RES] VS2010 build 30319
[IMP] VS2008 SP1 build 30729
[LNK] VS2010 build 30319

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1ff938	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x306000	0xb0f8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x2f0000	0x13518	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x17b000	0x1350	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x179a48	0x179c00	False	0.519473729112	data	6.37063911403	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x17b000	0x886cc	0x88800	False	0.253088870765	data	4.38109791814	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x204000	0xeb290	0xdee00	False	0.944429595485	data	7.74292213666	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata	0x2f0000	0x13518	0x13600	False	0.497505040323	data	6.14754754116	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
text	0x304000	0xbbd	0xc00	False	0.466796875	data	5.50929008744	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA
data	0x305000	0x760	0x800	False	0.6806640625	data	5.89712002279	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x306000	0xb0f8	0xb200	False	0.413031074438	data	5.68750375192	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_CURSOR	0x306c10	0x134	data	Chinese	China
RT_CURSOR	0x306d44	0xb4	data	Chinese	China
RT_CURSOR	0x306df8	0x134	AmigaOS bitmap font	Chinese	China
RT_CURSOR	0x306f2c	0x134	data	Chinese	China
RT_CURSOR	0x307060	0x134	data	Chinese	China
RT_CURSOR	0x307194	0x134	data	Chinese	China
RT_CURSOR	0x3072c8	0x134	data	Chinese	China
RT_CURSOR	0x3073fc	0x134	data	Chinese	China
RT_CURSOR	0x307530	0x134	data	Chinese	China
RT_CURSOR	0x307664	0x134	data	Chinese	China
RT_CURSOR	0x307798	0x134	data	Chinese	China
RT_CURSOR	0x3078cc	0x134	data	Chinese	China
RT_CURSOR	0x307a00	0x134	AmigaOS bitmap font	Chinese	China
RT_CURSOR	0x307b34	0x134	data	Chinese	China
RT_CURSOR	0x307c68	0x134	data	Chinese	China
RT_CURSOR	0x307d9c	0x134	data	Chinese	China
RT_BITMAP	0x307ed0	0xb8	data	Chinese	China
RT_BITMAP	0x307f88	0x144	data	Chinese	China
RT_ICON	0x3080cc	0xea8	data	Chinese	China
RT_ICON	0x308f74	0x8a8	dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0	Chinese	China
RT_ICON	0x30981c	0x568	GLS_BINARY_LSB_FIRST	Chinese	China
RT_ICON	0x309d84	0x25ad	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	Chinese	China
RT_ICON	0x30c334	0x25a8	data	Chinese	China
RT_ICON	0x30e8dc	0x10a8	data	Chinese	China
RT_ICON	0x30f984	0x468	GLS_BINARY_LSB_FIRST	Chinese	China
RT_DIALOG	0x30fdec	0xde	data	Chinese	China
RT_DIALOG	0x30fecc	0x210	data	Chinese	China
RT_DIALOG	0x3100dc	0xe2	data	Chinese	China
RT_DIALOG	0x3101c0	0x34	data	Chinese	China
RT_STRING	0x3101f4	0x6a	data	Chinese	China
RT_STRING	0x310260	0x4e	data	Chinese	China
RT_STRING	0x3102b0	0x2c	data	Chinese	China
RT_STRING	0x3102dc	0x84	data	Chinese	China
RT_STRING	0x310360	0x1c4	data	Chinese	China
RT_STRING	0x310524	0x14e	data	Chinese	China
RT_STRING	0x310674	0x10e	data	Chinese	China
RT_STRING	0x310784	0x50	data	Chinese	China
RT_STRING	0x3107d4	0x44	data	Chinese	China
RT_STRING	0x310818	0x68	data	Chinese	China
RT_STRING	0x310880	0x1b2	data	Chinese	China
RT_STRING	0x310a34	0xf4	data	Chinese	China
RT_STRING	0x310b28	0x24	data	Chinese	China
RT_STRING	0x310b4c	0x1a6	data	Chinese	China
RT_GROUP_CURSOR	0x310cf4	0x22	Lotus unknown worksheet or configuration, revision 0x2	Chinese	China
RT_GROUP_CURSOR	0x310d18	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x310d2c	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x310d40	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x310d54	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x310d68	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x310d7c	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x310d90	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x310da4	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x310db8	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x310dcc	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x310de0	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x310df4	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x310e08	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x310e1c	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_ICON	0x310e30	0x68	data	Chinese	China
RT_MANIFEST	0x310e98	0x25f	ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	IsValidCodePage, GetTimeZoneInformation, LCMapStringW, GetConsoleCP, GetConsoleMode, WriteConsoleW, SetEnvironmentVariableA, RtlCaptureContext, RtlVirtualUnwind, IsDebuggerPresent, UnhandledExceptionFilter, TerminateProcess, QueryPerformanceCounter, HeapCreate, GetVersion, HeapSetInformation, FlsAlloc, FlsFree, FlsSetValue, FlsGetValue, SetHandleCount, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetStdHandle, SizeofResource, SetUnhandledExceptionFilter, GetFileType, SetStdHandle, VirtualQuery, GetSystemInfo, SetThreadStackGuarantee, HeapSize, HeapQueryInformation, RtlPcToFileHeader, GetOEMCP, CreateThread, ExitThread, HeapReAlloc, GetSystemTimeAsFileTime, DecodePointer, EncodePointer, RtlUnwindEx, RtlLookupFunctionEntry, GetStartupInfoW, GetCommandLineW, FindResourceExW, SearchPathW, Sleep, GetProfileIntW, InitializeCriticalSectionAndSpinCount, GetTickCount, GetNumberFormatW, GetWindowsDirectoryW, GetTempPathW, GetTempFileNameW, GetFileTime, GetFileSizeEx, GetFileAttributesW, FileTimeToLocalFileTime, GetFileAttributesExW, SetErrorMode, FileTimeToSystemTime, GlobalGetAtomNameW, lstrlenA, GetFullPathNameW, GetACP, GetCPInfo, RaiseException, GetStringTypeW, GetVolumeInformationW, FindFirstFileW, FindClose, GetCurrentProcess, DuplicateHandle, GetFileSize, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, SetFilePointer, WriteFile, ReadFile, CreateFileW, lstrcmpiW, GetThreadLocale, lstrcpyW, DeleteFileW, TlsFree, DeleteCriticalSection, LocalReAlloc, TlsSetValue, GlobalHandle, GlobalReAlloc, TlsAlloc, InitializeCriticalSection, EnterCriticalSection, TlsGetValue, LeaveCriticalSection, LocalAlloc, GlobalFlags, GetCurrentDirectoryW, ReleaseActCtx, CreateActCtxW, CopyFileW, GlobalSize, FormatMessageW, LocalFree, MulDiv, GlobalFindAtomW, GetVersionExW, CompareStringW, GlobalUnlock, GlobalFree, FreeResource, GetCurrentProcessId, GlobalAddAtomW, GetPrivateProfileStringW, lstrlenW, WritePrivateProfileStringW, GetPrivateProfileIntW, CreateEventW, SuspendThread, SetEvent, WaitForSingleObject, ResumeThread, SetThreadPriority, CloseHandle, lstrcmpA, GlobalDeleteAtom, GetCurrentThread, GetCurrentThreadId, GetUserDefaultUILanguage, ConvertDefaultLocale, GetSystemDefaultUILanguage, GetModuleFileNameW, GetLocaleInfoW, ActivateActCtx, LoadLibraryW, GetLastError, DeactivateActCtx, SetLastError, WideCharToMultiByte, GlobalLock, lstrcmpW, GlobalAlloc, GetModuleHandleW, HeapAlloc, FreeLibrary, GetProcessHeap, HeapFree, IsBadReadPtr, LoadLibraryA, GetProcAddress, VirtualFree, VirtualProtect, VirtualAlloc, MultiByteToWideChar, TerminateThread, ExitProcess, FindResourceW, LoadResource, LockResource
USER32.dll	SetMenuDefaultItem, PostThreadMessageW, CreateMenu, IsMenu, UpdateLayeredWindow, UnionRect, MonitorFromPoint, TranslateMDISysAccel, DrawMenuBar, DefMDIChildProcW, DefFrameProcW, RegisterClipboardFormatW, CopyImage, GetIconInfo, EnableScrollBar, HideCaret, InvertRect, GetMenuDefaultItem, UnpackDDElParam, ReuseDDElParam, LoadImageW, InsertMenuItemW, TranslateAcceleratorW, LockWindowUpdate, BringWindowToTop, SetCursorPos, CreateAcceleratorTableW, LoadAcceleratorsW, GetKeyboardState, GetKeyboardLayout, ToUnicodeEx, DrawFocusRect, DrawFrameControl, DrawEdge, DrawIconEx, DrawStateW, SetClassLongPtrW, GetAsyncKeyState, NotifyWinEvent, CreatePopupMenu, DestroyAcceleratorTable, SetParent, RedrawWindow, SetWindowRgn, IsZoomed, UnregisterClassW, MessageBeep, GetNextDlgGroupItem, InvalidateRgn, SetRect, IsRectEmpty, CopyAcceleratorTableW, OffsetRect, CharNextW, IntersectRect, LoadMenuW, CharUpperW, DestroyIcon, WaitMessage, ReleaseCapture, WindowFromPoint, SetCapture, GetSysColorBrush, LoadCursorW, SetLayeredWindowAttributes, SetRectEmpty, KillTimer, SetTimer, InvalidateRect, RealChildWindowFromPoint, DeleteMenu, EndPaint, BeginPaint, GetWindowDC, ClientToScreen, GrayStringW, DrawTextExW, DrawTextW, TabbedTextOutW, FillRect, SystemParametersInfoW, DestroyMenu, IsClipboardFormatAvailable, InflateRect, GetMenuStringW, InsertMenuW, RemoveMenu, ShowWindow, SetWindowTextW, IsDialogMessageW, SetDlgItemTextW, CheckDlgButton, RegisterWindowMessageW, SendDlgItemMessageW, SendDlgItemMessageA, WinHelpW, IsChild, GetCapture, GetClassNameW, GetClassLongPtrW, SetPropW, GetPropW, RemovePropW, SetFocus, GetWindowTextLengthW, GetWindowTextW, GetForegroundWindow, BeginDeferWindowPos, EndDeferWindowPos, GetTopWindow, GetWindowLongPtrW, SetWindowLongPtrW, UnhookWindowsHookEx, GetMessageTime, GetMessagePos, MonitorFromWindow, GetMonitorInfoW, MapWindowPoints, ScrollWindow, TrackPopupMenu, SetMenu, SetScrollRange, GetScrollRange, SetScrollPos, GetScrollPos, SetForegroundWindow, ShowScrollBar, UpdateWindow, GetSubMenu, GetMenuItemID, GetMenuItemCount, CreateWindowExW, GetClassInfoExW, GetClassInfoW, RegisterClassW, GetSysColor, AdjustWindowRectEx, GetWindowRect, ScreenToClient, EqualRect, DeferWindowPos, GetScrollInfo, SetScrollInfo, PtInRect, SetWindowPlacement, GetWindowPlacement, GetDlgCtrlID, DefWindowProcW, CallWindowProcW, GetMenu, GetWindow, SetWindowContextHelpId, FrameRect, GetUpdateRect, GetWindowRgn, DestroyCursor, SubtractRect, MapVirtualKeyExW, IsCharLowerW, GetDoubleClickTime, MapDialogRect, SetWindowPos, MapVirtualKeyW, GetKeyNameTextW, ReleaseDC, GetDC, CopyRect, GetDesktopWindow, SetActiveWindow, CreateDialogIndirectParamW, CharUpperBuffW, CopyIcon, EmptyClipboard, CloseClipboard, SetClipboardData, GetMenuItemInfoW, OpenClipboard, DestroyWindow, IsWindow, GetDlgItem, GetNextDlgTabItem, EndDialog, GetWindowThreadProcessId, GetLastActivePopup, IsWindowEnabled, MessageBoxW, ShowOwnedPopups, SetCursor, SetWindowsHookExW, CallNextHookEx, GetMessageW, TranslateMessage, DispatchMessageW, GetActiveWindow, IsWindowVisible, GetKeyState, PeekMessageW, GetCursorPos, ValidateRect, SetMenuItemBitmaps, GetMenuCheckMarkDimensions, LoadBitmapW, GetFocus, GetParent, ModifyMenuW, GetMenuState, EnableMenuItem, CheckMenuItem, PostMessageW, PostQuitMessage, GetSystemMetrics, LoadIconW, EnableWindow, GetClientRect, IsIconic, GetSystemMenu, SendMessageW, AppendMenuW, DrawIcon, MoveWindow, GetWindowLongW, SetWindowLongW, EnumDisplayMonitors
GDI32.dll	CreateSolidBrush, CreateHatchBrush, CreateDIBitmap, CreateCompatibleBitmap, GetTextMetricsW, EnumFontFamiliesW, GetTextCharsetInfo, SetRectRgn, CombineRgn, GetMapMode, DPtoLP, GetBkColor, GetTextColor, GetRgnBox, CreateDIBSection, CreateRoundRectRgn, CreatePolygonRgn, CreateEllipticRgn, Polyline, Ellipse, Polygon, CreatePalette, GetPaletteEntries, GetNearestPaletteIndex, RealizePalette, GetSystemPaletteEntries, OffsetRgn, SetDIBColorTable, CreatePen, SetPixel, Rectangle, EnumFontFamiliesExW, LPtoDP, GetWindowOrgEx, GetViewportOrgEx, PtInRegion, FillRgn, FrameRgn, GetBoundsRect, ExtFloodFill, SetPaletteEntries, GetTextFaceW, SetPixelV, RectVisible, PtVisible, GetPixel, GetObjectType, TextOutW, SelectPalette, GetStockObject, CreatePatternBrush, DeleteDC, ExtSelectClipRgn, ScaleWindowExtEx, SetWindowExtEx, OffsetWindowOrgEx, SetWindowOrgEx, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, SetViewportOrgEx, SelectObject, StretchBlt, CreateBitmap, GetWindowExtEx, GetViewportExtEx, CreateRectRgn, SelectClipRgn, DeleteObject, SetLayout, GetLayout, SetTextAlign, MoveToEx, LineTo, IntersectClipRect, ExcludeClipRect, GetClipBox, SetMapMode, SetROP2, SetPolyFillMode, SetBkMode, RestoreDC, SaveDC, GetTextExtentPoint32W, ExtTextOutW, BitBlt, CreateCompatibleDC, CreateFontIndirectW, CreateDCW, CopyMetaFileW, GetDeviceCaps, GetObjectW, SetBkColor, SetTextColor, PatBlt, CreateRectRgnIndirect, Escape
MSIMG32.dll	AlphaBlend, TransparentBlt
COMDLG32.dll	GetFileTitleW
WINSPOOL.DRV	ClosePrinter, OpenPrinterW, DocumentPropertiesW
ADVAPI32.dll	RegEnumKeyExW, RegQueryValueExW, RegOpenKeyExW, RegCreateKeyExW, RegSetValueExW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyW, RegQueryValueW, RegCloseKey, RegEnumValueW
SHELL32.dll	SHAppBarMessage, SHGetFileInfoW, ShellExecuteW, DragFinish, DragQueryFileW, SHBrowseForFolderW, SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHGetDesktopFolder
COMCTL32.dll	ImageList_GetIconSize
SHLWAPI.dll	PathFindFileNameW, PathStripToRootW, PathIsUNCW, PathFindExtensionW, PathRemoveFileSpecW
ole32.dll	OleInitialize, CoFreeUnusedLibraries, OleUninitialize, CoInitializeEx, CreateILockBytesOnHGlobal, StgCreateDocfileOnILockBytes, StgOpenStorageOnILockBytes, CoGetClassObject, CoInitialize, CoUninitialize, OleCreateMenuDescriptor, CoTaskMemAlloc, ReleaseStgMedium, CoTaskMemFree, OleDestroyMenuDescriptor, OleTranslateAccelerator, IsAccelerator, OleLockRunning, CreateStreamOnHGlobal, OleIsCurrentClipboard, OleFlushClipboard, DoDragDrop, CLSIDFromString, CLSIDFromProgID, CoCreateGuid, RevokeDragDrop, CoLockObjectExternal, RegisterDragDrop, OleGetClipboard, OleDuplicateData, CoRegisterMessageFilter, CoCreateInstance, CoRevokeClassObject
OLEAUT32.dll	SysFreeString, VarBstrFromDate, VariantCopy, SafeArrayDestroy, SystemTimeToVariantTime, VariantTimeToSystemTime, OleCreateFontIndirect, SysStringLen, VariantInit, VariantChangeType, VariantClear, SysAllocStringLen, SysAllocString
oledlg.dll	OleUIBusyW
WS2_32.dll	WSAIoctl, htons, inet_ntoa, gethostbyname, gethostname, WSASocketW, WSAStartup, ntohs, recv, bind
OLEACC.dll	LresultFromObject, AccessibleObjectFromWindow, CreateStdAccessibleObject
gdiplus.dll	GdipGetImagePixelFormat, GdipGetImageHeight, GdipGetImageWidth, GdipCloneImage, GdipDrawImageRectI, GdipSetInterpolationMode, GdipGetImagePaletteSize, GdiplusShutdown, GdiplusStartup, GdipCreateBitmapFromHBITMAP, GdipDisposeImage, GdipDeleteGraphics, GdipAlloc, GdipFree, GdipGetImagePalette, GdipCreateBitmapFromStream, GdipCreateBitmapFromScan0, GdipBitmapLockBits, GdipBitmapUnlockBits, GdipGetImageGraphicsContext, GdipCreateFromHDC, GdipDrawImageI
IMM32.dll	ImmGetOpenStatus, ImmReleaseContext, ImmGetContext
WINMM.dll	PlaySoundW

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 24, 2021 10:23:23.492737055 CET	49696	443	192.168.2.4	204.79.197.200
Jan 24, 2021 10:23:23.493050098 CET	49696	443	192.168.2.4	204.79.197.200
Jan 24, 2021 10:23:23.493232012 CET	49696	443	192.168.2.4	204.79.197.200
Jan 24, 2021 10:23:23.493341923 CET	49696	443	192.168.2.4	204.79.197.200
Jan 24, 2021 10:23:23.493448019 CET	49696	443	192.168.2.4	204.79.197.200
Jan 24, 2021 10:23:23.493484020 CET	49696	443	192.168.2.4	204.79.197.200
Jan 24, 2021 10:23:23.493712902 CET	49696	443	192.168.2.4	204.79.197.200
Jan 24, 2021 10:23:23.493824005 CET	49696	443	192.168.2.4	204.79.197.200
Jan 24, 2021 10:23:23.493865967 CET	49696	443	192.168.2.4	204.79.197.200
Jan 24, 2021 10:23:23.503756046 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:23.503794909 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:23.503830910 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:23.503869057 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:23.503894091 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:23.503979921 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:23.504018068 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:23.504620075 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:23.504646063 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:23.504668951 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:23.504837036 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:23.504875898 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:23.505203962 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:23.505242109 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:23.505482912 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:23.505522966 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:23.505681992 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:23.505717039 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:23.505799055 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:23.505855083 CET	49696	443	192.168.2.4	204.79.197.200
Jan 24, 2021 10:23:23.506150961 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:23.506251097 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:23.506513119 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:23.506541967 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:23.626178026 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:23.626334906 CET	49696	443	192.168.2.4	204.79.197.200
Jan 24, 2021 10:23:28.676939011 CET	49696	443	192.168.2.4	204.79.197.200
Jan 24, 2021 10:23:28.677278996 CET	49696	443	192.168.2.4	204.79.197.200
Jan 24, 2021 10:23:28.677455902 CET	49696	443	192.168.2.4	204.79.197.200
Jan 24, 2021 10:23:28.677529097 CET	49696	443	192.168.2.4	204.79.197.200
Jan 24, 2021 10:23:28.677571058 CET	49696	443	192.168.2.4	204.79.197.200
Jan 24, 2021 10:23:28.677608013 CET	49696	443	192.168.2.4	204.79.197.200
Jan 24, 2021 10:23:28.677635908 CET	49696	443	192.168.2.4	204.79.197.200
Jan 24, 2021 10:23:28.677711964 CET	49696	443	192.168.2.4	204.79.197.200
Jan 24, 2021 10:23:28.677747011 CET	49696	443	192.168.2.4	204.79.197.200
Jan 24, 2021 10:23:28.677762985 CET	49696	443	192.168.2.4	204.79.197.200
Jan 24, 2021 10:23:28.677767992 CET	49696	443	192.168.2.4	204.79.197.200
Jan 24, 2021 10:23:28.686454058 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:28.686647892 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:28.686887026 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:28.687319994 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:28.687814951 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:28.687844992 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:28.687937021 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:28.688262939 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:28.688580036 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:28.688678026 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:28.688756943 CET	49696	443	192.168.2.4	204.79.197.200
Jan 24, 2021 10:23:28.688922882 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:28.689089060 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:28.689160109 CET	49696	443	192.168.2.4	204.79.197.200
Jan 24, 2021 10:23:28.689368963 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:28.689434052 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:28.689743042 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:28.689924002 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:28.720083952 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:28.720293045 CET	49696	443	192.168.2.4	204.79.197.200
Jan 24, 2021 10:23:28.755439043 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:28.755672932 CET	49696	443	192.168.2.4	204.79.197.200
Jan 24, 2021 10:23:37.462538004 CET	49683	443	192.168.2.4	40.126.31.135
Jan 24, 2021 10:23:37.462593079 CET	49682	443	192.168.2.4	40.126.31.135
Jan 24, 2021 10:23:37.462704897 CET	49683	443	192.168.2.4	40.126.31.135
Jan 24, 2021 10:23:37.462745905 CET	49682	443	192.168.2.4	40.126.31.135
Jan 24, 2021 10:23:37.499459982 CET	443	49683	40.126.31.135	192.168.2.4
Jan 24, 2021 10:23:37.499675989 CET	443	49683	40.126.31.135	192.168.2.4
Jan 24, 2021 10:23:37.499989986 CET	443	49682	40.126.31.135	192.168.2.4
Jan 24, 2021 10:23:37.500017881 CET	443	49682	40.126.31.135	192.168.2.4
Jan 24, 2021 10:23:37.553977013 CET	443	49683	40.126.31.135	192.168.2.4
Jan 24, 2021 10:23:37.554744005 CET	443	49682	40.126.31.135	192.168.2.4
Jan 24, 2021 10:23:37.645104885 CET	443	49682	40.126.31.135	192.168.2.4
Jan 24, 2021 10:23:37.645154953 CET	443	49682	40.126.31.135	192.168.2.4
Jan 24, 2021 10:23:37.645194054 CET	443	49682	40.126.31.135	192.168.2.4
Jan 24, 2021 10:23:37.645241976 CET	443	49682	40.126.31.135	192.168.2.4
Jan 24, 2021 10:23:37.645297050 CET	443	49682	40.126.31.135	192.168.2.4
Jan 24, 2021 10:23:37.645302057 CET	49682	443	192.168.2.4	40.126.31.135
Jan 24, 2021 10:23:37.645345926 CET	49682	443	192.168.2.4	40.126.31.135
Jan 24, 2021 10:23:37.645354986 CET	443	49682	40.126.31.135	192.168.2.4
Jan 24, 2021 10:23:37.645435095 CET	49682	443	192.168.2.4	40.126.31.135
Jan 24, 2021 10:23:37.645481110 CET	443	49682	40.126.31.135	192.168.2.4
Jan 24, 2021 10:23:37.645541906 CET	443	49682	40.126.31.135	192.168.2.4
Jan 24, 2021 10:23:37.645591974 CET	443	49682	40.126.31.135	192.168.2.4
Jan 24, 2021 10:23:37.645615101 CET	49682	443	192.168.2.4	40.126.31.135
Jan 24, 2021 10:23:37.645648003 CET	443	49683	40.126.31.135	192.168.2.4
Jan 24, 2021 10:23:37.645689964 CET	443	49683	40.126.31.135	192.168.2.4
Jan 24, 2021 10:23:37.645725965 CET	443	49683	40.126.31.135	192.168.2.4
Jan 24, 2021 10:23:37.645764112 CET	443	49683	40.126.31.135	192.168.2.4
Jan 24, 2021 10:23:37.645801067 CET	443	49683	40.126.31.135	192.168.2.4
Jan 24, 2021 10:23:37.645807028 CET	49683	443	192.168.2.4	40.126.31.135
Jan 24, 2021 10:23:37.645837069 CET	443	49683	40.126.31.135	192.168.2.4
Jan 24, 2021 10:23:37.645838022 CET	49683	443	192.168.2.4	40.126.31.135
Jan 24, 2021 10:23:37.645874023 CET	443	49683	40.126.31.135	192.168.2.4
Jan 24, 2021 10:23:37.645915031 CET	49683	443	192.168.2.4	40.126.31.135
Jan 24, 2021 10:23:37.645931005 CET	443	49683	40.126.31.135	192.168.2.4
Jan 24, 2021 10:23:37.645987034 CET	443	49683	40.126.31.135	192.168.2.4
Jan 24, 2021 10:23:37.646002054 CET	49683	443	192.168.2.4	40.126.31.135
Jan 24, 2021 10:23:37.686861992 CET	49683	443	192.168.2.4	40.126.31.135
Jan 24, 2021 10:23:37.697947025 CET	49682	443	192.168.2.4	40.126.31.135
Jan 24, 2021 10:23:44.404624939 CET	49744	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:44.628895998 CET	13527	49744	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:44.629020929 CET	49744	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:44.673149109 CET	49744	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:44.892343998 CET	13527	49744	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:44.932837963 CET	49744	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:45.670763016 CET	49744	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:45.893397093 CET	13527	49744	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:45.948796988 CET	49744	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:49.980010986 CET	13527	49744	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:49.994618893 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:50.026993036 CET	49744	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:50.186917067 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:50.187036037 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:50.193909883 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:50.387290955 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:50.411216974 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:50.610318899 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:50.652071953 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:50.759540081 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:50.963913918 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:50.963973999 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:50.964061022 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:50.964103937 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:50.964139938 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:50.964200974 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.156513929 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.156574011 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.156611919 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.156658888 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.156680107 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.156770945 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.156811953 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.156830072 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.156867981 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.156903982 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.156936884 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.157119989 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.349153042 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.349229097 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.349268913 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.349322081 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.349366903 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.349406958 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.349477053 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.349519968 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.349538088 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.349575996 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.349631071 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.349673986 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.349726915 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.349766970 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.349803925 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.349841118 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.349877119 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.349896908 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.349946022 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.349986076 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.350016117 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.350043058 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.350085974 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.350173950 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.542428017 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.542546988 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.542587996 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.542634964 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.542674065 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.542704105 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.542759895 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.542800903 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.542840004 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.542848110 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.542865038 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.542913914 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.542951107 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.542988062 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.543021917 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.543028116 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.543055058 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.543097973 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.543144941 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.543188095 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.543222904 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.543231010 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.543251991 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.543289900 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.543327093 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.543365002 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.543396950 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.543402910 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.543423891 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.543462038 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.543500900 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.543540001 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.543574095 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.543585062 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.543644905 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.543694019 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.543729067 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.544234037 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.545517921 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.789244890 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.994138002 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.994185925 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.994221926 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.994277954 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.994292021 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.994347095 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.994389057 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.994426966 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.994462013 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.994478941 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.994518995 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.994558096 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.994613886 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.994626999 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.994636059 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.994688988 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.994756937 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.994805098 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.994833946 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.994873047 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.994910955 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.994950056 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.994997978 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.995035887 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.995060921 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.995099068 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.995135069 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.995170116 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.995208979 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.995225906 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.995270014 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.995282888 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.995316982 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.995352030 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.995398045 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.995440006 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.995476961 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.995517969 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.995568037 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.995575905 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.995587111 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.995625973 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.995659113 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.995697021 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.995733023 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.995779037 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.995820045 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.995839119 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.995846033 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.995883942 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.995920897 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.995956898 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.995990038 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.996009111 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.996016026 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.996048927 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.996084929 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.996121883 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.996159077 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.996175051 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.996186018 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.996227980 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.996268034 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.996304989 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.996336937 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.996356964 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.996364117 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.996397018 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.996433973 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.996469975 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.996522903 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.996534109 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:52.188680887 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.188730001 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.188767910 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.188790083 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:52.188832998 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.188877106 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.188992023 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:52.230405092 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:52.778477907 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:52.979238987 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.979288101 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.979325056 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.979362011 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:52.979389906 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.979429960 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.979448080 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:52.979487896 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.979523897 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.979542971 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:52.979597092 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.979652882 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.979665041 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:52.979716063 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.979763031 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.979773998 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:52.979813099 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.979849100 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.979871035 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:52.979918003 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.979973078 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.979986906 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:52.980030060 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.980077982 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.980089903 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:52.980128050 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.980164051 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.980180025 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:52.980217934 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.980254889 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.980271101 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:52.980309010 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.980345964 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.980376959 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.980392933 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:52.980436087 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:52.980458975 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.980506897 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.980556011 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.980566978 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:52.980606079 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.980648994 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.980659962 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:52.980698109 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.980746984 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.980757952 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:52.980792046 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.980834007 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.980844975 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:52.980882883 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.980923891 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.980936050 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:52.980983973 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.981025934 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:52.981041908 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.981071949 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.981113911 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:53.118199110 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:53.365730047 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:53.814583063 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:53.814702988 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:53.859205008 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:54.051073074 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:54.051347017 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:54.270224094 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:54.270334005 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:54.288530111 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:54.507450104 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:54.574243069 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:54.612688065 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:54.836000919 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:54.886840105 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:55.295989037 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:55.307897091 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:55.515795946 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:55.515813112 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:55.515820980 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:55.515970945 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:55.516011953 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:55.526813030 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:55.526993990 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:55.735239983 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:55.735272884 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:55.735299110 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:55.735323906 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:55.735451937 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:55.745811939 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:55.745851994 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:55.954360008 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:55.954396009 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:55.954477072 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:55.954575062 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:55.954715014 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:56.223587990 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:56.223792076 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:56.491796970 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:56.491944075 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:56.761743069 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:56.761857033 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:57.030440092 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:57.030524969 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:57.300798893 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:57.300970078 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:57.570388079 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:57.571827888 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:57.698775053 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:57.840342045 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:57.917685032 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:57.917718887 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:57.917814970 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:57.993100882 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:58.214649916 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:58.214685917 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:58.215725899 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:58.484622002 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:58.486310959 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:58.755295992 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:58.755490065 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:59.024013996 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:59.024091959 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:59.292634964 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:59.296293020 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:59.564798117 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:59.564878941 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:59.833225012 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:59.836514950 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:00.106441021 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:00.108120918 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:00.376741886 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:00.376991987 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:00.645517111 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:00.645638943 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:00.914259911 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:00.914372921 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:01.182372093 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:01.182488918 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:01.451486111 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:01.451598883 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:01.720177889 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:01.720314980 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:01.988185883 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:01.988405943 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:02.258222103 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:02.258667946 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:02.527736902 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:02.527841091 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:02.796634912 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:02.798907995 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:03.067519903 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:03.067601919 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:03.336163044 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:03.336451054 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:03.482877970 CET	80	49688	93.184.220.29	192.168.2.4
Jan 24, 2021 10:24:03.483721018 CET	49688	80	192.168.2.4	93.184.220.29
Jan 24, 2021 10:24:03.597266912 CET	80	49687	93.184.220.29	192.168.2.4
Jan 24, 2021 10:24:03.598772049 CET	49687	80	192.168.2.4	93.184.220.29
Jan 24, 2021 10:24:03.605046034 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:03.605139017 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:03.873642921 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:03.876305103 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:04.144437075 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:04.144527912 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:04.188651085 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:04.406955004 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:04.407644987 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:04.452977896 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:04.577502966 CET	80	49711	93.184.220.29	192.168.2.4
Jan 24, 2021 10:24:04.577620983 CET	49711	80	192.168.2.4	93.184.220.29
Jan 24, 2021 10:24:04.626560926 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:04.715922117 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:04.757339001 CET	80	49712	93.184.220.29	192.168.2.4
Jan 24, 2021 10:24:04.759186983 CET	49712	80	192.168.2.4	93.184.220.29
Jan 24, 2021 10:24:04.984618902 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:04.984940052 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:05.253281116 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:05.255887032 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:05.271456957 CET	49713	443	192.168.2.4	104.79.89.181
Jan 24, 2021 10:24:05.271657944 CET	49714	80	192.168.2.4	93.184.220.29
Jan 24, 2021 10:24:05.524389982 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:05.524590015 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:05.753616095 CET	80	49707	93.184.220.29	192.168.2.4
Jan 24, 2021 10:24:05.753742933 CET	49707	80	192.168.2.4	93.184.220.29
Jan 24, 2021 10:24:05.792771101 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:05.793199062 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:06.062020063 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:06.062305927 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:06.330858946 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:06.330975056 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:06.609314919 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:06.609409094 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:06.877954006 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:06.878751993 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:07.146608114 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:07.147188902 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:07.415678024 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:07.415781021 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:07.685522079 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:07.685849905 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:07.954140902 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:07.954351902 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:08.223099947 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:08.223467112 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:08.492399931 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:08.494678020 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:08.763119936 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:08.763338089 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:09.031897068 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:09.031997919 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:09.300657034 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:09.301146984 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:09.570686102 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:09.570786953 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:09.838772058 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:09.839318037 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:10.108814001 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:10.402307034 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:10.670810938 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:10.672283888 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:10.940509081 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:11.392703056 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:11.661114931 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:11.661201954 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:11.930252075 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:11.930355072 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:12.199026108 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:12.199130058 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:12.467624903 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:12.467708111 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:12.735907078 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:12.736166000 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:13.004185915 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:13.005191088 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:13.274581909 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:13.278134108 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:13.546989918 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:13.547348976 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:13.816880941 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:13.817001104 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:14.087378025 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:14.087476015 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:14.363312960 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:14.365601063 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:14.634673119 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:14.634782076 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:14.904660940 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:14.904779911 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:15.172898054 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:15.172988892 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:15.441334963 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:15.441540956 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:15.711215973 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:15.711436987 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:15.989732027 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:15.990199089 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:16.258379936 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:16.258465052 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:16.527291059 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:16.527455091 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:16.566608906 CET	49744	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:16.798059940 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:16.800570965 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:16.838176966 CET	13527	49744	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:17.069073915 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:17.069190979 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:17.337997913 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:17.338148117 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:17.606755018 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:17.607089996 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:17.876199007 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:17.877790928 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:18.146377087 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:18.146477938 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:18.414860010 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:18.416063070 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:18.684304953 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:18.685837984 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:18.954674006 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:18.956798077 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:19.225153923 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:19.225323915 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:19.494291067 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:19.497940063 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:19.766884089 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:19.767023087 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:20.036458969 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:20.036592007 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:20.304441929 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:20.304681063 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:20.574187994 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:20.574295998 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:20.842816114 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:20.843712091 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:21.112056971 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:21.113923073 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:21.382647038 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:21.382750988 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:21.651397943 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:21.651499033 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:21.929666996 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:21.929831028 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:22.198828936 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:22.200498104 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:22.468805075 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:22.470222950 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:22.738514900 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:22.738609076 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:23.007834911 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:23.008702993 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:23.277044058 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:23.277196884 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:23.546056032 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:23.546264887 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:23.815642118 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:23.815763950 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:24.084367037 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:24.084583044 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:24.352526903 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:24.353346109 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:24.622344017 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:24.623051882 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:24.891127110 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:24.892421961 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:25.161118031 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:25.161360025 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:25.440212011 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:25.442578077 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:25.710808039 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:25.713737011 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:25.805048943 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:25.903383017 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:25.982023001 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:26.023891926 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:26.035103083 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:26.123476982 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:26.143909931 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:26.254165888 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:26.254245996 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:26.362951040 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:26.364584923 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:26.523013115 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:26.526617050 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:26.633141041 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:26.634171009 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:26.793479919 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:26.904495955 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:26.906682968 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:27.175882101 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:27.178646088 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:27.447189093 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:27.450264931 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:27.718775034 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:27.893541098 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:28.162134886 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:28.162406921 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:28.431360960 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:28.664343119 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:28.933193922 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:28.933428049 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:29.203636885 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:29.203773022 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:29.471947908 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:29.472130060 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:29.740379095 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:29.740506887 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:30.009432077 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:30.009541988 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:30.279051065 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:30.279210091 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:30.548115969 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:30.548228979 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:30.816816092 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:30.817253113 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:31.086479902 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:31.086667061 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:31.355819941 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:31.355921984 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:31.625742912 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:31.625927925 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:31.894752026 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:31.895200968 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:32.163626909 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:32.163947105 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:32.434046030 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:32.434236050 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:32.702395916 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:32.705086946 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:32.973676920 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:32.973814011 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:33.244616032 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:33.244744062 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:33.513820887 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:33.513923883 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:33.783210039 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:33.783324003 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:34.051631927 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:34.051717997 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:34.329853058 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:34.333246946 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:34.602957964 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:34.603135109 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:34.871273994 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:34.874190092 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:35.143079042 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:35.143322945 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:35.412717104 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:35.414908886 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:35.683578968 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:35.687561989 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:35.956814051 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:35.959089041 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:36.228622913 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:36.228730917 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:36.496671915 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:36.496763945 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:36.764910936 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:36.767513990 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:37.036355019 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:37.039608002 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:37.308146000 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:37.311693907 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:37.589992046 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:37.590531111 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:37.858679056 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:37.858841896 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:38.127378941 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:38.127494097 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:38.395629883 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:38.395757914 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:38.664344072 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:38.664644957 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:38.933423042 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:38.933621883 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:39.203843117 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:39.203955889 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:39.472434044 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:39.472563028 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:39.741750002 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:39.743758917 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:40.012676954 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:40.012800932 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:40.281017065 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:40.281892061 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:40.559911966 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:40.561508894 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:40.830530882 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:40.834180117 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:41.102693081 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:41.107939005 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:41.376296043 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:41.376650095 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:41.645350933 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:41.647895098 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:41.916986942 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:41.917927027 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:42.186188936 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:42.186285973 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:42.455260038 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:42.456051111 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:42.724718094 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:42.725914955 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:42.994393110 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:42.994574070 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:43.262664080 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:43.262840033 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:43.531454086 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:43.531548023 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:43.800040960 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:43.800143957 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:44.069000959 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:44.072150946 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:44.340634108 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:44.344223022 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:44.612821102 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:44.612912893 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:44.883492947 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:44.884325027 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:45.154580116 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:45.156296015 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:45.426048994 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:45.428379059 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:45.696516037 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:45.700423002 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:45.969198942 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:46.025207996 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:46.293617964 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:46.293797970 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:46.562621117 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:46.562864065 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:46.832654953 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:46.832895994 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:47.103919983 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:47.104196072 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:47.373049021 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:47.530911922 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:47.799447060 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:47.799551010 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:48.067898035 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:48.068078041 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:48.336503983 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:48.336639881 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:48.563296080 CET	49744	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:48.604945898 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:48.605097055 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:48.832588911 CET	13527	49744	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:48.871464014 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:48.871565104 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:49.140199900 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:49.140345097 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:49.408720016 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:49.408828020 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:49.491842031 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:49.589169979 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:49.668848991 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:49.677587032 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:49.710947037 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:49.808396101 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:49.808531046 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:49.887806892 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:49.887897968 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:50.076951981 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:50.077136040 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:50.155924082 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:50.156117916 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:50.346848965 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:50.346959114 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:50.426770926 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:50.426847935 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:50.615374088 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:50.615545988 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:50.698685884 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:50.698919058 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:50.884274960 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:50.884433031 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:50.968293905 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:50.968377113 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:51.153485060 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:51.153713942 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:51.233433962 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:51.233550072 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:51.423113108 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:51.423212051 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:51.502192020 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:51.502307892 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:51.692327976 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:51.692431927 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:51.780338049 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:51.780431032 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:51.970549107 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:51.970638990 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:52.051393986 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:52.051599026 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:52.188894987 CET	49681	443	192.168.2.4	40.126.31.135
Jan 24, 2021 10:24:52.188981056 CET	49688	80	192.168.2.4	93.184.220.29
Jan 24, 2021 10:24:52.189145088 CET	49687	80	192.168.2.4	93.184.220.29
Jan 24, 2021 10:24:52.189455986 CET	49682	443	192.168.2.4	40.126.31.135
Jan 24, 2021 10:24:52.189517975 CET	49683	443	192.168.2.4	40.126.31.135
Jan 24, 2021 10:24:52.208045959 CET	80	49687	93.184.220.29	192.168.2.4
Jan 24, 2021 10:24:52.208093882 CET	80	49688	93.184.220.29	192.168.2.4
Jan 24, 2021 10:24:52.208141088 CET	49687	80	192.168.2.4	93.184.220.29
Jan 24, 2021 10:24:52.208235979 CET	49688	80	192.168.2.4	93.184.220.29
Jan 24, 2021 10:24:52.226140976 CET	443	49683	40.126.31.135	192.168.2.4
Jan 24, 2021 10:24:52.226186037 CET	443	49682	40.126.31.135	192.168.2.4
Jan 24, 2021 10:24:52.226263046 CET	49683	443	192.168.2.4	40.126.31.135
Jan 24, 2021 10:24:52.226301908 CET	49682	443	192.168.2.4	40.126.31.135
Jan 24, 2021 10:24:52.226382971 CET	443	49681	40.126.31.135	192.168.2.4
Jan 24, 2021 10:24:52.226444960 CET	49681	443	192.168.2.4	40.126.31.135
Jan 24, 2021 10:24:52.238904953 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:52.239022970 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:52.319817066 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:52.319921970 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:52.507154942 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:52.507349968 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:52.589071989 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:52.589237928 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:52.775427103 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:52.775521040 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:52.857549906 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:52.857676029 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:53.044110060 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:53.044199944 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:53.127254963 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:53.127372026 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:53.316621065 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:53.316842079 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:53.397062063 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:53.397192955 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:53.585668087 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:53.585906982 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:53.665972948 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:53.666102886 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:53.857163906 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:53.857336044 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:53.934221029 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:53.934329033 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:54.125595093 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:54.125682116 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:54.203318119 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:54.203411102 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:54.395068884 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:54.395226002 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:54.472225904 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:54.472315073 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:54.663928032 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:54.664071083 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:54.741497993 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:54.741610050 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:54.932316065 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:54.932586908 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:55.010271072 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:55.010534048 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:55.210603952 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:55.210728884 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:55.278749943 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:55.278855085 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:55.479554892 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:55.479738951 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:55.547542095 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:55.547776937 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:55.748570919 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:55.748764038 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:55.816817045 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:55.816941023 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:56.016659975 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:56.016762972 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:56.084697008 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:56.084783077 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:56.439024925 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:57.141978979 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:58.439088106 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:58.658382893 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:58.658638954 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:58.926501036 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:58.926610947 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:59.198493004 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:59.198596001 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:59.467097044 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:59.467199087 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:59.736037016 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:59.736176014 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:00.004898071 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:00.009469986 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:00.279738903 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:00.279871941 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:00.548027992 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:00.548173904 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:00.816198111 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:00.816298008 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:01.084546089 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:01.084662914 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:01.353806019 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:01.353905916 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:01.622065067 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:01.622251034 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:01.900883913 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:01.901091099 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:02.169213057 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:02.169425011 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:02.437884092 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:02.438002110 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:02.706109047 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:02.706192017 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:02.974900007 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:02.975006104 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:03.245841980 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:03.246011972 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:03.516577005 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:03.516772985 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:03.785427094 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:03.785567999 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:04.054411888 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:04.054568052 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:04.322794914 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:04.322896957 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:04.591923952 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:04.592142105 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:04.862068892 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:04.862157106 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:05.140609026 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:05.140750885 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:05.318269968 CET	443	49701	204.79.197.200	192.168.2.4
Jan 24, 2021 10:25:05.409532070 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:05.409619093 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:05.678798914 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:05.678910971 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:05.947104931 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:05.947381973 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:06.009604931 CET	80	49707	93.184.220.29	192.168.2.4
Jan 24, 2021 10:25:06.009776115 CET	49707	80	192.168.2.4	93.184.220.29
Jan 24, 2021 10:25:06.216638088 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:06.216909885 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:06.485739946 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:06.485903978 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:06.753957987 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:06.754064083 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:07.022171021 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:07.022286892 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:07.291866064 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:07.292124987 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:07.561003923 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:07.561110020 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:07.679440022 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:07.830420017 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:07.830729961 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:07.898576021 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:07.898680925 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:07.987287998 CET	443	49702	204.79.197.200	192.168.2.4
Jan 24, 2021 10:25:08.100558996 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:08.100708961 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:08.167654037 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:08.167772055 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:08.278325081 CET	443	49699	204.79.197.200	192.168.2.4
Jan 24, 2021 10:25:08.278882027 CET	443	49705	204.79.197.200	192.168.2.4
Jan 24, 2021 10:25:08.368813992 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:08.368916035 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:08.439265013 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:08.549748898 CET	443	49710	13.107.42.23	192.168.2.4
Jan 24, 2021 10:25:08.637607098 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:08.637706995 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:08.669476032 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:08.888273954 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:08.888361931 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:08.936176062 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:09.157208920 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:09.157329082 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:09.426207066 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:09.426316023 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:09.695178986 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:09.695285082 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:09.699049950 CET	443	49698	204.79.197.200	192.168.2.4
Jan 24, 2021 10:25:09.890197039 CET	443	49700	204.79.197.200	192.168.2.4
Jan 24, 2021 10:25:09.959615946 CET	443	49703	204.79.197.200	192.168.2.4
Jan 24, 2021 10:25:09.963783979 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:09.963912964 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:10.235433102 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:10.235539913 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:10.246742010 CET	443	49708	13.107.5.88	192.168.2.4
Jan 24, 2021 10:25:10.504143000 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:10.504251957 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:10.605376959 CET	443	49704	204.79.197.200	192.168.2.4
Jan 24, 2021 10:25:10.772947073 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:10.773081064 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:11.041670084 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:11.041863918 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:11.142512083 CET	443	49709	13.107.5.88	192.168.2.4
Jan 24, 2021 10:25:11.310424089 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:11.310537100 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:11.579118967 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:11.579272032 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:11.847428083 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:11.847585917 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:11.989367008 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:12.092156887 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:12.116403103 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:12.170695066 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:12.172115088 CET	443	49715	204.79.197.222	192.168.2.4
Jan 24, 2021 10:25:12.208189964 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:12.208236933 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:12.250076056 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:12.311028004 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:12.311070919 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:12.389642954 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:12.389686108 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:12.389746904 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:12.469042063 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:12.469257116 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:12.659431934 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:12.662571907 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:12.738796949 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:12.738878012 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:12.939498901 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:12.939615965 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:13.009527922 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:13.009603024 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:13.210366964 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:13.210443020 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:13.278295994 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:13.434866905 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:13.479104996 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:13.653752089 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:13.653937101 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:13.922641993 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:13.922785997 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:14.193414927 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:14.193538904 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:14.461852074 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:14.462007999 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:14.483470917 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:14.702274084 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:14.702451944 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:14.761816025 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:14.981149912 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:14.981362104 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:15.241889954 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:15.242021084 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:15.510221958 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:15.510304928 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:15.778426886 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:15.778532982 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:16.060941935 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:16.061047077 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:16.329827070 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:16.330060005 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:16.598242044 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:16.598447084 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:16.866916895 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:16.867100000 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:17.135126114 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:17.135281086 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:17.403434038 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:17.403614044 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:17.672471046 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:17.672673941 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:17.941854000 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:17.941977024 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:18.210589886 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:18.210741997 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:18.479249001 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:18.479408026 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:18.747505903 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:18.747643948 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:19.016108990 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:19.301820993 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:19.429673910 CET	49744	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:19.570580959 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:19.570741892 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:19.699790001 CET	13527	49744	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:19.839732885 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:19.839920044 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:20.108160019 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:20.108325005 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:20.161662102 CET	80	49707	93.184.220.29	192.168.2.4
Jan 24, 2021 10:25:20.161837101 CET	49707	80	192.168.2.4	93.184.220.29
Jan 24, 2021 10:25:20.377080917 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:20.377254009 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:20.645407915 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:20.852606058 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:21.131155968 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:21.131283045 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:21.400587082 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:21.400790930 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:21.669661999 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:21.669862032 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:21.938733101 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:21.938947916 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:22.207583904 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:22.207676888 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:22.477802992 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:22.477909088 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:22.746829033 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:22.746915102 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:23.015248060 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:23.017405987 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:23.285511971 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:23.285794973 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:23.554758072 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:23.555485964 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:23.825571060 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:23.825710058 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:24.094038963 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:24.094124079 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:24.362963915 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:24.363495111 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:24.631658077 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:24.631743908 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:24.900302887 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:24.903404951 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:25.171988964 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:25.173912048 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:25.442148924 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:25.447627068 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:25.716079950 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:25.716372967 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:25.984467030 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:25.984622955 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:26.253187895 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:26.253884077 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:26.523453951 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:26.523643017 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:26.793775082 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:26.794178009 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:27.062589884 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:27.063272953 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:27.332279921 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:27.332389116 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:27.600822926 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:27.603584051 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:27.872706890 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:27.873569012 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:28.142493010 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:28.142584085 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:28.411519051 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:28.411621094 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:28.679925919 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:28.680083036 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:28.950053930 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:28.951919079 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:29.219504118 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:29.220015049 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:29.489149094 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:29.492090940 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:29.760782957 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:29.764039993 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:30.032726049 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:30.032829046 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:30.311604977 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:30.311722040 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:30.580347061 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:30.580459118 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:30.849612951 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:30.850210905 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:31.119383097 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:31.122268915 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:31.391403913 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:31.392136097 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:31.660047054 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:31.660253048 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:31.928343058 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:31.928462982 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:32.198287010 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:32.198410034 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:32.466777086 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:32.466887951 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:32.735479116 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:32.735675097 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:33.004374981 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:33.004971981 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:33.274585009 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:33.274689913 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:33.543323994 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:33.543417931 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:33.821815014 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:33.821902990 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:34.089786053 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:34.091139078 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:34.359627008 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:34.359741926 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:34.628345013 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:34.628453016 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:34.897989035 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:34.898721933 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:34.994081974 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:35.167524099 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:35.167637110 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:35.212827921 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:35.436116934 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:35.436244965 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:35.704838991 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:35.705209017 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:35.789550066 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:25:35.973540068 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:35.974869013 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:36.038981915 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:36.243877888 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:36.244633913 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:36.257977009 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:36.514252901 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:36.514350891 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:36.785731077 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:36.785995007 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:37.055166960 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:37.055274010 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:37.323863983 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:37.324106932 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:37.548943996 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:37.592978954 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:37.673412085 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:37.767819881 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:37.767844915 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:37.768060923 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:37.870428085 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:37.892501116 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:38.037353992 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:38.037563086 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:38.089272022 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:38.089548111 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:38.308374882 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:38.308840036 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:38.577912092 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:38.578017950 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:38.846225977 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:38.846391916 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:39.115302086 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:39.115736008 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:39.384159088 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:39.384387970 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:39.652415991 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:39.653819084 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:39.921762943 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:39.921943903 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:40.189997911 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:40.190288067 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:40.459741116 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:40.460187912 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:40.728326082 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:40.732275963 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:41.000852108 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:41.001213074 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:41.270035028 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:41.270123005 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:41.538613081 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:41.538708925 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:41.806782961 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:41.806895018 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:42.075192928 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:42.075742006 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:42.345067978 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:42.345768929 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:42.614276886 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:42.614376068 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:42.885521889 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:42.885649920 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:43.155566931 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:43.155860901 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:43.424901009 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:43.425229073 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:43.694047928 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:43.694153070 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:43.962793112 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:43.962922096 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:44.230937004 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:44.231046915 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:44.499701023 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:44.499792099 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:44.769310951 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:44.770132065 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:45.039064884 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:45.039186001 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:45.307105064 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:45.307214975 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:45.575519085 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:45.575668097 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:45.845530987 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:45.845948935 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:46.114037037 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:46.114161968 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:46.382684946 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:46.382801056 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:46.650896072 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:46.651015997 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:46.919786930 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:46.921416998 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:47.189661026 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:47.190571070 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:47.458534002 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:47.458667040 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:47.727315903 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:47.727509975 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:47.996248960 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:47.996428013 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:48.264758110 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:48.265588045 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:48.534209967 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:48.537630081 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:48.804461956 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:48.804667950 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:49.073492050 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:49.073601007 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:49.345246077 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:49.345331907 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:49.614111900 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:49.614449978 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:49.882350922 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:49.883657932 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:50.161946058 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:50.162249088 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:50.430856943 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:50.431824923 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:50.701349020 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:50.701440096 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:50.957868099 CET	49744	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:50.971667051 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:50.972004890 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:51.232930899 CET	13527	49744	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:51.240814924 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:51.240953922 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:51.509495020 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:51.509670973 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:51.777699947 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:51.777831078 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:52.045835972 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:52.045934916 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:52.314860106 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:52.314974070 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:52.583288908 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:52.585428953 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:52.853586912 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:52.853761911 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:53.131726980 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:53.134107113 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:53.403244972 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:53.403343916 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:53.674995899 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:53.676291943 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:53.944113970 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:53.944233894 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:54.068289995 CET	49744	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:54.068381071 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:54.212507010 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:54.212594986 CET	49746	13527	192.168.2.4	110.92.66.246

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 24, 2021 10:23:13.309921980 CET	55854	53	192.168.2.4	8.8.8.8
Jan 24, 2021 10:23:13.332984924 CET	53	55854	8.8.8.8	192.168.2.4
Jan 24, 2021 10:23:13.920188904 CET	64549	53	192.168.2.4	8.8.8.8
Jan 24, 2021 10:23:13.943337917 CET	53	64549	8.8.8.8	192.168.2.4
Jan 24, 2021 10:23:14.716948032 CET	63153	53	192.168.2.4	8.8.8.8
Jan 24, 2021 10:23:14.740032911 CET	53	63153	8.8.8.8	192.168.2.4
Jan 24, 2021 10:23:15.511826038 CET	52991	53	192.168.2.4	8.8.8.8
Jan 24, 2021 10:23:15.535604000 CET	53	52991	8.8.8.8	192.168.2.4
Jan 24, 2021 10:23:16.968394041 CET	53700	53	192.168.2.4	8.8.8.8
Jan 24, 2021 10:23:16.991550922 CET	53	53700	8.8.8.8	192.168.2.4
Jan 24, 2021 10:23:17.860275030 CET	51726	53	192.168.2.4	8.8.8.8
Jan 24, 2021 10:23:17.883440971 CET	53	51726	8.8.8.8	192.168.2.4
Jan 24, 2021 10:23:19.125066996 CET	56794	53	192.168.2.4	8.8.8.8
Jan 24, 2021 10:23:19.150897026 CET	53	56794	8.8.8.8	192.168.2.4
Jan 24, 2021 10:23:19.983750105 CET	56534	53	192.168.2.4	8.8.8.8
Jan 24, 2021 10:23:20.006917000 CET	53	56534	8.8.8.8	192.168.2.4
Jan 24, 2021 10:23:20.637813091 CET	56627	53	192.168.2.4	8.8.8.8
Jan 24, 2021 10:23:20.664338112 CET	53	56627	8.8.8.8	192.168.2.4
Jan 24, 2021 10:23:21.486450911 CET	56621	53	192.168.2.4	8.8.8.8
Jan 24, 2021 10:23:21.512278080 CET	53	56621	8.8.8.8	192.168.2.4
Jan 24, 2021 10:23:22.337990046 CET	63116	53	192.168.2.4	8.8.8.8
Jan 24, 2021 10:23:22.361217976 CET	53	63116	8.8.8.8	192.168.2.4
Jan 24, 2021 10:23:23.166867018 CET	64078	53	192.168.2.4	8.8.8.8
Jan 24, 2021 10:23:23.201261997 CET	53	64078	8.8.8.8	192.168.2.4
Jan 24, 2021 10:23:37.773974895 CET	64801	53	192.168.2.4	8.8.8.8
Jan 24, 2021 10:23:37.796924114 CET	53	64801	8.8.8.8	192.168.2.4
Jan 24, 2021 10:23:40.221301079 CET	61721	53	192.168.2.4	8.8.8.8
Jan 24, 2021 10:23:40.253931046 CET	53	61721	8.8.8.8	192.168.2.4
Jan 24, 2021 10:24:03.344569921 CET	51255	53	192.168.2.4	8.8.8.8
Jan 24, 2021 10:24:03.370654106 CET	53	51255	8.8.8.8	192.168.2.4
Jan 24, 2021 10:24:32.072946072 CET	61522	53	192.168.2.4	8.8.8.8
Jan 24, 2021 10:24:32.110757113 CET	53	61522	8.8.8.8	192.168.2.4

HTTP Request Dependency Graph

110.92.66.246:13527

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49744	110.92.66.246	13527	C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

Timestamp	kBytes transferred	Direction	Data
Jan 24, 2021 10:23:44.673149109 CET	405	OUT	GET /\ HTTP/1.1 Connection: Upgrade Sec-WebSocket-Key: FCzEFfJJGECxZCsRaGKFlJqHW Sec-WebSocket-Version: 13 Upgrade: websocket Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits Host: 110.92.66.246:13527

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	110.92.66.246	13527	192.168.2.4	49744	C:\Users\user\zT6Nm@i4\PMRunner64.exe

Timestamp	kBytes transferred	Direction	Data
Jan 24, 2021 10:23:44.892343998 CET	406	IN	HTTP/1.1 101 Switching Protocols Connection: Upgrade Upgrade: WebSocket Sec-WebSocket-Accept: J6aOSpBDe/Sy9K0gZYEbzVgYYn8= Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.4	49745	110.92.66.246	13527	C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

Timestamp	kBytes transferred	Direction	Data
Jan 24, 2021 10:23:50.193909883 CET	407	OUT	GET /\ HTTP/1.1 Connection: Upgrade Sec-WebSocket-Key: hVvGEJDDITDIJDJeQLtIKCsnC Sec-WebSocket-Version: 13 Upgrade: websocket Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits Host: 110.92.66.246:13527

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	110.92.66.246	13527	192.168.2.4	49745	C:\Users\user\zT6Nm@i4\PMRunner64.exe

Timestamp	kBytes transferred	Direction	Data
Jan 24, 2021 10:23:50.387290955 CET	407	IN	HTTP/1.1 101 Switching Protocols Connection: Upgrade Upgrade: WebSocket Sec-WebSocket-Accept: Zt5ptgVJyb+M21WHDTqV3GKtCPo= Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.4	49746	110.92.66.246	13527	C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

Timestamp	kBytes transferred	Direction	Data
Jan 24, 2021 10:23:54.288530111 CET	607	OUT	GET /\ HTTP/1.1 Connection: Upgrade Sec-WebSocket-Key: IKBXBepAaaBfkIYjnCKuMRKkF Sec-WebSocket-Version: 13 Upgrade: websocket Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits Host: 110.92.66.246:13527

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	110.92.66.246	13527	192.168.2.4	49746	C:\Users\user\zT6Nm@i4\PMRunner64.exe

Timestamp	kBytes transferred	Direction	Data
Jan 24, 2021 10:23:54.507450104 CET	607	IN	HTTP/1.1 101 Switching Protocols Connection: Upgrade Upgrade: WebSocket Sec-WebSocket-Accept: Kj9tthj3c2jmoKNtKOHJo/S2svQ= Content-Length: 0

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe PID: 4164 Parent PID: 5908

General

Start time:	10:23:18
Start date:	24/01/2021
Path:	C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe'
Imagebase:	0x140000000
File size:	3150336 bytes
MD5 hash:	6665909A2652C5860FD874CB15C3991C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: zr.exe PID: 6340 Parent PID: 4164

General

Start time:	10:23:22
Start date:	24/01/2021
Path:	C:\Users\user\zT6Nm@i4\zr.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\zT6Nm@i4\zr.exe' a 'C:\Users\user\zT6Nm@i4\111.7z' 'C:\Users\user\zT6Nm@i4\TXP\*'
Imagebase:	0x400000
File size:	461088 bytes
MD5 hash:	045FCBE6C174AFA9A6A998BDD6F9FAD7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, Virustotal, Browse Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: conhost.exe PID: 6356 Parent PID: 6340

General

Start time:	10:23:22
Start date:	24/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 6648 Parent PID: 4164

General

Start time:	10:23:24
Start date:	24/01/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\cmd.exe' /C 'C:\Users\user\zT6Nm@i4\copy.bat'
Imagebase:	0x7ff622070000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6700 Parent PID: 6648

General

Start time:	10:23:24
Start date:	24/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: zr.exe PID: 6800 Parent PID: 6796

General

Start time:	10:23:28
Start date:	24/01/2021
Path:	C:\ProgramData\Microsoft\zr.exe
Wow64 process (32bit):	true
Commandline:	'C:\ProgramData\Microsoft\zr.exe' x C:\ProgramData\Microsoft\111.7z -y
Imagebase:	0x400000
File size:	461088 bytes
MD5 hash:	045FCBE6C174AFA9A6A998BDD6F9FAD7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, Virustotal, Browse Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: conhost.exe PID: 6656 Parent PID: 6800

General

Start time:	10:23:28
Start date:	24/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: PMRunner64.exe PID: 7120 Parent PID: 4164

General

Start time:	10:23:37
Start date:	24/01/2021
Path:	C:\Users\user\zT6Nm@i4\PMRunner64.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\zT6Nm@i4\PMRunner64.exe'
Imagebase:	0x7ff7a5160000
File size:	271704 bytes
MD5 hash:	65DBB57517611D9DE8CE522022DCD727
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, Virustotal, Browse Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: PMRunner64.exe PID: 6492 Parent PID: 3424

General

Start time:	10:23:48
Start date:	24/01/2021
Path:	C:\Users\user\zT6Nm@i4\PMRunner64.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\zT6Nm@i4\PMRunner64.exe'
Imagebase:	0x7ff7a5160000
File size:	271704 bytes
MD5 hash:	65DBB57517611D9DE8CE522022DCD727
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: PMRunner64.exe PID: 6972 Parent PID: 3424

General

Start time:	10:23:56
Start date:	24/01/2021
Path:	C:\Users\user\zT6Nm@i4\PMRunner64.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\zT6Nm@i4\PMRunner64.exe'
Imagebase:	0x7ff7a5160000
File size:	271704 bytes
MD5 hash:	65DBB57517611D9DE8CE522022DCD727
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.bat

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Dropped Files

Sigma Overview

Signature Overview

AV Detection:

Privilege Escalation:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

HTTP Request Dependency Graph

HTTP Packets